Manual fail over with subset of devices having access
I'd be grateful for views please on how best to accomplish the following.
I have a Gigabit symmetrical fibre broadband connection, with unlimited data with a lot of data hungry devices behind my pfsense box in a domestic setting.
If that connection goes down, I want to failover to a 4G LTE connection.
But...
- I want the failover to be manual (I need to know I have an issue and that I'm working off 4G)
- I want to limit the devices that can access the 4G connection to essential devices (eg a laptop or two, rather than Netflix etc).
What's the best way to do that please? Ideally I'd like to avoid replicating firewall rules for WAN/WAN2 and keep it simple in terms of defining the group of permitted devices.
Many thanks in advance.
@Andrew453 said in Manual fail over with subset of devices having access:
> I want the failover to be manual (I need to know I have an issue and that I'm working off 4G)

If you configure System > Advanced > Notification, pfSense will inform you anyway on a gateway failover. So if your only thought is to know which gateway is used, just configure a gateway failover group, set it as default gateway in System > Routing > Gateways and let pfSense do the fail-over automatically.
If you want to do the gateway switching manually anyway, go to System > Routing > Gateways and change the default gateway.
However, I don't know if pfSense notifies you on gateway failing based on the gateway group. Maybe.

@Andrew453 said in Manual fail over with subset of devices having access:
> I want to limit the devices that can access the 4G connection to essential devices (eg a laptop or two, rather than Netflix etc).

Create an alias and add all allowed devices to it. Add a pass rule on the internal interface to tag the connection.
On the 4G WAN add a block rule which is triggered by the tag with "invert". So all connections which are not tagged should be blocked.

Thank you very much for your reply.
I've managed to get it to work - thanks for your help. A couple of points:
• I needed also to add a rule specifically to allow DNS traffic from the DNS Resolver in the firewall across the 4G WAN, otherwise DNS doesn't work (because it doesn't hit on the LAN rule)
• In addition to changing the gateway manually (which is fine), I also need to tweak the DNS Resolver setting so that outbound requests go across the 4G WAN and not the normal WAN. Not sure if there's a way around that? If I enable both outgoing interfaces in DNS Resolver, then it seems to distribute DNS traffic even when the gateway doesn't need to failover.
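The alias/tag scheme from the reply above, together with the extra DNS rule the follow-up found necessary, expressed as the pf rules pfSense ends up generating behind its GUI. This is an added illustration written by hand, not configuration taken from the thread or from pfSense itself; the interface names (lan0, wan4g), the device addresses in the alias and the 4G WAN address are all assumed placeholders.

```pf
# Added illustration (not from the thread): pf.conf rules for the
# "tag on LAN, block untagged on the 4G WAN" scheme.
# Assumed names/addresses: lan0 = LAN, wan4g = 4G LTE WAN,
# 192.0.2.10 and 192.0.2.11 = the essential laptops,
# 198.51.100.2 = the address pfSense holds on the 4G WAN.

# 1. The pfSense alias of permitted devices is a pf table.
table <essential_devices> { 192.0.2.10, 192.0.2.11 }

# 2. LAN pass rule that tags connections from those devices.
#    The tag is attached to the state, so it is still visible when
#    the forwarded packet leaves on whichever WAN is the default gateway.
pass in quick on lan0 inet from <essential_devices> to any \
    tag ESSENTIAL keep state

# 3. Queries from the DNS Resolver (unbound) originate on the firewall
#    itself. They never pass in on LAN, so they never pick up the tag;
#    without this rule the block below silently kills name resolution,
#    which is the symptom described in the follow-up post.
pass out quick on wan4g inet proto { tcp, udp } \
    from 198.51.100.2 to any port 53 keep state

# 4. Anything else leaving via the 4G WAN must carry the tag.
#    "! tagged" is the pf spelling of the GUI's Tagged + Invert.
#    Untagged traffic from non-essential devices (the default LAN
#    allow-all rule still passes it) is dropped here.
block out quick on wan4g inet ! tagged ESSENTIAL
```

Two details worth checking when reproducing this in the GUI: the block must match traffic in the out direction on the 4G interface (a floating rule with direction set to out), because rules on an interface tab match inbound packets only; and the DNS rule must sit before the block, since both are quick rules and pf takes the first quick match. The resolver's "Outgoing Network Interfaces" setting the follow-up mentions maps to unbound's outgoing-interface option, so limiting it to the 4G WAN address only while failed over keeps normal-WAN queries from being spread across both links.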