    Firewall rules for selective failover

richardsago

      Good day. I have created an alias containing seven IP addresses that will be allowed for failover to another WAN:
[screenshot: the alias]

I have duplicated the firewall rule allowing the data to pass through, then moved the duplicate above the original entry so it will be processed first, as the firewall sees it first, then set the duplicate's source to the new alias:
[screenshot: the duplicated rule]

      But when I clicked the States link of the new entry, some IP addresses that do not belong to the seven IP addresses of the new alias appeared:
[screenshot: the States view]

      My understanding is that only the seven IP addresses should appear in the Source column of this screen. Please let me know my errors, or if my understanding is wrong. Thank you in advance.

Bob.Dig @richardsago

        @richardsago Probably old states from before altering the rule. Kill all states to be sure.
Btw, some of your rules don't make sense: the last rule and the first DNS rules. If you want your firewall's DNS to be accessible, you don't set an (internet) gateway in that rule.

richardsago @Bob.Dig

Thank you @Bob.Dig for the reply. There are users connected, so I will check again tomorrow in the hope that all states will have been closed by then. Is my reasoning correct, or will there be old states that are still there tomorrow?

SteveITS @richardsago

            @richardsago which rule are you viewing states for?

            Is “failover” a gateway or group?

            Are you missing the block rule?
            https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#enforcing-gateway-use

            To upgrade, select your branch in System/Update/Update Settings. When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
            Only install packages for your version of pfSense.
            Upvote 👍 helpful posts!

richardsago @SteveITS

Thank you @SteveITS for the reply. "failover" is a gateway group that prioritizes WAN1 and then will fail over to WAN2.
[screenshot: the gateway group]

Thank you for pointing me to the link. If I replace my last two entries with these three entries, will this ensure that only the seven devices in the alias Allowed_FailOver will fail over to WAN2 if WAN1 fails, and that the remaining devices will still be connected to WAN1 but will not fail over to WAN2 if WAN1 fails?
[screenshot: the three proposed rules]

SteveITS @richardsago

                @richardsago That looks better. You also need to check the "Do not create rules when gateway is down" option per the docs.

richardsago @SteveITS

Thank you @SteveITS for the reply. When I implemented Blocking External Client DNS Queries, the first line (the allow line) in the docs has the Gateway set to an asterisk:
[screenshot: the allow rule from the docs]

But because we have multi-WAN, I set the gateway of the allow line to the gateway group "failover". I thought that if I did this it would ensure that the allow line is always run whether WAN1 or WAN2 is up. Should I just set the allow line's Gateway back to an asterisk, and will this still run the allow line whether WAN1 or WAN2 is up?

[screenshot: the allow rule with gateway "failover"]

SteveITS @richardsago

@richardsago IIRC if you set a gateway those packets will be forced out the gateway. You are connecting to LAN Address on the pfSense, so the packets should not be sent anywhere else.

richardsago @SteveITS

Thank you @SteveITS for the reply. Sorry, I did not understand. Did you mean I was correct when I set the gateway of the allow line to the gateway group "failover"? Or did you mean I should set it to an asterisk and it will still do what we require, which is to run this allow line using WAN1 but fail over to WAN2 if WAN1 goes down?

SteveITS @richardsago

                        @richardsago What are you intending to allow there? DNS lookups to DNS servers on the Internet? Or DNS lookups to pfSense itself?

                        I assumed it was the latter, in which case no gateway is needed since pfSense LAN IP is on the LAN subnet, and failover would be irrelevant since the DNS query would not leave the local network.

                        The images of rules are showing different interfaces, at least the Destination differs. If you intend to allow queries only to pfSense it would be clearer to allow destinations of LAN Address, VLAN10 Address, VLAN20 Address in the rule on each interface.

richardsago @SteveITS

Thank you @SteveITS for the reply. Please let me know if I understand correctly that if I want to block external client DNS queries and have WAN1 fail over to WAN2, then I need to change the highlighted gateway entry below from the gateway group "failover" to an asterisk?

[screenshot: the VLAN20 rules with the gateway entry highlighted]

SteveITS @richardsago

@richardsago Blocking external DNS queries is the second rule in your image, from VLAN20 to *:53.

                            I assume you're looking at the VLAN20 interface here?

                            The first rule I guess covers from devices on that network to the pfSense VLAN20 IP. Is DNS working for VLAN20 devices? It would be clearer to remove the gateway setting there yes. Presumably you want the VLAN20 devices to use pfSense as their DNS server?

richardsago @SteveITS

Thank you @SteveITS for the reply. Yes, this is for the VLAN20 interface. DNS was working for its devices when the first rule's gateway was "failover" and is also working now that it is set to an asterisk. I have finished changing the first rule of all VLANs from the gateway group "failover" to an asterisk and everything is working. Thank you for this clarification.

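As an added example (not code from the thread, from pfSense, or from the linked docs), here is a small Python model of first-match evaluation over the VLAN20 rule order the thread converges on: the DNS-to-pfSense rule with no gateway, the block for external DNS, the Allowed_FailOver rule on the "failover" group, a WAN1-only rule for everyone else, and the enforcing block rule from the "enforcing gateway use" page. The addresses, the exact shape of the rules, and the skip_down flag (standing in for "Do not create rules when gateway is down") are assumptions of this model, not anything the thread shows.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the VLAN20 rule set this thread converges on. Addresses
# are made up; "failover" is the thread's WAN1-then-WAN2 gateway group.
VLAN20_NET = ip_network("10.20.0.0/24")
VLAN20_ADDRESS = ip_address("10.20.0.1")              # pfSense's VLAN20 IP
ALLOWED_FAILOVER = {ip_address("10.20.0.11"), ip_address("10.20.0.12")}
GATEWAY_GROUPS = {"failover": ["WAN1", "WAN2"]}        # tier 1, then tier 2

# (action, source, destination, dst port, gateway), evaluated top to bottom,
# first match wins. Gateway None is "*" (plain routing table), which is what
# SteveITS recommends for the DNS-to-pfSense rule.
RULES = [
    ("pass",  VLAN20_NET,       VLAN20_ADDRESS, 53,   None),        # DNS to pfSense
    ("block", VLAN20_NET,       "any",          53,   None),        # no external DNS
    ("pass",  ALLOWED_FAILOVER, "any",          None, "failover"),  # alias may fail over
    ("pass",  VLAN20_NET,       "any",          None, "WAN1"),      # everyone else: WAN1
    ("block", VLAN20_NET,       "any",          None, None),        # enforce gateway use
]

def resolve_gateway(gw, up):
    """First usable member of gw (a group name or a single gateway), else None."""
    for member in GATEWAY_GROUPS.get(gw, [gw]):
        if member in up:
            return member
    return None

def evaluate(src, dst, port, up, skip_down=True):
    """Return ("pass", gateway) or ("block", None) for one packet. skip_down
    models 'Do not create rules when gateway is down': a rule whose gateway is
    down is left out so traffic falls to the next rule; without it the rule
    stays and sends traffic via the routing table (possibly onto WAN2)."""
    src, dst = ip_address(src), ip_address(dst)
    for action, rsrc, rdst, rport, gw in RULES:
        if src not in rsrc or (rdst != "any" and dst != rdst):
            continue
        if rport is not None and rport != port:
            continue
        if action == "block":
            return ("block", None)
        if gw is None:
            return ("pass", "routing table")
        chosen = resolve_gateway(gw, up)
        if chosen is not None:
            return ("pass", chosen)
        if not skip_down:                      # rule created without its gateway
            return ("pass", "routing table")
    return ("block", None)                     # implicit default deny
```

Running evaluate for a non-alias host with only WAN2 up shows the difference the option makes: with skip_down the packet hits the block rule, without it the packet leaves via the routing table.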