Firewall rules for selective failover
-
@richardsago which rule are you viewing states for?
Is "failover" a gateway or group?
Are you missing the block rule?
https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#enforcing-gateway-use
-
Thank you @SteveITS for the reply. "failover" is a gateway group that prioritizes WAN1 and then will fail over to WAN2.

Thank you for pointing me to the link. If I replace my last two entries with these three entries, will this ensure that only the seven devices in the alias Allowed_FailOver will fail over to WAN2 if WAN1 fails, and that the remaining devices will still be connected to WAN1 but will not fail over to WAN2 if WAN1 fails:

-
@richardsago That looks better. You also need to check the "Do not create rules when gateway is down" option per the docs.
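To make the interaction between rule order, the gateway group and the "Do not create rules when gateway is down" option concrete, here is a small first-match rule evaluator. It is an added example written for this page, not pfSense code and not something either poster provided: the alias addresses, the gateway names `WAN1_GW` and `WAN2_GW`, the exact three-rule layout, and the assumption that the system default gateway is itself the "failover" group are all constructed for illustration. It models the behaviour the option text describes (a rule whose gateway is down is normally loaded without its gateway, so matching traffic follows the default route; with the option enabled the rule is left out entirely, so traffic falls through to the next rule), which is why the trailing block rule from the linked doc matters.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the thread): seven made-up hosts for the
# Allowed_FailOver alias, and a two-tier gateway group named "failover".
ALLOWED_FAILOVER = frozenset(f"192.168.20.{i}" for i in range(11, 18))
GROUPS: Dict[str, List[str]] = {"failover": ["WAN1_GW", "WAN2_GW"]}  # tier 1, tier 2


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    sources: Optional[frozenset]   # None means "any"
    gateway: Optional[str] = None  # None means "*" (system default routing)


# Assumed ruleset for one VLAN interface, in the spirit of the linked doc:
#  1. hosts in the alias may use the failover group
#  2. everyone else is pinned to WAN1 only
#  3. whatever falls through is blocked (the "enforce gateway use" block rule)
RULES = [
    Rule("pass", ALLOWED_FAILOVER, "failover"),
    Rule("pass", None, "WAN1_GW"),
    Rule("block", None),
]


def resolve(name: str, up: Dict[str, bool]) -> Optional[str]:
    """First usable member of a gateway group, or the gateway itself if it is up."""
    for member in GROUPS.get(name, [name]):
        if up.get(member, False):
            return member
    return None


def evaluate(rules: List[Rule], src: str, up: Dict[str, bool],
             skip_when_down: bool, default_gw: str = "failover") -> Tuple[str, Optional[str]]:
    """First-match evaluation; returns (verdict, gateway the packet leaves through)."""
    for rule in rules:
        if rule.sources is not None and src not in rule.sources:
            continue
        if rule.action == "block":
            return ("block", None)
        if rule.gateway is None:
            return ("pass", resolve(default_gw, up))        # "*": normal routing table
        gw = resolve(rule.gateway, up)
        if gw is not None:
            return ("pass", gw)                             # policy-routed out this gateway
        if skip_when_down:
            continue                                        # rule not loaded: fall through
        return ("pass", resolve(default_gw, up))            # rule loaded without its gateway
    return ("block", None)                                  # implicit default deny


def scenario(src: str, wan1_up: bool, skip_when_down: bool) -> Tuple[str, Optional[str]]:
    """Evaluate one host with WAN2 always up and WAN1 either up or down."""
    up = {"WAN1_GW": wan1_up, "WAN2_GW": True}
    return evaluate(RULES, src, up, skip_when_down)


if __name__ == "__main__":
    for src in ("192.168.20.11", "192.168.20.50"):          # in alias / not in alias
        for wan1_up in (True, False):
            for skip in (True, False):
                print(f"{src:15} WAN1 up={wan1_up!s:5} skip_when_down={skip!s:5} -> "
                      f"{scenario(src, wan1_up, skip)}")
```

The case worth noticing is the non-alias host with WAN1 down and the option disabled: rule 2 is loaded without its gateway, the packet follows the default route, and because the default gateway is assumed to be the group it leaves via WAN2 anyway. With the option enabled the same packet falls through to the block rule, which is the behaviour the thread is asking for.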
-
Thank you @SteveITS for the reply. When I implemented Blocking External Client DNS Queries, the first line (the allow line) in the docs has the Gateway set to asterisk:

But because we have multi-WAN, I set the gateway of the allow line to the gateway group "failover". I thought that if I did this it would ensure that the allow line will always be run whether WAN1 or WAN2 is up. Should I just set the allow line's Gateway back to asterisk, and will this still run the allow line whether WAN1 or WAN2 is up?

-
@richardsago IIRC if you set a gateway those packets will be forced out the gateway. You are connecting to LAN Address on the pfSense so the packets should not be sent anywhere else.
-
Thank you @SteveITS for the reply. Sorry I did not understand. Did you mean I was correct when I set the gateway of the allow line to the gateway group "failover"? Or did you mean I should set it to asterisk and it will still do what we required which was to run this allow line using WAN1 but fail over to WAN2 if WAN1 goes down?
-
@richardsago What are you intending to allow there? DNS lookups to DNS servers on the Internet? Or DNS lookups to pfSense itself?
I assumed it was the latter, in which case no gateway is needed since pfSense LAN IP is on the LAN subnet, and failover would be irrelevant since the DNS query would not leave the local network.
The images of rules are showing different interfaces, at least the Destination differs. If you intend to allow queries only to pfSense it would be clearer to allow destinations of LAN Address, VLAN10 Address, VLAN20 Address in the rule on each interface.
-
Thank you @SteveITS for the reply. Please let me know if I understand correctly that if I want to block external client DNS queries and for WAN1 to fail over to WAN2 then I need to change the highlighted gateway entry below from gateway group "failover" to asterisk?

-
@richardsago Blocking external DNS queries is the second rule in your image...from VLAN20 to *:53.
I assume you're looking at the VLAN20 interface here?
The first rule I guess covers from devices on that network to the pfSense VLAN20 IP. Is DNS working for VLAN20 devices? It would be clearer to remove the gateway setting there yes. Presumably you want the VLAN20 devices to use pfSense as their DNS server?
-
Thank you @SteveITS for the reply. Yes this is for the VLAN20 interface. DNS is working for its devices when the first rule's gateway was "failover" and also when this is now set to asterisk. I have finished setting the first rule of all VLANs from gateway "failover" to asterisk and everything is working. Thank you for this clarification.