Failover only

  • Hi All,
    I have a PFSENSE Fw with two internet connections that I don't want to load balance since one connection is devoted to mail services and vpn access while the other one is used for web browsing and normal internet surfing.
    Wan is 10 Mbit/s low-cost connection while OPT2 is 2Mbit/s quite expensive with a good SLA.
    So my aim is to use the most reliable line to keep core services up and grant road warriors access to the LAN through an OpenVPN link.
    I don't want or need load balancing since I don't want the "services" line to be cluttered with traffic made by normal users in office.
    What I need is to activate failover since the 10Mbit/s line is not very reliable.
    So I created a pool for failover only like shown in the attached pool.png file.
    I also have some static routes configured like shown in the attached static-routes.png.
    The routes are needed to force the usage of the OPT2 interface to reach some specific internet services that require access from a fixed IP.
    My problem is simple: failover doesn't happen at all.
    The IP used for ping monitoring doesn't belong to any of two ISPs: it's a very reliable DNS server.
    I'm not using any proxy.
    The DNS server is in the LAN and uses the same external DNS server above as forwarders.
    One more info: WAN link is on DHCP while OPT2 has a fixed IP.
    Thanks for your kind attention.


  • I have a similar layout to build, so I wanna know if you could make it work? Or if anybody can help with this problem? Plus I need to use squidguard, but I read that it doesn't work with multiwan. Is that true?
    Thanks and sorry about my English

  • @Bittone66:

    The IP used for ping monitoring doesn't belong to any of two ISPs: it's a very reliable DNS server.

    Here's your problem. You should be using two different monitor IPs. My recommendation would be to use your ISPs' gateways (if they respond to ping).

  • Hi dondos,
    ok I changed the monitored IPs but still failover doesn't happen.
    As you can see in the log I attached there is something wrong going on with apinger.
    The log refers to the last test today: I unplugged the cable from my wan port waited for 90 seconds and plugged it in again.
    Result: no connection while the wan cable was unplugged.
    Any clue?
    Thanks in advance for your time.


  • Let's see:

    1. Those static routes look strange. In this case "interface" means on which interface the traffic will be sent to the specified gateway. You should use here anything (WAN, OPT1, OPT2, etc.) but LAN.
    2. Did you configure static routes for your DNS servers? If your only DNS server is then you wouldn't be able to access the internet because your DNS server is marked as down. Your PC should be configured to use your pfSense box as DNS server.

    There's nothing wrong with apinger. I had a similar problem. See this topic.

    Here's my working setup:
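    A small configuration sanity check that encodes the two points made in this thread (each gateway in the failover pool needs its own monitor IP, and a static route's interface must be the WAN/OPT interface the gateway lives on, never LAN). This is an added example, not code from the thread or from pfSense; the dict layout, interface table and addresses (RFC 5737 documentation prefixes) are constructed for illustration and do not reflect pfSense's real config format.

```python
"""Sanity checks for a pfSense-style failover pool and static routes.

Constructed example: the data below is made up (RFC 5737 documentation
prefixes) and the dict layout is an assumption, not pfSense's config format.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed interface table: address and subnet of each firewall interface.
INTERFACES = {
    "WAN":  {"address": "203.0.113.10", "network": "203.0.113.0/24"},
    "OPT2": {"address": "198.51.100.2", "network": "198.51.100.0/29"},
    "LAN":  {"address": "192.168.1.1",  "network": "192.168.1.0/24"},
}

# Constructed failover pool: both gateways monitor the same external DNS IP,
# which is the situation the original poster described.
POOL_SHARED_MONITOR = [
    {"name": "WAN_GW",  "interface": "WAN",  "gateway": "203.0.113.1",  "monitor": "192.0.2.53", "tier": 1},
    {"name": "OPT2_GW", "interface": "OPT2", "gateway": "198.51.100.1", "monitor": "192.0.2.53", "tier": 2},
]

# Same pool after following the advice to monitor each ISP's own gateway.
POOL_FIXED = [dict(g, monitor=g["gateway"]) for g in POOL_SHARED_MONITOR]

# Constructed static routes: the first uses LAN as the interface (the mistake
# pointed out above); the second is the corrected form via OPT2.
STATIC_ROUTES = [
    {"destination": "192.0.2.0/25",   "gateway": "198.51.100.1", "interface": "LAN"},
    {"destination": "192.0.2.128/25", "gateway": "198.51.100.1", "interface": "OPT2"},
]


def check_failover_pool(pool, interfaces=INTERFACES):
    """Return a list of findings; an empty list means the pool looks sane."""
    findings = []
    if len(pool) < 2:
        findings.append("failover pool needs at least two gateways")
    # One monitor target shared by both gateways cannot distinguish which
    # link is down, so the pool never fails over cleanly.
    by_monitor = defaultdict(list)
    for gw in pool:
        by_monitor[gw.get("monitor") or gw["gateway"]].append(gw["name"])
    for monitor, names in by_monitor.items():
        if len(names) > 1:
            findings.append(f"monitor IP {monitor} shared by {', '.join(names)}; "
                            "give each gateway its own monitor target")
    # Each gateway address must sit inside its own interface's subnet.
    for gw in pool:
        net = ip_network(interfaces[gw["interface"]]["network"])
        if ip_address(gw["gateway"]) not in net:
            findings.append(f"{gw['name']}: gateway {gw['gateway']} is not in "
                            f"{gw['interface']} subnet {net}")
    # Identical tiers mean there is no primary/backup ordering at all.
    if len(pool) > 1 and len({gw["tier"] for gw in pool}) == 1:
        findings.append("all gateways have the same tier; no failover order defined")
    return findings


def check_static_routes(routes, interfaces=INTERFACES):
    """Flag static routes whose interface cannot reach the chosen gateway."""
    findings = []
    for rt in routes:
        dst, iface, gw = rt["destination"], rt["interface"], ip_address(rt["gateway"])
        if iface == "LAN":
            findings.append(f"route {dst}: interface LAN is wrong; use the WAN/OPT "
                            "interface the gateway lives on")
            continue
        net = ip_network(interfaces[iface]["network"])
        if gw not in net:
            findings.append(f"route {dst}: gateway {gw} is not reachable on {iface} ({net})")
    return findings


if __name__ == "__main__":
    for label, pool in (("shared monitor", POOL_SHARED_MONITOR), ("fixed", POOL_FIXED)):
        print(label, check_failover_pool(pool) or "OK")
    print("static routes", check_static_routes(STATIC_ROUTES) or "OK")
```

    Run as-is, it reports the shared monitor IP for the original pool, "OK" for the pool that monitors each ISP gateway, and the LAN-interface static route; feed it your own interface table and pool entries to get the same checks on a real layout.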

  • Hi dondos,
    changed the static routing on your hint, but nothing changed on the failover issue.
    My DNS servers are not the hosts used for link monitoring nor are they the ones of the ISPs. I'm using a "private" service offered by another company with a very robust infrastructure, so I require no static routing for DNS service.
    To clarify my DNS solution: the PFsense uses a DNS that is inside my LAN network, this DNS forwards to the external DNS servers, so I should need no static routing for DNS name resolution.


    P.S.: how long does the failover process take on your setup?

  • I see… Well I'm out of ideas then.

    In my case the failover process takes about 10 seconds.

  • Your problem is the touch /tmp/filter_dirty error. There are newer snapshots of the 1_2 branch that have that fixed.

    Note: I would not recommend those for anyone else to use.
