PfSense 2.0 site-to-site Dual Wan failover guide?



  • We are testing pfSense 2.0 and love it so far. OpenVPN from Viscosity is great! Once we are confident of upgrading our existing 1.2.3 routers that have dual WAN I want to move from IPSec tunnels to automatic failover OpenVPN tunnels between the locations. Does anyone have a guide for this procedure? I just bought the new Packt book, but they don't cover that.

    Thanks!


  • Rebel Alliance Developer Netgate

    We don't really have a guide for that (yet!), there are a couple different ways you can do it though:

    1. Run permanent tunnels over both WANs without routes/IPs and run OSPF to do routing which can handle the failover
    2. Use floating rules/outbound NAT rules to direct your outgoing OpenVPN client connections into a failover gateway group. This, combined with an extra remote line in the client to make it try a second server IP may do the trick. (On the server side, you may want to bind OpenVPN to LAN and use port forwards from each WAN to direct the incoming connections so they are allowed over each WAN as needed…)

    Sorry for the lack of detail, but it's a pretty complicated thing to spell out.

    I just received a copy of that Packt book, I need to look it over. We (pfSense developers, staff, etc) didn't write that so I'm not sure what its quality will be like, and honestly since we have our own book there are some ethical issues about reviewing it since there is a conflict of interest.
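To illustrate the client-side part of the second method (the extra `remote` line so the client tries a second server address, with a keepalive so a dead WAN is noticed and the client reconnects), here is an added example OpenVPN client and server configuration; it is not from the pfSense project or the thread authors. The addresses `203.0.113.10`, `198.51.100.10`, `192.168.1.1` and the certificate paths are placeholders; the pfSense floating rules, outbound NAT and port forwards mentioned above are configured in the firewall and are not shown here.

```conf
# ---- client side (site B), constructed example ----
client
dev tun
proto udp
nobind
# Two remote lines: OpenVPN tries them in order, so if the first
# WAN of site A is down the client moves on to the second address.
# (The placeholder IPs stand for site A's two WAN addresses.)
remote 203.0.113.10 1194
remote 198.51.100.10 1194
# Keep retrying name resolution / connection forever after a WAN outage.
resolv-retry infinite
connect-retry 5
# Ping every 10 s; if nothing is heard for 60 s, restart and
# fall through to the next remote. This is what detects a WAN failure.
keepalive 10 60
persist-key
persist-tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/siteB.crt
key  /etc/openvpn/siteB.key
# Pin the server identity so a reconnect to either address is still
# verified against the same server certificate.
remote-cert-tls server
verb 3

# ---- server side (site A), constructed example ----
# Bind to the LAN address only; each WAN gets a port forward for
# UDP/1194 to this address, so whichever WAN is up can receive the
# tunnel without running two server instances.
local 192.168.1.1
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
# Route site B's LAN through the tunnel (placeholder prefix).
route 192.168.2.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
keepalive 10 60
persist-key
persist-tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/siteA.crt
key  /etc/openvpn/siteA.key
dh   /etc/openvpn/dh.pem
verb 3
```

The failover on the client side is only as fast as the `keepalive` timeout, so the second value is the approximate outage before the tunnel moves to the other address.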



  • Any way we can pay for the creation of such a report? I like the idea of the new site that had tutorials for subscribers. Or would it be better for me to just pay for you to configure an example setup for me on one of my networks that I can replicate?

    Thanks


  • Rebel Alliance Developer Netgate

    I have a rough draft of the OSPF method that I've sent to some of our commercial support subscribers before, but it's still a little rough around the edges.

    The other method hasn't had any documentation at all yet, I'm not sure anyone has ever done that exactly as I described.

    You could put up a bounty for the documentation if you want to speed it up. It will happen eventually, whether it ends up on the Doc Wiki or in our 2.0 book (when that gets going), but funding always speeds up the process.

