Wierd Load Balancing and VPn question Multi-WAN and configuration

  • Wasn't sure this was the right place, I'm sure the mods will move it if it isn't

    I have a kinda wierd setup that I am looking to do.

    My company uses PFSense with Open VPN and it is great however we are looking for a backup solution that might be possible with pfsense and would make me very happy if it can.

    Our primary WAN at a remote location is done through MPLS lines back to our core IT network. Recently it has been a prblem when the MPLS fails I can't get to my gear on the other side becuase their core netowrk is down (mine is not). I don't need VPN tuinneling to work on this WAN because of the MPLS and the complications that it would cause me with gateways and such.

    What I am looking to accomplish is that when the primary WAN link goes down (the MPLS system) that pfsense will build a VPN tunnel using Open VPN out WAN2 which would be connected to a cellular capable router for backup purposes to bring the network back to my core system and then once the WAN is restored, drop the vpn and the celullar connection and drive to the primary WAN.

    Is this possible?

    I have attached a photo to show what I am trying to accomplish

  • here is the PIC of what I am attempting to do

    ![network attempt #1.PNG](/public/imported_attachments/1/network attempt #1.PNG)
    ![network attempt #1.PNG_thumb](/public/imported_attachments/1/network attempt #1.PNG_thumb)

  • That's doable where you can deploy a routing protocol (probably OSPF, may have to use BGP as routes may need to be exchanged with the MPLS provider), but will get pretty complex because I know your core network is a whole lot more complex than one switch there, at least 3 routing devices involved (jschimanski is a support customer, I'm moderately familiar with their network), plus the MPLS provider's network. I'll follow up with you in private on options, will need to get some more specifics on all the core routing devices to determine exactly where and how the routing protocol would need to be setup.

  • Rebel Alliance Developer Netgate

    Another possible way would be (on 2.0, recent snapshots only) to send the outgoing OpenVPN traffic for that instance into a failover pool, so it would re-route over the other WAN if needed.

    If the remote system has a different IP for each direction, you can also add another "remote x.x.x.x" entry into the custom options to direct it there if the primary link on the server end should fail.

Log in to reply