Failover from local i/f to OpenVPN tunnel (2.0-RC3)

  • Hi,

    Sorry if this was already covered somewhere, I didn't find it by searching web and forums.

    I've got 2 pfSense 2.0-RC3 VMs connecting 2 networks on different sites:


    pfA: LAN (, WAN1, WAN2, OPT1 (
    pfB: LAN (, WAN

    A fibre link connects nwB directly to pfA-OPT1, so if pfA can ping pfB-LAN ( on OPT1, traffic between nwA and nwB should go thru OPT1 (this already works, of course).

    But if pfA cannot ping on OPT1 (i.e. the fibre link between sites is down), traffic between nwA and nwB should go thru an OpenVPN site-to-site tunnel between pfA-WAN2 (a backup Internet connection) and pfB-WAN.

    Can this be achieved with pfSense, and if so, how?

    Thanks a lot,


  • Yes this can be done.
    Create a failover pool under "System" –> "Routing" --> "Groups" and use this failover pool in the allow-firewall on your LAN interface.

  • Thanks for the quick response!

    Yeah, I tried that, and it works fine for "normal" gateways. But which gateway should I use for OpenVPN in the new gateway group?

    The OpenVPN tunnel uses as transfer network, but I cannot create a gateway for No matter which i/f I choose (there are only LAN, WAN1, WAN2, OPT1 to choose from, no OpenVPN), I always get: "The gateway address does not lie within the chosen interface's subnet." That's true, of course.

    Thank you,


  • You can assign the OpenVPN interface as another OPTx.

  • Ah, that's nice!

    I've done it like this now, and the configuration part of it seems to work just fine … I'll try an automatic failover this weekend.

    Thanks a lot!

Log in to reply