WAN<->VPN failoover

  • Hi all
    I've a problem with pfSense 2.0.1.
    Here's my configuration (Soekris 5501 with 4 LAN):

    WAN  -->> PPPoE internet with static address
    LAN  -->> internal lan (
    OPT1 -->> mpls line with another site. (
    VPN (openvpn) on WAN interface. (vpn tunnel

    I must do this:

    • All internet traffic "must" pass through WAN
    • Traffic for subnet must pass through the OPT1 interface, but in case of failure (pinging one address) traffic must be redirected to the VPN.
      In interface grouping I don't see VPN.....
      How can I do this??
      Thanks to all!!

  • You need to assign an interface to the ovpn instance. Be sure to set the interface type to 'none'.
    Then restart your OpenVPN service and add firewall rules to the newly created OPT(X) interface.

    If all works like it did before, you can now assign the OPT(X) interface to a gateway group.

    You could probably also use a dynamic routing protocol like (Quagga) OSPF to accomplish the same thing; then you might not need to assign an interface to the ovpn instance.


  • Thanks!!!!
    I'll try it this evening…..
    but.... what rules must I add??

  • By default pfSense will block all, so you probably want to allow the same things you had in the 'openvpn' firewall tab.

  • Thanks….
    Now I've the opt3 interface on VPN.
    But I don't understand what IP address I must assign to this interface.
    DHCP or the OpenVPN tunnel's address?
    Thanks for the answer..

  • As I've mentioned before … don't set an address on opt3. Don't set it to DHCP either. Set type to 'none', then restart the OpenVPN service.

    An address will be assigned automagically.

  • How did this work out for you?  I've asked a similar question at http://forum.pfsense.org/index.php/board,21.0.html and would like to compile a how-to guide.

    If you're going to eat poison you might as well lick the plate.

  • Eureka!  Thanks, Heper!

    Here's the guide I've promised:

    The scenario:

    You have two locations with Internet connections and a dedicated point-to-point connection between the two and two pfSense systems performing all routing at both sites.  You desire the two sites remain connected should the dedicated connection fail.

    The solution:

    Create a pfSense configuration with failover from the point-to-point connection to a site-to-site VPN utilizing the existing Internet connections at each site.


    1.  Create an OpenVPN Server on the main pfSense and Client setup on the remote pfSense (I used pre-shared keys).  DO NOT set a route option in the Advanced box as most instructions for configuring OpenVPN will suggest, nor should you have a static route to your remote network defined under System -> Routes.  Also note that IPSec cannot be used in this scenario as it doesn't create a new adapter that we can work with in the firewall rules and gateways.

    2.  Check and see that the VPN turns on and connects via Status -> OpenVPN before proceeding.  If it does not then troubleshoot your Internet connectivity and OpenVPN settings.

    2.  Go to Interfaces -> Assign and add Interface OPT3 with Network port ovpns1 on both the server and the client pfSense systems.

    3.  On both your local and remote pfSense add a new Firewall Rule allowing all protocols from any source to any destination under both OPT3 and OpenVPN.

    4.  On both your local and remote pfSense add OPT3 as a Gateway under System -> Routing -> Gateways leaving the Gateway and other options blank.

    5.  On both your local and remote pfSense create a new Group under System -> Routing -> Groups.  The group will define your dedicated connection as Tier 1 and OPT3 as Tier 2.  My trigger level is set to Member Down.

    6.  On both your local and remote pfSense create a new Firewall Rule under LAN which has all traffic from all sources bound for the remote network use the new Gateway Group (under Advanced) you created in Step 5.

    7.  Test - unplug the point-to-point connection, monitor things under Status -> Gateways, wait a minute or so, and hopefully you will still be passing traffic albeit through the VPN.

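An added example, not part of the original post and not pfSense code: a simplified Python model of the tiered gateway group from Steps 5 to 7, showing why traffic moves to the VPN only after the monitor has lost a full window of probes. The gateway names, the five-probe window and the failback on the first reply are assumptions made for illustration.

```python
"""Simplified model of a tiered gateway group with a 'Member Down' trigger.
Illustrative only: gateway names and the probe window are constructed."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    tier: int                  # 1 = preferred, higher = fallback
    window: int = 5            # recent probes considered (assumed value)
    probes: deque = field(default_factory=deque)

    def record(self, reply: bool) -> None:
        """Store one monitor probe result, keeping only the last `window`."""
        self.probes.append(reply)
        while len(self.probes) > self.window:
            self.probes.popleft()

    @property
    def down(self) -> bool:
        # 'Member Down': only total loss over a full window marks it down.
        return len(self.probes) == self.window and not any(self.probes)


def select_gateway(group):
    """Return the live member with the lowest tier, or None if all are down."""
    live = [g for g in group if not g.down]
    if not live:
        return None
    return min(live, key=lambda g: (g.tier, g.name)).name


def replay(group, timeline):
    """Feed one probe result per gateway per interval; list the choice made."""
    chosen = []
    for results in timeline:
        for g in group:
            g.record(results[g.name])
        chosen.append(select_gateway(group))
    return chosen


def demo():
    """Constructed timeline: link healthy, unplugged for 5 probes, restored."""
    group = [Gateway("OPT1_P2P", tier=1), Gateway("OPT3_VPN", tier=2)]
    ok = {"OPT1_P2P": True, "OPT3_VPN": True}
    cut = {"OPT1_P2P": False, "OPT3_VPN": True}
    return replay(group, [ok] * 5 + [cut] * 5 + [ok] * 2)


if __name__ == "__main__":
    for step, gw in enumerate(demo(), 1):
        print(step, gw)
```

In this model the group keeps routing over the Tier 1 link for the first four lost probes and switches to Tier 2 on the fifth, which is the delay Step 7 tells you to wait out.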