IPsec multi-wan failover
-
Not yet. That's really all there is to it though.
Setup DynDNS, set to use a failover gateway group.
Setup IPsec to use the same failover gateway group.
Set the other end to use the dyndns host as the peer address.
-
Sorry, but I don't have DynDNS access to make the setup, because both firewalls are in my internal network (no internet access). So is there another way to make IPsec work over multi-WAN failover?
Sorry about my English.
-
No, Dynamic DNS is the only viable way at the moment.
Use an internal dynamic DNS server then. Setup BIND somewhere with an RFC2136 dynamic zone and have the other firewall use it to resolve hosts for a private domain.
That's all out of scope for this thread/board though.
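The internal RFC2136 setup jimp describes, as an added example (not from this thread or the pfSense project): a BIND zone that accepts updates only from one TSIG key, and the nsupdate batch a firewall would send when its gateway group fails over. Zone name, key name, hostnames, addresses and the key secret are all constructed placeholders; the BIND host is assumed to be reachable from both firewalls outside the tunnel.

```shell
#!/bin/sh
# Private dynamic DNS for IPsec multi-WAN failover (constructed example).
# Generate a real TSIG secret with: tsig-keygen fw-ddns
ZONE="vpn.internal"                                   # assumed private zone
KEYNAME="fw-ddns"                                     # assumed TSIG key name
KEYSECRET="c2VjcmV0LXBsYWNlaG9sZGVyLW5vdC1mb3ItdXNl"  # placeholder, not a real key

# named.conf fragment: the key, and a zone that only this key may update,
# limited to A records under the zone (update-policy rather than allow-update
# by source IP, since the updating address is exactly what changes on failover).
named_conf_fragment() {
cat <<EOF
key "$KEYNAME" {
    algorithm hmac-sha256;
    secret "$KEYSECRET";
};

zone "$ZONE" {
    type master;
    file "/var/lib/bind/db.$ZONE";
    update-policy {
        grant $KEYNAME zonesub A;
    };
};
EOF
}

# nsupdate batch that replaces a firewall's A record with its current WAN address.
# $1 = firewall hostname, $2 = new WAN address, $3 = BIND server address
nsupdate_batch() {
cat <<EOF
server $3
zone $ZONE.
update delete $1. A
update add $1. 60 A $2
send
EOF
}

# "apply HOST ADDR SERVER" pushes the update with the TSIG key; otherwise print both texts.
if [ "${1:-}" = "apply" ]; then
    nsupdate_batch "$2" "$3" "$4" | nsupdate -y "hmac-sha256:$KEYNAME:$KEYSECRET"
else
    named_conf_fragment
    nsupdate_batch "fw-a.$ZONE" "203.0.113.10" "10.0.0.53"
fi
```

The other firewall then resolves fw-a.vpn.internal against the same BIND server as its IPsec peer address; a 60-second TTL keeps the stale address from lingering after a failover.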
-
Another question: can I use a gateway group as the local endpoint? Because it is shown in my interface list.
@jimp: No, Dynamic DNS is the only viable way at the moment.
Use an internal dynamic DNS server then. Setup BIND somewhere with an RFC2136 dynamic zone and have the other firewall use it to resolve hosts for a private domain.
That's all out of scope for this thread/board though.
I was thinking of doing that but don't know how. I'm using Windows Server 2012 as my internal DNS server; is it possible to do it with that? Or is another possible solution the one found here: http://arkanis.de/weblog/2015-11-27-build-your-own-dyndns ? Correct me please, thanks.
-
If it's an internal DNS server on one side or the other, then you'd have to expose that to the Internet, which probably isn't what you want. It's best to have it be a server with a dedicated static address if possible. If it's all internal you end up in a catch-22/chicken-and-egg scenario: to reach the DNS server you need the VPN, but without the VPN, you can't reach the DNS server.
-
IPSEC failover using Dynamic DNS and multi WAN has never worked properly on any of my sites since 2.2. In all my testing it has just hung, never updated the dynamic DNS and never failed over. Bug 7719, which is fixed in 2.4.0, looks like it finally solves Dynamic DNS. It looks like it was an issue with gateway groups.
https://redmine.pfsense.org/issues/7719
I will be testing as soon as 2.4.0 is released and I'll report my findings!
-
IPSEC failover using Dynamic DNS and multi WAN has never worked properly on any of my sites since 2.2. In all my testing it has just hung, never updated the dynamic DNS and never failed over. Bug 7719, which is fixed in 2.4.0, looks like it finally solves Dynamic DNS. It looks like it was an issue with gateway groups.
https://redmine.pfsense.org/issues/7719
I will be testing as soon as 2.4.0 is released and I'll report my findings!
Does it work?
-
I haven't tested extensively, but the 2.4.0 update did not seem to resolve failover issues on my end. Would be really interested in results from other people though.
-
Dear All,
Are there any recent guides on this topic? I'd finally like to implement multi-WAN failover, but can't completely understand how. The main concern is: do I have to use Dynamic DNS, or is it possible to avoid this technique and use some sort of routing protocol?
On the other hand, it's not a must for me to use IPsec; I'd take OpenVPN to achieve my goal. Thanks for your replies in advance!
-
Right, my latest testing on 2.4.3 is ddns still does NOT work.
I can't believe that the pfSense team, with the various tickets and bugs, aren't actually fixing things and testing them (e.g. bug 8333), so that got me thinking.
https://redmine.pfsense.org/issues/8333
I wonder if the issue is:
My gateway group consists of 2 CARP entries, WAN1 carp and WAN2 carp and I wonder wonder wonder if that's why ddns just never updates!
However, as it stands today, 2 pfsense in an HA cluster with multi WAN (WAN1 and WAN2) - on failing WAN1, ddns entry goes RED on the status pages but never actually updates and goes green with the WAN2 carp address.
-
Well, I'm one more with the same problem.
First of all: pfSense 2.4.2, both sides with a failover gateway group, DDNS on the remote gateway.
So, I'm reading a lot of articles and... I'll test a single change in the IPsec configuration: VPN > IPSEC > Advanced Configuration > Configure Unique IDs set to NO.
Why? https://blog.bravi.org/?p=1209
I don't know if I misunderstood, but I'll try this shot...