Failover from WAN traffic (WAN1) to IPsec VPN (WAN2)

  • Hi all,
    Find attached my architecture for a multi-WAN remote site using pfSense; the details are found below.
    1. WAN1 uses normal routing from the remote site to the Data center via a WAN Service Provider.
    2. WAN2 uses an internet modem to connect to the Data center using an IPsec VPN.
    3. When WAN1 is in standalone mode (thus WAN2 shut down), connectivity is seamless and works OK.
    4. When WAN2 is in standalone mode (thus WAN1 shut down), IPsec works perfectly to the Data center with no issues.
    5. In the Gateway group, WAN1 is the primary and WAN2 is the secondary (Failover mode).
    6. The issue is that if I bring up both WAN1 and WAN2, instead of WAN2 waiting for WAN1 to fail before bringing up the IPsec VPN, the VPN comes up automatically.
    7. When this happens, connectivity to the data center becomes impossible.
    Question: How do I make WAN2 stay on standby until WAN1 fails before bringing up the VPN?

    Thanks guys, looking forward to your response, but have a look at the diagram.
    ![remote site arch.jpg](/public/imported_attachments/1/remote site arch.jpg)

  • Can you use OpenVPN instead of IPSec?

    The scenario:

    You have two locations with Internet connections and a dedicated point-to-point connection between the two and two pfSense systems performing all routing at both sites.  You desire the two sites remain connected should the dedicated connection fail.

    The solution:

    Create a pfSense configuration with failover from the point-to-point connection to a site-to-site VPN utilizing the existing Internet connections at each site.


    1.  Create an OpenVPN Server on the main pfSense and Client setup on the remote pfSense (I used pre-shared keys).  DO NOT set a route option in the Advanced box as most instructions for configuring OpenVPN will suggest, nor should you have a static route to your remote network defined under System -> Routes.  Also note that IPSec cannot be used in this scenario as it doesn't create a new adapter that we can work with in the firewall rules and gateways.

    2.  Check and see that the VPN turns on and connects via Status -> OpenVPN before proceeding.  If it does not, then troubleshoot your Internet connectivity and OpenVPN settings.

    3.  Go to Interfaces -> Assign and add Interface OPT3 with Network port ovpns1 on both the server and the client pfSense systems.

    4.  On both your local and remote pfSense add a new Firewall Rule allowing all protocols from any source to any destination under both OPT3 and OpenVPN.

    5.  On both your local and remote pfSense add OPT3 as a Gateway under System -> Routing -> Gateways, leaving the Gateway and other options blank.

    6.  On both your local and remote pfSense create a new Group under System -> Routing -> Groups.  The group will define your dedicated connection as Tier 1 and OPT3 as Tier 2.  My trigger level is set to Member Down.

    7.  On both your local and remote pfSense create a new Firewall Rule under LAN which has all traffic from all sources bound for the remote network use the new Gateway Group (under Advanced) you created in Step 6.

    8.  Test - unplug the point-to-point connection, monitor things under Status -> Gateways, wait a minute or so, and hopefully you will still be passing traffic albeit through the VPN.
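    The following is an added illustration of the gateway-group behaviour that darnitol's answer relies on; it is not pfSense code and not part of the answer. It models a failover group with the dedicated link in Tier 1 and the VPN interface gateway in Tier 2, and shows why the VPN being connected at the same time as the primary link (the situation in the original question) does no harm under this design: the group's tier selection, not the tunnel state, decides which gateway LAN traffic is policy-routed through. The gateway names, the loss and latency thresholds, and the monitor readings are all constructed assumptions; on a real system the thresholds come from each gateway's monitoring settings.

```python
# Added example: a simplified model of how a pfSense gateway group with
# failover tiers picks the gateway that policy-routed traffic uses.
# Not pfSense's own code; gateway names, thresholds and the sample
# monitor readings are constructed for illustration only.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class GatewayStatus:
    """What the gateway monitor reports for one gateway (constructed values)."""
    name: str
    online: bool        # monitor IP answered at all
    loss_pct: float     # packet loss seen by the monitor
    latency_ms: float   # round-trip time seen by the monitor


@dataclass
class Member:
    """One group member: gateway name plus its tier (1 = most preferred)."""
    gateway: str
    tier: int


# Trigger levels offered in the pfSense gateway group settings.
TRIGGER_LEVELS = (
    "member_down",
    "packet_loss",
    "high_latency",
    "packet_loss_or_high_latency",
)

# Assumed alarm thresholds; real values are configured per gateway.
LOSS_ALARM_PCT = 20.0
LATENCY_ALARM_MS = 500.0


def member_is_usable(status: GatewayStatus, trigger: str) -> bool:
    """Decide whether a member counts as usable under the group's trigger level.

    "member_down" only excludes gateways whose monitor is unreachable; the
    other trigger levels also exclude gateways that are up but degraded.
    """
    if trigger not in TRIGGER_LEVELS:
        raise ValueError(f"unknown trigger level: {trigger}")
    if not status.online:
        return False
    lossy = status.loss_pct > LOSS_ALARM_PCT
    slow = status.latency_ms > LATENCY_ALARM_MS
    if trigger == "member_down":
        return True
    if trigger == "packet_loss":
        return not lossy
    if trigger == "high_latency":
        return not slow
    return not (lossy or slow)


def select_gateways(members: List[Member], statuses: Dict[str, GatewayStatus],
                    trigger: str = "member_down") -> List[str]:
    """Return the gateways of the lowest-numbered tier that has a usable member.

    A higher tier is only consulted once every member of the lower tiers is
    unusable, so a connected but idle VPN gateway in Tier 2 attracts no
    traffic while the Tier 1 link is healthy.
    """
    for tier in sorted({m.tier for m in members}):
        usable = [m.gateway for m in members
                  if m.tier == tier and member_is_usable(statuses[m.gateway], trigger)]
        if usable:
            return usable
    return []   # every member unusable: policy-routed traffic has no gateway


# Group shaped like the thread: dedicated link in Tier 1, VPN gateway in Tier 2.
GROUP = [Member("WAN1_GW", tier=1), Member("OPT3_VPN_GW", tier=2)]


def scenario(wan1_online: bool, wan1_loss: float = 0.0, wan1_latency: float = 20.0,
             trigger: str = "member_down") -> List[str]:
    """Evaluate the group with the VPN gateway always up, varying WAN1's health."""
    statuses = {
        "WAN1_GW": GatewayStatus("WAN1_GW", wan1_online, wan1_loss, wan1_latency),
        "OPT3_VPN_GW": GatewayStatus("OPT3_VPN_GW", True, 0.0, 45.0),
    }
    return select_gateways(GROUP, statuses, trigger)


if __name__ == "__main__":
    print("both links healthy:", scenario(True))
    print("WAN1 monitor unreachable:", scenario(False))
    print("WAN1 up with 40% loss, trigger Member Down:", scenario(True, wan1_loss=40.0))
    print("WAN1 up with 40% loss, trigger Packet Loss:",
          scenario(True, wan1_loss=40.0, trigger="packet_loss"))
```

    The last two scenarios are the practical reason the trigger level matters: with Member Down (the setting used in the answer) a lossy but reachable primary keeps carrying traffic, while Packet Loss or High Latency would move traffic onto the VPN gateway before the link is fully dead. Whichever setting is chosen, a failover is visible under Status -> Gateways, which is the place to watch during the unplug test.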

  • Thanks darnitol, will try it and get back to you. Many thanks for your input I appreciate it.

  • Darnitol, you are the man!!! Works like magic, thanks a million.
