Complex Failover Rules

  • Greetings,

    I've been running pfSense for a few months' time and it's really excellent.

    We currently have a DSL connection which we use only for voice (SIP) and a WiMax-type connection that we use for bulk traffic (web browsing / email etc.). The rules all work fine, but voice over DSL is not ideal so we're getting a leased line for voice, at which point we'll use DSL for our bulk traffic and WiMax for backup:

    WAN1: Leased line - Voice only
    WAN2: DSL - Bulk traffic
    WAN3: Wimax - Backup

    If WAN1 fails, voice will fall back to running via WAN2. However, if that happens, it will already be congested with bulk traffic. So I want to move the bulk traffic to WAN3 at the same time so the DSL connection is as clear as possible for voice.

    Is there any way this is possible?

  • you might get away with something like this:

    WAN1 monitor ip: some public ip like
    WAN2 monitor ip: an ip only pingable from WAN1, for example the gateway of WAN1 (set the "down" to 20)
    WAN3 monitor ip: some public ip like

    i have no clue if this will/can/should work but if you can afford to play around behind office hours then it might be worth a shot
    IF this somehow works it should result in what you are requesting (but i doubt it)
    what might happen is this:
    WAN1 goes down and voice switches to WAN2
    after 20 seconds WAN2 goes fake-down and WAN3 will take bulk. What will happen to the voice traffic at this point is a mystery, but worth a shot.

  • heper, that should work as you would use 2 different gateway groups anyways.

  • Many thanks for your replies and sorry about the delayed response - I didn't get an email notification from the forum so thought no-one had responded.  ::)

    It sounds promising, but looking at the user interfaces I'm not sure how I would achieve it (I'm using 2.0.3).

    To explain what I mean…I would set up the gateway groups like this:

    Voice GW Group: WAN1 (p1), WAN2 (p2)
    Bulk GW Group: WAN2 (p1), WAN3 (p2)

    The issue is that I can only set a monitor IP specific to a gateway, not a gateway group. So if I set WAN2 to monitor an address only reachable by WAN1, and WAN1 goes down, I think WAN2 will be marked as DOWN (on a global basis), so neither gateway group will be able to use it. I end up with my Voice GW Group having WAN1 really down and WAN2 fake down, so no traffic would flow at all.

    Or am I misunderstanding something?
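
The concern raised in the post above can be checked on paper with a small model. This is an added example, not part of the original thread and not pfSense code; it assumes gateway status is one value per gateway shared by every group (the poster's suspicion, not confirmed here), and it does not model the 20-second "down" delay. The names `PLAIN`, `TRICK`, `monitor_via` and the helper functions are made up for this sketch.

```python
from itertools import product

# Constructed model of the setup discussed in the thread (illustrative names).
LINKS = ("WAN1", "WAN2", "WAN3")
GROUPS = {
    "voice": [("WAN1", 1), ("WAN2", 2)],   # (gateway, tier)
    "bulk":  [("WAN2", 1), ("WAN3", 2)],
}

def gateway_status(link_up, monitor_via):
    """A gateway counts as up only if its own link is up AND its monitor IP
    answers. monitor_via[gw] names the link the monitor IP depends on
    (the gateway itself for an ordinary public monitor IP).
    Assumption: this status is global, i.e. shared by all gateway groups."""
    return {gw: link_up[gw] and link_up[monitor_via[gw]] for gw in LINKS}

def select(group, status):
    """Return the lowest-tier member whose gateway is up, else None."""
    for gw, _tier in sorted(GROUPS[group], key=lambda m: m[1]):
        if status[gw]:
            return gw
    return None

def routing_table(monitor_via):
    """Map every link-failure combination to the gateway chosen per group."""
    table = {}
    for ups in product((True, False), repeat=len(LINKS)):
        link_up = dict(zip(LINKS, ups))
        status = gateway_status(link_up, monitor_via)
        table[ups] = {g: select(g, status) for g in GROUPS}
    return table

# Ordinary monitoring: each gateway pings something reachable over itself.
PLAIN = {"WAN1": "WAN1", "WAN2": "WAN2", "WAN3": "WAN3"}
# Suggested trick: WAN2's monitor IP is only reachable while WAN1 is up.
TRICK = {"WAN1": "WAN1", "WAN2": "WAN1", "WAN3": "WAN3"}

if __name__ == "__main__":
    for name, mon in (("plain", PLAIN), ("trick", TRICK)):
        print(name)
        for ups, chosen in routing_table(mon).items():
            down = [l for l, u in zip(LINKS, ups) if not u] or ["none"]
            print(f"  down={','.join(down):<15} "
                  f"voice={chosen['voice']} bulk={chosen['bulk']}")
```

Under that assumption, the row for WAN1 down shows the problem: with ordinary monitors voice and bulk both land on WAN2, and with the monitor trick bulk moves to WAN3 but voice has no usable gateway.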

  • I see what you are saying. I had to go look at the GUI also … So, perhaps do this. Put WAN1 and WAN3 in a group for phones and WAN2 and 3 for bulk. If 1 dies, then wimax will not have bulk traffic on it. If 2 dies it moves to 3 and traffic is still separate. If 3 dies, doesn't really matter since it won't be used. The only issue will be if you have multiple link failures. If 1 and 3 die, everything moves to 2. But if 2 and 3 die, bulk traffic will not pass. Same thing for 1 and 2 for phone traffic. Hopefully that would be very, very rare. Too bad you cannot have nested gateway groups.

  • That's a clever way of doing it  :) Unfortunately WAN3 (the WiMax-like connection) can't support voice due to horrible latency, jitter and sheer lack of bandwidth (which I can't upgrade).

    I'm starting to think traffic shaping is the way forward - SIP connections to our PBX would take absolute priority if WAN2 is shared between bulk traffic and voice (when WAN1 is down). Was trying to stay clear of it due to bad previous experiences with traffic shaping on other routers - does it work effectively on pfSense? Voice is so sensitive to packet delays etc.

  • I use it at my office and home (which is severely limited on bandwidth) and it works very well.
    If the WAN3 connection is that bad, change it out for a different DSL provider or something (maybe cable).
    Either way works.
