    Newbie to pfSense wanting to have gateway failover

Routing and Multi WAN
StrikedOut:

Hi All.

As the title says, I am completely new to pfSense, so I wanted to get some advice and pointers to the correct documentation for creating a router that will use a set gateway but, in the event of this gateway failing either through a line fault (gateway still contactable) or router failure (gateway not responding), will divert all internet traffic to our redundant line.

Something like this:

Can you advise on the best practice for this setup and documentation for configuration?

Also, what are the recommended add-ons for pfSense?

Thanks for your help.

StrikedOut:

Still looking for some advice.

Something else I would like to know: if it switches to the redundant line, can pfSense also force DNS queries to use an alternative server? Will it switch back when the primary becomes available?

phil.davis:

That sort of thing is common. Firstly, the subnet between pfSense and each gateway will need to be different (you have 192.168.11.n for both in the drawing).

Make the gateway to MPLS the default.
Specify a DNS server for each gateway.
In gateway monitoring, specify an alternate monitor IP for each gateway that is out in real internet land (8.8.8.8, 8.8.4.4, etc.) and that will respond and give a real indication of whether the gateway really has internet (or at least, in this example, really has Google).
Make a Gateway Group that has MPLS at tier 1, backup at tier 2.
Add a rule/rules to LAN to feed all the general internet traffic into the Gateway Group.
The traffic will fail over if MPLS gateway monitoring says it is down. It will fail back when MPLS is up again.

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

StrikedOut:

Hi and thanks for the reply.

So changing the IP subnets to this or similar (probably ending in 253 for both WAN 1 and 2):

And at the risk of sounding more of a noob than I actually am, can you point me to the correct location to make the changes? I don't want to change something I'm not supposed to.

phil.davis:

In your first drawing you had 192.168.11.0/24 addresses on the links to both gateways. So I guessed that you did not have this setup already. When you say:

"don't want to change something I'm not supposed to"

it makes me think you have a production network running at the moment, with some version of connections close to what is in the drawing. If that is the case, then you are going to need to find some "late night" down time and make sure to back up all config before changing/testing.
From my head, the process is:

1. Set LAN address to 192.168.11.26/24
2. Set WAN address to 192.168.111.27/24 and add a gateway to 192.168.111.250 - it will be the default gateway "by default" :)
3. Assign OPT1 to the NIC for the backup link, give it 192.168.211.28/24 and add a gateway to 192.168.211.254
4. Edit each gateway, specify an alternate monitor IP that is on the real internet and responds to ping (e.g. 8.8.8.8 and 8.8.4.4) - it is no good monitoring just the 192.168.n.n gateway addresses, they are likely to be up all the time.
5. Add an alias that includes all the private networks you are using. The easy way is to make an alias "Private192" for 192.168.0.0/16
6. Add a Gateway Group "MPLSpriority" - make WANGW tier 1, OPT1GW tier 2.
7. Add a rule on LAN, before the allow all rule, that says:
   source LANnet, destination not Private192, gateway MPLSpriority
   (the gateway for a rule is in the advanced section of the Firewall Rule Edit GUI page)

              What have I forgotten?


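The two posts from phil.davis above describe the same mechanism: distinct subnets on each WAN link, an alternate monitor IP out on the real internet, a tiered gateway group, and a LAN rule that sends non-private traffic into that group. The script below is an added example that models that decision logic so the plan can be sanity-checked before touching a production box; it is not pfSense code (pfSense's real monitor is dpinger and the routing decision is made by pf). The gateway names, addresses and alias names are the ones used in the thread; the probe results are constructed, not real pings.

```python
"""Model of the tiered gateway-group failover described in this thread.

Added example, not pfSense code. Names and addresses (WANGW, OPT1GW,
MPLSpriority, Private192, 192.168.111.x, 192.168.211.x) come from the
thread; the monitor probe results below are constructed.
"""
import dataclasses
import ipaddress
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    interface_ip: str        # pfSense address on that link, with prefix length
    gateway_ip: str          # next hop on that link
    monitor_ip: str          # alternate monitor IP, should be on the real internet
    dns_server: str          # DNS server to use while this gateway is active
    tier: int                # 1 = preferred, higher = backup
    monitor_up: bool = True  # result of the last probe (constructed, not a real ping)


def config_problems(gateways):
    """Return the misconfigurations raised in the thread, as human-readable strings."""
    problems = []
    nets = {}
    for g in gateways:
        iface = ipaddress.ip_interface(g.interface_ip)
        nets[g.name] = iface.network
        # The next hop has to sit on the interface's own subnet.
        if ipaddress.ip_address(g.gateway_ip) not in iface.network:
            problems.append(f"{g.name}: gateway {g.gateway_ip} is not in {iface.network}")
        # Pinging the private next hop says nothing about the internet behind it
        # ("it is no good monitoring just the 192.168.n.n gateway addresses").
        if ipaddress.ip_address(g.monitor_ip).is_private:
            problems.append(f"{g.name}: monitor IP {g.monitor_ip} is private")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Both links on 192.168.11.0/24, as in the first drawing, is the
            # first thing phil.davis flagged.
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} share subnet {nets[a]}")
    return problems


def active_gateway(group):
    """Gateway-group selection: lowest tier whose monitor is up, else None."""
    up = [g for g in group if g.monitor_up]
    return min(up, key=lambda g: g.tier) if up else None


def route_decision(dst, private_alias, group):
    """Apply the LAN rule: destinations not in Private192 go to the gateway group,
    private destinations fall through to normal routing.
    Returns (gateway name, DNS server) or ("default", None)."""
    if any(ipaddress.ip_address(dst) in n for n in private_alias):
        return ("default", None)
    gw = active_gateway(group)
    if gw is None:
        return ("none", None)  # every member is down; nothing to send it to
    return (gw.name, gw.dns_server)


def failover_sequence(group, probe_results):
    """Replay constructed probe results (one dict per monitor cycle) and record
    the group's choice each cycle, showing fail-over and fail-back. The input
    gateways are not mutated."""
    chosen = []
    for cycle in probe_results:
        snapshot = [dataclasses.replace(g, monitor_up=cycle[g.name]) for g in group]
        gw = active_gateway(snapshot)
        chosen.append(gw.name if gw else "none")
    return chosen


# Corrected layout from phil.davis's numbered steps (DNS per gateway is constructed).
WANGW = Gateway("WANGW", "192.168.111.27/24", "192.168.111.250", "8.8.8.8", "8.8.8.8", 1)
OPT1GW = Gateway("OPT1GW", "192.168.211.28/24", "192.168.211.254", "8.8.4.4", "8.8.4.4", 2)
MPLSPRIORITY = [WANGW, OPT1GW]
PRIVATE192 = [ipaddress.ip_network("192.168.0.0/16")]

# Constructed cycles: both up; MPLS line loses internet while its next hop still
# answers (only the remote monitor notices); MPLS recovers.
PROBES = [
    {"WANGW": True, "OPT1GW": True},
    {"WANGW": False, "OPT1GW": True},
    {"WANGW": True, "OPT1GW": True},
]

if __name__ == "__main__":
    # Layout from the first drawing: both links on 192.168.11.0/24 and WANGW
    # monitoring only its private next hop.
    first_drawing = [
        Gateway("WANGW", "192.168.11.27/24", "192.168.11.250", "192.168.11.250", "8.8.8.8", 1),
        Gateway("OPT1GW", "192.168.11.28/24", "192.168.11.254", "8.8.4.4", "8.8.4.4", 2),
    ]
    for p in config_problems(first_drawing):
        print("first drawing:", p)
    print("corrected layout:", config_problems(MPLSPRIORITY) or "no problems")
    print("gateway chosen per cycle:", failover_sequence(MPLSPRIORITY, PROBES))
    print("route to 1.1.1.1:", route_decision("1.1.1.1", PRIVATE192, MPLSPRIORITY))
    print("route to 192.168.11.5:", route_decision("192.168.11.5", PRIVATE192, MPLSPRIORITY))
```

Running it prints the two problems in the first drawing (shared subnet, private monitor IP), confirms the corrected layout is clean, and shows the group choosing WANGW, then OPT1GW while the MPLS monitor is down, then WANGW again once it recovers, which is the fail-over and fail-back behaviour described above. The DNS server returned alongside the gateway is the per-gateway DNS setting that answers StrikedOut's second question.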