Newbie to pfSense wanting to have gateway failover

  • Hi All.

    As the title says, I am completely new to pfSense so wanted to get some advise and pointers to the correct documentation for creating a router that will use a set gateway but in the event of this gateway failing either through a line fault (gateway still contactable) or router failure (gateway not responding) will divert all internet traffic to our redundant line.

    Something like this;

    Can you advise on the best practise for this set up and documentation for configuration?

    Also, what are the recommended addons for pfSense?

    Thanks for you help.

  • Still looking for some advise.

    Something else I would like to know is that if it switches to the redundant line, can pfSense also force DNS queries to use an alternative server? Will it switch back when the primary becomes available?

  • That sort of thing is common. Firstly, the subnet between pfSense and each gateway will need to be different (you have 192.168.11.n for both in the drawing).

    Make the gateway to MPLS the default.
    Specify a DNS server for each gateway.
    In gateway monitoring, specify an alternate monitor IP for each gateway, that is out in real internet land ( etc) and that will respond and give a real indication if the gateway really has internet (or at least in this example, really has Google).
    Make a Gateway Group that has MLPS at tier 1, backup at tier 2.
    Add a rule/rules to LAN to feed all the general internet traffic into the Gateway Group.
    The traffic will fail over if MLPS gateway monitoring says it is down. It will fail back when MLPS is up again.

  • Hi and thanks for the reply.

    So changing the IP subnets to this or similar (probably end in 253 for both WAN 1 and 2);

    And at the risk of sounding more of a noob than I actually am, can you point me to the correct location to make the changes, don't want to change something I'm not supposed to.

  • In your first drawing you had addresses on the links to both gateways. So I guessed that you did not have this setup already. When yyou say:

    don't want to change something I'm not supposed to

    it makes me think you have a production network running at the moment, with some version of connections close to what is in the drawing. If that is the case, then you are going to need to find some "late night" down time and make sure to backup all config before changing/testing.
    From my head, the process is:

    1. Set LAN address to
    2. Set WAN address to and add a gateway to - it will be the default gateway "by default":)
    3. Assign OPT1 to the NIC for the backup link, give it and add a gateway to
    4. Edit each gateway, specify an alternate monitor IP that is on the real internet and responds to ping  (e.g. and - it is no good monitoring just the 192.168.n.n gateway addresses, they are likely to be up all the time.
    5. Add an alias that includes all the private networks you are using. The easy way is to make an alias "Private192" for
    6. Add a Gateway Group "MPLSpriority" - make WANGW tier 1, OPT1GW tier 2.
    7. Add a rule on LAN, before the allow all rule, that says:
      source LANnet destination not Private192, gateway MPLSpriority
      (the gateway for a rule is in the advanced section of the Firewall Rule Edit GUI page)

    What have I forgotten?