Multi-WAN (for Failover) + VPN Routing for US content…



  • I know this topic has probably been beaten to death, but I have a feeling I am missing something stupid and I thought I would ask the pros here for some advice.

    First, some background…

    I don't have a ton of experience with BSD, I have mostly used CentOS/Ubuntu-based distros in the past.  Over the past year, I have been through many of the Linux router-based distros.  Clarkconnect -> ClearOS -> CentOS -> m0n0wall -> Zentyal -> Untangle -> and now pfSense.

    My current setup is something like this;

    ```
    WAN (Cable)        \
                        pfSense router -> switch -> wired connections
    WAN (3G failover)  /                         -> WNDR3700 (running dd-wrt, wireless AP)
    ```

    Throw in a StrongVPN OpenVPN account for good measure.

    I switched to pfSense because I wanted my router to do the routing, and not have 2 routers operating, with port forwarding and such enabled to make it all work.  And dd-wrt is not as stable as a Linux router distro.

    I also recently changed cable providers.  Hence the reason for the failover.  7 days to switch from one cable operator to another is a little too long for me.

    So here is what I have done.  I created 2 gateway groups: Netflix (with Canadian ISP backup) and WAN (with failover).  The Netflix gateway group has my VPN account as tier 1, and the cable modem interface as tier 2.  WAN with failover operates the same way: cable modem as tier 1, 3G wireless as tier 2.

    I have been able to get everything working by itself, but now I am struggling to pull it all together.  I had to hose all the firewall rules I had before my cable got reconnected, as it was trying to route the traffic across it, since it wasn't registered as "Down".

    I use an alias for all my devices that require US content.  10.0.0.70-10.0.0.79.  These are the devices that are going to need to go across the VPN.

    All other devices should go through the WAN (with failover) gateway.

    I am pretty sure it is a problem with either NAT, Firewall rules, or gateway monitoring.

    I attached a few pics.  I will gather some more info and keep trying, but if anyone has any suggestions of what to try, that would be awesome.
    ![Screen shot 2013-07-19 at 9.24.15 AM.png](/public/imported_attachments/1/Screen shot 2013-07-19 at 9.24.15 AM.png)
    ![Screen shot 2013-07-19 at 9.23.33 AM.png](/public/imported_attachments/1/Screen shot 2013-07-19 at 9.23.33 AM.png)
    ![Screen shot 2013-07-19 at 9.27.47 AM.png](/public/imported_attachments/1/Screen shot 2013-07-19 at 9.27.47 AM.png)
    ![Screen shot 2013-07-19 at 9.27.52 AM.png](/public/imported_attachments/1/Screen shot 2013-07-19 at 9.27.52 AM.png)
    ![Screen shot 2013-07-19 at 9.34.14 AM.png](/public/imported_attachments/1/Screen shot 2013-07-19 at 9.34.14 AM.png)



  • Did you ever get this working??  I'm looking to do something very similar.



  • @joltman:

    Did you ever get this working??  I'm looking to do something very similar.

    I did.  There were a couple of ways it could be done.  I assigned IP addresses to certain devices, aliased those devices, and forced them through the VPN.  Crude, but it worked.

    Later on, I got them to work by using an alias again, but using a host list file that had many IP addresses in it.  It wasn't so easy to find out the IP addresses of Netflix, Amazon EC2, Pandora, etc.  But it does work.
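The two approaches discussed in this thread, tiered gateway groups with a source alias (first post) and a destination alias loaded from a host list file (the reply above), can be modelled together in a few lines. The following is an added example, not the original poster's configuration or pfSense code: it mimics how pfSense evaluates firewall rules (first match wins, a gateway group picks its lowest online tier, and the "Skip rules when gateway is down" option decides what happens when every member of a group is down). All gateway names, group names, addresses and the host list contents are constructed assumptions; the addresses are documentation ranges, not real streaming-service IPs. It also shows the failure mode worth checking in this design: with the plain cable WAN as tier 2 of the VPN group, a VPN outage quietly sends the "US content" devices' traffic out unencrypted, whereas a VPN-only group plus a following block rule fails closed.

```python
"""Model of pfSense-style policy routing with gateway groups and aliases.

Constructed example: gateway, group, alias and address values are assumptions
for illustration, not taken from the thread. Gateway states are whatever the
monitor reports; a gateway with monitoring disabled is always reported online,
so a dead link keeps receiving traffic (the symptom described in the first post).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

GATEWAYS = {"WAN_CABLE": "online", "WAN_3G": "online", "VPN_STRONG": "online"}

# (tier, gateway): the lowest tier that is online carries the traffic.
GATEWAY_GROUPS = {
    "NETFLIX_VPN": [(1, "VPN_STRONG"), (2, "WAN_CABLE")],  # layout from the first post
    "WAN_FAILOVER": [(1, "WAN_CABLE"), (2, "WAN_3G")],
    "VPN_ONLY": [(1, "VPN_STRONG")],  # no plaintext fallback
}

# Constructed host list in URL-table alias format: one IP/CIDR per line, '#' comments.
US_CONTENT_LIST = """\
# constructed example, not real streaming-service ranges
198.51.100.0/24
198.51.100.64/26   # inside the /24 above, collapses away
203.0.113.10
203.0.113.11
not-an-address
"""

def parse_host_list(text):
    """Return (collapsed networks, [(lineno, bad line)]). Malformed lines are
    reported, not dropped: a silently shrunken alias bypasses the VPN."""
    nets, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append((lineno, raw))
    return list(ipaddress.collapse_addresses(nets)), bad

def parse_range_alias(spec):
    """Expand a 'first-last' address-range alias into CIDR networks."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
    return list(ipaddress.summarize_address_range(lo, hi))

def in_alias(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)

@dataclass
class Rule:
    action: str                   # "pass" or "block"
    src: List                     # networks; empty list = any
    dst: List
    group: Optional[str] = None   # gateway group; None = default route
    skip_when_down: bool = False  # pfSense "Skip rules when gateway is down"

def pick_gateway(group, states):
    for _tier, gw in sorted(GATEWAY_GROUPS[group]):
        if states.get(gw) == "online":
            return gw
    return None

def route(src, dst, rules, states=GATEWAYS):
    """First-match evaluation: returns a gateway name, "DEFAULT" for the
    default route, or "DROP" when blocked or unmatched."""
    for r in rules:
        if r.src and not in_alias(src, r.src):
            continue
        if r.dst and not in_alias(dst, r.dst):
            continue
        if r.action == "block":
            return "DROP"
        if r.group is None:
            return "DEFAULT"
        gw = pick_gateway(r.group, states)
        if gw is not None:
            return gw
        if r.skip_when_down:
            continue      # rule omitted while the group is down; later rules decide
        return "DEFAULT"  # pfSense default: the rule simply loses its gateway
    return "DROP"

VPN_HOSTS = parse_range_alias("10.0.0.70-10.0.0.79")   # alias from the first post
US_NETS, BAD_LINES = parse_host_list(US_CONTENT_LIST)

# Variant A (first post's layout): tier 2 of the VPN group is the plain cable
# WAN, so a VPN outage silently sends the VPN hosts' traffic in the clear.
RULES_LEAKY = [
    Rule("pass", VPN_HOSTS, [], "NETFLIX_VPN"),
    Rule("pass", [], [], "WAN_FAILOVER"),
]

# Variant B (fail closed): US-content traffic from the VPN hosts only ever uses
# the VPN; when it is down the rule is skipped and the block rule catches it.
RULES_FAIL_CLOSED = [
    Rule("pass", VPN_HOSTS, US_NETS, "VPN_ONLY", skip_when_down=True),
    Rule("block", VPN_HOSTS, US_NETS),
    Rule("pass", [], [], "WAN_FAILOVER"),
]

if __name__ == "__main__":
    vpn_down = dict(GATEWAYS, VPN_STRONG="down")
    print("leaky, VPN down:      ", route("10.0.0.75", "198.51.100.5", RULES_LEAKY, vpn_down))
    print("fail-closed, VPN down:", route("10.0.0.75", "198.51.100.5", RULES_FAIL_CLOSED, vpn_down))
```

Run it as a script to see the two outcomes side by side; the `BAD_LINES` list is the thing to inspect after replacing the constructed host list with a real one, since an alias that loads with fewer entries than expected is a routing hole rather than an error.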



  • Would be great if you could share with us that alias :)



  • Yes.  Super please.  I could really use that alias.





  • I'm more curious how he was able to find all the IP addresses that he needed.  A lot of Wireshark sniffing?



  • The list above is not perfect.  Those are some common sites that we know need a US IP to browse or stream properly; no sniffing needed.  Hulu seems to check your IP via huluim (not so sure about this), as some sites appearing in the lower right when Firefox tried to open the site.