One Gateway IP, multiple Routes and Monitors
First of all, pfSense is a fantastic product. I use a virtualised cluster at home and run tests with pfSense at the office ;)
But I have a little problem and no solution yet …
We use a MPLS-Connection to remote offices and have the following routing:
10.0.1.0/24 via Gateway 10.0.0.1 Tier1
10.0.2.0/24 via Gateway 10.0.0.1 Tier1
10.0.3.0/24 via Gateway 10.0.0.1 Tier1
To all offices we have a backup connection:
10.0.1.0/24 via Gateway 192.168.1.1 Tier2
10.0.2.0/24 via Gateway 192.168.1.2 Tier2
10.0.3.0/24 via Gateway 192.168.1.3 Tier2
I created both gateways in pfSense, and I can monitor the gateways and fail over to the Tier2 gateway if the Tier1 gateway fails.
Now the gateway at Office1 (10.0.1.1) fails and I lose the connection to Office1. My monitoring detects nothing, because my gateways are online.
I would like to create 3 gateways in pfSense with IP 10.0.0.1 and set the monitoring IPs to 10.0.1.1, 10.0.2.1 and 10.0.3.1. If the gateway at a remote office then fails, my monitoring detects this and I fail over to Tier2, only for the remote office that fails.
But this is not possible: I can only create 1 gateway with IP 10.0.0.1. If I create a second gateway with 10.0.0.1, an error occurs. Is this a limitation of the GUI or of the system behind it?
Is there any way to work around this limitation, via CLI or anything else?
Thanks in advance and best regards
What you are wanting looks possible in apinger, which really just deals with monitor IPs. pfSense has "Gateway Groups" that consist of a set of Gateways with priorities (tiers). But really it seems to me that they are really "Monitor IP Groups". It would be possible to have multiple monitor IPs for each gateway. Each Monitor IP would potentially have its own advanced settings (loss, delay, down time…). The existing "Gateway Groups" could actually become a selection of the "Monitor IP entries", with a tier for each one. apinger reports which target (monitor) IP has a state change, pfSense can use this in a more refined way than now - passing that up to the various "service reload" commands that react to apinger alarms.
Then you can have different Gateway Groups that are prioritised on different sets of monitor IPs (although ultimately underneath the traffic is on the same gateways/interfaces). Particular OpenVPN instances, or policy-routing rules can then use a particular Gateway Group that responds as required to the failure of particular monitor IPs.
I can think of a use for this here in Nepal - sometimes links to the "rest of the world" internet go down, but our internal national ISP/s are working OK, so my VPN links between offices in the country will still work. In that case, I don't want to try to failover the VPN links to some slow backup link. On my main WAN gateway I could monitor an in-country ISP address, and use that in a Gateway Group for VPN failover. On my main WAN gateway I could also monitor an outside-Nepal IP, and use that in a gateway group for general policy-based routing of browser traffic. I could monitor my international mail server IP, and use that in a gateway group for policy-based routing of traffic to the mail server. The failover could detect (with a reasonable guess) what bit of the internet is unreachable on the main WAN, and just failover that bit to the backup link.
This is about having multiple networks/services/resources available over a single gateway, and detecting which particular network/service/resource is now unreachable, and allowing the firewall rules, VPN settings... to just failover the things that need to reach that network/service/resource.
How many people have a need for this?
And who has the time to code and test it?
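The per-destination failover the reply sketches ("Monitor IP Groups" instead of per-gateway monitoring) can be modelled in a few lines. The following is an added example, not code from pfSense or apinger: it takes the six routes from the question, attaches a separate monitor IP to each one, derives an up/down state per monitor from constructed probe samples, and then picks, per prefix, the lowest-tier route whose monitor is still answering. The Tier2 monitor IPs, the 50% loss threshold and the rule "if every candidate is down, keep the lowest tier" are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str    # destination network
    gateway: str   # next hop on the local side
    monitor: str   # IP whose reachability decides whether this route is usable
    tier: int      # lower tier is preferred


# Constructed from the question: the same gateway 10.0.0.1 appears three
# times at Tier1, each entry monitored by the remote office router instead
# of the gateway itself. The Tier2 monitor IPs are assumed to be the backup
# gateways themselves.
ROUTES = [
    Route("10.0.1.0/24", "10.0.0.1", "10.0.1.1", 1),
    Route("10.0.2.0/24", "10.0.0.1", "10.0.2.1", 1),
    Route("10.0.3.0/24", "10.0.0.1", "10.0.3.1", 1),
    Route("10.0.1.0/24", "192.168.1.1", "192.168.1.1", 2),
    Route("10.0.2.0/24", "192.168.1.2", "192.168.1.2", 2),
    Route("10.0.3.0/24", "192.168.1.3", "192.168.1.3", 2),
]


def monitor_states(probes, loss_threshold=50.0):
    """Derive an up/down state per monitor IP from probe results.

    probes maps monitor IP -> list of booleans (True = echo reply received),
    standing in for the pings apinger would send. A target is considered
    down once its packet loss reaches loss_threshold percent (assumed value).
    """
    states = {}
    for target, replies in probes.items():
        loss = 100.0 * replies.count(False) / len(replies) if replies else 100.0
        states[target] = loss < loss_threshold
    return states


def select_routes(routes, states):
    """Pick, per destination prefix, the lowest-tier route whose monitor is up.

    If every candidate for a prefix is down, the lowest tier is kept so the
    prefix still has a next hop (assumed behaviour for this example).
    """
    by_prefix = {}
    for r in sorted(routes, key=lambda r: r.tier):
        by_prefix.setdefault(r.prefix, []).append(r)
    table = {}
    for prefix, candidates in by_prefix.items():
        usable = [r for r in candidates if states.get(r.monitor, False)]
        table[prefix] = (usable or candidates)[0].gateway
    return table


def next_hop(table, dst):
    """Longest-prefix match of a destination address against the selected table."""
    addr = ip_address(dst)
    best = None
    for prefix, gw in table.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def failover_table(probes):
    """Full pipeline: probe samples -> monitor states -> per-prefix next hops."""
    return select_routes(ROUTES, monitor_states(probes))


if __name__ == "__main__":
    # Constructed probe samples: Office1's router (10.0.1.1) stops answering
    # while the other offices and all backup gateways stay reachable.
    probes = {
        "10.0.1.1": [False] * 10,
        "10.0.2.1": [True] * 10,
        "10.0.3.1": [True] * 9 + [False],
        "192.168.1.1": [True] * 10,
        "192.168.1.2": [True] * 10,
        "192.168.1.3": [True] * 10,
    }
    for prefix, gw in failover_table(probes).items():
        print(prefix, "->", gw)
```

Run as a script it prints one line per prefix: only 10.0.1.0/24 moves to 192.168.1.1, while 10.0.2.0/24 and 10.0.3.0/24 stay on 10.0.0.1, which is exactly the outcome the question asks for and which per-gateway monitoring of 10.0.0.1 cannot deliver.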