Multi-WAN and router traffic clarification

  • Hi everybody,

    I need clarification about how traffic that originates from pfSense itself (for example an OpenVPN connection) is managed.

    In a setup with two WAN interfaces, without a gateway set, and with policy-based routing, I can ping the remote site from a LAN computer, but if I try to ping from pfSense's shell (via SSH) I get "no route to host". Indeed, the two OpenVPN client connections configured on the same machine are not working.

    Keeping in mind that I need policy routing for splitting the VPN connections and a failover group for giving Internet access to LAN computers, do I have to set up two different machines (one for multi-WAN access, one for VPN routing), or is there a way to have a working configuration on a single pfSense?

    Thanks in advance

  • Since no one has replied, I believe it is not possible to have everything on a single machine, due to how pf itself works.

  • If you have no default gateway, then the ordinary routing table will have no route to "general public internet", so ping from pfSense itself will not work.
    Traffic arriving on LAN, if it matches a policy route that feeds it into a gateway or gateway group, will work: it is specifically sent on a particular route, not to the ordinary routing table.
    If you have multiple VPN links that connect to VPN servers in various places and you want to use those pipes for various traffic to get to the internet, then you should be able to put rules on LAN that match the traffic you want and feed it to the appropriate VPN gateway. You do need to assign an interface to each VPN to do this.
    Give detail of what you want to do and I expect it can be done.
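To illustrate the distinction drawn in the reply above, here is a hand-written pf ruleset fragment in the style of what pfSense generates for policy-routed LAN rules. It is an added example, not from the thread or the pfSense project; interface names, gateway addresses and subnets are assumed.

```pf
# Assumed interface names and gateway addresses (not from the thread).
lan     = "em1"
wan1    = "em0"
vpn_pry = "ovpnc1"   # OpenVPN client assigned as an interface (VPNPRY)
vpn_bck = "ovpnc2"   # OpenVPN client assigned as an interface (VPNBCK)

gw_wan1 = "203.0.113.1"   # WAN1 upstream gateway (documentation address)
gw_pry  = "10.8.1.1"      # far end of VPNPRY tunnel
gw_bck  = "10.8.2.1"      # far end of VPNBCK tunnel

lan_net = "192.168.1.0/24"
hq_net  = "10.10.0.0/16"  # subnets reachable behind the headquarters VPN

# 1. Policy routing for forwarded traffic.
#    "route-to" hands the packet straight to the named interface/gateway,
#    so the kernel routing table is never consulted for these flows.
#    This is why a LAN host can reach the remote site even when the
#    firewall has no default route at all.
pass in quick on $lan route-to ($vpn_pry $gw_pry) \
    inet from $lan_net to $hq_net keep state

# Failover to the backup tunnel for the same destination: pfSense does
# this by regenerating the ruleset when the gateway group marks VPNPRY
# down; written by hand it is simply a second, lower-priority rule.
pass in quick on $lan route-to ($vpn_bck $gw_bck) \
    inet from $lan_net to $hq_net keep state

# Everything else from LAN goes out WAN1 (or the failover group).
pass in quick on $lan route-to ($wan1 $gw_wan1) \
    inet from $lan_net to any keep state

# 2. Traffic generated by the firewall itself is NOT covered by any of
#    the rules above. Before pf ever sees a locally originated packet,
#    the kernel performs an ordinary routing-table lookup to choose the
#    output interface. With no default gateway that lookup fails and
#    the application gets "no route to host": the OpenVPN client
#    processes and a ping from the SSH shell are in exactly this
#    position. A default route (or a static route for the VPN server
#    addresses via the intended WAN) is what fixes that, not a LAN rule.
```

In pfSense terms, the "route-to" lines correspond to LAN rules with an explicit gateway or gateway group selected under Advanced, while the firewall-originated case is governed only by the default gateway and static routes.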

  • Thank you for the reply, phil.davis.

    I have attached diagrams of the system that I'm trying to build: the two-pfSense configuration works, the single-pfSense configuration does not.

    PFS POS has two WAN interfaces (WAN1, WAN2) in a failover group and two VPN connections (VPNPRY, VPNBCK) to the headquarters office.

    The PC has "PFS POS" as its default gateway and must use it for Internet browsing and for communication with the HQ Server (via VPN); VPN routing is managed by Quagga OSPF, and I need to have VPNPRY on WAN1 and VPNBCK on WAN2.