MultiWan failover setup.
I need someone's help figuring out how to do this. I have a T-Mobile 3G USB data stick that I have connected to an Asus router as its internet connection source, and I have pfSense connected to my cable modem. My pfSense network is 192.168.1.0/24 and the Asus router is 192.168.29.0/24. I want to set up pfSense so that when its WAN/internet connection fails, it automatically switches to the 3G stick on the Asus router.
If you have a more elegant solution I would love to hear it, but I have tried several times to get the USB stick to work on pfSense and it never connects / gives some SIM lock error, etc. In the Asus router it just works, so that is my reason for using it/having it.
Connect the LAN of the ASUS router to another port on your pfSense, and assign it as OPT1. Make OPT1 an IPv4 DHCP-type interface. It will get an IP from the ASUS router, just like any client on the ASUS router LAN (e.g. it might get 192.168.29.2).
Add a gateway group "Failover" with WAN tier 1, OPT1 tier 2.
Add or edit rules on LAN to pass traffic and select the "Failover" gateway group in the Advanced Gateway section of the rule/s. (If you want it for all, then edit the default pass all rule on LAN to specify the gateway group)
If you provide services to external clients (web server, incoming VPN connects…) then that is trickier and you need more port-forwarding and dynamic DNS names that switch with the gateway group...
I am assuming that in this setup I must have 3 NICs: 1 for my cable modem, 1 that connects to the Asus router and a 3rd connecting to the local network. If I change the LAN of the Asus so that it is the same as my current LAN, assign it an IP address and turn off DHCP, is there any way then to just type in the failover gateway IP address without setting up another interface OPT1, or at least a way to accomplish my goal using 2 instead of 3 NICs? I really wish pfSense had better support for these USB sticks.
Delex last edited by
It might work; at least pfSense allows for multiple gateways in the same subnet. Just hook it up, define the proper monitor IPs and let us know. DNS may be an issue as both networks will use different servers.
Alternatively you can use VLANs to connect both WAN connections on the same pfSense interface.
Yes, I have done this before. Let's see if I can remember the steps! The idea is to keep all the LAN clients always talking to pfSense LAN IP as their default gateway - leave pfSense doing DHCP and giving itself as the default gateway.
a) Put the Asus LAN on your pfSense LAN, giving the Asus some other static IP address on pfSense LAN.
b) Turn off DHCP on the Asus.
c) Add a gateway on pfSense pointing to Asus LAN IP.
d) Switch on Manual Outbound NAT. Add a rule that will NAT anything from pfSense LANnet that is going to Asus gateway. (That will make any packets going out to the Asus have pfSense LAN IP as their source IP, which will mean the Asus will deliver any reply back to pfSense LAN IP, and pfSense can deliver it to the real LAN client - keeps all the packets for every state seen by pfSense).
e) Make gateway group/s for failure using WAN and Asus Gateway
f) Add rules on LAN to put traffic into the gateway group/s and that traffic should failover or load balance as desired.
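Steps (a) to (f) above as a small check, added here as an example that is not part of the original post and not pfSense code: it picks the active gateway the way a tiered gateway group does and flags a gateway that sits inside the LAN subnet without a source-NAT rule for LAN traffic. The gateway names, the 203.0.113.1 and 192.168.1.2 addresses, the rule dictionaries and the reading that the step (d) rule sits on the LAN interface are assumptions.

```python
import ipaddress

# Constructed values: only 192.168.1.0/24 comes from the thread.
LAN_NET = "192.168.1.0/24"
GATEWAYS = {"WAN_GW": "203.0.113.1",    # assumed cable-modem gateway
            "ASUS_GW": "192.168.1.2"}   # assumed static IP given to the Asus, step (a)
FAILOVER = {"WAN_GW": 1, "ASUS_GW": 2}  # gateway group as name -> tier, step (e)

def pick_gateways(group, up):
    """Return the live members of the lowest-numbered tier that has any."""
    for tier in sorted(set(group.values())):
        live = sorted(gw for gw, t in group.items() if t == tier and up.get(gw))
        if live:
            return live
    return []

def gateways_missing_lan_nat(lan_net, gateways, nat_rules):
    """Gateways inside the LAN subnet whose traffic is not source-NATed on LAN.

    Without the step (d) rule the Asus sees the client's own address, which is
    on-link for it, so the reply goes straight to the client and pfSense only
    ever sees one direction of the connection.
    """
    lan = ipaddress.ip_network(lan_net)
    covered = any(
        r["interface"] == "LAN"
        and lan.subnet_of(ipaddress.ip_network(r["source"]))
        for r in nat_rules
    )
    return sorted(name for name, ip in gateways.items()
                  if ipaddress.ip_address(ip) in lan and not covered)

# Simplified outbound NAT rule sets (hypothetical structure, not config.xml).
WAN_ONLY_NAT = [{"interface": "WAN", "source": LAN_NET}]
WITH_STEP_D = WAN_ONLY_NAT + [{"interface": "LAN", "source": LAN_NET}]

if __name__ == "__main__":
    print(pick_gateways(FAILOVER, {"WAN_GW": False, "ASUS_GW": True}))
    print(gateways_missing_lan_nat(LAN_NET, GATEWAYS, WAN_ONLY_NAT))
    print(gateways_missing_lan_nat(LAN_NET, GATEWAYS, WITH_STEP_D))
```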
Would you mind helping me fill in the values in each field, as I still can't get it to work and I'm not sure I understand what the fields are asking for?
Do not NAT: Enabling this option will disable NAT for traffic matching this rule and stop processing Outbound NAT rules.
Hint: in most cases, you won't use this option.
Choose which interface this rule applies to.
Hint: in most cases, you'll want to use WAN here.
Choose which protocol this rule should match.
Hint: in most cases, you should specify any here.
Enter the source network for the outbound NAT mapping.
Source port: (leave blank for any)
Use this option to invert the sense of the match.
Enter the destination network for the outbound NAT mapping.
Destination port: (leave blank for any)
Packets matching this rule will be mapped to the IP address given here.
If you want this rule to apply to another IP address rather than the IP address of the interface chosen above, select it here (you will need to define Virtual IP addresses on the interface first).
Enter the source port for the outbound NAT mapping.
No XMLRPC Sync
Hint: This prevents the rule on Master from automatically syncing to other CARP members. This does NOT prevent the rule from being overwritten on Slave.
You may enter a description here for your reference (not parsed).
So I gave up long ago on this because I switched to using Sophos UTM, which is amazing except their retarded license structure that has me over the limit, so back to pfSense I go. I almost got everything working. The only problem I have is on the backup WAN (3G): downstream works fine but no upload at all (uplink doesn't work). I know that it's not the config of the device or the router because it works when you use the router as the default gateway in your IP setting on a computer, and it all worked seamlessly on Sophos. Any help?
Which hardware configuration are you trying to get working:
a) 3G stick directly in pfSense; or
b) 3G stick in Asus router, pfSense going out through Asus LAN to internet as failover.
(a) might have hardware support issues in FreeBSD/pfSense - I have never done 3G stick directly in pfSense myself.
(b) I'm sure will work as long as the Asus router and stick are working - I have that with a TP-Link device and 3G stick in my home as failover.
Post details of where you have got to and the various settings and rules you have for LAN, WAN and WAN2…