Gateways/Routes and pfSync and WAN failover



  • I have two questions for the pfSense team that do not directly fit under the other categories.

    I am looking for insight on how to accomplish these things, or confirmation that the pfSense team can/will provide a solution for these issues via their support service, or whether I need to offer a bounty to get a solution, and whether these are being considered to be added/fixed later.

    1. When pfsync is set up to sync static routes, there is no mechanism to deal with interfaces that do not exactly match on the gateway side. This is part of a larger issue with pfSense in that it does not directly support BGP setups, in which case the WAN interface on fw1 does not have to match the WAN interface on fw2.

    I think the simple solution is to have an option for gateways and routes to "No XMLRPC Sync" like is available with firewall rules. However, it may not be that simple due to this note: "This does NOT prevent the rule from being overwritten on Slave." Which to me means that if you have a unique rule on the slave, it may be removed. If that is the case and gateway/route XMLRPC Sync has the same limitation, then more would be needed.

    2. This is also related to pfSense not being designed for BGP. If I have one uplink from two ISPs, connect one on the primary and the other on the secondary and set up for BGP, and there is no option for CARP, how can I have failover on a WAN interface?

    My thought is a script to check if the physical link is down and if it is up, check if the WAN statistics are acceptable. If the WAN link is down or the WAN statistics are not acceptable, then check the secondary for the same. If the secondary is good, activate either the "Temporarily Disable CARP" option or the "Enter Persistent CARP Maintenance Mode" option.
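As an added illustration of the check-and-failover logic sketched in this post (example code written for this page, not from the post's author and not part of pfSense), the script below evaluates each WAN by physical link state and packet loss, then decides whether to stay, fail over, or hold because both uplinks are bad. It assumes the FreeBSD `status:` line of `ifconfig` for link state and the summary line of `ping` for loss; the sample outputs are constructed, and `enter_carp_maintenance` is a placeholder hook standing in for whatever mechanism actually puts the node into CARP maintenance mode.

```shell
#!/bin/sh
# Added example: decision logic for a WAN health check that drives CARP failover.
# Assumptions (hypothetical): link state is read from the FreeBSD "status:" line of
# ifconfig, packet loss from the summary line of ping, and the CARP action is a
# placeholder hook to be replaced with a real mechanism.

LOSS_THRESHOLD=20   # percent packet loss above which a WAN counts as unhealthy

# link_is_up IFCONFIG_TEXT: 0 when the text reports an active physical link.
link_is_up() {
    printf '%s\n' "$1" | grep -q 'status: active'
}

# packet_loss PING_TEXT: prints the packet-loss percentage from a ping summary line.
packet_loss() {
    printf '%s\n' "$1" | sed -n 's/.*, \([0-9.]*\)% packet loss.*/\1/p'
}

# wan_healthy IFCONFIG_TEXT PING_TEXT: 0 if link is up and loss is within threshold.
wan_healthy() {
    link_is_up "$1" || return 1
    loss=$(packet_loss "$2")
    [ -n "$loss" ] || return 1
    awk -v l="$loss" -v t="$LOSS_THRESHOLD" 'BEGIN { exit !(l <= t) }'
}

# decide PRIMARY_STATUS SECONDARY_STATUS (0 = healthy): prints the action.
#   keep     - primary is fine, nothing to do
#   failover - primary bad, secondary good: enter CARP maintenance mode
#   hold     - both bad: failing over would not help, stay put and alarm instead
decide() {
    if [ "$1" = 0 ]; then
        echo keep
    elif [ "$2" = 0 ]; then
        echo failover
    else
        echo hold
    fi
}

# enter_carp_maintenance: placeholder hook (hypothetical); wire it to the real action.
enter_carp_maintenance() {
    echo "would enter persistent CARP maintenance mode on this node"
}

# run_check: evaluate constructed sample outputs end to end and print the decision.
run_check() {
    # Constructed sample outputs, not captured from a real system.
    primary_if='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        status: no carrier'
    primary_ping='3 packets transmitted, 0 packets received, 100.0% packet loss'
    secondary_if='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        status: active'
    secondary_ping='3 packets transmitted, 3 packets received, 0.0% packet loss'

    if wan_healthy "$primary_if" "$primary_ping"; then p=0; else p=1; fi
    if wan_healthy "$secondary_if" "$secondary_ping"; then s=0; else s=1; fi
    action=$(decide "$p" "$s")
    if [ "$action" = failover ]; then enter_carp_maintenance >/dev/null; fi
    echo "$action"
}
```

On a live node the two `if wan_healthy` lines would take `ifconfig em0` and `ping -c 3 <gateway>` output instead of the constructed strings; the "hold" branch matters because flipping to a secondary that is equally unhealthy only adds a CARP transition on top of the outage.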


Log in to reply