I have a two WAN, two LAN configuration that has been working well for quite a while. It's now time to add the reason that I changed to pfSense, Failover.
The current configuration is that the business LAN routes to the business WAN, while the hobby LAN routes to the hobby WAN. What i need to add is to have the business LAN fail over to the hobby WAN if the business WAN fails. So far, it won't. When I put the business WAN out of service, nothing on the business LAN works.
As I understood the manual, I went to System | Routing | Gateways to create a new gateway (screen pix attached). The business WAN (RW) is tier 1 and the hobby WAN (Vianet) is tier 2. I then changed the firewall rules so that the business LAN would route to this new gateway (screen pix attached).
Obviously, I'm missing something that is required to get this to work. Any suggestions?
kapara last edited by
I see 3 gateways in the Scrnsht.
You need to create 2 gateway groups. 1 for each lan rules tab.
You need to reverse them.
Yes, the pfSense wizard created two gateways for a single WAN connection. I'm still confused about that, but on the theory that if it works, leave it alone, I've done nothing about it.
You are saying that I need to create two gateway groups. I don't want to have the hobby traffic spill over to the business wan, so I don't quite understand why I would create a gateway for that. Could you please explain it a bit more?
pf123user last edited by
I didn't use the wizard on my setup. I'm still having issues but hopefully this will get you a little closer. If anything I'm posting is wrong/incorrect I would please welcome someone to correct me.
As I understand it, go to System : Gateways and create your two gateways. If you have three currently either delete them all and start over or just fix the two and delete the 3rd random one.
This is where I think I'm having issues: One gw has to be marked as default so when my WAN1/default gw goes down, my WAN2 still tries to push traffic through the default gw, which is down –not 100% sure, have asked this question and not gotten a response yet.
I found a good video/DIY that suggested using something other than your ISP's gw or dns servers for your monitor IPs. I chose 22.214.171.124 & 126.96.36.199 (Google) as my monitor IPs.
So set up your two WAN GW's. Next, go over to the Groups tab and add two or three groups; two for simple failover, three for load balance + failover. I added three groups, group 1 is named "LB" and has both gateways (WAN1+WAN2) with equal priority (Tier 1). I believe, in theory this should be load balancing but again I could be wrong.
Next, I set up a second group called W1toW2, included both gw and set WAN1 to Tier 1 and WAN2 to Tier 2. That should be my first failover (your business to hobby I believe).
After that I added a third group called W2toW1, included both gw and set WAN2 to Tier 1 and WAN1 to Tier 2. That should be my second failover (your hobby to business, I believe).
Now when I go to Status : Gateways I can check and see that both are online. When I go to the Gateway Groups tab I can see that all three are online.
As I said, I've been having slight issues with this. My WAN1 is probably like your hobby wan, it's part of our "triple play" ISP bundle thing and my WAN2 is a FiOS line with 5 static IPs. I don't have any issues with NAT'ing inbound traffic (web server for example) so when my WAN2 is down and the web server's static IP is not available, my (3rd party) dynamic dns updater thing fails over and points the domain url to the home dynamic IP and all is good. I am however having issues with OUTBOUND traffic on failover. It seems to be something with the default gateway setting. I have my WAN1 set as default. When WAN1 goes down the only way I can get out is by manually changing the default gw over to WAN2. So I'm not doing my settings properly or I don't know how to make it just "know" and switch over.
Either way, hopefully that gets you started.
EDIT: Forgot to mention, you need to then go into System, Advanced, Miscellaneous tab and under LB section, check the "Enable default gw switching" checkbox.
I've tried everything you suggested, and a strange thing happened. For the first few minutes, the status showed that the test WAN was down, and I was able to ping 188.8.131.52. After that few minutes, the WAN status changed to "Pending", and the ping wasn't working. (I used the System | Routing | Gateway items to force the gateway down for testing purposes)
I tried a reboot with the WAN cable disconnected. The status shows "Unknown" and still the ping won't work. The System Log | System | Gateway showed that the WAN was down, but I'm wondering if pfSense really thinks it is.
Can you suggest any menu items or commands that I can try to diagnose the fail over?
CMB (Hero Administrator!) has said in another post
"Pending or unknown means apinger's status file has no data for the interfaces. apinger can be a real pain at times, I'd suggest going ahead and upgrading to 2.3-RC given you're in that situation as dpinger has replaced apinger and it functions sanely."
I'll wait for the release of 2.3 to see if that solves the problem.
After suggestions from pf2.0nyc and cmb, I have upgraded to 2.3-Release, and failover is working as I need it to. I even got lucky, and this morning the problem WAN failed, so everything is actually going out on the default WAN!
One addition of pf2.0nyc's posting. If you use Dynamic DNS, you may want to change the gateway it connects to. Connecting to a dead WAN isn't as useful as connecting to your new Gateway Group.
Attn pf2.0nyc: Unfortunately, my testing isn't likely to help you any. In my situation, I'm trying to fail over one WAN to another (default) WAN. Because the default WAN doesn't need to change, I can't add any useful information to your problem. My only suggestion would be to upgrade to 2.3-Release, and see if that changes anything. Thank you again for your detailed forum posting.
Final Update…I had the Wizard create my first network configuration. It created two interfaces, where there is only one. The first interface is 'name' and the second interface is 'name-DHCP'. While 'name' is my default WAN, it doesn't work as a failover interface. The second failover interface has to be 'name-DHCP'. I can't explain it, but it works this way, and didn't work when I selected the default WAN as the second failover interface.