Multi-WAN failover with access restrictions



  • I have a situation where a customer has WAN connections to WiFi, a cell modem, and a satellite phone, and I want to set up a failover system, but one that can filter clients' permissions (based on MAC address) to certain WANs.  I don't need an Apple TV watching video over a sat connection  :o

    How would I go about this in pfSense?



  • I suggest getting a nice cup of coffee…

    Oh and RTFM! :-)

    Sorry but you opened yourself to that one!

    Check out the following article...  It is best to read up on it and then ask questions after showing that you made some effort, otherwise you will get no response.

    https://doc.pfsense.org/index.php/Multi-WAN



  • You are right, I did open myself up to that  :D.

    I definitely should have been more clear about my questions. I did read through the multi-WAN setup, and for the most part understand what needs to be done to get it working, with the exception of blocking certain MAC addresses from certain WANs.  Assuming I have 3 WAN gateways set up properly for failover, where all clients have access, what approach should I take to limiting certain MAC addresses?  My first guess would be to create aliases that contain them, but I'm not sure aliases work with them (I don't currently have a pfSense installation to play around with; it's been a couple of years since I was at a company where we used it).  Maybe three groups -- one for each WAN -- called deny_access_cell, deny_access_sat, etc.  Then a rule that blocks the alias.  I started reading about floating rules, and got pretty confused about where the rules should go.

    Part of the challenge is I don't currently have any hardware with 4 ethernet ports to test this with, and I want to make sure it'll work before I buy the hardware.



  • It would be best to ask one thing and then the next, so that everything can be as clear
    as possible to all users here in the forum. Asking all questions in one thread would be nice in some situations,
    but often it makes things more complicated for everybody involved except yourself. Only my 2 cents.

    If you have three WAN interfaces and one LAN interface and you want to route the LAN clients over specific
    WAN gateways, authenticated by their MAC addresses, those are two different things in my eyes, but realizable
    for sure. What I did not understand is the following: why do you want to filter at the WAN interface the MAC
    addresses coming from outside? As I understood it, you will be identifying your LAN clients by
    their MAC addresses and then routing them over a specific WAN interface or gateway. Can you please tell
    something more about that?

    Normally you would set up pfSense as follows for that, in my eyes:

    • create three WAN interfaces and gateways
    • choose a proper load balancing method for that
      -- policy-based routing
      -- service-based routing
      -- session-based routing
    • install Squid with user auth., create an account for each user and set up the MAC address there
      (alternatively you can work with internal static IP addresses; that is also possible)
    • set up the failover rules
      (please note: if both other WAN connections stop working, all your traffic will run over
      the last one, including the Apple TV over the SAT connection if that is the last working one)

    I would try out policy-based routing in your case, together with MAC auth., so that if one or more WAN
    connections fail all the clients are still able to route over the last one; that will not be possible
    if the MAC address is bound to one specific WAN interface, as far as I know.

    sample rules for load balancing and failover (via the forum search function)
    nice HowTo for a multi-WAN setup (a little bit old, but well explained with many pictures)
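As an added example (not code from any poster in this thread, and not pfSense's own code), here is a small Python model of the rule evaluation the last reply describes, so the failover caveat can be checked before buying hardware. It assumes the usual pfSense approach: firewall rules match on IP rather than MAC, so each restricted MAC is pinned to a fixed IP with a static DHCP mapping and those IPs go into an alias; LAN rules are evaluated top-down with first match winning and unmatched traffic dropped; a rule bound to a gateway group uses the lowest tier that still has a member up; and when every member of the group is down, the rule is created without a gateway (traffic follows the default route) unless the advanced option "Skip rules when gateway is down" is enabled, in which case the rule is omitted. The gateway, group and alias names and all addresses are constructed.

```python
"""Model of pfSense-style policy routing with gateway groups and per-alias restrictions.

All names and addresses are constructed for the example; the evaluation rules
encode the assumptions stated in the lead-in, not pfSense's actual source.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

DEFAULT_GATEWAY = "SAT_GW"  # worst case: the system default route is the satellite link

# Gateway group name -> {gateway: tier}; a lower tier is preferred (assumed names)
GATEWAY_GROUPS: Dict[str, Dict[str, int]] = {
    "AllWAN_Failover": {"WIFI_GW": 1, "CELL_GW": 2, "SAT_GW": 3},
    "NoSat_Failover": {"WIFI_GW": 1, "CELL_GW": 2},  # satellite deliberately excluded
}

# Alias holding the IPs that static DHCP mappings pin to the restricted MACs
ALIASES: Dict[str, List[str]] = {
    "no_sat_clients": ["192.168.1.50", "192.168.1.51"],
}


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    source: str                    # alias name, CIDR, or "any"
    gateway: Optional[str] = None  # gateway group name; None = normal routing


# LAN rules as first sketched in the thread: restrict the alias, then a catch-all
NAIVE_RULES = [
    Rule("pass", "no_sat_clients", "NoSat_Failover"),
    Rule("pass", "192.168.1.0/24", "AllWAN_Failover"),
]

# Hardened variant: an explicit block for the alias sits above the catch-all so
# the restricted clients are dropped, not re-routed, once their group is fully down
HARDENED_RULES = [
    Rule("pass", "no_sat_clients", "NoSat_Failover"),
    Rule("block", "no_sat_clients"),
    Rule("pass", "192.168.1.0/24", "AllWAN_Failover"),
]


def source_matches(source: str, client_ip: str) -> bool:
    """Match a rule's source field (alias, CIDR or 'any') against a client IP."""
    if source == "any":
        return True
    if source in ALIASES:
        return client_ip in ALIASES[source]
    return ip_address(client_ip) in ip_network(source, strict=False)


def live_members(group: str, gw_up: Dict[str, bool]) -> List[str]:
    """Gateways in the lowest tier of `group` that still has at least one member up."""
    members = GATEWAY_GROUPS[group]
    for tier in sorted(set(members.values())):
        up = [gw for gw, t in members.items() if t == tier and gw_up.get(gw, False)]
        if up:
            return up
    return []


def route_client(client_ip: str, rules: List[Rule], gw_up: Dict[str, bool],
                 skip_rules_when_gw_down: bool = False) -> str:
    """Return the gateway a client's new connection leaves on, or 'BLOCKED'."""
    for rule in rules:
        if not source_matches(rule.source, client_ip):
            continue
        if rule.action == "block":
            return "BLOCKED"
        if rule.gateway is None:
            return DEFAULT_GATEWAY
        live = live_members(rule.gateway, gw_up)
        if live:
            return live[0]  # several members in one tier would be load-balanced
        if skip_rules_when_gw_down:
            continue  # rule omitted entirely; evaluation falls through to the next rule
        return DEFAULT_GATEWAY  # rule kept without its gateway: the default route wins
    return "BLOCKED"  # default deny for traffic no rule matched


if __name__ == "__main__":
    appletv, laptop = "192.168.1.50", "192.168.1.20"
    only_sat_up = {"WIFI_GW": False, "CELL_GW": False, "SAT_GW": True}
    print(route_client(appletv, NAIVE_RULES, only_sat_up))            # SAT_GW
    print(route_client(appletv, NAIVE_RULES, only_sat_up, True))      # SAT_GW (catch-all)
    print(route_client(appletv, HARDENED_RULES, only_sat_up))         # SAT_GW (rule kept)
    print(route_client(appletv, HARDENED_RULES, only_sat_up, True))   # BLOCKED
    print(route_client(laptop, HARDENED_RULES, only_sat_up, True))    # SAT_GW
```

The point the model makes: with only the two "pass" rules, the Apple TV ends up on the satellite link as soon as WiFi and cell are both down, whether or not the skip option is set, because either the gateway-less rule or the catch-all rule carries it there. Keeping it off SAT needs both the explicit block rule above the catch-all and "Skip rules when gateway is down" enabled; the laptop, matched only by the catch-all, still fails over to SAT as intended.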