MPLS failover / same destination via different gateways



  • Hey guys,

    I've asked a similar question before and didn't get anywhere… I deployed 2.3 hoping that it might solve this, but apparently it can't without your help.

    Basically I have 2 locations with 2 WANs each (MPLS and DSL). I need to fail over to DSL when MPLS is down, and back when it's back.

    The problem I'm facing is that I can't add a static route for 10.0.2.0/24 twice with any sort of metric.

    Please help me out to accomplish the following:

    Site 1:  LAN (10.0.1.0/24) ------ (10.0.1.1 /24) pfSense (MPLS WAN: 172.16.1.2) ------ (172.16.1.1) MPLS Router ------ MPLS Cloud
                                                                                      (DSL WAN: x.x.x.2) ------ (x.x.x.1) DSL Modem ------ Internet

    Site 2:  LAN (10.0.2.0/24) ------ (10.0.2.1 /24) pfSense (MPLS WAN: 172.16.2.2) ------ (172.16.2.1) MPLS Router ------ MPLS Cloud
                                                                                      (DSL WAN: y.y.y.2) ------ (y.y.y.1) DSL Modem ------ Internet

    The MPLS is capable of routing 10.0.1.0 to 10.0.2.0 if used as the default gateway. I can also specify it as a static route for 10.0.1.0 and 10.0.2.0 to be able to talk.
    The DSL IPs are public static IPs and I can configure site-to-site IPsec (preferred) or OpenVPN using those and also have 10.0.1.0 and 10.0.2.0 communicate.

    How should I go about using MPLS and failing over to the VPN if MPLS is down? From what I understand I can't specify a gateway group for static routes, nor should I add static routes for networks configured in IPsec or OpenVPN.

    Thanks in advance for your help.



  • Anything guys?



  • Hi,

    I'll provide you with the same answer I was given (I basically asked the same here a while ago):

    pfSense is not capable of using ECMP or floating backup routes via static routing. You either use OSPF or use gateway groups.

    Hope this helps.



    Hi, first, sorry for my English.

    I have a similar scenario, and I resolved it this way.

    I create 2 VPN tunnels (peer to peer), one for ADSL (client and server both with the same settings) and the other one for MPLS (client and server both with the same settings).
    This allows creating an additional interface for each tunnel. This interface needs to be enabled, but leave all the settings blank; the interface will use the IP address configured in the OpenVPN P2P (both client and server). You only need to give it a name and enable it.

    Once you finish this the interfaces will appear on the dashboard, and if the tunnels are up they will show you the IP address used. Don't forget to open the ports used in the firewall rules. This is only needed on the server side of OpenVPN; the client doesn't need a listening port.

    The last thing you need to do is create a gateway group with the gateways associated with the OpenVPN dynamic gateways, in the same tier if you want load balancing or in different tiers if you want failover.

    Once you create the gateway group, you only need to assign it in one LAN rule in the firewall, for example:

    in site 1 you need to create a rule that permits traffic from any source to destination 10.0.2.0/24 using the gateway group (you find this "gateway group" in the advanced settings inside the firewall rule).

    and in site 2 you need the opposite rule, for example:
    permit traffic from any source to destination 10.0.1.0/24 using the gateway group.

    I worked a lot on this configuration. Both the OpenVPN and the VPN-assigned interfaces don't need any firewall rules; leave them empty.

    Regards, Max.

    Sorry again for the "English".
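
    Added example (not posted by anyone in this thread): the OpenVPN peer-to-peer shared-key configurations behind the approach Max describes, written out for the two sites in the original question. Site 1 runs the server side of both tunnels, site 2 the client side; one tunnel is bound to each site's MPLS WAN address and the other to its DSL WAN address, so each tunnel can only ever ride its own WAN. The tunnel networks 10.255.1.0/30 (MPLS tunnel) and 10.255.2.0/30 (DSL tunnel), the UDP ports 1194 and 1195, and the key file names are assumptions chosen for the example; x.x.x.2 and y.y.y.2 are the DSL addresses left unspecified in the question. pfSense generates equivalent configs from the GUI, so this is a reference for what the GUI fields map to, not something to paste onto the box.

```text
### Site 1 (10.0.1.0/24) - server side of both tunnels

# Tunnel A: runs over MPLS. "local" binds the listener to the MPLS WAN address,
# so this tunnel cannot silently fall through to the DSL path.
dev tun
proto udp
local 172.16.1.2                  # site 1 MPLS WAN (from the question)
port 1194                         # assumed; pass UDP/1194 from 172.16.2.2 on the MPLS WAN rules
secret /var/etc/openvpn/mpls.key  # static key, assumed path; generate with: openvpn --genkey --secret mpls.key
ifconfig 10.255.1.1 10.255.1.2    # assumed tunnel addresses: local, remote
                                  # 10.255.1.2 is what pfSense shows as this interface's dynamic gateway
cipher AES-256-CBC
auth SHA256
keepalive 10 60                   # ping every 10 s, restart after 60 s of silence: tunnel goes DOWN when MPLS fails
persist-key
persist-tun
verb 3

# Tunnel B: runs over DSL, bound to the DSL public address.
dev tun
proto udp
local x.x.x.2                     # site 1 DSL WAN (placeholder from the question)
port 1195                         # assumed; pass UDP/1195 from y.y.y.2 on the DSL WAN rules only
secret /var/etc/openvpn/dsl.key   # a second, independent key
ifconfig 10.255.2.1 10.255.2.2
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
verb 3

### Site 2 (10.0.2.0/24) - client side of both tunnels

# Tunnel A client: reaches the site 1 MPLS WAN address across the MPLS cloud,
# sourced from the local MPLS WAN so the MPLS static route is the only path used.
dev tun
proto udp
local 172.16.2.2                  # site 2 MPLS WAN
remote 172.16.1.2 1194
nobind                            # client needs no listening port (as the post says)
secret /var/etc/openvpn/mpls.key  # same key file as the server
ifconfig 10.255.1.2 10.255.1.1    # mirrored: local, remote
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
verb 3

# Tunnel B client: across the Internet to the site 1 DSL address.
dev tun
proto udp
local y.y.y.2                     # site 2 DSL WAN
remote x.x.x.2 1195
nobind
secret /var/etc/openvpn/dsl.key
ifconfig 10.255.2.2 10.255.2.1
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
verb 3
```

    With both tunnels assigned as interfaces, each site gets two dynamic gateways (10.255.1.x and 10.255.2.x). Put the MPLS-tunnel gateway in Tier 1 and the DSL-tunnel gateway in Tier 2 of a gateway group, and set the group's trigger to "Member Down" (or "Packet Loss" if you want to fail over before the tunnel is fully dead). The LAN rule for the remote /24 then points at the group, and the switch is driven by pfSense's gateway monitor pinging the peer tunnel address, which is why the OpenVPN gateway, not a static route, has to be the thing that fails. Two things worth checking: the shared-key mode used here has no forward secrecy and both ends hold the same secret, so the pfSense "Peer to Peer (SSL/TLS)" mode with per-site certificates is the stronger choice when you can afford the CA; and the WAN rule for each server port should be restricted to the single peer source address, since the DSL listener is exposed to the whole Internet.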

