I’ve done some searching, and some reading in the pfsense documentation. I think I’m understanding most of it, but I am trying to set up a multiple-WAN connection sort of unconventionally, and the documentation doesn’t really match what I want to do.
Background:
I will be having 2 connections at home, one for standard internet usage throughout the house for me and the family, and the other (business class connection) specifically for my office which is paid for by my company (Static IP requirements for our customers so that I can be allowed specific access to environments… MSP).
Currently all my traffic is going over the business class connection, as it was installed a while ago; my residential connection is going to be installed within the next couple of weeks.
Hardware:
pfsense running on bare metal
2x 1GB interfaces for WAN
2x 10GB interfaces for LAN (different switches, in different physical locations)
3 VLANs currently, more to come, but only one for my office equipment
My Mission:
I’d like to have my office VLAN specifically routed over the business class WAN connection and ONLY that connection, and then every other VLAN routed over the residential VLAN, and if that fails, to go over the business class connection (or maybe only certain VLANs). The failover on the residential side isn’t necessary, just a “nice to have”.
My thoughts:
I know this would have to do with gateway groups and potentially setting the tiers up correctly… and some static routes, but I’m not sure exactly where to start with this.
The business class has a static IP, and that isn’t a problem, the issue is that the residential connection has a dynamically assigned IP, so it kinda throws me off a bit.
Any help would be appreciated, and please let me know if I missed something or if there’s already a post on this somewhere. I didn’t see much that really fit the bill.
Under System - Routing - Gateway Groups, create a gateway group with the residential WAN as a lower priority than the business WAN.
Under System - Routing - Gateways, make this the default gateway for IPv4. This will route all internet traffic using the newly created gateway group.
On the office VLAN firewall rule that allows access to the internet, click on Advanced Options and change the gateway to the business WAN (not the gateway group).
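The three settings above live in the exported config.xml, so the policy can be audited there rather than by clicking through the GUI. The following is an added example and not code from the thread or from the pfSense project. It assumes the config.xml layout of pfSense 2.5 and later (gateway_group items as `name|tier|monitor`, `defaultgw4` under `gateways`, per-rule `gateway` under `filter/rule`) and uses made-up gateway and interface names (`WAN_RES_DHCP`, `WAN_BIZ`, `HomeFailover`, `opt2`); the embedded XML is a constructed sample, not a real export. It checks that the residential gateway has the lower tier number (higher priority) in the group, that the group is the IPv4 default, and that every Internet-bound pass rule on the office VLAN is pinned to the business gateway rather than the group.

```python
"""Audit a pfSense config.xml for the split-WAN policy from the thread.

Added example (not pfSense's own code). Assumed config.xml layout:
  gateways/gateway_group/item  -> "GATEWAYNAME|TIER|MONITOR"
  gateways/defaultgw4          -> name of the default IPv4 gateway/group
  filter/rule/gateway          -> per-rule policy-routing gateway
"""
import xml.etree.ElementTree as ET

# Constructed sample config, trimmed to the elements the audit inspects.
SAMPLE_CONFIG = """<pfsense>
  <gateways>
    <gateway_item><interface>wan</interface><gateway>203.0.113.1</gateway>
      <name>WAN_BIZ</name><ipprotocol>inet</ipprotocol></gateway_item>
    <gateway_item><interface>opt1</interface><gateway>dynamic</gateway>
      <name>WAN_RES_DHCP</name><ipprotocol>inet</ipprotocol></gateway_item>
    <gateway_group>
      <name>HomeFailover</name>
      <item>WAN_RES_DHCP|1|address</item>
      <item>WAN_BIZ|2|address</item>
      <trigger>down</trigger>
      <descr>Residential first, business as fallback</descr>
    </gateway_group>
    <defaultgw4>HomeFailover</defaultgw4>
  </gateways>
  <filter>
    <rule>
      <type>pass</type><interface>opt2</interface><ipprotocol>inet</ipprotocol>
      <source><network>opt2</network></source>
      <destination><any/></destination>
      <gateway>WAN_BIZ</gateway>
      <descr>Office VLAN to Internet via business WAN only</descr>
    </rule>
    <rule>
      <type>pass</type><interface>opt3</interface><ipprotocol>inet</ipprotocol>
      <source><network>opt3</network></source>
      <destination><any/></destination>
      <descr>Home VLAN, follows the default gateway group</descr>
    </rule>
  </filter>
</pfsense>
"""


def parse_gateway_group(root, group_name):
    """Return {gateway_name: tier} for the named gateway group."""
    for grp in root.iterfind("./gateways/gateway_group"):
        if grp.findtext("name") == group_name:
            tiers = {}
            for item in grp.iterfind("item"):
                gw, tier, _monitor = item.text.strip().split("|")
                tiers[gw] = int(tier)
            return tiers
    raise ValueError(f"gateway group {group_name!r} not found")


def audit_split_wan(config_xml, *, group, residential_gw, business_gw, office_iface):
    """Return a list of policy violations; an empty list means the config matches."""
    root = ET.fromstring(config_xml)
    findings = []

    # 1. Tier order: in pfSense a lower tier number is a higher priority,
    #    so the residential WAN must sit below the business WAN's tier number.
    tiers = parse_gateway_group(root, group)
    if residential_gw not in tiers or business_gw not in tiers:
        findings.append(f"group {group!r} must contain both {residential_gw!r} and {business_gw!r}")
    elif not tiers[residential_gw] < tiers[business_gw]:
        findings.append(
            f"{residential_gw} is tier {tiers[residential_gw]} but {business_gw} is tier "
            f"{tiers[business_gw]}: residential must have the lower tier number to be preferred"
        )

    # 2. The group must be the IPv4 default gateway so all other VLANs use it.
    defaultgw4 = root.findtext("./gateways/defaultgw4")
    if defaultgw4 != group:
        findings.append(f"defaultgw4 is {defaultgw4!r}, expected the group {group!r}")

    # 3. Every Internet-bound (destination any) IPv4 pass rule on the office
    #    VLAN must pin the business gateway; no gateway means it would follow
    #    the default group and could leak office traffic onto the residential WAN.
    for rule in root.iterfind("./filter/rule"):
        if rule.findtext("interface") != office_iface or rule.findtext("type") != "pass":
            continue
        if rule.findtext("ipprotocol", "inet") not in ("inet", "inet46"):
            continue
        if rule.find("destination/any") is None:
            continue  # local-destination rules do not need policy routing
        gw = rule.findtext("gateway")
        descr = rule.findtext("descr", "")
        if gw is None:
            findings.append(f"office rule {descr!r} has no gateway set; it would follow the default group")
        elif gw != business_gw:
            findings.append(f"office rule {descr!r} uses gateway {gw!r}, expected {business_gw!r}")
    return findings


# Two deliberately broken variants of the sample, for comparison.
SWAPPED_TIERS = SAMPLE_CONFIG.replace("WAN_RES_DHCP|1|", "WAN_RES_DHCP|2|").replace("WAN_BIZ|2|", "WAN_BIZ|1|")
UNPINNED_OFFICE_RULE = SAMPLE_CONFIG.replace("<gateway>WAN_BIZ</gateway>", "")

POLICY = dict(group="HomeFailover", residential_gw="WAN_RES_DHCP",
              business_gw="WAN_BIZ", office_iface="opt2")

if __name__ == "__main__":
    for label, cfg in (("good", SAMPLE_CONFIG), ("swapped tiers", SWAPPED_TIERS),
                       ("office rule unpinned", UNPINNED_OFFICE_RULE)):
        print(label, "->", audit_split_wan(cfg, **POLICY) or "OK")
```

Point it at a real export (Diagnostics - Backup & Restore) by reading the file into `audit_split_wan` with your own gateway, group and interface names. The rule check only looks at rules whose destination is `any`; rules that only reach local networks are intentionally skipped, since policy routing them would break LAN-to-LAN traffic.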
It sounds like you have two near-identical WANs. If your residential traffic is triggered to switch over to the Business WAN when it fails, I suspect it will stay on it until triggered again, that is, until the Business connection goes down. You might be able to set up an alert to inform you that the residential WAN is down, unless using your Business WAN for personal use is fine.
You might have to play with your connections, if one is “always” faster perhaps setting the trigger to high latency would be better.
@Paul
Awesome, thank you! I think I was missing the firewall rule aspect… clearly not fully thinking everything through all the way :-). Makes perfect sense to me.
@neogrid
I’m not sure how I’m going to trigger yet, but that’s a solid point. Once I have my HomeAssistant or my Zabbix server back up and running I will see if I can set up an alert based on a trap or something. Good call. The fail-back always seems to be the more interesting problem.
@Paul and @neogrid
Thank you both! I just got the residential WAN installed, and it’s working flawlessly, though I did have to swap priorities on the gateway group. Now everything is flowing to the residential, except the office VLAN, which is perfect!
I’ll have to do some stress testing later once no one is home and I’m done working, just to test the fail-over/fail-back, and again, look into the monitoring a bit, but the basics are working well and that’s all I need for now!
The other thing that’s useful in general is the Watchdog service add-on, which restarts failed services. If the WAN goes down it should automatically come up when available; however, it doesn’t hurt to have it running.