That is awesome.
Thanks for your content, i am thinking about getting a pfSense box to implement such failover with my 5G broadband subscription!
Good explanation 👍
Thanks 👍
Thanks
Glad it helped 👍
Your videos are always very helpful - straight and to the point.
I just read recently there is a long running and known issue with pfsense not properly reverting back to primary gateway - instead continuing to use backup. Are you aware of this? It seems to be working for you. I wonder how existing open connections are handled - perhaps the issue (I'm speculating I haven't read in any detail) is existing connections remain open using the gateway they were opened on? Until that socket is closed? This is obviously an issue when folks are using a metered connection for backup.
I'd be interested in seeing some rule/routing configs based on current gateway - for instance to restrict traffic on failover to critical devices and/or services only.
Thanks for the feedback, there's another video on load balancing with failover done since that night explaining how the gateway switching works: there's a delay until the connection becomes stable before it switches back.
I also covered some of the policy-based routing for rules, iirc.
I have a question. I remotely manage a 6100 in another country and we are currently upgrading to a fiber connection. My only connection is through OpenVPN, and if I start changing the WAN addressing and GW I am going to be disconnected. I am afraid to try and set up WAN with the new IP information and a new GW first because I am afraid of messing things up, leaving me without a connection. If I were to add my new GW and new settings on the second WAN while leaving the current GW and WAN2 active, will applying these settings somehow disrupt the current active connection? I'm so paranoid I haven't even upgraded from ver 22 because, not being local, it's too risky to attempt a firmware upgrade.
Sir, regarding the last part of your video, I am confused about setting the gateway in the firewall rules. I tried the failover, and even when it is not set on the firewall rules the failover is also working, so what is the difference if I set it on the firewall rules?
You can set firewall rules up for policy based routing for your LAN. You can also specify the default gateway used by pfSense itself.
For example if you have the default gateway for pfSense set to WAN1, and try to access it (the gui) remotely via WAN2, it won't respond as it tries to route through the default gateway (WAN1).
If you use a gateway group, and set that as the default gateway for pfSense, it can respond to remote web requests to the gui via any IP.
Hope that makes sense
What happens if you have port forwards and run a server? Do the port forwards follow along with the No-IP address?
There are a couple of options off the top of my head, one being to use a dynamic DNS service and use the DDNS client in pfSense to update the IP address when it changes.
Another option would be to use a cloud provider with a static IP and vpn such as wireguard back to your server. You could even use haproxy on a cloud instance to handle the availability.
What a great question! Something I'll take into account to cover.
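The replies above describe two behaviours that are easy to get wrong when reasoning about a gateway group: failover to the backup tier is immediate, but switching back to the preferred tier waits until that gateway has been stable for a while, and the address a DDNS client publishes has to follow whichever WAN is actually carrying traffic. The following Python is an added example written for this thread, not pfSense code and not the video author's; it models that decision logic over constructed gateway status checks (the WAN addresses are documentation-range placeholders) so the flapping behaviour can be traced step by step.

```python
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str       # e.g. WAN1, WAN2 (constructed names)
    wan_ip: str     # public address on that WAN (placeholder values below)
    tier: int       # 1 = preferred, 2 = backup, as in a pfSense gateway group
    online: bool    # last monitor (ping) result


class FailoverDdns:
    """Picks the active member of a tiered gateway group and decides when the
    published DDNS address must change.

    Failover to a lower-priority tier is immediate when the current gateway
    goes down.  Switching *back* to a better tier only happens once that
    gateway has been up for `stabilise` consecutive checks, which is the
    'wait until stable' delay mentioned in the thread (the check count and
    the whole selection routine are this example's own assumptions, not
    pfSense's implementation).
    """

    def __init__(self, gateways, stabilise=3):
        self.gateways = sorted(gateways, key=lambda g: g.tier)
        self.stabilise = stabilise
        self.current = None                              # gateway in use
        self.up_streak = {g.name: 0 for g in self.gateways}
        self.published_ip = None                         # what DDNS holds
        self.updates = []                                # (gateway, ip) pushes

    def check(self, status):
        """Apply one round of monitor results (name -> online bool).

        Returns (active gateway name, whether a DDNS update was pushed)."""
        for g in self.gateways:
            g.online = status.get(g.name, False)
            self.up_streak[g.name] = self.up_streak[g.name] + 1 if g.online else 0

        online = [g for g in self.gateways if g.online]  # already tier-sorted
        if not online:
            # Nothing usable: keep the last choice, publish nothing new.
            return (self.current.name if self.current else None), False

        if self.current is None or not self.current.online:
            chosen = online[0]                           # immediate failover
        else:
            better = [g for g in online
                      if g.tier < self.current.tier
                      and self.up_streak[g.name] >= self.stabilise]
            chosen = better[0] if better else self.current   # hold until stable

        self.current = chosen
        pushed = False
        if chosen.wan_ip != self.published_ip:
            # Only push to the DDNS provider when the effective address moves.
            self.published_ip = chosen.wan_ip
            self.updates.append((chosen.name, chosen.wan_ip))
            pushed = True
        return chosen.name, pushed


def run_scenario():
    """Constructed sequence: primary drops, comes back, and is only reselected
    after three stable checks.  Returns the per-check (gateway, pushed) list."""
    group = FailoverDdns([
        Gateway("WAN1", "203.0.113.10", tier=1, online=True),   # fibre, preferred
        Gateway("WAN2", "198.51.100.20", tier=2, online=True),  # cable, backup
    ], stabilise=3)
    rounds = [
        {"WAN1": True, "WAN2": True},    # normal: WAN1 selected, DDNS set
        {"WAN1": False, "WAN2": True},   # WAN1 down: instant failover to WAN2
        {"WAN1": True, "WAN2": True},    # WAN1 back, streak 1: stay on WAN2
        {"WAN1": True, "WAN2": True},    # streak 2: stay on WAN2
        {"WAN1": True, "WAN2": True},    # streak 3: switch back, DDNS updated
    ]
    return [group.check(r) for r in rounds]


if __name__ == "__main__":
    for step, (gw, pushed) in enumerate(run_scenario(), 1):
        print(f"check {step}: active={gw} ddns_update={pushed}")
```

The point to take from the trace is that the backup address stays published for the whole stabilisation window, so a metered backup link keeps carrying new inbound connections until the primary is trusted again; lowering the stabilisation threshold trades faster fallback for more DDNS churn if the primary flaps.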
@sheridans yeah, I'm already using the client inside of pfSense for the dynamic DNS. Will that track the interface that is up, or just settle for the primary interface and stick with it?
Also thinking do I need to copy all the rules from wan1 to wan2 and mirror it for the port forwards. Or will the box figure that out itself?
I have a cable connection and a fibre optic connection. I want to use the fibre optic as my primary and fail over to the cable. Both will have public-facing IPs, so I'm hoping for an easy swap.
I'd copy the rules across; you'll need to do port forwarding on both IPs. You may be able to use interface groups, I haven't tried this actually.
This is the best you'll get through pfSense load balancing/failover. True HA would require your ISP to provide multiple internet connections with MPLS, which is expensive.
Interesting idea to test tbh, I'll try to look at it as soon as I can.
@sheridans that would be awesome. I don't think true high availability options will be within reach for a decent price anytime soon. And to be honest the fibre line is very stable. But I have the cable as a free internet connection at this apartment in our contract. So I figured I would bridge the modem, pass on the public IP to the pfSense and maybe set it up in the rules. I have not tried it yet. Still learning more advanced networking and tinkering.
My servers and stuff really don't "need" HA or failover. But it's fun and I love to learn new stuff.
Can you make a video without load balancing and failover? Thank you.
This video covers failover in the first part and load balancing in the second part.