Netgate is offering COVID-19 aid for pfSense software users, learn more.
Multi-WAN Terminology and Concepts¶
This section covers the terminology and concepts necessary to understand to deploy multi-WAN with pfSense® software.
A WAN-type interface is an interface through which the Internet can be reached, directly or indirectly. The firewall treats any interface with a gateway selected on its Interfaces menu page as a WAN. For example, with a static IP address WAN, Interfaces > WAN has a gateway selected, such as WAN_GW. If this gateway selection is not present, then the interface will be treated as a local interface instead. Do not select a gateway on the Interfaces menu entry for local interfaces. Dynamic IP address interfaces such as DHCP and PPPoE receive a dynamic gateway automatically and are always treated as WANs.
The presence of a gateway on the interface configuration changes the firewall
behavior on such interfaces in several ways. For example, interfaces with a
gateway set have
reply-to on their firewall rules, they are used as exit
interfaces for automatic and hybrid outbound NAT, and they are treated as WANs
by the traffic shaper wizard.
Local and other interfaces may have a gateway defined under System > Routing, so long as that gateway is not chosen under their interface configuration, for example on Interfaces > LAN.
Policy routing refers to a means of routing traffic by more than the destination IP address of the traffic, as is done with the routing table in most operating systems and routers. This is accomplished by the use of a policy of some sort, usually firewall rules or an access control list. In pfSense, the Gateway field available when editing or adding firewall rules enables the use of policy routing. The Gateway field contains all gateways defined on the firewall under System > Routing, plus any gateway groups.
Policy routing provides a powerful means of directing traffic to the appropriate WAN interface or other gateway, since it allows matching anything a firewall rule can match. Specific hosts, subnets, protocols and more can be used to direct traffic.
Remember that all firewall rules including policy routing rules are processed in top down order, and the first match wins.
Gateway groups define how a chosen set of gateways provide failover and/or load balancing functionality. They are configured under System > Routing, on the Gateway Groups tab.
Failover refers to the ability to use only one WAN connection, but switch to another WAN if the preferred connection fails. This is useful for situations where certain traffic, all traffic, should utilize one specific WAN connection unless it is unavailable.
To fail from one firewall to another, rather than from one WAN to another, see High Availability.
The Load Balancing functionality in pfSense allows traffic to be distributed over multiple WAN connections in a round-robin fashion. This is done on a per- connection basis. If a gateway that is part of a load balancing group fails, the interface is marked as down and removed from all groups until it recovers.
Monitor IP Addresses¶
When configuring failover or load balancing, each gateway is associated with a monitor IP address (Monitor IP). In a typical configuration, pfSense will ping this IP address and if it stops responding, the interface is marked as down. Options on the gateway group can select different failure triggers besides packet loss. The other triggers are high latency, a combination of either packet loss or high latency, or when the circuit is down.
What constitutes failure?¶
The topic is a little more complex than “if pings to the monitor IP fail, the interface is marked as down.” The actual criteria for a failure depend on the options chosen when creating the gateway group and the individual settings on a gateway.
The settings for each gateway that control when it is considered up and down are all discussed in Advanced. The thresholds for packet loss, latency, down time, and even the probing interval of the gateway are all individually configurable.
State Killing/Forced Switch¶
When a gateway has failed, pfSense can optionally flush all states to force clients to reconnect, and in doing so they will use a gateway that is online instead of a gateway that is down. This currently only works one-way, meaning that it can move connections off of a failing gateway, but it cannot force them back if the original gateway comes back online.
This is an optional behavior, enabled by default. For information on changing this setting, see Gateway Monitoring.
Default Gateway Switching¶
Traffic exiting the firewall itself will use the default gateway unless a static route sends the packet along a different path. If the default gateway is on a WAN that is down, daemons on the firewall will be unable to make outbound connections, depending on the capabilities of the daemon and its configuration. When Default Gateway Switching (Default Gateway Switching) is enabled, the default gateway for the firewall will be switched to the next available gateway if the normal default gateway fails, and then switched back when that WAN recovers.