Multi-WAN Terminology and Concepts

This section covers the terminology and concepts necessary to understand to deploy multi-WAN with pfSense® software.

Policy routing

Policy routing refers to a means of routing traffic by more than the destination IP address of the traffic, as is done with the routing table in most operating systems and routers. This is accomplished by the use of a policy of some sort, usually firewall rules or an access control list. In pfSense, the Gateway field available when editing or adding firewall rules enables the use of policy routing. The Gateway field contains all gateways defined on the firewall under System > Routing, plus any gateway groups.

Policy routing provides a powerful means of directing traffic to the appropriate WAN interface or other gateway, since it allows matching anything a firewall rule can match. Specific hosts, subnets, protocols and more can be used to direct traffic.


Remember that all firewall rules, including policy routing rules, are processed in top down order, and the first match wins.

Gateway Groups

Gateway groups define how a chosen set of gateways provide failover and/or load balancing functionality. They are configured under System > Routing, on the Gateway Groups tab.

See Gateway Groups for more.


Failover refers to the ability to switch from one or more WANs to an alternate WAN if the preferred connection fails. This is useful for situations where traffic should utilize one specific WAN connection unless it is unavailable.

See also

To fail from one firewall to another, rather than from one WAN to another, see High Availability.

Load Balancing

The Load Balancing functionality in pfSense software distributes connections over multiple WAN connections in a round-robin fashion. This feature operates on a per-connection basis. If a gateway that is part of a load balancing group fails, the interface is marked as down and removed from all groups until it recovers, thus a load balanced configuration effectively also includes failover functionality.

Monitor IP Addresses

When configuring failover or load balancing, each gateway is associated with a monitor IP address (Gateway Settings). In a typical configuration, the firewall will ping this IP address and if it stops responding, the gateway is marked as down. Options on the gateway group can select different failure triggers besides packet loss. The other triggers are high latency, a combination of either packet loss or high latency, or when the circuit is down.

What constitutes failure?

The topic is a little more complex than “if pings to the monitor IP address fail, the gateway is marked as down.” The actual criteria for a failure depend on the options chosen when creating the gateway group and the individual settings on a gateway.

The settings for each gateway that control when it is considered up and down are all discussed in Advanced Gateway Settings. The thresholds for packet loss, latency, down time, and even the probing interval of the gateway are all individually configurable.

State Killing/Forced Switch

When a gateway has failed, the firewall can optionally flush all states to force clients to reconnect, and in doing so they will use a gateway that is online instead of a gateway that is down. This currently only works one-way, meaning that it can move connections off of a failing gateway, but it cannot force them back if the original gateway comes back online.

This is an optional behavior, but it is not enabled by default since it is disruptive. For information on changing this setting, see Gateway Monitoring.

Default Gateway Switching

Traffic exiting the firewall itself will use the default gateway unless a static route sends the packet along a different path. If the default gateway is on a WAN that is down, daemons on the firewall will be unable to make outbound connections, depending on the capabilities of the daemon and its configuration.

The default gateway for the firewall can be set to a gateway group or set to an automatic mode, which will switch the default to the next available gateway if the normal default gateway fails, and then switched back when that WAN recovers. See Managing the Default Gateway for details.