Multi-WAN Terminology and Concepts¶
This section covers terminology and concepts necessary to understand the deployment of multi-WAN functionality with pfSense® software.
Policy routing refers to a means of routing traffic by matching a policy, typically involving firewall rules or access control lists. This type of routing can consider more factors than the destination IP address of the traffic, as is done with the routing table in most operating systems and routers.
In pfSense software the Gateway field available when editing or adding firewall rules enables the use of policy routing. The Gateway field contains all gateways defined on the firewall under System > Routing, plus any gateway groups.
Policy routing provides a powerful means of directing traffic to use an appropriate path, since anything a firewall rule can match may be used as criteria for making policy routing decisions. Specific hosts, subnets, protocols, ports, and more can be used to direct traffic.
Remember on per-interface rule tabs that all firewall rules, including policy routing rules, are processed in top down order, and the first match wins.
Gateway groups define how a chosen set of gateways provide failover and/or load balancing functionality. They are configured under System > Routing, on the Gateway Groups tab.
See Gateway Groups for more.
Failover refers to the ability to switch from one or more WANs to an alternate set of WANs if the preferred connections fail. This is useful for situations where traffic should utilize a specific WAN connection unless it is unavailable.
To fail from one firewall to another, rather than from one WAN to another, see High Availability.
The Load Balancing functionality in pfSense software distributes connections over multiple WAN connections in a round-robin fashion. This feature operates on a per-connection basis, not a per-packet basis. If a gateway that is part of a load balancing group fails, the interface is marked as down and removed from all groups until it recovers, thus a load balanced configuration effectively also includes failover functionality.
Monitor IP Addresses¶
When configuring failover or load balancing, each gateway is associated with a monitor IP address (Gateway Settings). In a typical configuration, the firewall will ping this IP address and if it stops responding, the gateway is marked as down. Options on the gateway group can select different failure triggers besides packet loss. The other triggers are high latency, a combination of either packet loss or high latency, or when the circuit is down.
What constitutes failure?¶
The topic is a little more complex than “if pings to the monitor IP address fail, the gateway is marked as down.” The actual criteria for a failure depend on the options chosen when creating the gateway group and the individual settings on a gateway.
The settings for each gateway that control when it is considered up and down are all discussed in Advanced Gateway Settings. The thresholds for packet loss, latency, down time, and even the probing interval of the gateway are all individually configurable.
State Killing/Forced Switch¶
When a gateway has failed, the firewall can optionally flush states to force clients to reconnect, and in doing so they will use a gateway that is online instead of a gateway that is down. This can be done for the entire state table or selectively for only gateways that are down. When clearing states for a specific gateway, it can only clear states created by policy routing rules.
This currently only works one-way, meaning that it can move connections off of a failing gateway, but it cannot force them back if the original gateway comes back online.
This is an optional behavior and it is not enabled by default as it can be disruptive. For information on changing this setting, see State Killing on Gateway Failure.
Default Gateway Switching¶
Traffic exiting the firewall itself will use the default gateway unless a static route sends the packet along a different path. If the default gateway is on a WAN that is down, daemons on the firewall will be unable to make outbound connections, depending on the capabilities of the daemon and its configuration.
The default gateway for the firewall can be set to a gateway group or set to an automatic mode, which will switch the default to the next available gateway if the normal default gateway fails, and then switched back when that WAN recovers. See Managing the Default Gateway for details.