Multi-WAN Terminology and Concepts
This section covers the terminology and concepts necessary to understand to deploy multi-WAN with pfSense® software.
A WAN-type interface is an interface through which the Internet can be reached, directly or indirectly. The firewall treats any interface with a gateway selected on its Interfaces menu page as a WAN. For example, with a static IP address WAN, Interfaces > WAN has a gateway selected, such as WAN_GW. If this gateway selection is not present, then the interface will be treated as a local interface instead. Dynamic IP address interfaces such as DHCP and PPPoE receive a dynamic gateway automatically and are always treated as WANs.
The presence of a gateway on the interface configuration changes the firewall behavior on such interfaces in several ways:

- Firewall rules on these interfaces have reply-to added, which returns connections coming in through that WAN back out via the same WAN where possible
- These interfaces are used as exit interfaces for automatic and hybrid outbound NAT
- These interfaces are treated as WANs by the traffic shaper wizard
Do not select a gateway on the Interfaces menu entry for local interfaces such as LAN.
Local and other interfaces may have a gateway defined under System > Routing, so long as that gateway is not chosen under their interface configuration, for example on Interfaces > LAN.
Policy routing refers to a means of routing traffic by criteria other than the destination IP address alone, which is all the routing table in most operating systems and routers considers. This is accomplished by the use of a policy of some sort, usually firewall rules or an access control list. In pfSense, the Gateway field available when editing or adding firewall rules enables the use of policy routing. The Gateway field contains all gateways defined on the firewall under System > Routing, plus any gateway groups.
Policy routing provides a powerful means of directing traffic to the appropriate WAN interface or other gateway, since it allows matching anything a firewall rule can match. Specific hosts, subnets, protocols and more can be used to direct traffic.
Remember that all firewall rules, including policy routing rules, are processed in top-down order, and the first match wins.
Gateway groups define how a chosen set of gateways provide failover and/or load balancing functionality. They are configured under System > Routing, on the Gateway Groups tab.
See Gateway Groups for more.
Failover refers to the ability to switch from one or more WANs to an alternate WAN if the preferred connection fails. This is useful for situations where traffic should utilize one specific WAN connection unless it is unavailable.
To fail from one firewall to another, rather than from one WAN to another, see High Availability.
The Load Balancing functionality in pfSense software distributes connections over multiple WAN connections in a round-robin fashion. This feature operates on a per-connection basis. If a gateway that is part of a load balancing group fails, the interface is marked as down and removed from all groups until it recovers, so a load-balanced configuration effectively also includes failover functionality.
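The following simulation ties together the concepts above (top-down rule evaluation with first match wins, the Gateway field on a rule, gateway groups, failover and per-connection round-robin load balancing). It is an added example written for this page, not pfSense code; the tier numbers follow the pfSense convention that lower tiers are preferred and members of one tier are balanced, and the gateway names, networks and rule set are constructed.

```python
"""Simulation of pfSense-style policy routing and gateway groups.

Added example, not pfSense code. Models: rules evaluated top-down with
first match wins, a per-rule Gateway field, gateway groups with failover
tiers, and per-connection round-robin among a tier's live members.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Gateway:
    name: str
    up: bool = True          # set by gateway monitoring (see "Monitor IP Addresses")


@dataclass
class GatewayGroup:
    name: str
    tiers: dict              # tier number -> list of gateway names; lower tier preferred


@dataclass
class Rule:
    action: str              # "pass" or "block"
    proto: str               # "any", "tcp" or "udp"
    src: str                 # source network in CIDR notation
    dst: str                 # destination network in CIDR notation
    dport: Optional[int]     # destination port, None = any
    gateway: Optional[str]   # Gateway field: gateway name, group name, or None (routing table)


@dataclass
class Connection:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule, conn):
    """True if the rule matches the new connection."""
    return (
        rule.proto in ("any", conn.proto)
        and ip_address(conn.src) in ip_network(rule.src)
        and ip_address(conn.dst) in ip_network(rule.dst)
        and rule.dport in (None, conn.dport)
    )


class PolicyRouter:
    def __init__(self, rules, gateways, groups):
        self.rules = rules                                   # evaluated top-down
        self.gateways = {g.name: g for g in gateways}
        self.groups = {g.name: g for g in groups}
        self._next = {}                                      # group name -> round-robin counter

    def first_match(self, conn):
        """Top-down evaluation: the first matching rule wins."""
        for rule in self.rules:
            if matches(rule, conn):
                return rule
        return None

    def pick_gateway(self, target):
        """Resolve a Gateway field to a live gateway name, or None if nothing is up."""
        if target in self.gateways:
            return target if self.gateways[target].up else None
        group = self.groups[target]
        for tier in sorted(group.tiers):                     # failover: lowest tier with a live member
            live = [n for n in group.tiers[tier] if self.gateways[n].up]
            if live:
                # load balancing: round-robin per connection among the tier's live members
                i = self._next.get(target, 0)
                self._next[target] = i + 1
                return live[i % len(live)]
        return None

    def route(self, conn):
        """Return ('block', None), ('pass', 'routing-table') or ('pass', gateway name)."""
        rule = self.first_match(conn)
        if rule is None or rule.action == "block":           # implicit deny when nothing matches
            return ("block", None)
        if rule.gateway is None:
            return ("pass", "routing-table")
        return ("pass", self.pick_gateway(rule.gateway))


def build_example():
    """Constructed sample configuration (hypothetical names, not from a real firewall)."""
    gateways = [Gateway("WAN1_GW"), Gateway("WAN2_GW"), Gateway("WAN3_GW")]
    groups = [GatewayGroup("LB_GROUP", {1: ["WAN1_GW", "WAN2_GW"], 2: ["WAN3_GW"]})]
    rules = [
        # VoIP signalling from the LAN is pinned to WAN2; it sits first so it wins
        Rule("pass", "udp", "10.0.0.0/24", "0.0.0.0/0", 5060, "WAN2_GW"),
        # traffic to an internal server network uses the routing table, no policy routing
        Rule("pass", "any", "10.0.0.0/24", "10.1.0.0/16", None, None),
        # everything else from the LAN is load balanced over WAN1/WAN2, failing over to WAN3
        Rule("pass", "any", "10.0.0.0/24", "0.0.0.0/0", None, "LB_GROUP"),
    ]
    return PolicyRouter(rules, gateways, groups)


if __name__ == "__main__":
    r = build_example()
    web = Connection("tcp", "10.0.0.10", "203.0.113.50", 443)
    print(r.route(web))                                      # ('pass', 'WAN1_GW')
    print(r.route(web))                                      # ('pass', 'WAN2_GW')  round-robin
    r.gateways["WAN1_GW"].up = r.gateways["WAN2_GW"].up = False
    print(r.route(web))                                      # ('pass', 'WAN3_GW')  tier 2 failover
```

Note that the VoIP rule keeps winning even when WAN2_GW is down, because rule order, not gateway health, decides which rule matches; what the firewall then does with a rule whose gateway is down is a separate gateway setting and is not modelled here.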
Monitor IP Addresses
When configuring failover or load balancing, each gateway is associated with a monitor IP address (Gateway Settings). In a typical configuration, the firewall will ping this IP address and if it stops responding, the gateway is marked as down. Options on the gateway group can select different failure triggers besides packet loss. The other triggers are high latency, a combination of either packet loss or high latency, or when the circuit is down.
What constitutes failure?
The topic is a little more complex than “if pings to the monitor IP address fail, the gateway is marked as down.” The actual criteria for a failure depend on the options chosen when creating the gateway group and the individual settings on a gateway.
The settings for each gateway that control when it is considered up and down are all discussed in Advanced Gateway Settings. The thresholds for packet loss, latency, down time, and even the probing interval of the gateway are all individually configurable.
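To make the two preceding paragraphs concrete, here is an added example (not pfSense code) that turns a series of monitor probes into a gateway status and then applies each of the four group triggers named above. It assumes two-level thresholds per gateway (a warning level and a down level for both packet loss and latency), which is how pfSense's advanced gateway settings are structured; the threshold numbers and probe series are constructed for the example and are not pfSense defaults.

```python
"""Gateway failure decision, modelled on the triggers named on this page.

Added example, not pfSense code. Per-gateway thresholds are two-level
(warning / down); the numbers used below are constructed, not defaults.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Tuple

TRIGGERS = ("member_down", "packet_loss", "high_latency", "packet_loss_or_high_latency")


@dataclass
class GatewayThresholds:
    name: str
    loss_warn_pct: float      # loss at or above this raises a packet-loss warning
    loss_down_pct: float      # loss at or above this marks the gateway down
    latency_warn_ms: float    # average RTT at or above this raises a latency warning
    latency_down_ms: float    # average RTT at or above this marks the gateway down


def probe_stats(rtts: List[Optional[float]]) -> Tuple[float, float]:
    """rtts: round-trip times in ms, None for a lost probe. Returns (loss %, average ms)."""
    if not rtts:
        return 100.0, float("inf")          # no probes answered is indistinguishable from down
    answered = [r for r in rtts if r is not None]
    loss = 100.0 * (len(rtts) - len(answered)) / len(rtts)
    avg = mean(answered) if answered else float("inf")
    return loss, avg


def gateway_status(t: GatewayThresholds, rtts, link_up: bool = True) -> Tuple[bool, bool, bool]:
    """Return (down, loss_warning, latency_warning) for one probe window.

    'down' means the circuit is down (link lost or 100% loss) or a down
    threshold was crossed; the warnings flag loss or latency above the
    warning level but below the down level.
    """
    loss, avg = probe_stats(rtts)
    down = (not link_up) or loss >= t.loss_down_pct or avg >= t.latency_down_ms
    loss_warning = (not down) and loss >= t.loss_warn_pct
    latency_warning = (not down) and avg >= t.latency_warn_ms
    return down, loss_warning, latency_warning


def excluded_from_group(status: Tuple[bool, bool, bool], trigger: str) -> bool:
    """Apply the gateway group trigger level to a gateway's status."""
    down, loss_warning, latency_warning = status
    if trigger not in TRIGGERS:
        raise ValueError(f"unknown trigger {trigger!r}")
    if down:
        return True                         # every trigger removes a member that is down
    if trigger == "member_down":
        return False                        # warnings alone are not enough
    if trigger == "packet_loss":
        return loss_warning
    if trigger == "high_latency":
        return latency_warning
    return loss_warning or latency_warning  # packet_loss_or_high_latency


# Constructed thresholds and probe windows (ten probes each) for a hypothetical WAN1_GW.
WAN1 = GatewayThresholds("WAN1_GW", loss_warn_pct=10, loss_down_pct=20,
                         latency_warn_ms=200, latency_down_ms=500)
HEALTHY = [20, 22, 19, 21, 20, 23, 20, 22, 21, 20]           # 0% loss, ~21 ms
LOSSY = [20, None, 19, 21, 20, 23, 20, 22, 21, 20]           # 10% loss: warning, not down
SLOW = [240, 250, 260, 245, 255, 250, 248, 252, 250, 250]    # ~250 ms: latency warning
DEAD = [None] * 10                                           # 100% loss: circuit down


def decision_table(t=WAN1):
    """For each probe window, which triggers would remove the gateway from a group."""
    windows = {"healthy": HEALTHY, "lossy": LOSSY, "slow": SLOW, "dead": DEAD}
    return {
        name: {trig: excluded_from_group(gateway_status(t, rtts), trig) for trig in TRIGGERS}
        for name, rtts in windows.items()
    }


if __name__ == "__main__":
    for name, row in decision_table().items():
        print(name, row)
```

The point the table makes is the one the text makes: with the "member down" trigger only the dead window removes the gateway, whereas the loss and latency triggers also react to the warning-level windows, so two firewalls with identical monitor IP addresses can disagree about whether a gateway has failed purely because of the trigger and threshold settings.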
State Killing/Forced Switch
When a gateway has failed, the firewall can optionally flush all states to force clients to reconnect, and in doing so they will use a gateway that is online instead of the gateway that is down. This currently only works one way, meaning that it can move connections off a failing gateway, but it cannot force them back if the original gateway comes back online.
This is an optional behavior, but it is not enabled by default since it is disruptive. For information on changing this setting, see Gateway Monitoring.
Default Gateway Switching
Traffic exiting the firewall itself will use the default gateway unless a static route sends the packet along a different path. If the default gateway is on a WAN that is down, daemons on the firewall will be unable to make outbound connections, depending on the capabilities of the daemon and its configuration.
The default gateway for the firewall can be set to a gateway group or to an automatic mode, which switches the default to the next available gateway if the normal default gateway fails, and switches back when that WAN recovers. See Managing the Default Gateway for details.