IPsec in Multi-WAN Environments

IPsec on pfSense® software can work well with multiple WAN connections.

Alternate / Non-Default WAN

When using Multi-WAN with IPsec, pick the appropriate Interface choice for the WAN-type interface to which the tunnel will connect. If the connection will enter via WAN, pick WAN. If the tunnel will use a different WAN, choose whichever OPT WAN interface is needed. The firewall will automatically add a static route to ensure that the traffic to the Remote Gateway uses the appropriate WAN.

Failover with Gateway Groups and Dynamic DNS

IPsec can fail between multiple WANs but it requires some coordination and relies upon gateway groups and dynamic DNS. If the first gateway goes down the tunnel will move to the next available WAN in the group. When the first WAN comes back up, the tunnel will be rebuilt there again.


Due to its reliance on DNS, this type of failover can take several minutes to establish a tunnel after failover or recovery.

First, setup a failover type gateway group with only one gateway per tier.

Next, choose the failover gateway group from the Interface list on the IPsec phase 1 configuration.

Next, setup a new dynamic DNS entry for a hostname using the same gateway group as its interface. There are numerous dynamic DNS providers available for this purpose. The firewall will update the Dynamic DNS entry with the active WAN IP address when a WAN fails or recovers.

On the remote side of the tunnel, set the peer address to be the new dynamic DNS hostname. This peer will track updates to the hostname so that it will know to accept traffic from the newly activated WAN.


If a peer happens to support multiple remote gateway addresses for a tunnel, and all WANs on the pfSense software side are static, that can be used instead of relying on DNS.

Failover with Routed IPsec and Dynamic Routing

In some environments it is possible to use routed IPsec (VTI) to achieve faster Multi-WAN failover.

This method uses one VTI IPsec tunnel per WAN connecting to the same number of WANs at the remote peer. These VTI tunnels are kept up at all times.

Dynamic routing is then setup on all of the tunnels using the FRR Package to select an active path to the remote endpoint. Depending on the protocols used (e.g. OSPF vs BGP) and settings, failover can happen in seconds instead of minutes.