Netgate is offering COVID-19 aid for pfSense software users, learn more.
Policy Routing Configuration¶
At this point, the firewall is prepared for Multi-WAN but it will not yet be used. Traffic will not properly fail over or be load balanced without policy routing firewall rules in place.
An exception to this is when using a gateway group or automatic failover for the default gateway (Managing the Default Gateway). In this case failover could still function without policy routing, but not load balancing.
Configuring Firewall Rules for Policy Routing¶
Setting a Gateway on a firewall rule will cause traffic matching the rule to use the chosen gateway or group, following the configured behavior of the group.
The easiest way to configure a firewall for policy routing is to edit the existing default pass rule for the LAN and select the gateway group there. With that set, any traffic matching the default pass rule on the LAN will use the chosen gateway or group.
To make that edit:
Navigate to Firewall > Rules, LAN tab
Click on the row with the default pass rule
Click Display Advanced under Extra Options
Select the desired gateway group from the Gateway drop-down list
Click Apply Changes
Only the most basic of deployments will be satisfied with that configuration, most configurations are more complex. Continue reading for more factors that can require additional configuration.
Bypassing Policy Routing¶
If there are other local interfaces, VPNs, MPLS interfaces, or traffic that must otherwise follow the system routing table, then that traffic must be configured to bypass policy routing. This is simple to do by making a rule to match the traffic in question and then placing that rule above any rules that have a gateway configured, because the first rule to match is the one that is used.
This can be generalized by making an alias for any RFC1918 traffic which would
cover all private networks, and then using that in a rule. The alias contains
In Figure Bypass Policy Routing Example Rules, local and VPN traffic bypasses policy routing, HTTPS traffic prefers WAN2, and all other traffic is load balanced:
Mixing Failover and Load Balancing¶
As shown in Figure Bypass Policy Routing Example Rules, failover and load balancing can be used at the same time by carefully ordering the rules on an interface. Rules are processed from the top down and the first match wins. By placing more specific rules near the top of the list, and the general “match all” style rules at the bottom, any number of different combinations are possible with rules using different gateways or groups.
Enforcing Gateway Use¶
There are situations where traffic should only ever use one gateway and never load balance or failover. In this example, a device must only exit via a specific WAN and lose all connectivity when that WAN fails.
First, set the Gateway on a firewall rule matching traffic from this device to a specific WAN Gateway. If that gateway is down, the rule will act as if the gateway was not set at all, so it needs to be taken a couple steps further.
Add a rule immediately below the rule matching the traffic, but set to reject or block instead. This rule must not have a gateway set.
Next, configure the firewall to omit rules for gateways that are down (Gateway Monitoring):
Navigate to System > Advanced on the Miscellaneous tab
Check Do not create rules when gateway is down
With that option enabled, the first rule will be omitted entirely, falling through to the next matching rule. This way, when the first rule is omitted automatically, traffic will be stopped by the block rule.