pfSense users: I need help with failover and VPNs

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
4 posts Page 1 of 1
by joss » Sat Sep 11, 2021 5:59 am
I am using a pfSense firewall on a generic x86 system. I have created a separate gateway for each of the Sonic VPNs, the main and the beta. However, I am having no luck in creating and then referencing a failover group with the main VPN being a tier 1 route and the beta a tier 2.

If I set the default gateway to WAN, I can access the internet, but only one of the gateways is active. In most cases it seems to be the beta VPN. The traffic on the other VPN gateway is minimal, I assume it is ping/protocol activity.

When the default gateway is changed to the gateway group and saved, things look OK. However, when I reboot the firewall both VPN gateways are down, showing only a "Pending" status. If I subsequently change the default gateway back to WAN, the two VPNs connect again.

To gather more info, I cleared the gateway logs and set the default gateway to the failover group. When I look at the log, I see the WAN and both VPNs. I can access sites, but the access is through the tier 2 (beta VPN) gateway. After rebooting the firewall, both VPNs are down and the gateway log records only show the WAN gateway.

Clearly I am missing a setting somewhere. I have looked at the Netgate docs and thought I covered everything.
Attachment gateway25.jpg: Gateway log following reboot
by js9erfan » Sat Sep 11, 2021 11:13 am
I set this up a few years ago at a location without issue but I can say WAN needs to stay as your default gateway so the pfSense VPN clients have a valid route to Sonic's servers.

I've also noticed on occasion that after a pfSense reboot the gateway monitor shows the VPN clients as pending or offline but after a restart of the VPN client service they'll show connected (seems to be a glitch since they're routing regardless). For better reliability I recommend setting the IP monitor to something other than Sonic's VPN (8.8.8.8, etc.). Each gateway needs a unique monitor IP.

Keep in mind if you haven't already done so - each Sonic VPN client will need an interface, outbound NAT rules for each subnet you want to route over the VPN (I use the manual method - not auto/hybrid), an allow outbound firewall rule for the OpenVPN interface and an allow outbound firewall rule to the VPN gateway group for your LAN/VLAN rules. This is where you can configure selective routing to the gateway group for your LANs/VLANs and/or individual clients/devices. Otherwise your traffic by default will route over the WAN gateway. Lastly, I recommend setting the trigger level on the gateway group to 'packet loss or high latency'.

If you still run into issues some screenshots of your rules, interfaces and VPN logs would help.
by joss » Sat Sep 11, 2021 8:42 pm
Thanks js9erfan! It was my outbound LAN rules that were the issue. I had one outbound rule pointing to the single "PROD" Sonic VPN. Once I changed that to the gateway group the failover worked as expected.

In my previous blind attempts at fixing this I had modified the threshold to Server down, but I put it back to latency and packet loss as per your suggestion. I also had the default monitor IPs, which were the VPN IPs. Also per your suggestion I changed those to 8.8.8.8 and 208.67.222.222 (OpenDNS server) for prod and beta VPNs respectively.

I tested by stopping the tier 1 server and checking my IP address at IP Chicken. It changed to the tier 2 server's IP. After restarting the tier 1 server, the IP reverted to the PROD VPN.

Again, thanks for your insights and help. Now it's off to backup and also document my settings.
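As an added example (not from this thread, and not pfSense's own tooling), here is a small Python lint that reads a pfSense config.xml export and flags the three things the two posts above turn on: a gateway without its own unique monitor IP, a gateway group whose trigger is not "packet loss or high latency", and a LAN rule that still pins traffic to a single VPN gateway instead of the group. The element names follow the config.xml layout as I understand it (gateway_item, gateway_group, item as "NAME|tier|vip", trigger value "downlosslatency"), and the embedded fragment with gateways WANGW/PRODVPN/BETAVPN and group SONICFAIL is constructed, so check the findings against your own export before acting on them.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on a pfSense config.xml export (assumed layout).
# It mirrors the starting state in the thread: a VPN gateway still monitoring its
# own endpoint, a duplicated monitor IP, a 'member down' trigger, and a LAN rule
# that policy-routes to PRODVPN alone rather than to the failover group.
CONFIG_XML = """<pfsense>
  <gateways>
    <gateway_item><name>WANGW</name><interface>wan</interface><monitor>8.8.8.8</monitor></gateway_item>
    <gateway_item><name>PRODVPN</name><interface>opt1</interface><monitor></monitor></gateway_item>
    <gateway_item><name>BETAVPN</name><interface>opt2</interface><monitor>8.8.8.8</monitor></gateway_item>
    <gateway_group>
      <name>SONICFAIL</name>
      <item>PRODVPN|1|address</item>
      <item>BETAVPN|2|address</item>
      <trigger>down</trigger>
    </gateway_group>
  </gateways>
  <filter>
    <rule><interface>lan</interface><descr>LAN out</descr><gateway>PRODVPN</gateway></rule>
  </filter>
</pfsense>"""


def lint_failover(xml_text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. Each gateway needs its own monitor IP; empty means it pings the VPN endpoint itself.
    seen = {}
    for gw in root.iter("gateway_item"):
        name = gw.findtext("name")
        mon = (gw.findtext("monitor") or "").strip()
        if not mon:
            findings.append(f"gateway {name}: no monitor IP, monitoring the VPN endpoint itself")
        elif mon in seen:
            findings.append(f"gateway {name}: monitor IP {mon} already used by {seen[mon]}")
        else:
            seen[mon] = name
    # 2. The group should fail over on loss or latency, not only on a fully down member.
    groups = {}
    for grp in root.iter("gateway_group"):
        gname = grp.findtext("name")
        groups[gname] = [i.text.split("|")[0] for i in grp.findall("item")]
        if grp.findtext("trigger") != "downlosslatency":
            findings.append(f"group {gname}: trigger is {grp.findtext('trigger')!r}, expected 'downlosslatency'")
    # 3. Policy-routing rules must reference the group, not one of its members.
    for rule in root.iter("rule"):
        gw = rule.findtext("gateway")
        for gname, members in groups.items():
            if gw in members:
                findings.append(f"rule '{rule.findtext('descr')}': routes to member {gw}, use group {gname}")
    return findings
```

Run it against the export from Diagnostics > Backup & Restore; a clean run returns an empty list.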
by js9erfan » Sun Sep 12, 2021 7:51 am
No problem, good to hear you got it working.
