Hello Walter, I don't see you mentioning allowing Gateway Switching from the advanced menu.
Under System-Advanced-Miscellaneous you have the option to allow the default gateway switching. Without that, once a WAN is down, the system will still try to send the packets through the default gateway, even if that gateway is down.

Vassilis

Walter Parker wrote on 05.12.2013 00:57:
> Hi,
>
> I've got a pfSense router with a WAN connection that has 4 interfaces:
>
> WAN - A 200 Mbps connection. This is on a /20 subnet and the other side
> is the default route.
> LAN - This is a static routed /24 network from the company providing the
> 200 Mbps WAN connection
> COMCAST - This is a static routed /28 network from Comcast.
>
> I set the WAN interface with a route back to Provider A, and the COMCAST
> interface with a route back to the Comcast gateway address. I created
> two gateway groups, one that has the WAN network as Tier1 and COMCAST as
> Tier2, and another that has COMCAST as Tier2 and the WAN network as Tier2.
> The instructions on the wiki say firewall rules must be changed to
> use these groups rather than the system routing. I tried changing the
> allow all route to use the gateway group (rather than the default of *),
> but this didn't seem to route packets out the COMCAST link when the WAN
> link was down.
>
> I did a little bit of testing: I used the ping test and was able to ping
> the outside world when using WAN as the interface, but when I changed
> the interface to COMCAST, I could only ping the Comcast gateway (as if
> the packets would not route). From an external host, I was able to do an
> ICMP ping to the COMCAST interface, but was not able to do a UDP ping or
> make a TCP connection.
>
> Questions:
>
> I think I missed a step in the whole "add a firewall rule for the
> gateway group" process, which seems more like a "solution left as an
> exercise for the reader". What do I need to do to get gateway groups
> working on the firewall?
>
> When using ping, when I pick the interface, does it work like a Cisco,
> where the source IP is the interface address and the next hop router
> would be the interface's router, in this case the Comcast gateway?
>
> When I have squid running and bound to the LAN interface, I'd like the
> system to use whichever WAN/COMCAST interface is currently up and working.
> I want that to be the WAN interface unless it is down.
>
> When the WAN interface is down, I'd like to be able to ssh/https to the
> COMCAST interface address to see what is going wrong. Can I set up the
> system to work like this?
>
>
> Thank you for any ideas as to what I might have done wrong,
>
>
> Walter
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men of
> zeal, well-meaning but without understanding. -- Justice Louis
> D. Brandeis
>
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
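The two mechanisms discussed in this thread, a firewall rule that policy-routes via a gateway group and the interface-bound replies that let a secondary WAN be managed on its own address, are both plain pf features underneath pfSense. The ruleset below is an added, hand-written illustration of them, not a pfSense-generated ruleset and not part of either poster's message. Interface names (em0/em1/em2), the two gateway addresses and the use of RFC 5737 documentation ranges are assumed example values.

```pf
# Added example: pf rules showing what "use the gateway group in the
# firewall rule" and "reach the secondary WAN directly" amount to.
# Interface names, subnets and gateway IPs are assumed, not from the thread.
wan        = "em0"            # Provider A link (the /20 in the thread)
comcast    = "em2"            # Comcast link (the /28 in the thread)
lan        = "em1"
wan_gw     = "203.0.113.1"    # assumed Provider A next hop
comcast_gw = "198.51.100.1"   # assumed Comcast next hop

# Policy routing for forwarded LAN traffic. route-to on a "pass in" rule
# sends matching packets to the named interface/next hop regardless of the
# system routing table. A failover gateway group is implemented by
# rewriting this target (here: WAN gateway) to the next tier when the
# monitor marks the WAN gateway down.
pass in quick on $lan route-to ( $wan $wan_gw ) \
    inet from $lan:network to any keep state

# The same rule as it would look after failover to the Comcast tier:
# pass in quick on $lan route-to ( $comcast $comcast_gw ) \
#     inet from $lan:network to any keep state

# Management on the secondary WAN address. reply-to pins the replies of a
# connection that arrived on the Comcast interface to the Comcast gateway.
# Without it, replies are routed by the default route, i.e. out the
# Provider A link, and the return path is asymmetric.
pass in quick on $comcast reply-to ( $comcast $comcast_gw ) \
    inet proto tcp from any to ($comcast) port { 22, 443 } \
    flags S/SA keep state
```

Two caveats follow from the rules themselves. route-to only affects packets matched by the "pass in" rule, so traffic the firewall itself originates (a ping from the GUI, a proxy such as squid running on the box) is not policy-routed and follows the system default route; that is the case the gateway switching option addresses, since without it the default route stays on a dead gateway. On a running system the loaded rules can be inspected with `pfctl -sr | grep -E 'route-to|reply-to'` to confirm which gateway a policy rule is currently pointing at.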
