On 11/3/14 6:48 pm, Justin Edmands wrote:
The current rules all read * for the Gateway. Do all of my current LAN, OpenVPN, and IPSec rules need to be altered to include the Gateway as the new Failover1 rule?
Those that rely on the WANs, yes. Rules to allow traffic to pass between your VPNs and LANs do not need the gateway to be changed. It's worth noting that incoming rules (i.e. WAN rules) should not have their gateway changed either.
Do I need to clone each and every rule to have: rule 1 of 2 say WAN_FailoverGroup1 -and- rule 2 of 2 say WAN_FailoverGroup2?
No - you don't want two copies of each rule. Assuming you've two connections: WAN1 and WAN2, you'd define a single gateway group - let's call it 'Failover1to2' for example. WAN1 would be Tier 1 and WAN2 would be Tier 2. You would then modify each outbound traffic rule to use 'Failover1to2' as the gateway.
If both connections are similar speed/performance, you might want to do a little policy-based routing. You could define a second gateway group 'Failover2to1' which reverses the tiers. This might be useful for traffic you want to keep off your 'main' WAN connection (I use this to send SIP and SSH traffic over the second WAN here, so that performance doesn't suffer when the primary connection is heavily loaded).
Kind regards, Chris
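An added illustration, not part of the message above and not pfSense code: a small Python model of the tiered gateway groups the reply describes, plus a check that applies its rule-by-rule advice. The rule fields (`iface`, `dst`, `gateway`) and the sample rules are constructed, hypothetical values.

```python
# Simplified model of tiered gateway groups (illustrative, not pfSense code).
# Group names follow the reply; the rule layout is an assumption.
GROUPS = {
    "Failover1to2": {"WAN1": 1, "WAN2": 2},  # gateway -> tier
    "Failover2to1": {"WAN2": 1, "WAN1": 2},  # same links, tiers reversed
}

RULES = [  # constructed sample rule set
    {"iface": "LAN", "descr": "web out", "dst": "internet", "gateway": "Failover1to2"},
    {"iface": "LAN", "descr": "SIP out", "dst": "internet", "gateway": "Failover2to1"},
    {"iface": "LAN", "descr": "LAN to VPN", "dst": "vpn", "gateway": None},
    {"iface": "LAN", "descr": "mail out", "dst": "internet", "gateway": None},
    {"iface": "WAN", "descr": "inbound HTTPS", "dst": "lan", "gateway": "Failover1to2"},
]


def active_gateways(group, up):
    """Return the online gateways in the lowest-numbered tier that has any.

    `up` maps gateway name -> bool. An empty list means the whole group is down.
    """
    online = {gw: tier for gw, tier in GROUPS[group].items() if up.get(gw, False)}
    if not online:
        return []
    best = min(online.values())
    return sorted(gw for gw, tier in online.items() if tier == best)


def audit(rules):
    """Flag rules that do not follow the advice in the reply."""
    findings = []
    for r in rules:
        if r["iface"] == "WAN" and r["gateway"]:
            # Incoming (WAN) rules should keep the default gateway setting.
            findings.append((r["descr"], "inbound rule should not set a gateway"))
        elif r["iface"] != "WAN" and r["dst"] == "internet" and not r["gateway"]:
            # Rules that rely on the WANs need the failover group.
            findings.append((r["descr"], "outbound rule has no gateway group"))
    return findings


if __name__ == "__main__":
    print(active_gateways("Failover1to2", {"WAN1": False, "WAN2": True}))
    for descr, problem in audit(RULES):
        print(f"{descr}: {problem}")
```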
