OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of infinisean »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - infinisean

Pages: [1]
1
Virtual private networks / Re: IPSec Tunnel with Dual WAN Failover GW_Group
« on: October 06, 2024, 07:01:58 pm »
The obvious answer that you are missing, is you can't do that.
The remote side has to have a "remote-peer" IP configured which it connects to.... when that ISP goes down, the WAN interface with the "remote-peer" goes down, so any tunnels which connect to it go down as well.

The answer is to have a second tunnel configured to point to the "remote peer" IP of the second ISP's WAN interface.

That way when the first ISP / Interface goes down, and the tunnel along with it, the secondary tunnel will become the new route to your LAN subnet.

2
General Discussion / Dual ISP LB/Failover using L2L VPNs to external VPS?
« on: October 06, 2024, 03:26:15 pm »
Hi All,

I am trying to make Dual-ISP failover / load-balancing work (more reliably) and I had an idea...  I'm hoping the collective expertise of this group can help me avoid wasting a ton of unnecessary time... either by poking holes in the idea (if it is not possible with OPNsense) or by pointing me to the documentation sections relevant and any tips you all have had, if you've done something similar...

Does anyone know if opnsense can use two L2L VPNs, one from each WAN/ISP interface, terminating on an internet endpoint I control (in this case, a VPS server with root access)... and have the two VPN links act as two, equal-priority WAN links, so that the connections can provide failover and also increased bandwidth (connection-based-semi-load-balanced, not simple packet-round-robin)?

I figure with two static, public IPv4 addresses on the VPS, I can set a static-default-route on each WAN interface pointing to one of those two static IPs on the VPS, with no other default route outbound.   That way, all traffic would only be able to make it out to the net once at least one VPN session was up.

I figured openvpn setup on the VPS twice (once for each of the static, public IPs) would be all that is needed there... but I'm also wondering if there might be an easier way with wireguard or tailscale, perhaps... with less cumbersome configuration (such as making the two VPN connections act as a single, logical interface, like an ether-channel, so the firewall did not need specific rules pointing to one interface or the other, the VPNs would handle the traffic distribution transparently...)

I'm eager to hear anyone's experiences if they have successfully configured something similar to this, and how they approached it, any road-blocks/solutions they found, how well it worked, etc.

Thanks for reading!

-Sean

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2