WAN failback/recovery doesn't clear states (UDP?)

Started by feld, September 21, 2025, 01:30:53 AM

I posted about this in the forum for the previous series here, but I don't think this feature is actually working correctly for UDP or there's some other subtle bug going on.

I have several outbound WireGuard VPN tunnels that go through this pfSense firewall from my servers behind it. The WireGuard tunnels will fail over to my 5G backup connection if my fiber goes down, but they never switch back to the fiber connection when the fiber comes back up. I have both gateways in the group configured correctly with failover and failback. The only way I can get the tunnel to move back to the fiber is to manually restart the WireGuard services on these servers.

Has anyone else encountered this behavior?

These options only work for states created using a reply-to/route-to for the specific gateway. The configd log and system log have log messages regarding this, so you can see if states are being killed (found) by pfctl when the switch occurs.

https://github.com/opnsense/core/blob/efed0ea116349f3f7b650175f69bd9918a3a3242/src/etc/rc.syshook.d/monitor/20-recover#L50
https://github.com/opnsense/core/blob/efed0ea116349f3f7b650175f69bd9918a3a3242/src/etc/rc.syshook.d/monitor/20-recover#L68

The log messages are from the system log and the UUID can be tracked in the configd (backend) log to find the actual pfctl job and its result message.


Cheers,
Franco
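To make the distinction in the reply above concrete, here is an added example (not code from the thread, OPNsense or the 20-recover hook) that parses a state dump and separates states carrying a route-to/reply-to gateway from states that carry none. The dump is a constructed approximation of `pfctl -vvss` output: the interface/proto/src/dst header line and the indented `id: ... creatorid: ...` line follow FreeBSD pfctl, but the `gateway:` field on the id line is an assumption of this example, and the addresses (203.0.113.1 as the fiber gateway, 198.51.100.1 as the 5G backup) are made up. `pfctl -k id -k <state id>` is the real FreeBSD pfctl syntax for killing one state by its id.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (not a real capture) of a verbose pf state dump.
# The "gateway:" field marks states created by a route-to/reply-to rule;
# its presence and label on the id line are an assumption of this example.
#   203.0.113.1  = fiber gateway (primary)
#   198.51.100.1 = 5G backup gateway
SAMPLE_STATES = """\
all udp 10.0.0.5:51820 -> 192.0.2.10:51820       MULTIPLE:MULTIPLE
   age 00:12:31, expires in 00:00:55, 812:790 pkts, 120760:118300 bytes, rule 57
   id: 0000000000000001 creatorid: 1a2b3c4d gateway: 198.51.100.1
all udp 10.0.0.6:51820 -> 192.0.2.11:51820       MULTIPLE:MULTIPLE
   age 00:09:02, expires in 00:00:58, 400:401 pkts, 60000:60100 bytes, rule 57
   id: 0000000000000002 creatorid: 1a2b3c4d gateway: 203.0.113.1
all udp 10.0.0.7:51820 -> 192.0.2.12:51820       MULTIPLE:MULTIPLE
   age 00:30:10, expires in 00:00:59, 1800:1799 pkts, 270000:269900 bytes, rule 12
   id: 0000000000000003 creatorid: 1a2b3c4d
all tcp 10.0.0.8:40312 -> 192.0.2.13:443       ESTABLISHED:ESTABLISHED
   age 00:01:00, expires in 23:59:00, 40:38 pkts, 6000:5800 bytes, rule 57
   id: 0000000000000004 creatorid: 1a2b3c4d gateway: 198.51.100.1
"""

# State header lines start in column 0; detail lines are indented.
HEADER_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dir>->|<-|<->)\s+(?P<dst>\S+)"
)
ID_RE = re.compile(
    r"^\s+id:\s*(?P<sid>[0-9a-fA-F]+)\s+creatorid:\s*(?P<cid>[0-9a-fA-F]+)"
    r"(?:\s+gateway:\s*(?P<gw>\S+))?"
)


@dataclass
class PfState:
    proto: str
    src: str
    dst: str
    state_id: str
    creator_id: str
    gateway: Optional[str]  # None: not created by a route-to/reply-to rule


def parse_states(dump: str) -> List[PfState]:
    """Turn a verbose state dump into PfState records (one per id line)."""
    states: List[PfState] = []
    current = None
    for line in dump.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = (m["proto"], m["src"], m["dst"])
            continue
        m = ID_RE.match(line)
        if m and current is not None:
            proto, src, dst = current
            states.append(PfState(proto, src, dst, m["sid"], m["cid"], m["gw"]))
            current = None
    return states


def states_bound_to(states: List[PfState], gateway: str) -> List[PfState]:
    """States that a gateway-specific recovery step can find and kill."""
    return [s for s in states if s.gateway == gateway]


def unbound_states(states: List[PfState], proto: Optional[str] = None) -> List[PfState]:
    """States with no gateway binding: a per-gateway kill never matches these,
    so a long-lived UDP flow here keeps its current path until it expires."""
    return [s for s in states if s.gateway is None and (proto is None or s.proto == proto)]


def kill_commands(states: List[PfState]) -> List[str]:
    """pfctl invocations that would remove exactly the given states."""
    return [f"pfctl -k id -k {s.state_id}" for s in states]


if __name__ == "__main__":
    parsed = parse_states(SAMPLE_STATES)
    print("bound to backup gateway, would be killed on recovery:")
    for cmd in kill_commands(states_bound_to(parsed, "198.51.100.1")):
        print("  ", cmd)
    print("UDP states with no gateway binding, untouched by a per-gateway kill:")
    for s in unbound_states(parsed, "udp"):
        print("  ", s.src, "->", s.dst, "id", s.state_id)
```

Running the same split against a real `pfctl -vvss` dump, taken while the tunnel is still on the backup link, tells you which of the two cases a given WireGuard state is in; the configd job result for the UUID from the system log should then agree with the number of states the gateway-specific kill reports.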