Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Multi-Wan VPN Failover
« previous
next »
Print
Pages:
1
[
2
]
Author
Topic: Multi-Wan VPN Failover (Read 11638 times)
Gcon
Newbie
Posts: 15
Karma: 2
Re: Multi-Wan VPN Failover
«
Reply #15 on:
December 06, 2019, 02:30:54 pm »
I don't think you'd want to have a single FQDN (firewall.domain.com) with multiple A records representing your WAN links. DNS servers randomise the order of the IPs returned in a lookup, so it becomes non-deterministic. Even if the order didn't matter, then the DNS client randomly picks an IP - usually the first one - and then tries that. There's no guarantees that that the client will try the second IP - that would depend on how the DNS client application is programmed. The test would be to try it in a lab and see what happens. It all sounds a bit messy though.
OPNsense 19.7 has release notes "IPsec Route based mode (VTI)". I'm looking into that feature to see what it provides as I used to use Virtual Tunnel Interfaces extensively with Cisco back when I was using those edge devices for VPN and found them to be quite handy - especially when used with GRE headers and running RIPv2 over the top.
Logged
kapara
Jr. Member
Posts: 97
Karma: 3
Re: Multi-Wan VPN Failover
«
Reply #16 on:
March 12, 2020, 07:24:39 pm »
I don't understand why this cannot be a simple solution.
One of my situations:
Site A is in a Datacenter with a single redundant internet connection with static IP assigned to OpnSense.
Site B has 2 wan connections with static IP addresses.
I have 2 IPsec VPN configurations in both firewalls so that I can use VPN failover but I must manually disable and enable the connections but it works.
Why cant this be automated? For example:
Site A: Pings both remote WAN interfaces. If remote WAN1 stops responding it disabled the VPN to remote WAN1 and enables VPN to remote WAN2.
Site B: If WAN1 goes down it disables P1 and P2 VPN to Site A using WAN1 and enables P1 and P2 using WAN2
If WAN1 comes back online Site B can send a command to SiteA notifying it that WAN1 is back online and to disable its VPN to the WAN2 and enable VPN to WAN1.
You could even have a solution that communicates via ssl between the 2 firewalls using the gateway group so that the information transfer does not have to happen over the VPN tunnel.
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Multi-Wan VPN Failover
«
Reply #17 on:
March 12, 2020, 09:47:48 pm »
Did you read the last post? You can use routed IPSec with GRE tunnel and BGP inside ...
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
kapara
Jr. Member
Posts: 97
Karma: 3
Re: Multi-Wan VPN Failover
«
Reply #18 on:
March 13, 2020, 12:05:24 am »
Is there any documentation on how to do this or is it a figure it out on your own scenario?
Logged
kapara
Jr. Member
Posts: 97
Karma: 3
Re: Multi-Wan VPN Failover
«
Reply #19 on:
March 19, 2020, 06:24:15 pm »
You mean this?
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html
I do not see any references to GRE or BGP
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Multi-Wan VPN Failover
«
Reply #20 on:
March 19, 2020, 09:23:55 pm »
Just play around with it, bgp is so flexible, there is no Standard way
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
Print
Pages:
1
[
2
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Multi-Wan VPN Failover