Wednesday, October 31, 2012

pfSense: Remote Network Point to Point Link to VPN Over DSL Failover


The scenario: 

You have two locations with Internet connections and a dedicated point-to-point connection between the two and two pfSense systems performing all routing at both sites.  You desire the two sites remain connected should the dedicated connection fail.

The solution:

Create a pfSense configuration with failover from the point-to-point connection to a site-to-site VPN utilizing the existing Internet connections at each site.

Steps:

1.  Create an OpenVPN Server on the main pfSense and Client setup on the remote pfSense (I used pre-shared keys).  DO NOT set a route option in the Advanced box as most instructions for configuring OpenVPN will suggest nor should you have a static route to your remote network defined under System -> Routes.  Also note that  IPSec can not be used in this scenario as it doesn't create a new adapter that we can work with in the firewall rules and gateways.

2.  Check and see that the VPN turns on and connects via Status -> OpenVPN before proceeding.  If it does not then troubleshoot your Internet connectivity and OpenVPN settings.

2.  Go to Interfaces -> Assign and add Interface OPT3 with Network port ovpns1 on both the server and the client pfSense systems.

3.  On both your local and remote pfSense add a new Firewall Rule allowing all protocols from any source to to any destination under both OPT3 and OpenVPN.

4.  On both your local and remote pfSense add OPT3 as a Gateway under System -> Routing -> Gateways leaving the Gateway and other options blank.

5.  On both your local and remote pfSense create a new Group under System -> Routing -> Groups.  The group will define your dedicated connection as Tier 1 and OPT3 as Tier 2.  My trigger level is set to Member Down.

6.  On both your local and remote pfSense create a new Firewall Rule under LAN which has all traffic from all sources bound for the remote network use the new Gateway Group (under Advanced) you created in Step 5.

7.  Test - unplug the point-to-point connection, monitor things under Status -> Gateways, wait a minute or so, and hopefully you will still be passing traffic albeit through the VPN.

Please Note:  Upgrading from pfSense 2.0.x to 2.1.x breaks this configuration - I am working to resolve the issue.  The issue I am running into is that the OpenVPN connection gets established but the routing and gateway monitoring for that link fails and never shows as UP in the Gateway groups.  Deleting the OPT3 interface and its gateway then recreating them fixed the issue.