Project

General

Profile

Actions
Copy link

Bug #16611

open

WireGuard MultiWAN Not Failing Back to Tier 1

Added by steven warner 5 months ago. Updated about 16 hours ago.

Status:
Confirmed
Priority:
Normal
Assignee:
-
Category:
Gateways
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
Affected Architecture:
amd64

Description

When using a GW group for WAN failover, WireGuard will fail to Tier2 when the Tier1 GW is down. However, when Tier1 is restore, WireGuard does not revert back to Tier1.

re-opening issue 11630. This issue still occurs in 25.11.

Files

Screenshot_20260424_194047.png (71.7 KB) Screenshot_20260424_194047.png Kris Phillips, 04/25/2026 12:41 AM
Actions
Copy link
 #1

Updated by Kris Phillips 5 months ago

Hello Steven,

Do you have state killing on lower priority gateways selected under System --> Advanced --> Misc?

Actions
Copy link
 #2

Updated by steven warner 5 months ago

Hi Kris - Yes that setting is set as you asked. The Wireguard tunnel stays firmly gripped on the lower tier gateway when the higher priority tier restores, while other traffic correctly migrates.

Actions
Copy link
 #3

Updated by Chris Palmer 4 months ago

I also see this behavior at my location here.

Actions
Copy link
 #4

Updated by steven warner 4 months ago

I can add linbks to other reports from reddit etc... I believe this really happens. Big problem when your backup WAN is on a metered link...

Actions
Copy link
 #5

Updated by Azamat Khakimyanov 3 months ago

Tested on 25.11.1-RELEASE

I was able to reproduce this issue and as a workaround I added Floating Firewall rule:

Interfaces: Any
Direction: Out
Protocol: UDP
Destination: <WireGuard Server IP>
Destination Port: <WireGuard Port> (for example, 51820)
Gateway: <Failover Gateway group>

and in System->Advanced-> Miscellaneous I chose 'State Killing on Gateway Recovery: Kill all states for lower-priority gateways'.

After I added these settings, whenever WAN1 went down, WireGuard started using WAN2. When WAN1 came back up, WireGuard successfully switched back to WAN1.

Actions
Copy link
 #6

Updated by Kris Phillips 2 months ago

  • Status changed from New to Confirmed

State Killing on Gateway Failures set to "Flush all states on gateway failure" will cause a full flush, which "fixes" the problem. However, with "State Killing on Gateway Recovery" set to "Kill all states for lower priority gateways" set, it should fall back to the higher tier WG gateway and it does not.

Marking as Confirmed, as we have at least 3 accounts and someone from TAC confirming this issue.

Actions
Copy link
 #7

Updated by Kris Phillips 19 days ago

Tested on 26.03. This issue is still present. Setting "Only kill policy routing states for lower priority gateways" and failing over to a secondary WAN, then restoring the primary WAN continues to allow Wireguard to use the secondary WAN.

In my lab environment where WAN2 is 192.168.5.5 on my firewall:
19:39:05.755788 IP 192.168.5.5.51820 > 192.168.5.254.51820: UDP, length 64
19:39:05.755977 IP 192.168.5.254.51820 > 192.168.5.5.51820: UDP, length 64
19:39:06.090072 IP 192.168.5.254.51820 > 192.168.5.5.51820: UDP, length 64

As you can see from the attached screenshot, WAN2 is no longer the default gateway, but Wireguard continues to use it anyway after failback.

Updating Affected Plus Version to 26.03.

Actions
Copy link
 #8

Updated by Marcos M 8 days ago

As I understand it WireGuard sticks to the old address even after a more preferred route is available. To address this we could simply restart the service; doing so would affect all tunnels but perhaps that's better than sticking to the old address. As a test the following patch will restart the service after gateway recovery: Show

Actions
Copy link
 #9

Updated by steven warner 8 days ago

Marcos M wrote in #note-8:

As I understand it WireGuard sticks to the old address even after a more preferred route is available. To address this we could simply restart the service; doing so would affect all tunnels but perhaps that's better than sticking to the old address. As a test the following patch will restart the service after gateway recovery: {{collapse
[...]
}}

For me this would minimally be acceptable. Obviously seamless gateway transition would be preferred.
I'll test this patch - that you.

Actions
Copy link
 #10

Updated by steven warner 8 days ago

I get this error:

PHP ERROR: Type: 1, File: /usr/local/pkg/wireguard/includes/wg_service.inc, Line: 194, Message: Uncaught Error: Call to undefined function cli_set_process_title() in /usr/local/pkg/wireguard/includes/wg_service.inc:194
Stack trace:
#0 /usr/local/pkg/wireguard/includes/wg_service.inc(113): wg_service_cli_start()
#1 /etc/inc/pkg-utils.inc(734) : eval()'d code(1): wg_service_cli_restart()
#2 /etc/inc/pkg-utils.inc(734): eval()
#3 /etc/rc.start_packages(66): sync_package()
#4 {main}
thrown @ 2026-05-06 13:56:14

Did I do it right?

Actions
Copy link
 #11

Updated by Marcos M 7 days ago

There was an error with the old patch, I updated my previous post with a new version.

Actions
Copy link
 #12

Updated by steven warner 5 days ago

Marcos M wrote in #note-11:

New patch "works". I.e. it does kick WG off the backup interface - but there seems to be a lot of resets occurring, the disruption is worse than I expected.

A better solution would have WG transition seamlessly between interfaces. Obviously.

Will continue testing to see if I can locate the source of the unexpected disruptions. But THANK YOU for making this patch. I have already invested a lot of time in trying to fix this issue and none of the workarounds have been 100%.

Actions
Copy link
 #13

Updated by Jim Pingle about 16 hours ago

  • Project changed from pfSense Plus to pfSense
  • Category changed from Gateways to Gateways
  • Affected Plus Version deleted (26.03)
Actions
Copy link

Also available in: Atom PDF