Feature #8546

closed

Ability to download pfSense updates via another gateway

Added by Stéphane Lapie over 6 years ago. Updated almost 6 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: Routing
Target version: -
Start date: 05/31/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:

Description

I am mainly using pfSense in a CARP+HAproxy scenario (with a WAN and a LAN interface), and have to face a little conundrum.

The default gateway is located on the WAN interface and is used for the following purposes:
  • Downloading updates and anything else on the public Internet
  • Providing the front-facing service

I have another gateway on the LAN interface that could go on the Internet if I needed to.

Given that HAproxy has a nasty knack for not coming back online after an update, and because CARP comes back before HAproxy is started, causing downtime, I need to shut down the WAN interface to force failover safely and cleanly, but if I do that I lose my default gateway.

Right now the acrobatic way is to wait for the reboot to be about to kick in, and to rush to do the WAN port shutdown in time.

Needless to say, this is a bit suboptimal, so I was wondering about alternatives:
  1. Either define a route for the pfSense repositories?
  2. Add the ability to create multiple route tables?
    • Have the default OS use the LAN gateway
    • Have HAproxy run in its own FIB and make it use the WAN gateway
  3. Implement source routing so that anything coming in via the WAN gateway has to go back via the WAN gateway, but use the LAN gateway as the default?
#1

Updated by Jim Pingle over 6 years ago

  • Status changed from New to Duplicate

This is already covered by other things here, and likely is already solved on 2.4.4 by the new feature where you can set a gateway group as default and control order/preference by tiers in the group.

#2

Updated by Stéphane Lapie over 6 years ago

Understood, thank you very much.

#3

Updated by Stéphane Lapie almost 6 years ago

Going back to this issue to give an update:
Actually, I ended up implementing that by explicitly setting a gateway on the WAN interface, and setting the other gateway as the default route.

This translates to firewall rules containing a reply-to (em0 x.y.z.w) statement, which implements what I really needed: access coming in to HAproxy via the WAN interface goes back out via the same interface.

Doing this, I can now shut down the WAN interface without any problem while doing an upgrade.
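The following is an added example, not configuration taken from the ticket or generated by pfSense itself. It shows, in raw FreeBSD pf syntax, what the final setup described in #3 amounts to, and why it answers the original problem: HAproxy's WAN traffic is pinned to the WAN gateway with reply-to, while the kernel default route (and therefore update downloads) goes via the LAN gateway. Interface names em0/em1, the RFC 5737 documentation addresses and the CARP VIP are assumptions; the real ticket only shows "em0 x.y.z.w".

```pf
# Added example (not pfSense-generated). Assumptions: em0 = WAN with upstream
# gateway 203.0.113.1, em1 = LAN with gateway 192.0.2.1, HAproxy bound to the
# CARP VIP 203.0.113.10. All addresses are RFC 5737 documentation space.
#
# Kernel default route points at the LAN gateway (route add default 192.0.2.1),
# so locally originated traffic such as pkg/update fetches leaves via em1:
#   Destination   Gateway      Flags   Netif
#   default       192.0.2.1    UGS     em1

wan_if = "em0"
lan_if = "em1"
wan_gw = "203.0.113.1"
vip    = "203.0.113.10"

# Inbound to HAproxy on the WAN side. reply-to records the gateway in the
# state entry, so packets belonging to this state are sent back out em0 to
# the WAN gateway instead of following the default route via em1. This is
# the "anything coming in via WAN goes back via WAN" behaviour from the
# description, without a second FIB.
pass in quick on $wan_if reply-to ($wan_if $wan_gw) inet proto tcp \
    from any to $vip port { 80, 443 } flags S/SA keep state

# Locally originated traffic is not affected by reply-to: it follows the
# kernel routing table, i.e. the LAN gateway, so it keeps working while
# em0 is administratively down to force the CARP failover.
pass out quick on $lan_if inet from ($lan_if) to any keep state
```

Two caveats a practitioner should keep in mind. reply-to only applies to states created by the rule that carries it, so connections the firewall itself initiates (the update download) still use the routing table; that is exactly what makes the LAN default route usable here, but it also means a WAN-only resource cannot be reached this way. And because the return path is fixed in the state table, states created while em0 was up will simply die when the interface is taken down; for a planned failover that is the intended outcome, since the peer CARP node takes over the VIP.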
