I'll try to write a howto later, but I haven't tested failover. In fact, my WAN interface goes directly to my ISP, and my OPT1 is an OpenVPN connection to an alternative ISP.
The default gateway is WAN, but when the VPN connection is established, the default gateway becomes OPT1.
So my goal was to route some addresses to WAN instead of OPT1 from the pfSense box itself, because I use Squid as a transparent proxy, so the HTTP traffic is generated by pfSense, and the standard firewall rules (from LAN) can't be applied.
In my case here is how I got it to work:
1) Add a floating rule with the specific address as destination and the WAN gateway, to force traffic onto this gateway instead of OPT1.
2) Add a virtual IP alias on the WAN interface, in the WAN network range.
3) Add an outbound NAT rule: interface OPT1, source any, destination "the same specific address", NAT address "the virtual IP".
This last point is important, because if you only set the floating rule, traffic is sent from the WAN interface, but with the OPT1 address as source.
My English is not very good, so here is an example.
Imagine you want to reach http://my-i-p.com/ from the WAN instead of the VPN (OPT1) interface:
my-i-p.com's IP address is 22.214.171.124
1) See step1 picture for floating rule
2) My WAN IP address is 192.168.0.1; let's add a virtual IP (for example 192.168.0.30) on this interface: see step2 picture
3) See step3 for NAT rule
Hope that helps you.
This works on the 30th November build. But it doesn't work with the latest build (16th January).
It's very strange:
- I didn't change anything in my configuration
- I can't ping any address through WAN (e.g. 126.96.36.199)
- When I launch tcpdump, I see the ping and the echo reply, so the packet is sent and received back, but the ping command doesn't see it
- When I revert to the 30th November build it works again
Any idea?
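A check for the source-address problem described in step 3 of the post, added here as an example and not part of the original post: it parses tcpdump lines captured on the WAN interface and reports packets to the target that left with something other than the virtual IP as source. The capture below is constructed; 10.8.0.2 stands in for the OPT1/VPN address, which the post does not give, and `em0` is an assumed WAN interface name.

```python
import re
from collections import Counter

# Constructed sample of tcpdump's default "IP src > dst:" output, as you
# would get from something like: tcpdump -ni em0 host 22.214.171.124
# (em0 is an assumed WAN interface name). Line 3 shows the leak the post
# warns about: a packet sent out WAN but with the OPT1 address as source.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.0.30 > 22.214.171.124: ICMP echo request, id 1, seq 1, length 64
12:00:01.020000 IP 22.214.171.124 > 192.168.0.30: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000001 IP 10.8.0.2 > 22.214.171.124: ICMP echo request, id 1, seq 2, length 64
12:00:03.000001 IP 192.168.0.30.51234 > 22.214.171.124.80: Flags [S], seq 1, win 65535, length 0
"""

# tcpdump prints IPv4 ports as a trailing ".port"; the optional group drops it.
LINE_RE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)? > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?:"
)


def outbound_sources(capture, destination):
    """Count the source addresses of every packet headed to `destination`."""
    sources = Counter()
    for line in capture.splitlines():
        match = LINE_RE.search(line)
        if match and match.group("dst") == destination:
            sources[match.group("src")] += 1
    return sources


def leaked_sources(capture, destination, expected_source):
    """Source addresses other than the virtual IP seen on packets to the target.

    An empty list means the floating rule and outbound NAT work together;
    any other address here means traffic left WAN without being rewritten.
    """
    seen = outbound_sources(capture, destination)
    return sorted(src for src in seen if src != expected_source)


if __name__ == "__main__":
    target, vip = "22.214.171.124", "192.168.0.30"
    print("sources seen:", dict(outbound_sources(SAMPLE_CAPTURE, target)))
    print("leaked sources:", leaked_sources(SAMPLE_CAPTURE, target, vip))
```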