Netgate® is pleased to announce that pfSense® Plus software version 24.03 will include an enhanced gateway recovery process, with options to reset connections made through a backup gateway while the primary gateway is offline. This feature will allow connections to fail back to a primary gateway after downtime, should the primary and secondary have unbalanced bandwidth (e.g., the primary has 10 Gbps and the backup has 1 Gbps).
In the failover process within a gateway group, if one gateway fails, all new connections are routed through the backup gateway, and the connections going through the failed gateway may be reset, allowing them to reconnect via the backup gateway.
When a failed gateway in a failover group comes back online, the admin will have the option to reset all of the connections made through the backup gateway while the primary was offline (by killing their states).
This capability is particularly valuable when one gateway in a group configured for failover has high bandwidth and the other gateway has less bandwidth (perhaps even a metered connection). Keeping connections alive on the backup gateway may not be desirable once the high-bandwidth gateway is back online.
Note: This feature is exclusive to pfSense Plus software version 24.03.
Gateway Monitoring options are found at System > Advanced, Misc tab.
States from the firewall itself are unaffected. The configured failover gateway group determines the state-killing behavior for states created by policy routing rules.
All states on lower-priority gateways are killed when a higher-priority gateway returns to an online state.
States of the same Address Family as the gateway group are killed for lower-priority gateways.
States from policy routing rules
Controls the default state-killing behavior for states created by policy routing rules using a failover gateway group. This behavior may also be controlled per gateway group. If unchecked (default), policy routing states on lower-priority gateways are killed when a higher-priority gateway recovers.
New gateway group configuration options are found at System > Routing, Gateway Groups tab.
Conclusion
The goal of a high-availability failover group is to ensure as little network disruption as possible. The gateway recovery feature enables the administrator to fail connections back to the primary gateway once it comes back online, maximizing performance and availability for the user base.
Netgate continues to listen to our customers, enhancing the pfSense Plus software experience to add capabilities while maintaining the industry’s best price/performance ratio and the lowest TCO.