pfSense Multi-WAN - Multiple Internet Connections
Multi-WAN in pfSense enables the use of multiple internet connections with controlled traffic distribution across them. A Multi-WAN configuration addresses two primary objectives: improving fault tolerance through automatic switchover to a backup link when the primary fails (failover) and increasing aggregate throughput by utilizing multiple links simultaneously (load balancing). pfSense supports an arbitrary number of WAN interfaces - production deployments with ten or more links are well established.
Core Components
The Multi-WAN architecture in pfSense is built on three interrelated mechanisms.
Gateway Monitoring
pfSense continuously monitors the state of each gateway by sending probe packets to a designated monitoring IP address. By default, ICMP packets are sent to the ISP gateway address. Each gateway has configurable thresholds for packet loss and latency that determine when the gateway is marked as down.
Monitoring parameters are configured under System > Routing > Gateways when editing a specific gateway. Key parameters include:
| Parameter | Purpose | Default |
|---|---|---|
| Monitor IP | IP address for probe packets | Gateway IP |
| Probe Interval | Interval between probe packets (seconds) | 1 |
| Loss Interval | Timeout for a single probe response (milliseconds) | 2000 |
| Time Period | Averaging window for metrics calculation (seconds) | 60 |
| Alert Interval | Minimum interval between alert notifications (milliseconds) | 1000 |
| High Latency | Latency threshold for warning status (milliseconds) | 500 |
| High Loss | Loss threshold for warning status (percent) | 20 |
| Down | Loss threshold for down status (percent) | 10 |
Warning:
It is recommended to use a public DNS server (such as 8.8.8.8 or 1.1.1.1) as the Monitor IP instead of the ISP gateway address. The ISP gateway may continue responding to ICMP probes even when upstream connectivity is lost, leading to incorrect link status detection.
Gateway Groups
Gateway Groups are the central Multi-WAN mechanism. A gateway group combines two or more gateways and defines the traffic distribution logic through tier assignments and weight values.
Tier behavior:
- Same tier - gateways operate in parallel with traffic balanced across them (load balancing). If one gateway fails, traffic is automatically redistributed to the remaining gateways on the same tier.
- Different tiers - the gateway on the lower-numbered tier takes priority. Gateways on a higher-numbered tier activate only when all gateways on the previous tier become unavailable (failover).
Combining both approaches enables complex topologies. For example, two links on Tier 1 provide load balancing with automatic failover to a backup link on Tier 2 when both primary links fail.
Gateway Groups are configured under System > Routing > Gateway Groups.
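The tier behavior described above can be checked offline before a group is built in the GUI. The following is an added example, not pfSense code: it models which members of a group carry traffic for a given set of gateway states. The gateway names and the weights are constructed, each gateway is assumed to be simply online or down, and the split within a tier is assumed to be proportional to weight.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample group: (gateway name, tier, weight). Names are hypothetical.
GROUP = [
    ("WAN1_FIBER", 1, 2),
    ("WAN2_CABLE", 1, 1),
    ("WAN3_LTE", 2, 1),
]

def active_gateways(group, status):
    """Return {gateway: traffic share} for the tier currently carrying traffic.

    status maps gateway name -> "online" or "down"; a gateway with no
    recorded status is treated as down so it never receives traffic.
    """
    online_by_tier = defaultdict(list)
    for name, tier, weight in group:
        if weight < 1:
            raise ValueError(f"{name}: weight must be a positive integer")
        if status.get(name) == "online":
            online_by_tier[tier].append((name, weight))
    if not online_by_tier:
        return {}  # every member is down: the group has no usable gateway
    # The lowest-numbered tier with at least one online member wins.
    winning_tier = min(online_by_tier)
    members = online_by_tier[winning_tier]
    total = sum(weight for _, weight in members)
    # Assumption of this model: share is proportional to weight within the tier.
    return {name: Fraction(weight, total) for name, weight in members}

if __name__ == "__main__":
    all_up = {name: "online" for name, _, _ in GROUP}
    scenarios = {
        "all online": all_up,
        "WAN1 down": dict(all_up, WAN1_FIBER="down"),
        "tier 1 down": dict(all_up, WAN1_FIBER="down", WAN2_CABLE="down"),
        "all down": {name: "down" for name, _, _ in GROUP},
    }
    for label, status in scenarios.items():
        shares = active_gateways(GROUP, status)
        print(f"{label}: " + (", ".join(f"{gw}={s}" for gw, s in shares.items()) or "no gateway"))
```

The "all down" case returns an empty result, which is the state to plan for when deciding what traffic matching a policy-routing rule should do if the whole group is unavailable.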
Policy Routing
Creating a Gateway Group alone does not affect traffic routing. The group must be assigned to a firewall rule in the Gateway field. Only then will traffic matching that rule be routed through the specified gateway group.
Policy routing allows directing different traffic types through different links. For instance, VoIP traffic can be routed through a dedicated low-latency link while general traffic uses a load-balanced group.
Infrastructure Requirements
Correct Multi-WAN operation depends on the following prerequisites:
- Diverse link paths - multiple connections of the same type from the same ISP often share a single physical path. A path failure would simultaneously affect all links, negating the Multi-WAN benefits. Using different connection types (fiber, copper, LTE) from different providers is recommended.
- Proper DNS configuration - each WAN interface should have its own DNS server. pfSense routes DNS queries through the gateway assigned in the DNS server settings.
- Outbound NAT configuration - when using multiple WAN interfaces, each WAN must have a corresponding outbound NAT rule. In automatic and hybrid modes, these rules are generated automatically.
In This Section
- Load Balancing - configuring Gateway Groups for traffic distribution across links, weight settings, sticky connections, and diagnostics
- Failover - configuring automatic switchover to a backup link, gateway monitoring, testing, and recovery behavior
Related Sections
- Outbound NAT - configuring address translation for multiple WAN interfaces
- Firewall Rules - assigning Gateway Groups in rules for policy routing
- pfSense VPN - using VPN tunnels in Multi-WAN configurations