Occasionally, you need more than one external network connections. If one outside (WAN, Internet, whatever you want to call it) fails, your router should automatically swap to a second.

OpnSense has done an excellent job of setting this up.

This is just a recipe. If you want to know what is going on, RTFM. It is a good document with a lot of detailed information.

Anyway, here is my “quick and dirty”

Using a Protectli (https://protectli.com/) Vault with 4 ports

• WAN Port - Connected to Internet Provider via their modem (or their router in pass-through mode)
• LAN Port - My LAN
• OPT1 Port - Connected to a GL-iNet Puli Cellular Router
• OPT2 Port - Wireless Access Point (separate subnet). I am not setting this up in this document

• Choose a separate Monitor IP for each WAN connection. In my case, I'm using 9.9.9.9 for the primary WAN, and 1.1.1.1 for the failover, but it can be any two reliable targets. Google at 8.8.8.8 and 8.8.4.4 is good.
• If you are doing any N2N (site-to-site) VPN's from your router, collect the subnet range for all targets, in other words, all of the remote LAN's you connect to over the VPN. Hint: Open each VPN connection and just copy the ranges from there.

1. Add monitor IP's
   1. System | Gateways | Configuration
   2. For each gateway
      1. Disable Gateway Monitoring: UNCHECK
      2. Monitor IP: enter the IP you chose for this gateway
      3. Mark Gateway Down: UNCHECK
      4. Save
   3. When done, you should see all columns filled in, RTT, RTTd, Loss
2. Set up Gateway Group
   1. System | Gateways | Group
   2. Add Group
   3. Name: WANGROUP
   4. set the primary gateway to be Tier1
   5. Set the secondary to be Tier2
   6. Set Trigger Level to be Packet Loss
   7. Put in a description like Failover Group
   8. Save

• System | Settings | General
• For each gateway
  • Enter one or more separate DNS server
  • They must NOT be the same, for some reason

1. Create VPN Alias (only if you have router based N2N VPN)
   1. Firewall | Alias
   2. New Alias (Plus sign)
   3. Name: vpn_subnets
   4. Type: Network(s)
   5. Categories: MultiWAN
   6. Content: put all remote VPN subnets, hint, separate with comma's, example, 192.168.1.0/24,10.10.10.0/23
   7. Description: All remote VPN networks we access
   8. Save
2. Firewall | Rules | LAN
   1. IF you are setting up for VPN
      1. Clone rule which has description “Default allow LAN to any rule”
      2. Change Gateway to the gateway group you defined (WANGROUP in these instructions)
      3. Change description by appending “Modified ” (so you can tell which one you changed)
      4. Save
      5. Go to original rule (above the one you just changed, we hope). This must be before the “Modified” one in the list
      6. Change Destination to the alias you created before (vpn_subnets)
      7. Change Description to something like “Route VPN traffic through default gateway”
      8. Save
   2. If you are NOT setting up for VPN
      1. Edit rule which has a description of “Default allow LAN to any rule”
      2. Change gateway to the gateway group you defined (WANGROUP in these instructions)
   3. Add a new firewall rule above the one or two you have created here
      1. Action: Pass
      2. Interface: LAN
      3. TCP/IP Version: ipv4
      4. Protocol: TCP/UDP
      5. Source: Any
      6. Destination: Single host or network
      7. Destination: your LAN IP of the router, ie 192.168.1.1/32
      8. Destination Port Range: DNS - DNS
      9. Category: DNS
      10. Description: Local Route DNS
      11. Gateway: Default
      12. Save
   4. Apply Changes

1. Open a window and start pinging something.
2. Open your routers WebUI
   1. Reports | Traffic
   2. Ensure both WAN and Failover WAN are on (I turn off LAN for this so I can see what is going on)
3. Shut down the primary WAN (I'm lazy, so I just unplug the network cable)
   1. You may see your ping's skip a few numbers.
   2. You'll see the WAN traffic die, to be picked up by the Failover WAN
   3. Run any additional tests
   4. Note: VPN may die, and it may take 15 seconds to a minute for the VPN connection to realize it has to reconnect. You can force restart the VPN connection to speed things up.
4. Bring your primary WAN back online
   1. Again, pings may skip a little
   2. You'll see Failover WAN's traffic die down and picked up by primary
   3. Note: your VPN connections

• https://docs.opnsense.org/manual/how-tos/multiwan.html
• https://docs.opnsense.org/manual/multiwan.html
• https://docs.opnsense.org/manual/gateways.html