Automatic Failover Between Two Internet Providers: PPPoE and Dynamic IP Setup

Setting up automatic failover between two internet providers is essential for maintaining continuous network connectivity, especially when you have a PPPoE connection and a dynamic IP connection feeding into a managed switch with different subnets. The most effective solution involves using pfSense as your central firewall/router, which can automatically detect connection failures and seamlessly switch traffic between your primary and backup providers without manual intervention.

---

Contents

• Understanding Automatic Failover for Dual Internet Connections
• Hardware Options for Dual WAN Failover
• Software Solutions for Automatic Failover
• Configuring pfSense for PPPoE and Dynamic IP Failover
• Step-by-Step Network Setup with Managed Switch
• Testing and Validating Your Failover Configuration
• Advanced Features: Load Balancing vs. Pure Failover
• Troubleshooting Common Dual WAN Issues
• Best Practices for Reliable Internet Failover

---

Understanding Automatic Failover for Dual Internet Connections

Automatic failover is a critical network feature that ensures continuous connectivity by automatically switching to a backup internet connection when the primary connection fails. In your case, with one static PPPoE connection and one dynamic IP connection, this becomes even more important since your two providers have different authentication methods and network configurations.

The core principle behind automatic failover involves monitoring the availability of each connection and implementing policies to determine when to switch between them. When the primary connection (PPPoE in your setup) becomes unavailable, the system automatically reroutes all outbound traffic through your backup connection (dynamic IP). Once the primary connection is restored, the system can either remain on the backup or automatically switch back, depending on your configuration.

What makes your scenario particularly interesting is that you’re already using separate routers for each connection that feed into a managed switch. This creates a unique challenge because the failover logic needs to coordinate between these different subnets. Traditional single-router solutions won’t work here, which is why pfSense becomes an excellent choice as it can handle complex multi-WAN scenarios with different connection types.

The key components of any failover system include:

• Connection monitoring: Regularly checking the status of each internet connection
• Failover triggers: Conditions that indicate when to switch connections
• Traffic routing: Mechanisms to redirect network traffic through the active connection
• Automatic reversion: Logic to switch back to the primary connection when it’s restored

Understanding these fundamentals will help you choose the right solution for your specific PPPoE and dynamic IP configuration.

---

Hardware Options for Dual WAN Failover

When implementing automatic failover between two internet providers with different connection types, you have several hardware options to consider. Each has its advantages and limitations, especially when dealing with PPPoE authentication and dynamic IP configurations.

Dedicated Dual WAN Routers

Dedicated dual WAN routers are designed specifically for handling multiple internet connections. These devices typically offer built-in failover capabilities and can be configured to work with different connection types. Popular options include:

• Cisco RV345 Dual WAN Gigabit Router: Supports both PPPoE and dynamic IP connections with automatic failover. It offers enterprise-grade reliability but comes at a higher price point.
• TP-Link ER605 Multi-WAN Router: Provides dual WAN ports with failover support and is more budget-friendly. It handles PPPoE connections well but may have limitations with complex dynamic IP setups.
• SonicWall TZ Series Firewalls: These business-grade firewalls offer robust dual WAN support with advanced failover features. They excel at handling different connection types but require more technical expertise.

The main advantage of dedicated hardware is that it’s designed specifically for this purpose, often requiring less complex configuration. However, these devices may struggle with the specific challenge of coordinating between separate routers and different subnets as in your current setup.

RouterOS Devices

RouterOS devices, particularly from MikroTik, offer extensive flexibility for dual WAN setups with PPPoE support. The MikroTik RouterBOARD series can handle multiple connections simultaneously, including PPPoE and dynamic IP configurations.

MikroTik devices are particularly attractive because they offer:

• Advanced routing capabilities
• Comprehensive PPPoE support
• Flexible failover configurations
• Cost-effective solutions compared to enterprise hardware

However, RouterOS devices have a steeper learning curve and require more technical knowledge to configure properly, especially when dealing with failover between different connection types.

Custom Hardware Solutions

Building your own solution using a standard PC with multiple network interfaces running pfSense offers maximum flexibility. This approach allows you to precisely tailor the failover logic to your specific needs with PPPoE and dynamic IP connections.

The benefits of custom hardware solutions include:

• Complete control over the configuration
• Ability to handle complex network topologies
• Cost-effectiveness compared to commercial solutions
• Scalability for future expansion

While this approach requires more initial setup time, it provides the most robust solution for your specific scenario with separate routers feeding into a managed switch.

Existing Hardware Considerations

Since you already have separate routers for each connection feeding into a managed switch, you need to consider how to integrate failover without replacing your existing hardware. This is where software solutions like pfSense become particularly valuable, as they can work with your current setup while providing the failover logic you need.

Your current configuration with different subnets actually creates an interesting challenge for failover systems, as most consumer-grade solutions assume a single subnet. This makes software-based solutions even more attractive for your specific use case.

---

Software Solutions for Automatic Failover

Software-based solutions offer significant advantages for automatic failover between two internet providers, especially when dealing with different connection types like PPPoE and dynamic IP. These solutions provide flexibility and advanced features that hardware appliances may lack, particularly in your unique setup with separate routers and different subnets.

pfSense: The Premier Choice

pfSense stands out as the most robust and flexible solution for automatic failover between internet connections. As a free, open-source firewall and router platform, it excels at handling multiple WAN connections with different authentication methods.

pfSense supports both PPPoE and dynamic IP connections out of the box, making it ideal for your setup. The platform’s strength lies in its comprehensive monitoring capabilities that can detect connection failures and automatically trigger failover without manual intervention. What makes pfSense particularly valuable for your scenario is its ability to work with existing network equipment, including your separate routers and managed switch.

The key advantages of using pfSense include:

• Advanced gateway monitoring: Continuous checking of connection status
• Flexible failover policies: Configurable triggers and actions
• Traffic rule management: Precise control over which traffic goes through which connection
• Comprehensive logging: Detailed monitoring of connection status and failover events
• Web-based interface: Easy configuration and management

OpenWRT

OpenWRT is another excellent open-source solution that can handle dual WAN failover. While not as feature-rich as pfSense for complex scenarios, it offers a more lightweight alternative that can run on a wide range of hardware.

OpenWRT provides:

• Basic PPPoE support
• Simple failover configurations
• Lower resource requirements than pfSense
• Good for smaller networks

However, OpenWRT may struggle with the complexity of coordinating between different subnets as in your setup, making it less suitable than pfSense for your specific needs.

VyOS

VyOS is a network operating system based on Debian GNU/Linux that offers advanced routing capabilities. It can handle dual WAN setups with PPPoE support and provides a command-line interface for configuration.

VyOS features:

• Strong routing protocols
• VPN integration
• Detailed logging
• Flexible failover options

The steep learning curve and limited GUI interface make VyOS less accessible than pfSense for most users, especially those not comfortable with command-line configuration.

Windows Server Routing and Remote Access Service (RRAS)

For Windows-centric environments, RRAS can provide basic failover capabilities. However, it lacks the advanced features of pfSense and may struggle with PPPoE authentication, making it less suitable for your specific needs.

Comparison of Software Solutions

When comparing these options, pfSense clearly emerges as the best choice for your scenario due to its:

• Superior PPPoE support
• Comprehensive failover features
• Ability to work with complex network topologies
• Detailed monitoring and logging capabilities
• Active community and extensive documentation

The key advantage of pfSense in your case is its ability to integrate with your existing setup while providing the sophisticated failover logic needed to manage different connection types and subnets.

---

Configuring pfSense for PPPoE and Dynamic IP Failover

Configuring pfSense for automatic failover between your PPPoE and dynamic IP connections requires careful setup of network interfaces, gateways, and firewall rules. This section provides a step-by-step guide to implementing this solution with your specific configuration.

Initial pfSense Setup

First, you’ll need to install pfSense on a dedicated computer with at least three network interfaces:

• One for your PPPoE connection
• One for your dynamic IP connection
• One for your local network (LAN)

Once installed, access the pfSense web interface and navigate to Interfaces > Assignments. Ensure all three interfaces are properly recognized and labeled.

Configuring PPPoE WAN Connection

1. Navigate to Interfaces > [WAN] and select your PPPoE interface
2. Set the interface type to PPPoE
3. Enter your PPPoE username and password provided by your ISP
4. Configure the service name if required by your provider
5. Set the IPv4 Configuration Type to “Static” if you have a static PPPoE connection, or “DHCP/PPPoE” if it’s dynamic
6. Configure any additional PPPoE settings as required by your provider
7. Click “Save” and then “Apply Changes”

Configuring Dynamic IP WAN Connection

1. Navigate to Interfaces > [WAN2] and select your second interface
2. Set the interface type to DHCP
3. Configure any DHCP-specific settings if required
4. Set the IPv4 Configuration Type to “DHCP”
5. Click “Save” and then “Apply Changes”

Setting Up Gateway Groups

The key to failover functionality is proper gateway group configuration:

1. Navigate to System > Routing > Gateway Groups
2. Click “Add” to create a new gateway group
3. Name your group (e.g., “WAN_Failover”)
4. Add your PPPoE gateway as “Tier 1” (primary)
5. Add your dynamic IP gateway as “Tier 2” (backup)
6. Set the Tier 1 priority to “Higher” for automatic failover
7. Click “Save” and then “Apply Changes”

Configuring Firewall Rules

To ensure proper routing through your gateway group:

1. Navigate to Firewall > Rules
2. Select your LAN interface
3. Create a new rule with these settings:

• Action: Pass
• Interface: LAN
• Protocol: Any
• Source: Your LAN subnet
• Destination: Any
• Gateway: Select your “WAN_Failover” gateway group
• Description: “Default route through failover group”

4. Click “Save” and then “Apply Changes”

Enabling Gateway Monitoring

1. Navigate to System > Routing > Gateways
2. Click the “Edit” button next to your PPPoE gateway
3. In the “Monitor IP” field, enter an IP address that should always be reachable when this connection is active (e.g., your ISP’s gateway or a reliable public IP)
4. Repeat for your dynamic IP gateway
5. Click “Save” and then “Apply Changes”

Testing the Configuration

After completing these steps, test your failover setup:

1. Temporarily disconnect your PPPoE connection
2. Verify that traffic automatically routes through your dynamic IP connection
3. Reconnect your PPPoE connection
4. Verify that traffic automatically switches back to the primary connection

Advanced Configuration Options

For more sophisticated failover control, consider these additional settings:

1. Failover triggers: Configure specific conditions that trigger failover, such as packet loss or latency thresholds
2. Load balancing: Instead of pure failover, you can configure pfSense to distribute traffic between both connections
3. Traffic rules: Create specific rules for different types of traffic to use different connections
4. Monitoring alerts: Set up email or other notifications when failover occurs

This configuration provides robust automatic failover between your PPPoE and dynamic IP connections while maintaining compatibility with your existing network setup of separate routers and a managed switch.

---

Step-by-Step Network Setup with Managed Switch

Integrating pfSense with your existing setup of separate routers and a managed switch requires careful network planning to ensure proper routing and failover functionality. This section provides a detailed guide to configuring your network for automatic failover while maintaining different subnets.

Network Topology Overview

Your current setup consists of:

• Router 1: Connected to PPPoE provider
• Router 2: Connected to dynamic IP provider
• Managed switch: Feeding both routers into your network
• Different subnets for each provider connection

The challenge is to implement failover without disrupting this existing topology. pfSense will act as the central routing and failover control point while working with your existing hardware.

Physical Connections

1. Connect pfSense to your network:

• Connect pfSense’s LAN interface to a dedicated port on your managed switch
• Connect pfSense’s WAN1 (PPPoE) interface to Router 1’s LAN port
• Connect pfSense’s WAN2 (dynamic IP) interface to Router 2’s LAN port

2. Configure your managed switch:

• Ensure the port connected to pfSense’s LAN interface is on your primary subnet
• Configure the ports connected to Router 1 and Router 2 to remain on their respective subnets
• Set up VLANs if necessary to isolate traffic between different subnets

Subnet Configuration

1. Primary subnet (LAN interface):

• Configure pfSense’s LAN interface with your primary subnet (e.g., 192.168.1.0/24)
• Set pfSense’s LAN IP as the gateway for this subnet (e.g., 192.168.1.1)

2. PPPoE subnet (WAN1 interface):

• Router 1 should remain configured with its original subnet (e.g., 10.0.1.0/24)
• pfSense’s WAN1 interface will receive the PPPoE connection from this router

3. Dynamic IP subnet (WAN2 interface):

• Router 2 should remain configured with its original subnet (e.g., 10.0.2.0/24)
• pfSense’s WAN2 interface will receive the dynamic IP connection from this router

Routing Configuration

1. Static routes on pfSense:

• Add a static route for Router 1’s subnet through the PPPoE connection
• Add a static route for Router 2’s subnet through the dynamic IP connection

2. Default route:

• Configure your default route to use the gateway group you created earlier
• This ensures proper failover behavior when connections go down

Firewall Rules for Multi-Subnet Support

1. Inter-subnet communication rules:

• Create rules allowing communication between your primary subnet and the provider subnets
• Set up NAT rules for traffic originating from your primary subnet

2. Source-based routing:

• Configure pfSense to route traffic from specific devices through specific connections based on source IP
• This allows you to prioritize certain devices for the PPPoE connection while others use the dynamic IP

DHCP Configuration

1. Primary DHCP server:

• Configure pfSense’s DHCP server on your primary LAN subnet
• Disable DHCP on your routers to avoid conflicts

2. DHCP relay (if needed):

• If you need DHCP on provider subnets, configure DHCP relay on pfSense

Testing the Complete Setup

1. Basic connectivity test:

• Verify that devices on your primary subnet can access the internet through both connections
• Test communication between different subnets

2. Failover test:

• Disconnect the PPPoE connection
• Verify that traffic automatically switches to the dynamic IP connection
• Reconnect the PPPoE connection
• Verify that traffic switches back automatically

3. Subnet isolation test:

• Ensure that devices on different subnets can communicate as expected
• Verify that proper routing occurs between subnets

This configuration allows you to maintain your existing network topology while adding robust failover capabilities. The key is proper routing configuration and firewall rules to ensure that traffic flows correctly between different subnets while maintaining failover functionality.

---

Testing and Validating Your Failover Configuration

Once you’ve configured your automatic failover system between your PPPoE and dynamic IP connections, thorough testing is essential to ensure it works as expected. This section covers various testing methods and validation techniques to confirm your failover implementation is reliable.

Initial Connectivity Tests

Before testing failover, verify basic connectivity through both connections:

1. PPPoE connection test:

• Ping a reliable external IP (e.g., 8.8.8.8) through your PPPoE connection
• Test DNS resolution by querying a domain name
• Verify that you can access websites through this connection

2. Dynamic IP connection test:

• Repeat the same tests through your dynamic IP connection
• Ensure both connections are working independently before testing failover

3. Gateway monitoring test:

• Check pfSense’s gateway status in System > Routing > Gateways
• Verify that both gateways are showing as “up” and “online”

Simulating Connection Failures

To test failover functionality, you need to simulate connection failures:

1. PPPoE failure simulation:

• Disconnect the PPPoE connection from your ISP
• Monitor pfSense’s dashboard for failover events
• Verify that traffic automatically switches to the dynamic IP connection
• Check logs for failover notifications

2. Dynamic IP failure simulation:

• Disconnect the dynamic IP connection
• Monitor pfSense for failover events
• Verify that traffic remains on the PPPoE connection (since it’s configured as primary)
• Check logs for confirmation

3. Complete internet outage test:

• Disconnect both connections simultaneously
• Verify that pfSense properly handles this scenario
• Test connectivity restoration when one or both connections are restored

Advanced Testing Methods

For more comprehensive validation, consider these advanced testing techniques:

1. Latency and packet loss testing:

• Use tools like ping and traceroute to measure performance changes during failover
• Check for increased latency or packet loss during the transition
• Verify that performance metrics return to normal after failover reversion

2. Connection quality monitoring:

• Monitor bandwidth usage before and after failover
• Check for any performance degradation during the switch
• Verify that bandwidth capacity is maintained through the backup connection

3. Application-specific testing:

• Test critical applications (VoIP, video conferencing, etc.) during failover
• Verify that applications maintain connectivity during the transition
• Check for any application-specific issues that might arise from the switch

Logging and Monitoring

Proper logging is essential for validating your failover configuration:

1. Enable detailed logging:

• Configure pfSense to log all firewall and routing events
• Set up logging for gateway status changes
• Enable connection tracking logs

2. Monitor logs during testing:

• Check System > Logs for failover events
• Look for gateway status change notifications
• Verify that traffic routing changes are logged correctly

3. Set up monitoring alerts:

• Configure email or other notifications for failover events
• Set up alerts for repeated failovers that might indicate a problem
• Monitor for failover events during non-testing periods

Validation Scenarios

Create specific test scenarios to validate different aspects of your failover system:

1. Graceful failover test:

• Simulate a temporary connection interruption
• Verify that the switch occurs without disrupting active connections
• Check that established sessions (like VoIP calls) remain active

2. Failover during high traffic:

• Generate significant network traffic during a failover event
• Verify that the transition occurs smoothly without packet loss
• Check that bandwidth capacity is maintained through the backup connection

3. Automatic reversion test:

• After a failover event, restore the primary connection
• Verify that traffic automatically switches back to the primary connection
• Check that the transition is seamless and doesn’t cause connectivity issues

Performance Validation

After confirming basic functionality, validate performance:

1. Throughput testing:

• Use tools like iperf to measure bandwidth before and after failover
• Verify that the backup connection provides adequate bandwidth
• Check for any performance bottlenecks during the transition

2. Latency testing:

• Measure latency during normal operation and during failover
• Verify that latency remains within acceptable parameters
• Check for any unusual latency spikes during the transition

3. Connection stability:

• Run extended tests to verify that the failover system remains stable over time
• Check for any memory leaks or resource issues
• Monitor for any recurring problems that might indicate configuration issues

By thoroughly testing and validating your automatic failover configuration, you can ensure reliable internet connectivity between your PPPoE and dynamic IP connections, with automatic switching when failures occur and seamless reversion when connections are restored.

---

Advanced Features: Load Balancing vs. Pure Failover

While pure failover provides essential redundancy, advanced networking solutions offer additional capabilities like load balancing. Understanding the differences between these approaches and how to implement them can help you optimize your dual internet connection setup for both reliability and performance.

Understanding Load Balancing

Load balancing distributes network traffic across multiple connections to optimize resource utilization and improve performance. Unlike pure failover, where only one connection is active at a time, load balancing uses both connections simultaneously.

In the context of your PPPoE and dynamic IP setup, load balancing can:

• Increase total available bandwidth
• Improve response times by routing traffic through the fastest connection
• Provide better redundancy through active-active redundancy
• Optimize costs by utilizing both paid connections

Load Balancing Algorithms

pfSense supports several load balancing algorithms, each with different characteristics:

1. Round Robin:

• Distributes traffic sequentially across connections
• Simple but doesn’t consider connection capacity or current load
• Best for connections with similar bandwidth

2. Weighted:

• Assigns different weights to connections based on capacity
• Useful when connections have different bandwidth capabilities
• Ensures higher-capacity connections receive more traffic

3. Least Connections:

• Routes traffic to the connection with the fewest active connections
• Dynamically adapts to changing network conditions
• Provides better performance during traffic spikes

4. Source IP Hash:

• Routes traffic from the same source IP through the same connection
• Maintains session consistency for applications requiring it
• Useful for applications that don’t handle connection changes well

Implementing Load Balancing in pfSense

To configure load balancing for your PPPoE and dynamic IP connections:

1. Configure gateway groups for load balancing:

• Navigate to System > Routing > Gateway Groups
• Create a new gateway group with both connections
• Set both connections to the same tier (e.g., both “Tier 1”)
• Select “Load Balancing” as the tier type

2. Set up load balancing rules:

• Navigate to Firewall > Rules
• Create rules that use the load balancing gateway group
• Configure appropriate firewall rules for your network

3. Optimize for your connection types:

• For PPPoE and dynamic IP connections, weighted load balancing may be most appropriate
• Assign higher weights to the PPPoE connection if it typically offers better performance
• Consider source IP hashing to maintain session consistency

Pure Failover vs. Load Balancing Comparison

Hybrid Approaches

For many users, a hybrid approach provides the best of both worlds:

1. Default failover with load balancing option:

• Configure primary connection (PPPoE) as the default
• Set up load balancing as a secondary option
• Use firewall rules to route specific traffic types through load balancing

2. Application-based routing:

• Route critical applications through primary connection (failover only)
• Route non-critical traffic through load-balanced connections
• Provides redundancy for important services while optimizing overall bandwidth

3. Time-based load balancing:

• Use load balancing during off-peak hours
• Switch to pure failover during peak hours to manage costs
• Provides flexibility based on usage patterns

Performance Considerations

When implementing load balancing with your PPPoE and dynamic IP connections, consider these performance factors:

1. Connection asymmetry:

• PPPoE and dynamic IP connections may have different characteristics
• This can impact load balancing effectiveness
• Consider using weighted load balancing to account for differences

2. Session persistence:

• Some applications may not handle connection changes well
• Source IP hashing can help maintain session consistency
• Critical applications may need to be routed through a single connection

3. NAT considerations:

• Load balancing with NAT can create complications
• Ensure your configuration handles NAT traversal properly
• Consider stateful firewall implications

When to Choose Load Balancing vs. Pure Failover

Consider load balancing if:

• You need to utilize the full bandwidth of both connections
• Your applications can handle connection changes
• You have symmetric connections with similar characteristics
• You need to optimize for performance rather than just redundancy

Consider pure failover if:

• Cost savings are a primary concern
• Your applications require stable connections
• You have asymmetric connections with different characteristics
• You need simpler configuration and management

For your specific setup with PPPoE and dynamic IP connections, a hybrid approach often provides the best solution, using pure failover for critical applications and load balancing for general traffic.

---

Troubleshooting Common Dual WAN Issues

Even with careful configuration, automatic failover systems between two internet providers can encounter various issues. This section covers common problems with dual WAN setups, particularly involving PPPoE and dynamic IP connections, and provides solutions to troubleshoot and resolve them.

Connection Detection Issues

One of the most common problems is when pfSense fails to detect connection failures, preventing automatic failover from occurring.

Symptoms:

• Failover doesn’t trigger when a connection goes down
• Both connections appear as “up” in the gateway status
• Traffic continues routing through the failed connection

Solutions:

1. Verify monitor IP settings:

• Ensure each gateway has a valid monitor IP configured
• Use reliable, always-reachable IP addresses like your ISP’s gateway
• Avoid using public DNS servers as monitor IPs, as they may be cached

2. Check interface status:

• Navigate to Interfaces > [Interface] to verify the physical connection
• Ensure link lights are active on the network interfaces
• Check for any configuration errors on the interfaces

3. Test connectivity manually:

• Use ping to test connectivity to the monitor IP
• Verify that the connection is actually down from pfSense’s perspective
• Check if the issue is with the ISP or your local configuration

PPPoE Authentication Problems

PPPoE connections can be particularly problematic due to authentication requirements.

Symptoms:

• PPPoE connection fails to establish
• Frequent disconnections
• Authentication errors in logs

Solutions:

1. Verify credentials:

• Double-check PPPoE username and password
• Ensure case sensitivity is correct
• Confirm that your ISP hasn’t changed authentication requirements

2. Check PPPoE settings:

• Verify service name configuration (if required by your ISP)
• Ensure correct VLAN tagging if required
• Check for any PPPoE-specific settings needed by your provider

3. Review PPPoE logs:

• Check System > Logs for PPPoE authentication attempts
• Look for error messages that indicate authentication issues
• Monitor for disconnection notifications

Dynamic IP Configuration Issues

Dynamic IP connections can present unique challenges, particularly when the IP address changes.

Symptoms:

• Dynamic IP connection drops frequently
• IP address changes disrupt connectivity
• Failover doesn’t work properly with dynamic IPs

Solutions:

1. Verify DHCP configuration:

• Ensure the dynamic IP interface is set to DHCP
• Check that DHCP renewals are working properly
• Monitor for IP address changes in the logs

2. Configure proper gateway monitoring:

• Set up a reliable monitor IP for the dynamic connection
• Consider using your ISP’s gateway as the monitor IP
• Avoid using dynamically assigned IPs as monitor points

3. Handle IP address changes:

• Configure pfSense to handle IP address changes gracefully
• Ensure firewall rules are updated when IP changes occur
• Consider using a static IP on the WAN interface if possible

Routing and Firewall Rule Issues

Problems with routing and firewall rules can prevent proper failover functionality.

Symptoms:

• Traffic doesn’t route through the correct connection
• Failover occurs but connectivity is lost
• Specific applications or services don’t work after failover

Solutions:

1. Verify default route configuration:

• Check that the default route uses the correct gateway group
• Ensure no conflicting static routes exist
• Verify that the gateway group is properly configured for failover

2. Review firewall rules:

• Check that firewall rules use the correct gateway or gateway group
• Ensure no rules are blocking traffic after failover
• Verify that NAT rules are properly configured for both connections

3. Check source/destination routing:

• Verify that specific routes are correctly configured
• Ensure that policy routing is working as expected
• Check for any routing loops that might occur during failover

Subnet and VLAN Issues

With different subnets and potentially VLANs, routing can become complex.

Symptoms:

• Devices on different subnets can’t communicate
• Traffic doesn’t route correctly between subnets
• Failover disrupts inter-subnet communication

Solutions:

1. Verify subnet configuration:

• Ensure each interface has the correct subnet configuration
• Check that subnets don’t overlap
• Verify that routing between subnets is properly configured

2. Check VLAN configuration:

• If using VLANs, ensure they’re properly configured on pfSense
• Verify that tagged traffic is handled correctly
• Check that VLAN interfaces are properly assigned

3. Review inter-subnet routing:

• Ensure proper static routes exist between subnets
• Check that firewall rules allow inter-subnet communication
• Verify that NAT is configured correctly for traffic between subnets

Performance Issues After Failover

Sometimes failover works but causes performance problems.

Symptoms:

• Increased latency after failover
• Reduced bandwidth through the backup connection
• Packet loss during failover transition

Solutions:

1. Monitor connection quality:

• Use tools like ping and traceroute to measure latency
• Check for packet loss during normal operation
• Monitor bandwidth usage through both connections

2. Optimize gateway group settings:

• Consider adjusting failover triggers to reduce unnecessary switches
• Configure appropriate monitoring intervals
• Set up proper failback policies

3. Check for bandwidth limitations:

• Verify that your backup connection has adequate bandwidth
• Check for ISP-imposed bandwidth limits
• Monitor for any throttling by your ISP

Log Analysis for Troubleshooting

pfSense’s extensive logging capabilities are invaluable for troubleshooting dual WAN issues.

Key log areas to check:

1. System logs:

• Look for gateway status changes
• Check for interface up/down notifications
• Monitor for general system errors

2. Firewall logs:

• Check blocked traffic after failover
• Verify that traffic is being routed through the correct gateway
• Look for NAT-related errors

3. DHCP/PPPoE logs:

• Monitor authentication attempts and failures
• Check for connection establishment issues
• Look for disconnection notifications

Preventive Measures

To minimize future issues:

1. Regular monitoring:

• Set up alerts for connection status changes
• Monitor bandwidth usage regularly
• Check logs periodically for issues

2. Documentation:

• Keep detailed records of your configuration
• Document any changes made to the system
• Note any troubleshooting steps taken

3. Testing procedures:

• Regularly test failover functionality
• Verify that both connections are working properly
• Check that all services continue to work after failover

By understanding these common issues and their solutions, you can maintain reliable automatic failover between your PPPoE and dynamic IP connections, ensuring continuous internet connectivity even when one provider experiences problems.

---

Best Practices for Reliable Internet Failover

Implementing reliable automatic failover between two internet providers requires careful planning and ongoing maintenance. This section outlines best practices to ensure your PPPoE and dynamic IP connection setup provides maximum reliability and minimal downtime.

Proper Network Architecture

A well-designed network architecture is the foundation of reliable failover:

1. Physical redundancy:

• Ensure separate physical paths for each internet connection
• Use different ISP infrastructure when possible
• Consider different geographic points of presence if available

2. Equipment reliability:

• Use quality networking equipment with proven reliability
• Implement redundant power supplies for critical components
• Consider UPS protection for all networking hardware

3. Cable management:

• Use high-quality network cables
• Implement proper cable management to prevent accidental disconnections
• Label all cables clearly for easy identification

Gateway Configuration Best Practices

Proper gateway configuration is essential for reliable failover:

1. Monitor IP selection:

• Choose reliable, always-reachable IP addresses for monitoring
• Use your ISP’s gateway IP when possible
• Avoid using public DNS servers as monitor points

2. Gateway group settings:

• Configure appropriate tier priorities for your connections
• Set reasonable monitoring intervals (typically 1-5 seconds)
• Configure appropriate failback timing to avoid flapping

3. PPPoE optimization:

• Configure proper PPPoE keepalive settings
• Set appropriate session timeout values
• Consider PPPoE-specific monitoring if supported

Monitoring and Alerting

Comprehensive monitoring is crucial for maintaining reliable failover:

1. Connection monitoring:

• Implement continuous monitoring of both connections
• Check not just connectivity but also performance metrics
• Monitor for partial outages that may not trigger immediate failover

2. Alert configuration:

• Set up alerts for connection status changes
• Configure email or other notifications for failover events
• Include performance thresholds in alerting

3. Log management:

• Implement proper log rotation to prevent disk space issues
• Centralize logs for easier analysis
• Retain logs for sufficient period for troubleshooting

Security Considerations

Security is essential when implementing dual internet connections:

1. Firewall configuration:

• Implement strict firewall rules for both connections
• Use stateful inspection to prevent unauthorized access
• Configure proper NAT settings for both connections

2. Access control:

• Implement proper access controls for pfSense administration
• Use strong authentication for remote access
• Consider implementing VPN access for management

3. Network segmentation:

• Implement proper network segmentation
• Use VLANs to isolate different network segments
• Configure firewall rules between segments appropriately

Performance Optimization

Optimizing performance ensures reliable operation during failover:

1. Bandwidth management:

• Monitor bandwidth usage on both connections
• Implement traffic shaping if needed
• Consider QoS settings for critical applications

2. Connection quality:

• Monitor latency and packet loss on both connections
• Consider using the connection with better quality as primary
• Set up appropriate failover triggers based on quality metrics

3. Routing optimization:

• Configure appropriate routing protocols if needed
• Implement policy routing for specific traffic types
• Consider static routing for critical applications

Documentation and Maintenance

Proper documentation and maintenance are essential for long-term reliability:

1. Configuration documentation:

• Document your complete network configuration
• Include network diagrams showing topology
• Keep configuration backups regularly

2. Regular maintenance:

• Schedule regular equipment checks
• Implement firmware updates for networking equipment
• Test failover functionality regularly

3. Change management:

• Implement proper change management procedures
• Test changes in a non-production environment first
• Document all changes made to the system

Testing and Validation

Regular testing ensures your failover system works as expected:

1. Scheduled testing:

• Perform regular failover tests (monthly or quarterly)
• Test both failover and failback scenarios
• Include application-specific testing

2. Stress testing:

• Test failover under high traffic conditions
• Verify performance during failover events
• Check for any resource limitations during failover

3. Documentation of tests:

• Document all test results
• Note any issues discovered during testing
• Include resolutions for any problems found

Redundancy Beyond Internet Connections

Consider additional redundancy for critical components:

1. Power redundancy:

• Implement UPS protection for all critical equipment
• Consider backup power generators for extended outages
• Regularly test backup power systems

2. Equipment redundancy:

• Consider spare networking equipment
• Document replacement procedures for critical components
• Keep spare cables and connectors available

3. ISP redundancy:

• Choose ISPs with different infrastructure
• Consider different geographic points of presence
• Verify that ISPs have independent power and connectivity

Continuous Improvement

Continuously improve your failover system:

1. Performance monitoring:

• Monitor performance metrics over time
• Identify trends that may indicate future problems
• Use performance data to optimize configuration

2. Review and update:

• Regularly review your failover configuration
• Update settings based on experience
• Incorporate new features or best practices

3. Learning from incidents:

• Document and analyze any failover incidents
• Identify root causes of any issues
• Implement improvements based on incident analysis

By following these best practices, you can ensure reliable automatic failover between your PPPoE and dynamic IP connections, providing maximum uptime and minimal disruption to your network services.

---

Sources

1. pfSense Documentation — Comprehensive guide for configuring dual WAN connections with automatic failover: https://docs.netgate.com/pfsense/en/latest/book/index.html
2. pfSense MultiWAN Configuration — Detailed instructions for setting up multiple WAN connections with PPPoE support: https://docs.netgate.com/pfsense/en/latest/config/multiwan/index.html
3. pfSense Official Website — Robust open-source firewall and router solution ideal for dual WAN setups: https://www.pfsense.org

---

Conclusion

Implementing automatic failover between two internet providers with different connection types—PPPoE and dynamic IP—is achievable with the right approach. pfSense emerges as the optimal solution for your specific setup, offering comprehensive support for both connection types while seamlessly integrating with your existing hardware configuration of separate routers and a managed switch.

The key to successful implementation lies in proper configuration of gateway groups, firewall rules, and monitoring settings. By following the detailed steps outlined in this guide, you can establish a robust failover system that automatically switches to your backup provider when the primary connection fails and seamlessly reverts when connectivity is restored.

Remember that maintaining reliable failover requires ongoing monitoring, regular testing, and proper documentation. By implementing the best practices discussed and regularly validating your configuration, you can ensure maximum uptime and minimal disruption to your network services, even when one of your internet providers experiences issues.