Failover on PFsense 2.6
-
Hi All
My failover stopped working after upgrading to Pfsense 2.6. I have two ISPs configured as failover, tier 1 and tier 2. When my default ISP goes down, it does not switch to the second ISP, but in 2.5.2 it works perfectly. Therefore, I've rolled back to 2.5.2. Please, what's the problem and how can I solve it?
Thank you -
J jimp moved this topic from Problems Installing or Upgrading pfSense Software on
-
K Klaus2314 referenced this topic on
-
How were you testing that?
Does the gateway group in Status > Gateways show the tier1 gateway as off-line and the tire2 gateway on-line?
Ultimately what should change is the referenced gateway in the firewall ruleset by the failover alias. You can check that in /tmp/rules.debug.
Steve
-
@stephenw10 Yes, tier 1 is always on and tier 2 is always off. When any of the cables are removed and plugged back in, it shows pending until I restart the Pfsense server. Even if one tier is on and another tier cable is removed, it does not switch.
-
Do you see any errors in the system, routing or gateway logs?
-
@stephenw10 Ooops, I've rolled it back to Pfsense 2.5.2 since it was worrying us for three days. I will install PFSense 2.6 on another server and get you the logs.
-
@stephenw10 also, after enabling captive portal in pfsense 2.6, I can't ping any DNS, e.g. 8.8.8.8 or 9.9.9.9, domain names, but I can browse the internet.
-
Do you have a rule allowing ping?
Can you resolve against external DNS servers?
This seems unrelated to faoilover though. It should be in a separate thread.
Steve
-
@stephenw10 Yes, all the rules allow ping.
-
This post is deleted! -
@stephenw10 I've raised in a separate thread
-
@stephenw10 Please, Steve, any update on how to solve the failover issue?
-
Not without more info.
We need to see the routing, gateway and general system logs covering a failover event.
I would check the rules file directly to make sure the correct gateway is being applied.
Steve
-
@stephenw10 Steve, I did but there was no error logs
-
I wouldn't expect there to be any errors. But I would expect to see the gateway fail-over and associated scripts logged.
Steve
-
I just had an issue on 2.6 where our internet went down completely and the gateway stayed up and never went down to trigger the failover. I pinged from PFSense through the gateway that was bad and it had 100% packet loss, but the gateway still showed green and thus we never switched over to the backup internet. This worked perfectly fine before the 2.6 upgrade. Our gateway is set to ping 8.8.8.8 and that is what I tested from the box.
-
Are you also using 8.8.8.8 for DNS? Is it on the same gateway? You might have a conflicting static route.
Do you see the state for the gateway pings on the correct interface?
Are your two WANs using different gateway IPs?Steve
-
@stephenw10 I'm not using 8.8.8.8 for DNS. I am actually using our local Active Directory DNS, two local DNS servers and a 3rd and 4th listed DNS on our two other gateways(U-Verse and DSL) I did notice however, that our two local DNS servers we had set did not have a gateway selected for them anymore, this used to be set before the upgrade I had thought. All WAN's are using different gateway IP's. We have Cable Internet(one having trouble), Fiber(main failover and what covers our VOIP) then U-Verse and DSL still hanging around(soon to be removed as we rarely use them).
-
@stephenw10 said in Failover on PFsense 2.6:
Do you see the state for the gateway pings on the correct interface?
The only way I can imagine it still showing as up would be if it's somehow sending the pings from the wrong WAN. As well as checking the state you can run a packet capture to be sure which NIC they are leaving from.
Steve
-
@stephenw10 I'm actually not seeing any pings in the state for that interface. I captured the packets on the interface found nothing to 8.8.8.8, i found one ping from the gateway to the interface IP but that was it. There were various other pings to it from outside, some from inside from my monitoring server but that was it.
-
@stephenw10 I am seeing under routes for that gateway to 8.8.8.8 > gatewayIP that the uses is not going up at all the Fiber interface on 8.8.4.4 is going up but the WAN2 sits on 1999303 and doesn't move.
