Failover on PFsense 2.6

stephenkwabena

@stephenw10 Ooops, I've rolled it back to Pfsense 2.5.2 since it was worrying us for three days. I will install PFSense 2.6 on another server and get you the logs.

stephenkwabena

@stephenw10 also, after enabling captive portal in pfsense 2.6, I can't ping any DNS, e.g. 8.8.8.8 or 9.9.9.9, domain names, but I can browse the internet.

stephenw10

Do you have a rule allowing ping?

Can you resolve against external DNS servers?

This seems unrelated to faoilover though. It should be in a separate thread.

Steve

stephenkwabena

@stephenw10 Yes, all the rules allow ping.

stephenkwabena

This post is deleted!

stephenkwabena

@stephenw10 I've raised in a separate thread

stephenkwabena

@stephenw10 Please, Steve, any update on how to solve the failover issue?

stephenw10

Not without more info.

We need to see the routing, gateway and general system logs covering a failover event.

I would check the rules file directly to make sure the correct gateway is being applied.

Steve

stephenkwabena

@stephenw10 Steve, I did but there was no error logs

stephenw10

I wouldn't expect there to be any errors. But I would expect to see the gateway fail-over and associated scripts logged.

Steve

stafast

I just had an issue on 2.6 where our internet went down completely and the gateway stayed up and never went down to trigger the failover. I pinged from PFSense through the gateway that was bad and it had 100% packet loss, but the gateway still showed green and thus we never switched over to the backup internet. This worked perfectly fine before the 2.6 upgrade. Our gateway is set to ping 8.8.8.8 and that is what I tested from the box.

stephenw10

Are you also using 8.8.8.8 for DNS? Is it on the same gateway? You might have a conflicting static route.
Do you see the state for the gateway pings on the correct interface?
Are your two WANs using different gateway IPs?

Steve

stafast

@stephenw10 I'm not using 8.8.8.8 for DNS. I am actually using our local Active Directory DNS, two local DNS servers and a 3rd and 4th listed DNS on our two other gateways(U-Verse and DSL) I did notice however, that our two local DNS servers we had set did not have a gateway selected for them anymore, this used to be set before the upgrade I had thought. All WAN's are using different gateway IP's. We have Cable Internet(one having trouble), Fiber(main failover and what covers our VOIP) then U-Verse and DSL still hanging around(soon to be removed as we rarely use them).

stephenw10

@stephenw10 said in Failover on PFsense 2.6:

Do you see the state for the gateway pings on the correct interface?

The only way I can imagine it still showing as up would be if it's somehow sending the pings from the wrong WAN. As well as checking the state you can run a packet capture to be sure which NIC they are leaving from.

Steve

stafast

@stephenw10 I'm actually not seeing any pings in the state for that interface. I captured the packets on the interface found nothing to 8.8.8.8, i found one ping from the gateway to the interface IP but that was it. There were various other pings to it from outside, some from inside from my monitoring server but that was it.

stafast

@stephenw10 I am seeing under routes for that gateway to 8.8.8.8 > gatewayIP that the uses is not going up at all the Fiber interface on 8.8.4.4 is going up but the WAN2 sits on 1999303 and doesn't move.

stephenw10

I assume you are seeing a state for pings to 8.8.8.8 somewhere though?

Otherwise check the gateway logs for the dpinger entries on WAN. You should see the values it's being started with.

Steve

stafast

@stephenw10 nope nothing in the states for 8.8.8.8, just DNS queries for one of the devices that is manually set to that DNS using that interface. As for the gateway logs there are no dpinger entries past 3/7 which I believe is from before I upgraded PFSense.

stafast

@stephenw10 I'll try restarting dpinger, see if that does anything.
Restarted and got these for each interface:

send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr

not sure if it fixed it or if that's just a normal thing when restarting, only time will tell really when it goes down next. I was wondering why when our internet went down for 45min over the previous weekend that it was completely down, turns out just never failed over to the other WAN.

stephenw10

That's normal except it should show the interface address for bind_addr. Did you just omit that?

Check the main system logs for that time, are there any errors shown that might indicate dpinger did not start?