Failover doesn't work.

darkcorner

WAN1 has been standing still for hours, but traffic does not go through WAN2 although it is online.
Status Gateways would seem to confirm that everything is OK

viragomann

@darkcorner
Did you try a new connection like a ping to 8.8.8.8 from a local device to rule out its on states bounding to a gateway?

darkcorner

@viragomann
I have tried a ping to 8.8.8.8 and google.com
From WAN2 they work, from WAN1 and LAN they don't.
I also tried to swap Tier1 and Tier2 in the two failovers, but it didn't help.

viragomann

@darkcorner
Did you state the failover group as default gateway in System > Routing > Gateways?

And are your rule configured to use the default gateway?

darkcorner

@viragomann
I have three groups of Gateways ...

and therefore the Default is on Automatic

I have defined three rules

The weird thing is that here in my lab if I unplug a cable or set Gateway1 to Down, the failover works. There is only a brief pause of a few seconds.
In the office, with the FWA line down, the failover on the ADSL does not work.

viragomann

@darkcorner
The rules should work, even if I don't see your intention for the two failover rules.

Did your WAN2 ever work?
Possibly the outbound NAT is not configured properly?

crucialguy

Your gateway groups etc look alright, the problem is your rules on the above pic in my opinion. Also check your outbound NAT as mentioned above.

But the pic above is showing you've just got IPv4 TCP. You're not permitting any UDP traffic at all.

darkcorner

@crucialguy said in Failover doesn't work.:

But the pic above is showing you've just got IPv4 TCP. You're not permitting any UDP traffic at all.

Oops, you are right. I need to change the rule to TCP / UDP

darkcorner

@viragomann said in Failover doesn't work.:

@darkcorner
The rules should work, even if I don't see your intention for the two failover rules.

Did your WAN2 ever work?
Possibly the outbound NAT is not configured properly?

If I take pfSense and bring it to my laboratory it works perfectly, while in the office WAN2 is Online, but the traffic is blocked.
The difference is that the Carrier ISP is different and I wonder if Vodafone (in the Office) does not have some limitation with the DNS that bother pfSense. If, on the other hand, I connect the office network directly to the Vodafone router, thus bypassing pfSense, navigation is allowed instead.

In the Vodafone router there is the option to enable DNSSEC. In DNS Resolver there is the same option.
I wonder if this could be the cause of the problem and, in this case, both must be activated, neither or only one of the two and which of the two.

darkcorner

Yesterday WAN1 was reactivated and at the same time WAN2 resumed operation, including failover between the two lines.
It becomes difficult now to determine the cause, if it is my wrong configuration of pfSense or in the ISP control unit where both lines are surely attested.
It's definitely a DNS problem, but I can't figure out what it is.

The router of WAN1 has as DNS those of the ISP. The WAN2 router has Google DNS instead.
The old firewall, connected directly to the WAN2 router, also uses Google's DNS.
pfSense used until yesterday 8.8.8.8 on the WAN1 NIC and 8.8.4.4 on the WAN2 NIC.
I can imagine pfSense found 8.8.8.8 from WAN2, but then tried to resolve the names again using 8.8.8.8 from WAN1.

At this point it would be useful to know a "best practice" to configure DNS with Load Balancing and two Failovers.

viragomann

@darkcorner said in Failover doesn't work.:

pfSense used until yesterday 8.8.8.8 on the WAN1 NIC and 8.8.4.4 on the WAN2 NIC.

Is there any reason for binding the DNS servers to a specific interface?

Also this servers are only used by the DNS Forwarder or by the Resolver if it's in forwarding mode. And apart from this, on pfSense itself.

darkcorner

@viragomann said in Failover doesn't work.:

@darkcorner said in Failover doesn't work.:

pfSense used until yesterday 8.8.8.8 on the WAN1 NIC and 8.8.4.4 on the WAN2 NIC.

Is there any reason for binding the DNS servers to a specific interface?

Also this servers are only used by the DNS Forwarder or by the Resolver if it's in forwarding mode. And apart from this, on pfSense itself.

Because in the General Setup/DNS Server Settings, I see: "When using multiple WAN connections there should be at least one unique DNS server per gateway."