Netgate Discussion Forum

    Failover routing

    Expired/Withdrawn Bounties
      aldo

      we have 500 - 1000 us for a failover routing solution for pfsense.
      I would be considered on the tools used and the practicality of deployment with a dynamic routing protocol
      feel free to post some ideas of how this could be done and we can start
      depositing some funds to make some progress.

      alan 8)

        sullrich

        When you say dynamic failover routing protocols, would carp count?

        If so, I can help you with a fully redundant solution.  Contact me at sullrich@gmail.com

          pcatiprodotnet

          Would the already built in OLSR.org mesh software suffice for this?  I gathered from the forums that it just needs a GUI.
          If OLSR gui or other development suggestions appeal to us, we would add $300 hundred or more to this bounty.
          We want pfSense to do something like this…
          http://www.oreillynet.com/pub/a/etel/2006/02/10/free-mesh-networking-with-metrix-pebble.html?page=2
          And, does olsr route IP only or any protocol (ie. pass ethernet traffic as a common ethernet switch would)

          • Pete C.
          • Internet Professionals, LLC
          • pc@ipro.net
            aldo

            possibly see the next post for an outline of exactly what we are trying to achieve

              aldo

              Dynamic failover routing.

              The idea that we are looking for is probably not carp, Scott. But I will outline it to you and you can judge for yourself.

              Wan1--------------------------|
                                            |
                                         Pfsense ------------- lan
                                            |
              Wan2(internal ospf network)----

              If wan 1 is up use this route and broadcast this route via ospf or similar via wan 2 to allow other nodes to use this gateway.

              If wan1 is down broadcast the fact and use the ospf routing table for finding the next gateway on wan2.

              I was thinking that if the gateway feature was used in pfsense to assess whether wan1 was active; if it was not, use wan2.

              There are other pfsense boxes at the edge routing points of the ospf network.

                            lan
                             |
                             |
                Wan1------pfsense
                             |
                             |
                        Wan2(ospf)------ospf network------|
                                                          |
                                                          |
                                                          |
                            Lan                           |
                             |                            |
                Wan1------pfsense                         |
                             |                            |
                             |                            |
                        Wan2(ospf)------ospf network------|---(etc)
                                                          |
                                                          |
                            Lan                           |
                             |                            |
                             |                            |
                Wan1------pfsense                         |
                             |                            |
                             |                            |
                        Wan2(ospf)------ospf network-------

              And so on and so forth. There are about ten routes on the ospf network, varying in size and type. The core ospf network works fine. But to use pfsense on the edge boxes would be great.

              Looking forward to a reply. If you don't think it is what you were thinking, let me know and I will post it to this bounty section.

                jeroen234

                olsr can do this.
                You need a pfsense server with 3 network cards:
                wan, lan, opt1

                Give all the pfsense opt1 network cards IP addresses in the same network range.
                Open a shell on the pfsense server:
                cd /usr/local/etc
                nano olsrd.conf
                Type this in:

                DebugLevel      2
                IpVersion       4
                ClearScreen     yes

                # HNA IPv4 routes
                # syntax: netaddr netmask
                # Example Internet gateway:
                # 0.0.0.0 0.0.0.0

                Hna4
                {
                #  Internet gateway:
                #  0.0.0.0      0.0.0.0
                #  more entries can be added:
                #  192.168.1.0  255.255.255.0
                #10.141.254.0    255.255.255.0
                10.141.250.0    255.255.255.0
                0.0.0.0 0.0.0.0
                }

                Close the file with Control + X.
                The 10.141.250.0 in the file is the local lan network you want to broadcast to the olsrd mesh so that clients on another olsrd pfsense server can connect to that.
                The 0.0.0.0 in the file is telling the olsrd mesh that this olsrd node has an internet connection and that olsrd pfsense servers can use that one if they don't have one or lost one.

                Start olsrd:
                olsrd -i xl0 >> /dev/null &
                Replace xl0 with your opt1 card.

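As an added example (not part of the original post, and not pfSense or olsrd code): a Python check that reads the Hna4 block of an olsrd.conf like the one above and reports what the node would announce to the mesh before olsrd is started, including whether it offers itself as an Internet gateway. The function names, the expected-LAN list and the sample config are constructed for illustration.

```python
import ipaddress

# Constructed sample: the Hna4 block from the post above, comment lines included.
SAMPLE_CONF = """\
DebugLevel      2
IpVersion       4
ClearScreen     yes

# HNA IPv4 routes
# syntax: netaddr netmask
Hna4
{
#  Internet gateway:
#  0.0.0.0      0.0.0.0
#10.141.254.0    255.255.255.0
10.141.250.0    255.255.255.0
0.0.0.0 0.0.0.0
}
"""

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def mask_to_prefix(mask):
    """Convert a dotted netmask to a prefix length; reject non-contiguous masks."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    if inverted & (inverted + 1):          # host part must be 2**k - 1
        raise ValueError(f"non-contiguous netmask {mask}")
    return 32 - inverted.bit_length()


def parse_hna4(conf_text):
    """Return (networks, errors) for the entries inside the Hna4 { } block."""
    networks, errors = [], []
    state = "outside"                      # outside -> header -> inside
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        if state == "outside":
            if line.lower().startswith("hna4"):
                state = "inside" if "{" in line else "header"
            continue
        if state == "header":
            state = "inside" if line.startswith("{") else "outside"
            continue
        if line.startswith("}"):
            state = "outside"
            continue
        fields = line.split()
        if len(fields) != 2:
            errors.append((lineno, "expected 'netaddr netmask'"))
            continue
        try:
            prefix = mask_to_prefix(fields[1])
            # strict=True rejects entries with host bits set (e.g. 10.0.0.7/24)
            networks.append(ipaddress.ip_network(f"{fields[0]}/{prefix}", strict=True))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return networks, errors


def audit_hna4(conf_text, expected_lans):
    """Compare announced prefixes against the LANs this node actually owns."""
    networks, errors = parse_hna4(conf_text)
    expected = [ipaddress.ip_network(n) for n in expected_lans]
    report = {"gateway": False, "ok": [], "unexpected": [], "errors": errors}
    for net in networks:
        if net == DEFAULT_ROUTE:
            report["gateway"] = True       # node offers itself as Internet gateway
        elif any(net.subnet_of(lan) for lan in expected):
            report["ok"].append(str(net))
        else:
            report["unexpected"].append(str(net))
    return report


if __name__ == "__main__":
    print(audit_hna4(SAMPLE_CONF, ["10.141.250.0/24"]))
```
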
                  aldo

                  Do the other boxes with the ospf network need to have olsr as well, I guess, to allow for the routing to go cleanly?
                  Is there any way of importing olsr routes into ospf to stop a redesign of an already functioning ospf network?

                  Looks like you might have an answer. Is this theory or practical? Does it really work? What sort of hardware requirements?

                    jeroen234

                    All the pfsense servers need to run olsrd, which is already installed on the pfsense server by default.
                    More info on olsrd you find here:
                    http://www.olsr.org/
                    olsrd is mostly used on wireless networks
                    so that you can put a node on a high tower and forget about the routing stuff.
                    You do only the local routing stuff;
                    the rest olsr will find out by itself.
                    If one node breaks down, the olsrd network will route the routes around the problem.
                    If a new node is installed and has a faster route than a -> b, then the network will use the faster route.
                    So it's not only reporting whether it has internet or not;
                    it's also reporting which nodes it can see and how fast the route to them is, and what routes are lying behind the olsrd network node that don't use olsrd, like the local lan network,
                    so that that can be connected from all the olsrd servers.

                    Your network will look something like this:

                                      lan 10.0.0.0/24
                                           |
                                           |
                            Wan1--------pfsense 1
                                           |
                                           |
                       192.168.1.1  opt1 (olsrd)------olsrd network------|
                                                                         |
                                                                         |
                                                                         |
                                      Lan 10.0.1.0/24                    |
                                           |                             |
                            Wan1--------pfsense 2                        |
                                           |                             |
                                           |                             |
                       192.168.1.2  opt1 (olsrd)------olsrd network------|---(etc)
                                                                         |
                                                                         |
                                      Lan 10.0.2.0/24                    |
                                           |                             |
                                           |                             |
                            Wan1--------pfsense 3                        |
                                           |                             |
                                           |                             |
                       192.168.1.3  opt1 (olsrd)------olsrd network------|
                                                                         |
                                                                         |
                                      Lan 10.0.3.0/24                    |
                                           |                             |
                                           |                             |
                                        pfsense 4                        |
                                           |                             |
                                           |                             |
                       192.168.1.4  wan (olsrd)-------olsrd network-------

                    pfsense server 1 on 192.168.1.1 will report
                      it has internet and a direct route to 10.0.0.0/24
                      a route to node 192.168.1.2
                      a route to node 192.168.1.3
                      a route to node 192.168.1.4
                      a route to 10.0.1.0/24 via 192.168.1.2 / 192.168.1.3 / 192.168.1.4
                      a route to 10.0.2.0/24 via 192.168.1.3 / 192.168.1.2 / 192.168.1.4
                      a route to 10.0.3.0/24 via 192.168.1.4 / 192.168.1.2 / 192.168.1.3
                      a route to 0.0.0.0 via 192.168.1.2
                      a route to 0.0.0.0 via 192.168.1.3

                    pfsense server 2 on 192.168.1.2 will report
                      it has internet and a direct route to 10.0.1.0/24
                      a route to node 192.168.1.1
                      a route to node 192.168.1.3
                      a route to node 192.168.1.4
                      a route to 10.0.0.0/24 via 192.168.1.1 / 192.168.1.3 / 192.168.1.4
                      a route to 10.0.2.0/24 via 192.168.1.3 / 192.168.1.1 / 192.168.1.4
                      a route to 10.0.3.0/24 via 192.168.1.4 / 192.168.1.1 / 192.168.1.3
                      a route to 0.0.0.0 via 192.168.1.3
                      a route to 0.0.0.0 via 192.168.1.1

                    pfsense server 3 on 192.168.1.3 will report
                      it has internet and a direct route to 10.0.2.0/24
                      a route to node 192.168.1.1
                      a route to node 192.168.1.2
                      a route to node 192.168.1.4
                      a route to 10.0.0.0/24 via 192.168.1.1 / 192.168.1.2 / 192.168.1.4
                      a route to 10.0.1.0/24 via 192.168.1.2 / 192.168.1.1 / 192.168.1.4
                      a route to 10.0.3.0/24 via 192.168.1.4 / 192.168.1.1 / 192.168.1.2
                      a route to 0.0.0.0 via 192.168.1.1
                      a route to 0.0.0.0 via 192.168.1.2

                    pfsense server 4 on 192.168.1.4 will report
                      it has a direct route to 10.0.3.0/24
                      a route to node 192.168.1.1
                      a route to node 192.168.1.2
                      a route to node 192.168.1.3
                      a route to 10.0.0.0/24 via 192.168.1.1 / 192.168.1.2 / 192.168.1.3
                      a route to 10.0.2.0/24 via 192.168.1.3 / 192.168.1.1 / 192.168.1.2
                      a route to 10.0.1.0/24 via 192.168.1.2 / 192.168.1.1 / 192.168.1.3
                      a route to 0.0.0.0 via 192.168.1.1
                      a route to 0.0.0.0 via 192.168.1.2
                      a route to 0.0.0.0 via 192.168.1.3

                    pfsense server 4 doesn't have internet and uses pfserver 1, 2 or 3 for its internet connections, depending on which one it can reach fast.

                    If ospf can read the kernel routes then it can use the routes that olsrd adds or removes from the kernel routing tables.

                    olsrd itself doesn't read from these tables; it has tables with routing info and info on the time it takes to make a connection to a node on a route,
                    and which nodes have which routes to which nodes, etc. etc.

                      pcatiprodotnet

                      …[olsr] will always use IP addresses…
                      Is there any way to get OLSR to pass regular ethernet (MAC) traffic, such as using VPN over OLSR all done in pfSense, or other trick?
                      Another possibility if the above won't work: Can pfSense in Bridge mode also do "spanning tree protocol"?  If so, is this possible solution worthy?
                      Thank you for the helpful replies,
                      -Pete

                        sullrich

                        @pcatiprodotnet:

                        Another possibility if the above won't work: Can pfSense in Bridge mode also do "spanning tree protocol"?

                        Yep, on non-wireless bridges it does this by default.

                        @pcatiprodotnet:

                        If so, is this possible solution worthy?

                        Not really sure.

                          pcatiprodotnet

                          on non-wireless bridges it does this by default.
                          How do you enable it on Wireless bridges?  And, is using it over wireless known to be problematic?

                            sullrich

                            Why would you want it on wireless?

                              pcatiprodotnet

                              Why would you want [spanning tree protocol] on wireless?
                              I thought it might route wireless bridged ethernet traffic around down wireless nodes.  I guess not.

                              My Goal:  LANs in multiple buildings all linked together by ethernet Bridge over wireless Mesh (I assume olsr.org is the best).

                              Perhaps using OLSR plus "ethernet over IP" (such as VPN) to pass ethernet MAC traffic wirelessly between sites, all accomplished in pfSense, could make it appear to every PC in every building that they are on the same "local" ethernet LAN.  Is this possible?  If so, how do I configure pfSense to do this?

                              Thanks, -pc

                                aldo

                                We are using a routed network rather than a bridged network.
                                We have nodes with their own internet connection and a large
                                network to link them all together.

                                If an internet connection fails on a node then we manually reconfigure
                                the routes onto our ospf backbone to use another route.

                                If your network is in any way going to grow, use routing and not bridging;
                                it will be far more stable in our experience.

                                Each of our nodes supports 30 - 100 wireless clients.

                                We presently have 8 nodes and a 20 box backhaul system.

                                I think there are issues with olsr and ospf. From my recent reviews it seems that
                                olsr routes in the kernel are not recognised correctly by ospf (but don't really know, as
                                we don't really have any knowledge of olsr).

                                We were thinking of working with the load balancing pool features in pfsense,
                                but this might not work too well either because it does not seem to touch the
                                routing table. Is this true?

                                Maybe if we can consolidate some thoughts a little better we can do something here.
                                Are there many more thoughts from the core team? Would this be worth you spending
                                your time on? Or are we a little too far over in the left field?

                                We have no choice but to spend money on it, so I would love to give some to the
                                fine pfsense team.

                                  pcatiprodotnet

                                  if your network is in any way going to grow, use routing and not bridging; it will be far more stable in our experience.
                                  Thanks for the tip aldo!  I'm a Programmer, but new to networking/wireless, and I appreciate any expert advice.
                                  I had desired Bridging so a single Captive Portal could control all clients, but that may not be a good idea either.
                                  -Pete

                                    aldo

                                    You could still do this with routing. If you don't use nat on one side of the network,
                                    just route through it. Captive portal could still work for you.

                                    I know the drama of design is a far different one than the doing of it though,
                                    continually fraught with trying to do stuff but not spend money.

                                    I think I would prefer to be a programmer; then maybe your only limitation is
                                    how large your brain is.

                                    Good luck. I will take some time with olsr in the next week and see what
                                    it can do. I think it might be more powerful than I think, even if it
                                    is a very immature product.

                                      jeroen234

                                      @pcatiprodotnet:

                                      …[olsr] will always use IP addresses…
                                      Is there any way to get OLSR to pass regular ethernet (MAC) traffic, such as using VPN over OLSR all done in pfSense, or other trick?
                                      Another possibility if the above won't work: Can pfSense in Bridge mode also do "spanning tree protocol"?  If so, is this possible solution worthy?
                                      Thank you for the helpful replies,
                                      -Pete

                                      olsrd will work on vpn; just use the vpn interface as the interface for olsrd then, on both sides of the vpn.
                                      If the interface can route then olsrd can work on it.

                                        pcatiprodotnet

                                        Is an olsr node capable of accepting RIP route information on its non-olsr interface?
                                        Thanks, -pc

                                          jeroen234

                                          Yes, but olsrd will not read the kernel routes,
                                          so info from rip can be rewritten by olsrd,

                                          just like rip is rewriting the kernel routes that olsrd has put in.

                                            aldo

                                            Just wondering about whether anyone has come up with any great ideas here. It seems one of the core issues could lie in how pfsense manages a dynamic routing table.
                                            Do we think that the changes made to olsrd would allow this to happen, or that olsrd only works well within a subnet?

                                            Has anyone had any time to test what Scott has done so far? I am an ospf bgp player so this olsrd is new to me. We would definitely consider it if it looks like it might be a practical solution.
