Help with dual WAN setup
-
This is likely to be a long post. I've included as much detail as I thought necessary below. If you need more, I'll be happy to provide it.
Brief problem description: I appear to lose connectivity on some client connections after an arbitrary amount of time.
I've installed pfSense (version 1.2-RC2) on a generic box, 1 GHz machine with 1 GB of RAM. Hundred gig hard drive. I have two cable modems, both from the same ISP, feeding into the box. LAN goes out to an internal switch. I set everything up as described in the MultiWanVersion1.2 document at http://doc.pfsense.org/index.php/MultiWanVersion1.2, with a few changes:
1. My WAN and WAN2 (OPT1) connections have static addresses rather than the dynamic IPs that it appears that the document describes. I couldn't make it work at all if the external interfaces obtained their IP addresses from DHCP.
2. Under WAN Configuration, the document says to use the address 192.168.0.1 /32. That didn't work until I changed it to /24. I thought this odd, but the doc says to use /24 on the WAN2(OPT1) interface, so I figure one of them is a typo?
3. The WAN and WAN2 addresses are 192.168.0.201 and 192.168.1.201, respectively. Other than the three things above, the IP addresses and names, load balancer pools, and firewall rules are exactly as in the document.
This all appears to work, at first… I think. I can ping through both interfaces. I can access Web sites. Failover works--if I pull the plug on WAN (which was getting traffic), then WAN2(OPT1) gets the traffic. I can't say for sure if load balancing is working. Why? Well, doing a traceroute from a client machine always gives me timeout on the first two hops. The pfSense machine never shows up on the traceroute. I turned on logging, but didn't see what I expected in the logs from the web interface. And the traffic graphs are ... well, I can't get enough traffic through to my clients for the graphs to be useful.
I'll be working with the system and all of a sudden all my requests time out. Windows doesn't tell me that the connection went down, but things stop responding. If I release and renew my DHCP lease (ipconfig /release followed by ipconfig /renew), things start working again. Usually. Sometimes I have to reboot the machine. Then things stay up for a little while before they go down again.
I know that the routers I'm using are less than ideal. If I can get pfSense running reliably I'll go out and get good routers (suggestions?). For now I'm using two LinkSys cable/DSL routers. One is a BEFSR41 and the other is a WRT54G. They are pretty solid units as long as I don't try to run them at capacity. I have the DMZ Host option set on both--the DMZ Host address is the same as the WAN (and WAN2(OPT2)) addresses in the pfSense machine. Basically, all traffic goes through the LinkSys router unfiltered. As I said, this appears to work. In fact, it's the only way I could get it to work.
Both routers are running in Gateway mode rather than Router mode.
So any idea why I'm having this trouble losing client connectivity? Any help appreciated.
Jim
-
Jim, your point 2 is correct, thanks for pointing this out - I've fixed the document.
If you are using sticky sessions, then you won't see much change in routing from a single client; use http://whatismyip.com/ from different PCs and you should see your two ISP addresses come up reasonably often.
Also, to monitor what is going on, use pingplotter. Leave this running and see if it reports the connection down when you lose web browsing.
I've noticed this version of pfSense doesn't show in traceroute, don't know why though.
When you lose web browsing, is DNS lookup still working?
Not much wrong with the linksys box - I used one for ages, and they have a good reputation.
-
Thanks for the reply. When I get to the office I'll try the whatismyip.com trick.
When I lose web browsing, I seem to lose everything else. ping doesn't work. I'm pretty sure I lose DNS. I'll check more carefully when it happens again, but as I recall I am able to communicate with the pfSense box, but I can't go outside of it. Which is weird, because other machines will be able to browse.
The LinkSys boxes are good if you're not trying to run a sustained 7+ megabits through them. My web crawler would cause the WRT54G to lock up. I'd have to cycle power on it. Haven't tried the crawler on the BEFSR41.
Jim
-
Okay. A little more information, and I'm still confused.
Load balancing does appear to be working. I managed to get the grc.com ShieldsUp site from both IPs using two different client computers.
Still having connectivity problems. I ran pingplotter and when I lost connectivity, everything went. No DNS, nothing. However, I was able to hit the web configurator on the pfSense box and then everything came back.
I honestly don't know where the problem might be. I'm grasping at straws.
-
Problem solved, I think. It looks like the problem was with DNS. I disabled the "Allow DNS server list to be overridden by DHCP/PPP on WAN" check box. I'm not sure why I had to do that, but once I did and rebooted the machine, things started working.
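The advice earlier in the thread (keep a monitor running, and check whether DNS still answers when browsing dies) and the eventual DNS diagnosis can be turned into one repeatable probe run from a LAN client. This is an added example, not code from any post in the thread; it assumes a pfSense LAN address of 192.168.10.1 and uses placeholder external IPs from the documentation range that you would replace with addresses known to answer ping.

```python
"""Layered connectivity probe from a LAN client behind dual-WAN pfSense.
Added example, not from the thread. Assumed: pfSense LAN at 192.168.10.1;
EXTERNAL holds documentation-range placeholders, swap in IPs known to answer
ping (e.g. the ISP's resolvers)."""
import socket
import subprocess
import time

PFSENSE_LAN = "192.168.10.1"                                # assumed
EXTERNAL = {"probe-a": "203.0.113.1", "probe-b": "203.0.113.2"}  # placeholders
DNS_NAME = "www.pfsense.org"    # any name that must resolve via the forwarder

def ping(host, timeout_s=2):
    """One ICMP echo via the system ping (Linux flags); True on a reply."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0

def resolve(name):
    """True if the OS resolver answers for `name` (its own timeout applies)."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def diagnose(firewall_ok, external_ok, dns_ok):
    """Return the first failing layer, walking LAN -> WAN path -> DNS."""
    if not firewall_ok:
        return "lan"          # cannot reach pfSense: client or switch side
    reachable = sum(1 for ok in external_ok.values() if ok)
    if reachable == 0:
        return "upstream"     # pfSense answers, nothing beyond it does
    if not dns_ok:
        return "dns"          # packets route fine, name resolution is broken
    if reachable < len(external_ok):
        return "degraded"     # some targets down, traffic still flows
    return "ok"

def probe():
    """Run every probe once; returns (verdict, raw results) for logging."""
    ext = {name: ping(ip) for name, ip in EXTERNAL.items()}
    fw, dns = ping(PFSENSE_LAN), resolve(DNS_NAME)
    return diagnose(fw, ext, dns), {"pfsense": fw, "external": ext, "dns": dns}

if __name__ == "__main__":
    while True:               # leave it running like pingplotter; Ctrl-C stops
        verdict, raw = probe()
        print(time.strftime("%H:%M:%S"), verdict, raw)
        time.sleep(10)
```

A verdict of "dns" while pfSense and the external targets still answer is the pattern the final post describes, and points at the DNS forwarder settings rather than at the WAN links.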