Netgate Discussion Forum

    Private link aggregation/failover

    Routing and Multi WAN
    12 Posts 3 Posters 7.5k Views
      kylehutson

      Thanks for the reply.

      I've seen that document, but everything looks like it's made for having 2 WAN links. I could set that up, but it seems to me that we might have issues with asymmetric routing in that case (e.g., I send out a request that goes out on WAN, and the response comes in via OPT1, so it gets sent to the bit-bucket).

      Is my assumption here wrong? If I just allow all traffic anywhere, will pfSense care about asymmetric routing? Or can I prevent asymmetric routing by having both pfSense boxes with both a WAN and OPT1?

      In case you can't tell, I'm in the early planning stages here and have no hardware yet to test with. If I don't get any definitive answers here, I'll just put together a test lab and try it out.

      Hmmm… can I give pfSense multiple gateways with different priorities? Maybe that would be the easiest way to configure, if it's possible.

        elvisnld

        The multi-gateway is something I have to fiddle with myself too, in a lab that is.
        Still, that part has been upgraded a lot in 2.0.

        Asymmetric routing is a good point!

        • Take care that the clients on each side only know the pfSense as their gateway (should already be the case, I presume).
        • You can set that in the config (routing policies) but I can't recall how to explain it right now.

        But yes, it's most certainly possible!
        Sorry, I can only say it's possible, and don't have a 1-2-3 solution right now.

        I'll have a look in the forum/google :)

        M.

        No! I will not fix your computer ..

          elvisnld

          Have a look at a slightly different link from the previous one:

          http://doc.pfsense.org/index.php/File:MultiWanPoolsOview.png

          And inside that, the pools I mentioned earlier: http://doc.pfsense.org/index.php/File:MultiWanPoolsOview.png

          And have a look at the "sticky connections" part.

          Maybe it's different from multi-WAN because you've got more of a site-to-site setup (like a VPN).

          Here http://www.tek-tips.com/viewthread.cfm?qid=1173868&page=101 is an example of what looks like what you want. Unfortunately no answers there I think, and Cisco based :(

          From a BSD forum regarding this topic:

          You need reply-to statements (for pf) for your 'pass in' rules to enforce symmetric routing on incoming connections. You'll probably also want an if-bound state policy.

          Hope someone has better leads for you than me.
          Perhaps a lab setup will get you going faster.

          Mario

          No! I will not fix your computer ..

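          The asymmetric-routing question above (request out one link, reply back over the other) and the quoted advice about pf's reply-to and an if-bound state policy can be seen in a small model. The following is an added example written for this thread, not code from the thread or from pfSense/pf: two toy "boxes" with links named T1 and WLAN wired like-to-like (constructed topology), a state table keyed per flow, and a switch for the state policy and for reply-to on the far side. Real pf does considerably more per state (TCP window and sequence tracking, NAT, route-to), so this only shows the interface-binding part of the problem.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str          # link on which the box currently handling it sees the packet


class Box:
    """Minimal stateful filter for one pfSense. Both boxes are assumed to have
    links named T1 and WLAN, wired like-to-like, so a packet leaving one box on
    T1 arrives at the other box on T1 (constructed topology, not from the thread)."""

    def __init__(self, name, default_link, state_policy="floating", reply_to=False):
        self.name = name
        self.default_link = default_link      # where the routing table sends replies
        self.state_policy = state_policy      # "floating" or "if-bound"
        self.reply_to = reply_to              # pin replies to the ingress link
        self.states = {}                      # flow key -> link that created the state

    @staticmethod
    def key(p):
        return frozenset({p.src, p.dst})      # direction-independent flow identity

    def send(self, p):
        """Locally policy-routed request: create state on the chosen egress link."""
        self.states[self.key(p)] = p.iface
        return p

    def receive(self, p):
        k = self.key(p)
        if k not in self.states:
            self.states[k] = p.iface          # new inbound flow, state on ingress link
            return "pass"
        bound = self.states[k]
        if self.state_policy == "if-bound" and bound != p.iface:
            return f"drop: state bound to {bound}, packet arrived on {p.iface}"
        return "pass"

    def reply(self, request):
        """Reply egress: reply-to uses the link the request came in on,
        otherwise the default route decides."""
        egress = request.iface if self.reply_to else self.default_link
        return Packet(src=request.dst, dst=request.src, iface=egress)


def simulate(state_policy_a, reply_to_b, request_link="T1"):
    """pfSense1 sends a request out request_link while both boxes' default route
    points at WLAN. Returns pfSense1's verdict on the reply."""
    a = Box("pfSense1", default_link="WLAN", state_policy=state_policy_a)
    b = Box("pfSense2", default_link="WLAN", reply_to=reply_to_b)
    req = a.send(Packet("192.168.60.10", "192.168.61.20", request_link))
    assert b.receive(req) == "pass"           # far side creates state on its ingress link
    return a.receive(b.reply(req))


if __name__ == "__main__":
    print(simulate("floating", False))   # reply returns on WLAN, floating state still matches
    print(simulate("if-bound", False))   # same path, but the state is bound to T1
    print(simulate("if-bound", True))    # reply-to sends it back out T1
```

The three calls at the bottom give the three outcomes the thread is circling around: with floating states the reply is accepted even though it came back over the other link; with interface-bound states the same reply is dropped; and with reply-to on the far side the reply is pinned to the link the request arrived on, so the bound state matches again. Which state policy your pfSense version defaults to is something to check in Advanced > Firewall & NAT rather than assume.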
            GruensFroeschli

            The way I read your diagram you created a switching loop and the whole thing will explode ;)
            (assuming your WLAN-bridge is layer2 transparent).

            The problem I see is that you have only a single IP on the pfSenses on both sides.
            There is no way to create a rule to send traffic over one link or the other.
            What you need is some kind of separate subnet for both links.

            Something like this:

            pfSense1
                                        /            \
            Link_T1 [192.168.62.1/30]      Link_WLAN [192.168.62.9/30]
                          |                                            |
                          |                                            |
                          |                                            |
              T1_1 [192.168.62.2/30]                  WLAN_1 [192.168.62.10/30]
                          |                                            |
                          |                                            |
                (some transfer_subnet)            (some transfer_subnet)
                          |                                            |
                          |                                            |
              T1_2 [192.168.62.5/30]                  WLAN_2 [192.168.63.13/30] 
                          |                                            |
                          |                                            |
                          |                                            |
            Link_T1 [192.168.62.6/30]      Link_WLAN [192.168.63.14/30]
                                        \            /
                                        pfSense2

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              elvisnld

              GruensFroeschli,

              You are right, I thought of that basic thing afterwards.
              It's not sane to use the same subnet for everything  ::)

              If he changes that, will pfSense 'automatically' do a correct return path when routing? (I think so)

              M.

              No! I will not fix your computer ..

                GruensFroeschli

                If the pfSense has two separate interfaces for each link, AND you do NAT into the link, then yes, the answer would return over the correct link.
                However, I assume NAT in this scenario would not be wanted.

                What I would do: create a failover pool on both sides using the WLAN link as primary and the T1 as secondary.
                Use as monitor IPs the respective IP of the pfSense on the other side.
                I would create a route for the subnet on the other side via the T1.

                Like this the pfSenses can communicate with the user-subnet on the other side via the slow reliable link,
                and the clients use the WLAN link when it's up.

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                  elvisnld

                  You said it very clearly there!  ;D

                  This means the whole setup falls under the Multi-WAN type regarding howtos ..

                  kylehutson: success!  ;)

                  No! I will not fix your computer ..

                    kylehutson

                    As far as having one IP rather than two - my thinking was that it would be better to give routes (from the 192.168.60 side - mirror for the other side) to 192.168.61 via either 192.168.62.6 or 192.168.62.2. Since the Cisco routers would be on a 172.16 network, there is no loop.

                    Now let me throw another wrench in the works…
                    Currently access to the Internet is via another gateway on the 192.168.60 network. Will the failover scenario you are proposing interfere with normal Internet access? (i.e., by going to a failover, can you say "I'm just routing these particular subnets, and not a default gateway"?)

                    I think the equipment is all in the same room (sorry, the location for this is a couple hours drive from here - I can find out for certain if need be), so I could also put the Internet gateway on 'pfSense 1'. Is that a good idea? bad idea?

                    I'm starting to think the only way I'm really going to find out is to find a pile of old machines, set up a test environment, and start playing, especially considering this is a remote location, and I don't want to have to make more trips than necessary.

                      GruensFroeschli

                      As far as having one IP rather than two - my thinking was that it would be better to give routes (from the 192.168.60 side - mirror for the other side) to 192.168.61 via either 192.168.62.6 or 192.168.62.2. Since the Cisco routers would be on a 172.16 network, there is no loop.

                      Ah, okay. So the Cisco devices (for the T1 link) actually route.
                      I assumed they are layer2 transparent but use layer3 to transport frames. (similar to an OpenVPN bridge).

                      Well then it would work.
                      But you would still transmit a lot of unnecessary traffic over the WLAN link. (Since it's one big broadcast-domain)
                      I generally try to avoid WLAN-Layer2-bridges.

                      Now let me throw another wrench in the works…
                      Currently access to the Internet is via another gateway on the 192.168.60 network. Will the failover scenario you are proposing interfere with normal Internet access? (i.e., by going to a failover, can you say "I'm just routing these particular subnets, and not a default gateway"?)

                      Yes you specify a destination in a firewall rule. If the rule matches, the pool is used.
                      –> Essentially it's a special case of policy-routing.
                      I would set up your rules something like this:

                      Alias: private_subnets: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
                      Alias: used_subnets: 192.168.60.0/24, 192.168.61.0/24

                      • pass; source: local subnet; destination: "used_subnets"; gateway: failover-pool  --(send locally used subnet via the pool)
                      • pass; source: local subnet; destination: "!private_subnets"; gateway: default      --(destination: NOT private_subnets, "aka the internet")
                      • (invisible block all rule)              --(block everything else)

                      Yeah a test-setup will be probably the best.

                      We do what we must, because we can.

                      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

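                      The rule set sketched above (two aliases, a pass rule to the failover pool for the used subnets, a pass rule with a negated alias for "the internet", and the implicit block at the end) is easy to get subtly wrong, so here is an added example that evaluates it the way a pfSense interface tab does: first match wins, and anything unmatched is blocked. This is editor-written Python, not code from the thread or from pfSense; it assumes the local subnet is 192.168.60.0/24 (the pfSense1 side) and represents "gateway: default" as no policy-routing gateway at all.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Aliases exactly as given in the post above. The local subnet is assumed to be
# 192.168.60.0/24; mirror the rules with 192.168.61.0/24 on the other side.
ALIASES = {
    "private_subnets": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "used_subnets": ["192.168.60.0/24", "192.168.61.0/24"],
}
LOCAL_SUBNET = "192.168.60.0/24"


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    source: str                     # alias name or CIDR; leading "!" negates
    destination: str                # alias name or CIDR; leading "!" negates
    gateway: Optional[str] = None   # None = no policy routing, system default route


def expand(spec: str):
    """Resolve an alias name or literal CIDR (negation stripped) into networks."""
    name = spec.lstrip("!")
    return [ipaddress.ip_network(n) for n in ALIASES.get(name, [name])]


def matches(spec: str, addr) -> bool:
    """True if addr is inside spec, XORed with the leading '!' negation."""
    hit = any(addr in net for net in expand(spec))
    return hit != spec.startswith("!")


# The two explicit rules from the post, in order. pfSense's default deny is
# modelled by the fall-through at the end of route().
RULES = [
    Rule("pass", LOCAL_SUBNET, "used_subnets", gateway="failover-pool"),
    Rule("pass", LOCAL_SUBNET, "!private_subnets", gateway=None),
]


def route(src: str, dst: str) -> Tuple[str, Optional[str]]:
    """First matching rule wins, as on a pfSense interface tab; unmatched traffic is blocked."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in RULES:
        if matches(rule.source, s) and matches(rule.destination, d):
            return rule.action, rule.gateway
    return "block", None


if __name__ == "__main__":
    for dst in ("192.168.61.20", "8.8.8.8", "10.1.2.3", "192.168.62.2"):
        print(f"192.168.60.10 -> {dst}: {route('192.168.60.10', dst)}")
```

Running it shows 192.168.61.20 going to the failover pool, 8.8.8.8 leaving via the default route, and 10.1.2.3 being blocked as intended. It also shows the one case worth noticing before building the lab: 192.168.62.2, one of the /30 transfer addresses in the diagram earlier in the thread, is private but not in used_subnets, so a client on the 192.168.60 side cannot reach the link addresses of either pfSense. If that is wanted (for example to ping the far router for troubleshooting), add the transfer subnets to used_subnets or a separate alias with its own rule.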
                        kylehutson

                        Thanks GruensFroeschli! I think I'm ready to start playing.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.