Netgate Discussion Forum
    Incoming connections failed when main WAN connection fails in a failover config

    Category: Routing and Multi WAN
    13 Posts 5 Posters 6.9k Views
    • jimp (Rebel Alliance Developer, Netgate)

      So you're saying that during normal operation, you have port forwards on OPT1 that work. And when you are failed over to OPT1, these same port forwards do not work?

      Or are you expecting your traffic coming in to WAN to fail over to OPT1 as well when WAN is down?

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • Miguelino

        Hello jimp. When WAN fails, the failover process runs OK and all the outbound traffic goes through OPT1, but none of the NAT entries associated with OPT1 are working. For example, I have port 25 open on OPT1; in normal operation it runs OK, but if the WAN fails, NAT for port 25 fails for incoming connections although OPT1 is working.

        • jimp (Rebel Alliance Developer, Netgate)

          If a connection fails when WAN is down, it's likely something is still trying to use WAN or relying on something reachable by WAN in some way.

          We'd need a lot more detail (screenshots of all of your NAT rules, 1:1 NAT, outbound NAT, load balancer config, LAN rules, WAN rules, WAN2 rules, and so on).

          • Miguelino

            Yes, I think the same. I read in this forum some posts with this problem, but nobody answered this question. I have configured pfSense with the LAN rules OK. The last rule says that all LAN subnet traffic goes through the default gateway (I saw this configuration in another post), but although I change the default gateway to OPT1, the same problem occurs.

            Monitoring the NAT rules, I can see that incoming connections made from the outside arrive at pfSense, but I think pfSense is unable to route to the remote host with either the load balancer rule or the default gateway rule.

            • gergero

              I already faced the same problem with an incoming OpenVPN connection on the OPT1 interface - sometimes it just did not work. After completely messing up my firewall rules, modifying the state type on some rules, I finally switched back to a configuration which seems to function.
              Today I have replaced "apinger" with the patched version; maybe it is worth a try. Unfortunately I cannot say whether apinger had failed when I had the incoming connections problem or not.

              Edit: the apinger problem is solved, but it is NOT responsible for the incoming connections problem.
              In my state table I have messages like these:

              tcp 	10.3.1.11:1192 <- 84.xxx.xxx.xxx:2133 	CLOSED:SYN_SENT
              tcp 	10.3.1.11:1192 <- 84.xxx.xxx.xxx:2134 	CLOSED:SYN_SENT

              When WAN and OPT1 are both up at boot time, the incoming connection seems to pass. But when WAN is down at boot time, the incoming connection on OPT1 fails.

              • moondevil

                Hi all, I have the same problem. I use pfSense version 1.2.3 RELEASE.

                I have
                LAN 192.168.0.0/24
                WAN ( DHCP)
                OPT1 (static IP)

                In rules I set: * LAN net * * * *
                I did not set load balancing; I change my local outbound internet manually.
                In OPT1 rules I opened port 80 going to a PC on my local network. Everything works fine, but
                when WAN is offline my inbound connections do not work. I try to open port 80 from an external network, but it does not work.
                I did not set up 1:1, static routes, or Load Balancing.

                PS: When WAN is offline and I log in to pfSense via PuTTY, I try to ping an external IP address but I can't.
                Please help me.

                • sot010174

                  I have the same issue. If I disable load balancing, everything works just fine. But obviously it will require someone to actually change the LAN out rule manually.

                  OPT1 = DHCP
                  WAN = PPPOE

                  Running 1.2.3…

                  • sot010174

                    OPT1 = Internet 1
                    WAN = Internet 2
                    default lan rule = failover pool (sequence internet1/internet2)

                    An important update. I've managed to get the failover working. Well, sort of… I've noticed that when I traceroute from a machine on the LAN subnet, packets go out the WAN route, regardless of the gateway selected on the default rule. When WAN goes down, incoming connections fail (even on the OPT1 IP) and pfSense won't fail over to OPT. Outbound traffic works a bit weird. Sometimes hosts can get on the internet directly(?).

                    So, remaining in that state (WAN DOWN, OPT and LAN UP), I ssh'ed into the pfSense box and checked the routing table. The default route still pointed to the dead WAN's gateway IP address. Thus, I manually deleted the default route and entered the OPT1 gateway in its place. (EDITED: AND CHANGED THE DEFAULT LAN GATEWAY TO OPT1) TA-DA! Everything worked OK. Re-enabling the WAN interface caused the default route to get overwritten with the WAN gateway.

                    So, why won't pfSense change the default route? :-\

                    • sot010174

                      This will be my last update to this thread (unless someone updates it of course :-) ):

                      I've built another pfSense box, but this time around I've used the latest snapshot of pfSense 2.0 beta5. Everything works like a charm. Seems to really be a bug in 1.2.3.

                      Bye for now. 8)

                      • moondevil

                        @sot010174:

                        > I manually deleted the default route and entered the OPT1 gateway in its place. (EDITED: AND CHANGED THE DEFAULT LAN GATEWAY TO OPT1) TA-DA! Everything worked OK. Re-enabling the WAN interface caused the default route to get overwritten with the WAN gateway.
                        >
                        > So, why won't pfSense change the default route? :-\

                        Hi man, can you please tell me how you manually changed the default gateway to the OPT1 gateway on pfSense? Please post the commands here. Thanks.

                        • sot010174

                          Of course. BACKUP THE CONFIG FIRST FOR SAFETY.

                          First you should access the box via the console or SSH. 'netstat -rn' will display the current routes. You should see 'default' in the first lines of the command output. That's the default route. In my case, the default route pointed to the (dead) WAN gateway. So I typed 'route del default'. Then I entered the OPT route with 'route add default 201.xx.xx.xx' (OPT gateway IP address). Now you should divert the LAN traffic to the OPT exclusively, as leaving the LAN out gateway as the failover circuit doesn't seem to work.

                          Recap:
                          Backup.
                          ssh into the box
                          netstat -rn and check the default route
                          route del default
                          route add default {interface gateway ip}
                          modify LAN out rule to the NIC selected in the previous step.
                          Test everything.

                          • moondevil
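                          The recap above (read the default route from 'netstat -rn', and if it still points at the dead WAN gateway, replace it with the OPT1 gateway) as a small sh helper for the pfSense shell. This is an added example, not code from the thread or from pfSense; the gateway addresses, interface names and the netstat sample are constructed placeholders, and DRY_RUN=1 (the default) only prints the route commands instead of running them.

```shell
#!/bin/sh
# Added example: swap the default route from a dead WAN gateway to the OPT1
# gateway, mirroring the manual 'netstat -rn' / 'route del' / 'route add'
# workaround from the thread. Gateways below are constructed placeholders.
WAN_GW="203.0.113.1"    # assumed WAN gateway (considered dead when this runs)
OPT1_GW="198.51.100.1"  # assumed OPT1 gateway

# Constructed sample of 'netstat -rn' output in FreeBSD (pfSense 1.2.3) layout.
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0     1234    em0
127.0.0.1          127.0.0.1          UH          0        5    lo0
192.168.0.0/24     link#3             UC          0        0    em2
198.51.100.0/24    link#2             UC          0        0    em1
203.0.113.0/24     link#1             UC          0        0    em0'

# Print the gateway of the IPv4 default route found in a routing table dump.
default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2; exit }'
}

# Emit the route commands only when the default route still points at WAN_GW;
# print nothing when the table already points elsewhere (e.g. OPT1).
failover_cmds() {
    cur=$(default_gw "$1")
    if [ "$cur" = "$WAN_GW" ]; then
        printf 'route del default\nroute add default %s\n' "$OPT1_GW"
    fi
}

# Print (DRY_RUN=1) or execute (DRY_RUN=0, needs root) the commands.
apply_failover() {
    cmds=$(failover_cmds "$1")
    if [ -z "$cmds" ]; then
        echo "default route already off $WAN_GW, nothing to do"
        return 0
    fi
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | while read -r line; do sh -c "$line"; done
    fi
}

# Stand-alone run against the constructed sample; on the box you would pass
# the live table instead: apply_failover "$(netstat -rn)"
apply_failover "$SAMPLE_NETSTAT"
```

                          As sot010174 notes above, the LAN out rule still has to be pointed at OPT1 by hand, and a WAN interface coming back up rewrites the default route again.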

                            Thanks man.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.