Netgate Discussion Forum

Dual WAN with Failover Not Working

Routing and Multi WAN
  • K
    kathampy
    last edited by Aug 14, 2013, 10:12 AM

    It's somewhere in the general settings. That checkbox is only for pfSense's traffic itself to failover. Conditional routing for LAN clients will still failover regardless. This is why you must specify a gateway for each DNS server. That way DNS forwarding works even if gateway switching is disabled.

    • R
      rober1sf
      last edited by Aug 14, 2013, 2:57 PM

      Here is my routing table and gateway status.

      Notice that in STATUS>GATEWAYS it is still showing that it's pinging on WANGW (WAN 1) even though Internet traffic is disabled for that gateway.

      ![Routing Table.JPG](/public/imported_attachments/1/Routing Table.JPG)
      ![Gateway Status.jpg](/public/imported_attachments/1/Gateway Status.jpg)

      • R
        rober1sf
        last edited by Aug 14, 2013, 2:58 PM

        Here is Firewall Rule for LAN, Gateway Groups, and Gateways.

        ![Firewall Rule LAN.jpg](/public/imported_attachments/1/Firewall Rule LAN.jpg)
        ![Gateway Groups.jpg](/public/imported_attachments/1/Gateway Groups.jpg)
        Gateways.jpg

        • R
          rober1sf
          last edited by Aug 14, 2013, 2:59 PM

          Here is my General Setup…

          Also, I cannot find the checkbox for gateway switching.

          Hopefully these screenshots help; please let me know if another shot would help.

          THANKS!

          ![General Setup.jpg](/public/imported_attachments/1/General Setup.jpg)

          • R
            rober1sf
            last edited by Aug 14, 2013, 4:24 PM

            Also, just for informational purposes… here is a Visio diagram of the setup I have for testing purposes of dual WAN with failover. I have to do this in a lab environment to prove the concept before I can do this for a client and have their site taken down.

            On "Router 1" in the diagram, I can physically disconnect that ethernet cable to the pfSense WAN and the pfSense WILL failover to the OPT WAN (WAN2); however, as noted in the diagram, when I create a firewall rule on "Router 1" to block any/all Internet traffic the pfSense does not see this... it thinks it can still ping its monitor IP even though the client PC and the pfSense ping tool cannot ping the monitor IP. In essence, the pfSense is failing over for physical loss but NOT packet loss.

            Hope this may add some clarity too.

            ![Dual WAN Test.jpg](/public/imported_attachments/1/Dual WAN Test.jpg)

            • R
              rober1sf
              last edited by Aug 15, 2013, 1:58 PM

              Anyone??

              I'd like to get the pfSense working… just for proof of concept, I tried the exact same network schema setup with a Cisco RV042 Dual WAN router and it worked beautifully with about 10 min of setup.

              Please help.

              Thanks,

              Steve

              • S
                srk3461
                last edited by Aug 16, 2013, 6:47 AM

                @rober1sf:

                > Here is my General Setup…
                >
                > Also, I cannot find the checkbox for gateway switching.
                >
                > Hopefully these screenshots help; please let me know if another shot would help.
                >
                > THANKS!

                That's because you're looking at the wrong menu. It's under System -> Advanced -> Misc, "Allow default gateway switching".
                Give this thread a read: http://forum.pfsense.org/index.php/topic,64612.msg350227.html#msg350227
                I've explained fail-over clearly in there. Good Luck!

                • R
                  rober1sf
                  last edited by Aug 16, 2013, 10:51 AM

                  I found gateway switching but checking that box hasn't made this work either.

                  Also, srk3461, I think I've done what your other article says to do… What am I doing wrong? Do I need to have all 3 groups and LAN rules even if I'm NOT load balancing?

                  • K
                    kathampy
                    last edited by Aug 16, 2013, 10:59 AM

                    First make it work with a single pfSense box with two public IP WAN interfaces so you understand exactly how to configure pfSense. Then build your (unnecessarily) complex network around it.

                    • K
                      kejianshi
                      last edited by Aug 16, 2013, 11:04 AM

                      Nothing works better for fail-over than two of the same ISP…

                      • K
                        kathampy
                        last edited by Aug 16, 2013, 11:05 AM

                        @kejianshi:

                        > Nothing works better for fail-over than two of the same ISP…

                        …from the same modem.

                        • R
                          rober1sf
                          last edited by Aug 16, 2013, 11:32 AM

                          :( Ok. I understand that one doesn't want dual WAN from the same ISP/modem in a production environment but I have to TEST this in a lab environment before I can put it in a production setting where it doesn't work! This "unnecessarily complicated" network as you say is essentially the exact same setup as having 2 modems from 2 ISPs.

                          Why does the pfSense NOT fail over to WAN2 when the Internet traffic on WAN1 goes out? And for proof of concept, I used a Cisco RV042 in the same "unnecessarily complicated" network and the Cisco worked.

                          I think there is a software flaw with pfSense and the dual WAN failover. You guys using it say it works, but are you dropping physical link for it to fail, because that does work. Dropping Internet packets does not work though!!!!!

                          I'm begging for help from you guys, so please help if you can; I don't need the sarcasm or rude comments.

                          • K
                            kejianshi
                            last edited by Aug 16, 2013, 11:42 AM

                            So, you are saying failover from packet loss doesn't work?

                            How are you simulating packet loss?

                            • K
                              kathampy
                              last edited by Aug 16, 2013, 11:52 AM

                              Failover based on a packet loss threshold does work. It works by default.

                              • K
                                kejianshi
                                last edited by Aug 16, 2013, 11:54 AM

                                If failover isn't working based on simulation of packet loss then:

                                Either it's broken or

                                The settings are wrong or

                                Packet loss is not being done effectively to cause a failover.

                                That's why I'm asking how the packets are being dropped.

                                • R
                                  rober1sf
                                  last edited by Aug 16, 2013, 11:57 AM

                                  On router 1 in my diagram above, I have an outbound firewall rule that blocks all outbound Internet traffic, thus creating Internet packet loss on WAN 1. I know the packet loss is happening too because the pfSense diag ping tool will have 100% loss, but gateway status will still show it pinging.

                                  In a "real" production setting, I would test this by removing the coax cable from the cable modem because simply unplugging the power to the modem would be link state down, which doesn't happen when the Internet goes down.

                                  • K
                                    kejianshi
                                    last edited by Aug 16, 2013, 12:01 PM

                                    Are you sure those packets you are blocking are being dropped silently and not rejected with a reply?

                                    REJECT
                                        Prohibit a packet from passing. Send an ICMP destination-unreachable back to the source host [unless the ICMP would not normally be permitted, e.g. if it is to/from the broadcast address].
                                    DROP (aka DENY, BLACKHOLE)
                                        Prohibit a packet from passing. Send no response.

                                    • R
                                      rober1sf
                                      last edited by Aug 16, 2013, 12:04 PM

                                      When I ping from the workstation behind the pfSense I get response timed out, 100% loss. I believe that is correct, right?

                                      • K
                                        kejianshi
                                        last edited by Aug 16, 2013, 12:26 PM Aug 16, 2013, 12:12 PM

                                        Do you own a server on the net anywhere?
                                        What I would do is maybe set up a couple of CentOS boxes with public IPs you can ping.
                                        Use those IPs as your monitor IPs.

                                        If you shut down the CentOS box (no blocking anything), then that will be for sure packet loss.
                                        You and a buddy could set up one at your home and one at his if you want to have control over two "gateway" IPs to use.

                                        I know this sounds like unnecessary work, and it may be, but at least you will know it's not your method of inducing packet loss that is flawed.
                                        I suppose you could do the same thing entirely in a lab environment with no outside internet.

                                        I don't know if pfSense would know the difference between a packet dropped silently, rejected, or an unreachable offline server. It might.
                                        Since you didn't tell me if you are dropping packets silently, I assume you aren't sure.

                                        • R
                                          rober1sf
                                          last edited by Aug 16, 2013, 1:21 PM

                                          @kejianshi:

                                          > DROP (aka DENY, BLACKHOLE)
                                          >    Prohibit a packet from passing. Send no response.

                                          I'm doing a DENY rule in the firewall. I don't think that I need to switch to pinging 2 of my own servers on the Internet (unless you are thinking about something that I'm not) because this setup works in the exact same setup with the Cisco RV042, and the RV042 fails over.

                                          ![Router 1 Firewall Rule.JPG](/public/imported_attachments/1/Router 1 Firewall Rule.JPG)