Multi-WAN: Load Balancing and Fail-over Setup
-
Hi guys,
I've got a problem with failover, too.
There are two WAN connections on my pfSense. I create a gateway group named "MultiWAN". Then I select the "Allow default gateway switching" button.
Next I edit the default LAN firewall ACL and choose "MultiWAN" as my gateway.
Finally I create DNS server entries for both WAN connections on the "General Setup" tab. When I disconnect the "ADSL" WAN (Tier 1), I can't get access to the internet over "Telekom_ISP" (Tier 2), as shown in the picture above.
Anybody have an idea? Greetings
-
Try setting Trigger Level: Member Down
-
Thanks for your answer!
I chose the option "member down", disconnected WAN "ADSL" and tested the internet connection -> doesn't work for me.
Any other idea? More settings of my pfSense: firewall ACL:
gateway switching:
DNS server for my gateways:
Greetings
-
Under General Setup => DNS Servers => Use gateway, try setting none
-
I did that! But this is not the solution…
More information: Disconnect ADSL WAN:
Check the log:
Successful ping from pfSense directly over WAN Telekom_ISP (in the example named "company connect", but it means telekom_isp):
So pfSense reaches "www.google.de" over the fallback line… When I try to go online with several clients I get a timeout.
When I try to ping "www.google.de" from a client I get a timeout, and when I ping an IP address (e.g. a DNS server IP) that does not work, too.
-
That would indicate your firewall gateway rules are incorrect, or that your client DNS is not making it past.
What happens when you try to ping 173.194.35.183 directly from a client?
-
Looks reasonable. What other LAN rules do you have?
Maybe your traffic is matching an earlier rule, which is not pushing the traffic into the gateway group?
-
That would indicate your firewall gateway rules are incorrect, or that your client DNS is not making it past.
What happens when you try to ping 173.194.35.183 directly from a client?
My clients' first DNS server is pfSense. When both gateways are connected, every DNS request works great.
When I try an IP in the ping command I get a timeout, too.
I did that in the last step. I chose a DNS server IP to test that.
-
Looks reasonable. What other LAN rules do you have?
Maybe your traffic is matching an earlier rule, which is not pushing the traffic into the gateway group?
I've got the "anti-lockout rule" before the gateway group ACL. And I've got an ACL rule before the gateway group rule that gives full access to another subnet.
On the last ACL for the other subnet the default gateway is not my gateway group, so that's maybe the problem, as you wrote. I'll try that and give feedback, thank you guys!
-
The change of ACL firewall priority doesn't solve the problem. I did an update to version 2.1.1 (before 2.1) but this doesn't solve the problem either. Anybody have an idea?
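The rule-ordering check suggested in this thread (an earlier LAN rule matching internet-bound traffic without the gateway group, so the traffic takes the default gateway and dies when that WAN is down), as an added example that is not part of the thread or of pfSense itself. It walks a constructed, simplified config-style rule set top to bottom with first-match semantics; the element names and the rule set are assumptions for illustration, not a real config.xml.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed LAN rule set in a simplified pfSense-like layout (element names
# are an assumption, not a real config.xml). Rules apply top to bottom, first
# match wins, and a rule with no <gateway> sends traffic to the system default.
CONFIG_XML = """
<pfsense><filter>
  <rule><descr>Anti-Lockout Rule</descr><interface>lan</interface>
    <source>192.168.1.0/24</source><destination>192.168.1.1/32</destination></rule>
  <rule><descr>Allow other subnet</descr><interface>lan</interface>
    <source>192.168.1.0/24</source><destination>10.10.0.0/24</destination></rule>
  <rule><descr>Allow LAN to any (no gateway)</descr><interface>lan</interface>
    <source>192.168.1.0/24</source><destination>any</destination></rule>
  <rule><descr>Default allow LAN to any</descr><interface>lan</interface>
    <source>192.168.1.0/24</source><destination>any</destination>
    <gateway>MultiWAN</gateway></rule>
</filter></pfsense>
"""

def _matches(spec, addr):
    return spec == "any" or addr in ipaddress.ip_network(spec, strict=False)

def lan_rules(xml_text):
    """Yield (descr, source, destination, gateway) for every LAN rule, in order."""
    for r in ET.fromstring(xml_text).iter("rule"):
        if r.findtext("interface") == "lan":
            yield (r.findtext("descr"), r.findtext("source"),
                   r.findtext("destination"), r.findtext("gateway"))

def first_match(xml_text, src, dst):
    """Return (descr, gateway) of the first LAN rule matching src -> dst.
    gateway is None when the rule leaves routing to the default gateway."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for descr, source, destination, gateway in lan_rules(xml_text):
        if _matches(source, s) and _matches(destination, d):
            return descr, gateway
    return None, None

def shadowing_rules(xml_text, group):
    """Rules above the first `group` rule that match any destination without a
    gateway: internet-bound traffic they catch never reaches the group."""
    found = []
    for descr, _source, destination, gateway in lan_rules(xml_text):
        if gateway == group:
            break
        if destination == "any" and gateway is None:
            found.append(descr)
    return found
```

Running first_match for a client pinging 173.194.35.183 shows which rule actually carries the traffic and whether it names the gateway group; shadowing_rules lists the rules that need reordering or a gateway assignment.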