Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    2x2 WAN - 2 PPPoE Providers - 2 pfSense Boxes

    Routing and Multi WAN
    2
    11
    2.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      alfredo
      last edited by

      Hallo; anybody???

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        You can't do that properly with PPPoE handled on pfSense, not unless your ISP lets both boxes login at the same time on both lines (or if you actually have four lines).

        PPPoE and CARP do not mix well. You're almost better off allowing the modems to handle PPPoE and doing proper CARP on small private subnets between the modem and the pfSense WAN(s). Setup 1:1/DMZ in the modem to the CARP VIP. Not pretty since it involves an extra layer of NAT, but you'd end up with more stable failover and multi-WAN for most cases.

        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • A
          alfredo
          last edited by

          Hi Jimp,

          Thanks for your response. Yeah; am not to keen on Double NAT. Indeed, the a DMZ behind our Vigor 130 Modems would still be behind a 'forced' NAT. I have found another solution; what do you think?

          START/STOP PPPoE on Second BOX:

          
Browse to /etc/rc.carpbackup 
at the bottom of the file type the following: 

	mwexec_bg("ifconfig igb0 down");
	mwexec_bg("ifconfig igb5 down");
	log_error("### CARP BACKUP :: Stopped PPPoE on WAN1/igb0 and WAN2/igb5 :: GAASTRA ###");

?>

Browse to /etc/re.carpmaster 
at the bottom of the file type the following:

	mwexec_bg("ifconfig igb0 up");
	mwexec_bg("ifconfig igb5 up");
	mwexec_bg("/usr/local/sbin/pfSctl -c 'interface reload igb0'");
	mwexec_bg("/usr/local/sbin/pfSctl -c 'interface reload igb5'");
	log_error("### CARP MASTER :: Restarted PPPoE on WAN1/igb0 and WAN2/igb5 :: GAASTRA ###");

?>

          It kinda seems to work; but am not quite sure yetโ€ฆ

          What do you think

          Thanks

          Alfredo

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Anything short of static IP addresses on the WANs with HA is asking for trouble. You can hack it up all you want but it won't ever be truly stable with such a configuration.

            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • A
              alfredo
              last edited by

              Thanks; so you think double NAT/DMZ is better than starting/stopping PPPoE in such case? We are using all kinds of IPSec and OpenVPN Tunnelsโ€ฆ

              Would there be any way to make this 'hack' more elegant?

              Thanks

              Alfredo

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                The only way to turn that type of setup into one compatible with CARP is as I mentioned โ€“ using static private addresses on pfSense and doing the PPPoE login on the CPE.

                Some providers will even route you a /29 or so over PPPoE, if the modem can handle that as well then you'd be perfect. Probably an extra cost for the addresses but it's the only way to do that with PPPoE and avoid NAT.

                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • A
                  alfredo
                  last edited by

                  Just communicated with the PPPoE Provider and they mentioned that the next plan up - with more than 1 IP Address - is 10 times the priceโ€ฆ ;D

                  The Problems with double NAT I think are:

                  • Modem has very SLOW CPU - about 1/100th compared to our Huge (8 core i7 - 16GB) pfSense boxes. We think that it might bog down our many IPSec and OpenVPN tunnels. The Manufacturer - DrayTek - mentioned this to us over the phone and recommended to only use it in bridge-mode.
                  • Wouldn't double NAT add another layer of data packet header alteration; which would also permanently slow down our tunnels.
                  • Am not 100% sure, but would this extra NAT layer also affect data packet size with resulting permanent consequences because of stripping?
                  • There is also a significant amount VOIP traffic behind our pfSense boxes.

                  As such, I was wondering, if you could look at the above code snippets once more, and conclude that they are not too bad for this setup considering all the disadvantages of double NAT. Or would you have some comments/improvements/suggestions to the snippets better.

                  One thing I am sure of: many-many pfSense fans are facing this same issue.ย  ;)

                  Thanks,

                  Alfredo

                  1 Reply Last reply Reply Quote 0
                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    That's unfortunate. As I said though, you're welcome to hack things up however you want, but personally I wouldn't trust it in such a configuration and it's not something I want to get involved in.

                    Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • A
                      alfredo
                      last edited by

                      Alright; we have tried the official CARP Solution for our 2x2 WAN taking double NAT as a drawback.
                      We have setup 3 Gateway groups as shown in most documents: WAN1 and WAN2 Load Balancing (member down), If WAN1 fails, switch to WAN2 (Packet Loss), and If WAN2 fails, switch to WAN1 (Packet Loss). At each of our 3 LANs, we have set the bottom 3 rules to match above groups. We have set gateway monitoring to 8.8.8.8 for WAN1 and 8.8.4.4 for WAN2.

                      Now comes the problem. When we unplug WAN1, the DNS does not work anymore for the clients. Surfing by IP address does work. So it must be a DNS issue. Could you tell us what is wrong?

                      System Log Below:

                      Jan 13 18:59:45 fw1 php-fpm[55656]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                      Jan 13 18:59:45 fw1 php-fpm[55656]: /rc.newipsecdns: MONITOR: GW_WAN1 is down, omitting from routing group WAN1_AND_WAN2
                      Jan 13 19:00:36 fw1 php-fpm[47415]: /rc.dyndns.update: MONITOR: GW_WAN1 is down, omitting from routing group WAN1_TO_WAN2
                      Jan 13 19:00:37 fw1 php-fpm[55787]: /rc.filter_configure_sync: MONITOR: GW_WAN1 is down, omitting from routing group WAN2_TO_WAN1
                      Jan 13 19:00:51 fw1 php-fpm[55656]: /rc.newipsecdns: Could not send the message to it-helpdesk@telekom.de โ€“ Error: could not connect to the host "smtp.office365.com": ??
                      Jan 13 19:00:51 fw1 php-fpm[55656]: /rc.newipsecdns: MONITOR: GW_WAN1 is down, omitting from routing group WAN1_TO_WAN2
                      Jan 13 19:01:42 fw1 php-fpm[47415]: /rc.dyndns.update: Could not send the message to it-helpdesk@telekom.de โ€“ Error: could not connect to the host "smtp.office365.com": ??
                      Jan 13 19:01:42 fw1 php-fpm[47415]: /rc.dyndns.update: MONITOR: GW_WAN1 is down, omitting from routing group WAN2_TO_WAN1
                      Jan 13 19:01:43 fw1 php-fpm[55787]: /rc.filter_configure_sync: Could not send the message to it-helpdesk@telekom.de โ€“ Error: could not connect to the host "smtp.office365.com": ??
                      Jan 13 19:01:43 fw1 php-fpm[57451]: /rc.filter_configure_sync: MONITOR: GW_WAN1 is down, omitting from routing group WAN1_AND_WAN2
                      Jan 13 19:01:57 fw1 php-fpm[55656]: /rc.newipsecdns: Could not send the message to it-helpdesk@telekom.de โ€“ Error: could not connect to the host "smtp.office365.com": ??
                      Jan 13 19:01:57 fw1 php-fpm[55656]: /rc.newipsecdns: MONITOR: GW_WAN1 is down, omitting from routing group WAN2_TO_WAN1
                      Jan 13 19:02:48 fw1 php-fpm[47415]: /rc.dyndns.update: Could not send the message to it-helpdesk@telekom.de โ€“ Error: could not connect to the host "smtp.office365.com": ??
                      Jan 13 19:02:49 fw1 php-fpm[57451]: /rc.filter_configure_sync: Could not send the message to it-helpdesk@telekom.de โ€“ Error: could not connect to the host "smtp.office365.com": ??
                      Jan 13 19:02:49 fw1 php-fpm[57451]: /rc.filter_configure_sync: MONITOR: GW_WAN1 is down, omitting from routing group WAN1_TO_WAN2
                      Jan 13 19:03:03 fw1 php-fpm[55656]: /rc.newipsecdns: Could not send the message to it-helpdesk@telekom.de โ€“ Error: could not connect to the host "smtp.office365.com": ??
                      Jan 13 19:03:03 fw1 php-fpm[55656]: /rc.newipsecdns: MONITOR: GW_WAN1 is down, omitting from routing group WAN1_AND_WAN2
                      Jan 13 19:03:56 fw1 php-fpm[57451]: /rc.filter_configure_sync: Could not send the message to it-helpdesk@telekom.de โ€“ Error: could not connect to the host "smtp.office365.com": ??
                      Jan 13 19:03:56 fw1 php-fpm[57451]: /rc.filter_configure_sync: MONITOR: GW_WAN1 is down, omitting from routing group WAN2_TO_WAN1
                      Jan 13 19:04:09 fw1 php-fpm[55656]: /rc.newipsecdns: Could not send the message to it-helpdesk@telekom.de โ€“ Error: could not connect to the host "smtp.office365.com": ??
                      Jan 13 19:04:09 fw1 php-fpm[55656]: /rc.newipsecdns: MONITOR: GW_WAN1 is down, omitting from routing group WAN1_TO_WAN2
                      Jan 13 19:05:02 fw1 php-fpm[57451]: /rc.filter_configure_sync: Could not send the message to it-helpdesk@telekom.de โ€“ Error: could not connect to the host "smtp.office365.com": ??
                      Jan 13 19:05:11 fw1 php-fpm[55656]: /rc.newipsecdns: Could not send the message to it-helpdesk@telekom.de โ€“ Error: could not connect to the host "smtp.office365.com": ??
                      Jan 13 19:05:11 fw1 php-fpm[55656]: /rc.newipsecdns: MONITOR: GW_WAN1 is down, omitting from routing group WAN2_TO_WAN1
                      Jan 13 19:06:17 fw1 php-fpm[55656]: /rc.newipsecdns: Could not send the message to it-helpdesk@telekom.de โ€“ Error: could not connect to the host "smtp.office365.com": ??
                      Jan 13 19:06:17 fw1 php-fpm[55656]: /rc.newipsecdns: MONITOR: GW_WAN1 is down, omitting from routing group WAN1_AND_WAN2

                      Screen-Shot-2016-01-13-at-20.06.png
                      Screen-Shot-2016-01-13-at-20.06.png_thumb

                      1 Reply Last reply Reply Quote 0
                      • A
                        alfredo
                        last edited by

                        This has helped us solve the problem:

                        TIPS:
                        [1] Diagnostics/Misc
                        Go to Status -> Interfaces
                        Go to Diagnostics -> Routes
                        https://forum.pfsense.org/index.php?topic=43982.15

                        In System -> General Setup
                        a. Uncheck:
                        Allow DNS server list to be overridden by DHCP/PPP on WAN
                        REF: https://forum.pfsense.org/index.php?topic=43982.0
                        b. Try setting "Use gateway" to none for the Google DNS servers

                        [2]
                        DNS Resolver -> Set "Enable Forwarding Mode:" to true:
                        Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General or those obtained by DHCP/PPPoE/etc (checked, enabled). Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support. Forwarding mode is necessary for Multi-WAN configurations unless default gateway switching is enabled.
                        REF: https://doc.pfsense.org/index.php/Unbound_DNS_Resolver

                        [3]
                        System -> Advanced -> Miscellaneous -> Load Balancing
                        Set Enable default gateway switching to true:
                        If the default gateway goes down, switch the default gateway to another available one. This is not enabled by default, as it's unnecessary in most all scenarios, which instead use gateway groups.
                        REF: https://forum.pfsense.org/index.php?topic=72445.0
                        REF: https://forum.pfsense.org/index.php?topic=45081.0

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.