Interface Shutdown - similar to Cisco Command
-
Hello all,
Been a user of Cisco Routers / Firewalls / as well as many others for many years
Have been using PFSense for over 7 years now, done decent setups e.g. multisite / fail over / OpenVPN / IPSec etc. The site I refer to in this post is running the latest version of PFSense.
I had a recent issue in an international PFSense connected Wide Network (which has been running for a couple of years now), where the ISP on the Primary WAN link was bouncing/flapping (due to a fault with the ISP). As per normal fail over systems in place, secondary ISP kicked in, basically everything failed over, however with the Primary WAN link flapping like it was and no favorable Tech ETA in sight, it was recommended that we disable (shutdown) the Primary WAN interface. As no one technical was onsite, we could not just remove the WAN Link NTU.
Now whilst I have been using PFSense for many years, this was the first time that I needed to perform this action.
Now on Cisco Equipment I would normally issue a SHUTDOWN on the interface, in most cases, job done.
So when it came to the PFSense, the only option available is to Disable the WAN Interface - a bit extreme and fraught with possible issues.
Any better ways of doing this?
Ideally what we are trying to achieve is a soft shutdown of the link so that we have control, and should the ISP correct the issue, be able to bring it back online.
Thinking through it, what I am trying to achieve is a place a firewall block on the WAN interface, blocking all ports/traffic, which would mean that the WAN link (Primary) would see the Gateway down, and force the failover functionality implemented.
Agreed, I could go and do this on the firewall, but thinking through it, ideally the better way is a single tickbox which performed the following operations:
- Blocked all traffic on this Interface (avoids changing rules on the fly)
- Performed a service restart on OpenVPN / IPSEC (forcing them to drop/restart)
- Performed a State Reset on any connections on the Primary WAN interface
- Updated routes (if required)
Any thoughts would be appreciated... have looked around the web for the last few days and found a few asking similar, but no real answers.
Regards
Bob
-
Perhaps I'm missing something, but what's the difference between doing a shutdown and disabling the interface? They both do the same thing. When you want to restore the interface, you enable the interface, just as you'd have to do a no shut on the Cisco gear. The only difference I can see is with Cisco, if you don't write the configuration, a reboot will restore the interface. I don't think that would work with pfSense.
-
You can also mark a gateway 'offline' (gateway settings)
-
JKnott,
Thanks for the prompt reply.
No I don't think you are missing anything, your expectation was exactly the same as mine. Disable the interface, and all should be good.
As part of the Failover, I am using the Gateway group in the:
- OpenVPN configuration
- LAN Rules - pointing it to the Gateway Group
Users have access to the Internet no issues - they have failed over correctly
However:
- Inbound OpenVPN connections fail
- Outbound OpenVPN connections fail
- Inbound forwarded traffic fails (actually comes in, but does not return traffic)
One of the issues is that with disabling the interface, this interface is no longer present as part of the Gateway Grouping.
What does resolve the issues above is:
- Enabling the interface (but removing the physical WAN connection (NTU connection))
or
- Manually changing the Default Gateway to the secondary WAN link (yes, I am aware of the Automatic Default Gateway switch; however, it clearly states it should not be necessary if Gateway Groups are used).
Hence my question... it appears that disabling the Primary WAN "screws" up the Gateway Groups.
Now having said that, I want to set up a LAB environment and check each item again (most of the above was on a system that was down). Alternatively, I may get a chance to perform a test on this exact system when I have technical assistance back at the main PFSense.
Any thoughts (or corrections) are appreciated...
Regards
Bob
-
Heper,
Thanks for that... one I had not considered and will probably perform exactly what I need...
In fact, as I was typing, on that same system, I just marked the Gateway Offline and put the Gateway Default back to the Primary link (which has been marked as down).
The results were:
- Forwarded ports to the Secondary WAN link - responsive
- Inbound OpenVPN connections working
- Outbound OpenVPN connections working
- Everything else working as it should in a failover situation.
Heper,
Thanks, that appears to do exactly what I need...
Regards
Bob