Failover does not work
-
@econst said in Failover does not work:
Why all the other people's guides? Makes it confusing.
I would stick to the Netgate guides and max... Lawrence Youtube, these are sure resources
+++edit:
-
@econst said in Failover does not work:
Will this way automatically switch back when the failed member is reconnected?
Yes, when the failed member is reconnected pfsense will automatically switch NEW connections to the reconnected tier 1 gateway if its status is up. Notice how I emphasise new connections, because any existing states that were created on the tier 2 gateway will remain connected through that link until the states expire, either organically or manually closed by each client/server or by you going into the firewall states and killing them.
Why all the other people's guides? Makes it confusing. Did you read the one I sent?
I looked through that guide really quickly and it made everything way more complicated than it has to be. I would suggest you remove anything that guide told you to do. You shouldn't need any special firewall rules. Also, you don't have to put anything in the monitor IP address. By default leaving it blank for each gateway will ping your gateway address and normally that's the best option. Unless your gateway doesn't like responding to ping, then you may need another external address. You would know that right away though if you're getting no response.
-
@DaddyGo I ack your previous comments on redundancy, but there are times when only one link goes down. That's what I am trying to mitigate.
I'll give it a try and let you know. Thanks again.
-
@Raffi_ I have seen situations that if you don't put an external IP for the monitor IP and just use the local gateway address, when the link drops the gateway would still respond to the pings.
-
@econst said in Failover does not work:
@Raffi_ I have seen situations that if you don't put an external IP for the monitor IP and just use the local gateway address, when the link drops the gateway would still respond to the pings.
Interesting, yes in that case use the external address if that works best for you.
-
@econst said in Failover does not work:
if you don't put an external IP for the monitor IP and just use the local gateway address, when the link drops the gateway
There are many different opinions on this:
-
- it is possible to specify these known DNS server IPs (8.8.8.8, 1.1.1.1, 9.9.9.9) as monitor IPs = my answer is absolutely NO
- ISP GW IP as a gateway monitor, realistic solution, but what about the VPN IP GW
- therefore, I have established an external connection on one of our VPSs and am responding to PING from it
BTW: it is important not to get too far from the NGFW, as it will degrade the measurement results (RTT, RTTsd, Loss, Status) and influence the assessment of GW status -
-
@DaddyGo said in Failover does not work:
it is possible to specify these known DNS server IPs (8.8.8.8, 1.1.1.1, 9.9.9.9) as monitor IPs = my answer is absolutely NO
In the past I have used 8.8.8.8 or 8.8.4.4 for years without issues. It may not be the best practice, but what is best and what works aren't always the same. What works for someone may not work for another. I guess that's why there are many opinions on it as you said. If there was one answer which was always correct, everyone would use that.
Edit, @econst In other words, if whatever monitor setting you have is working, leave it alone.
-
Thanks again guys. I'll try it later and let you know.
-
@Raffi_ said in Failover does not work:
In the past I have used 8.8.8.8 or 8.8.4.4 for years without issues. It may not be the best practice, but what is best and what works aren't always the same.
Yes, sure....
- but
I used this for a long time... DNS server PING response... for GW monitor
(btw: some ISPs block PING requests that are constantly pointing to DNS servers) but I realized that the response time of DNS servers varies depending on their load, so I don't get exact values about the status of my GW
in the same data center where we have pfSense devices, I created a VPS for this purpose and also log GW(s) monitor PINGs on it
- so I kill two birds with one stone
I get a concrete picture of our GW status from several directions
-
@DaddyGo said in Failover does not work:
in the same data center where we have pfSense devices, I created a VPS for this purpose and also log GW(s) monitor PINGs on it
Yes, that is a very good solution since those resources are available to you. I wish I could do the same.
My "data center" is a tiny closet with very low cost switches and a few home-brew servers from leftover systems. That's just my situation and having to make the most out of it. Therefore, if it works that's what I use. I have had cases when 8.8.8.8 would not respond to ping for brief moments or had increased delay, but the simple solution to that is making minor adjustments to packet loss/delay threshold values. I'm not using external DNS currently for monitoring, but I can say that it worked fine for the purpose of my failover setup with minor tuning when I was using it. Let's just call it the poor man's monitoring solution :)
-
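Added example (not code from this thread, from pfSense or from dpinger): a small Python model of the loss/latency threshold tuning Raffi_ describes above. It feeds a window of probe results through the same two-level "warning / down" classification a gateway monitor applies, then checks whether a gateway-group trigger level would fail the gateway over. The threshold defaults are the ones in pfSense's gateway advanced settings (10/20 % loss, 200/500 ms latency); the four trigger names are the options a pfSense gateway group offers, but the way they are combined here is this example's own simplification. Both RTT lists are constructed sample data, not real measurements.

```python
import statistics
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed sample data: round-trip times in milliseconds for ten probes,
# None marking a probe that got no reply. Made-up numbers, not measurements.
ISP_GATEWAY_RTTS = [12.1, 11.8, 12.4, 11.9, 12.2, 12.0, 11.7, 12.3, 12.1, 11.9]
BUSY_PUBLIC_DNS_RTTS = [25.0, None, 310.0, 35.0, None, 420.0, 28.0, None, 380.0, 31.0]


@dataclass
class GatewayReport:
    loss_pct: float
    avg_rtt_ms: Optional[float]
    rtt_sd_ms: Optional[float]
    high_loss: bool       # loss crossed the "warning" (low) threshold
    high_latency: bool    # latency crossed the "warning" (low) threshold
    status: str           # "online", "warning" or "down"


def evaluate_gateway(samples: Sequence[Optional[float]], *,
                     loss_low: float = 10.0, loss_high: float = 20.0,
                     latency_low: float = 200.0, latency_high: float = 500.0) -> GatewayReport:
    """Classify a gateway from one window of probe results.

    Threshold defaults mirror pfSense's gateway advanced settings; the
    two-level scheme is a simplified model of the monitor, not its code.
    """
    if not samples:
        raise ValueError("need at least one probe result")
    replies = [rtt for rtt in samples if rtt is not None]
    loss_pct = 100.0 * (len(samples) - len(replies)) / len(samples)
    if replies:
        avg = statistics.fmean(replies)
        sd = statistics.pstdev(replies)   # spread over the window (RTTsd)
    else:
        avg = sd = None

    high_loss = loss_pct >= loss_low
    high_latency = avg is not None and avg >= latency_low
    # No replies at all, or either metric past its "high" threshold -> down.
    if avg is None or loss_pct >= loss_high or avg >= latency_high:
        status = "down"
    elif high_loss or high_latency:
        status = "warning"
    else:
        status = "online"
    return GatewayReport(loss_pct, avg, sd, high_loss, high_latency, status)


def should_fail_over(report: GatewayReport, trigger: str = "member_down") -> bool:
    """Apply a gateway-group trigger level to a report (simplified model)."""
    if report.status == "down":
        return True
    if trigger == "member_down":
        return False
    if trigger == "packet_loss":
        return report.high_loss
    if trigger == "high_latency":
        return report.high_latency
    if trigger == "packet_loss_or_high_latency":
        return report.high_loss or report.high_latency
    raise ValueError(f"unknown trigger level: {trigger}")


if __name__ == "__main__":
    for name, rtts in (("ISP gateway", ISP_GATEWAY_RTTS),
                       ("busy public DNS", BUSY_PUBLIC_DNS_RTTS)):
        default = evaluate_gateway(rtts)
        tuned = evaluate_gateway(rtts, loss_low=30.0, loss_high=40.0)
        print(f"{name}: defaults -> {default.status}, "
              f"loss thresholds raised -> {tuned.status}, "
              f"fail over on 'member down' -> {should_fail_over(tuned)}")
```

With the default thresholds the constructed public-DNS window (3 of 10 probes unanswered) is marked down and the group fails over, even though the link itself is fine; raising the loss thresholds to 30/40 % turns that into a warning, which the default "member down" trigger level ignores. That is the trade-off in the two posts above: a monitor target whose replies vary with its own load needs looser thresholds, and looser thresholds mean a real outage is noticed a little later.
-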
@Raffi_ said in Failover does not work:
Let's just call it the poor man's monitoring solution :)
I understand
I am lucky enough to work as a freelance "IT guy" for companies that entrust me with their supervision, of course then I also "run" my own things as these things are entrusted to me
so at their expense, I also get private resources...
I think this is called "symbiosis" in biology, hihihihi - I hope so, in my reading this is the monitoring solution