Problem with Load Balancing - Failover

  • Greetings,

    I recently decided to implement Load Balancing - Failover on the pfSense machines in my branch offices to facilitate redundant connectivity.  These machines are running pfSense 1.2 and I have a DSL or Cable modem connected to the OPT1 port and a PtP T1 on the WAN.

    I created the failover pools according to this document:
    My configuration slightly differs from what is specified in the document:
    1.  I am not using a Load Balancing pool, Failover pools only.
    2.  It is polling the interface gateway instead of the DNS servers.

    I configured two failover pools:  one in which the WAN fails over to the DSL and the other the DSL fails over to the WAN.
    I have firewall rules in place on the LAN side which specify that HTTP traffic to certain sites like YouTube and Flickr should always go out of the DSL instead of across our private WAN.  When I changed the gateway on these rules from the DSL gateway to the DSLtoWAN failover pool, everything works fine.  Traffic passes as it should and when I disconnect the DSL modem, failover routes that traffic across our private WAN link.

    However, when I configure the default pass rule on the LAN side to use the WANtoDSL failover pool as the gateway instead of the WAN gateway, I run into trouble.  The interface shows status ONLINE under the Load Balancer status page, but after  about 45 seconds of changing the default pass rule gateway to the failover pool, pfSense stops passing traffic from the LAN side across the WAN interface.  I can SSH into servers which are inside the LAN from the WAN side, but I can't get anything out from the LAN side.  Changing the gateway on the default pass rule to the default gateway does the same thing.  When I change the gateway on the default pass rule to the explicit WAN gateway, everything goes back to normal.

    This has happened on two different pfSense machines in two separate offices.  Does anyone have any idea why this is happening?


  • 2.  It is polling the interface gateway instead of the DNS servers.

    I don't think the interface gateway is best thing to monitor as / if your ISP are doing some internal upgrade you might still be able to ping the gateway.

    You might need a static route. for example to DNS servers.

  • I have a static route in place for the DSL/Cable interface on each machine defining the gateway to the DNS servers and gateways subnet.

    The (DSL/Cable)toWAN failover works fine.  The problem I'm having is when I specify the WANto(DSL/Cable) failover pool as the gateway on the default pass rule in the firewall rules table on the LAN side, it doesn't allow traffic out after about 45 seconds.  Immediately after the rule is applied, traffic gets out to the WAN and I'm able to ping to any of my servers at the main office.  After about 45 seconds, if I've kept a constant ping up it starts to drop some packets.  If I stop the ping and try it again, I get a TTL exceeded error from a router in the DSL or Cable ISP's network.

    This also happens if I create a rule in the firewall rules table on the LAN side specifying that all traffic to a particular host on my WAN side should use the failover pool as the gateway.  Any attempt to ping that host will result in the same TTL exceeded error.

  • Also, I am unable to ping the WAN gateway from inside the LAN when the default pass rule gateway is set to the failover pool.  When I try this; however, I do not get the TTL exceeded error.

  • I do understand your problem though it mostly happens with wan2. If you reset states the error will kick in sooner.
    You could double check that first monitor ip in wantodsl is the wan monitor ip and if wan has a static ip a correct gateway has been entered.

    My general recommendation when dealing with a dualwan setup is:

    1. Boot from livecd
    2. Setup nic's ( specify gateways if static ip are used )
    3. Greate pool's
    load balancing                        wan isp dns server monitor ip then wan2 isp dns server monitor
    fail over pool WanToWan2        wan isp dns server monitor ip then wan2 isp dns server monitor
    fail over pool WanToWan2        wan2 isp dns server monitor ip then wan isp dns server monitor
    4. Do a Trace Route test from a lan clients using the different gateways on the default lan rule. After each gateway switch, reset states, close browser and do " ipconfig /flushdns " from command prompt.
    If for some reason isp dns server can't be used OpenDNS dns servers can be used and

  • This platform is embedded, not PC.  Is there something wrong with Load Balancing on the embedded platform?

    The documentation says that for WAN1toWAN2 failover, the pool should be WAN2 Interface and WAN2 Monitor IP first. 
    Yes, the monitor IP is a static IP for the WAN.

    Changing the monitor IP for the WAN interface to an internal DNS server, an external DNS server, or another host changes nothing.  I still get the TTL error.

  • OK, after playing around some more I managed to get this working proper.  The documentation I listed above says to create the failover pools backwards.

    Perry, thanks for all of your help!