Netgate Discussion Forum
    Dual WAN Failover with Dual LAN

    Routing and Multi WAN
Coldfirex:

      Howdy,

      I have had a dual-lan, single wan setup working correctly for a while.  I am now trying to implement an additional wan line for failover only (no loadbalancing at all).  I have gotten the 2nd wan interface working and the 2 loadbalance pools implemented (Wan1FailsToWan2 and Wan2FailsToWan1).  I have verified that the load balance pools are working by taking the wan1 down (the load balance status page shows wan1 off and wan2 on).

I believe I am having an issue with my firewall rules.  For both LANs my rules are directing to the gateway 'default'.  I have experimented with putting my loadbalance pools as the gateway but I have not been able to get it working.  I have also been using the documents I could find concerning multi-wan setups but they are usually for loadbalancing and single LANs.  The only real rules I have existing are to keep traffic between the 2 LANs separate outside of allowing LAN1 to a single IP address on LAN2.

      WAN1: 66.76.X.X (static)
      WAN2: DHCP (WAN2Verizon)

      LAN1: 192.168.0.X
      LAN2 (Public): 192.168.1.X

      WAN1FailsToWAN2 and WAN2FailsToWAN1.

      I have attached my sanitized configuration.  If someone could please help me out I would greatly appreciate it!

      Thanks,
      Alan
      config-sanitized.txt

Coldfirex:

        Any advice?

GruensFroeschli:

          Could you describe what your actual problem is?
          As in: what do you want and how does it differ from what you have.

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

Coldfirex:

            @GruensFroeschli:

            Could you describe what your actual problem is?
            As in: what do you want and how does it differ from what you have.

            The issue is that while the Load Balance pools are working, I am unable to reach the Internet when it fails to WAN2.  I believe this is due to my firewall rules, but am not sure.

GruensFroeschli:

              As far as i can see from your config your DHCP clients use the DNS-server directly.
              1: Remove this and let the pfSense DNS-forwarder be the DNS-server for your clients.
              2: Add a static route for one of your DNS-server entries on pfSense to the second WAN so pfSense is still able to resolve names when the primary WAN goes down.

Coldfirex:

                @GruensFroeschli:

                As far as i can see from your config your DHCP clients use the DHCP directly.
                1: Remove this and let the pfSense DNS-forwarder be the DNS-server for your clients.
                2: Add a static route for one of your DNS-server entries on pfSense to the second WAN so pfSense is still able to resolve names when the primary WAN goes down.

                1. If you mean that pfSense is acting as the DHCP server then yes it is.  Or are you talking about my ISP dhcp?
                2. I will make this change.
                Would this help as I was not able to even ping or perform a traceroute when I took down WAN1?

GruensFroeschli:

Sorry, a typo.
I meant: currently it seems you push the DNS servers 208.180.42.100 and 208.180.42.68 directly to the clients via DHCP.
--> The clients access the DNS server directly.

Just delete the DNS server fields in the DHCP server config.
--> Clients will use pfSense as their DNS server.

If you add the static route for the DNS server on pfSense, pfSense will be able to resolve names even if one WAN is down.
If you modify the config.xml manually you can also add a tertiary and a quaternary DNS server --> 2 for each WAN --> 2 static routes pointing to the second WAN.

Coldfirex:
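The DHCP and static-route advice above can be checked mechanically. The following is an added example (not part of this thread and not pfSense code) that parses a pfSense-style config.xml and flags the two conditions discussed: a DHCP scope that still hands the ISP resolvers straight to clients, and system resolvers that have no static route out of the second WAN. The element paths (`system/dnsserver`, `dhcpd/<scope>/dnsserver`, `staticroutes/route/{interface,network}`), the interface name `opt2` for WAN2, its gateway 10.0.0.1 and the sample config are assumptions to be checked against your own config; the resolver addresses are the ones named in the post.

```python
"""Lint a pfSense-style config.xml for the two DNS pitfalls discussed above.

Added example, not pfSense code. The element names used here (system/dnsserver,
dhcpd/<scope>/dnsserver, staticroutes/route/{interface,network}) are assumed;
confirm them against your own config.xml before relying on the result. The
sample config, the WAN2 interface name "opt2" and its gateway 10.0.0.1 are
constructed; the resolver addresses are the ones named in the thread.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: DHCP on LAN still hands out the ISP resolvers directly,
# and only one of the two system resolvers has a /32 static route via WAN2.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <dnsserver>208.180.42.100</dnsserver>
    <dnsserver>208.180.42.68</dnsserver>
  </system>
  <dhcpd>
    <lan>
      <dnsserver>208.180.42.100</dnsserver>
      <dnsserver>208.180.42.68</dnsserver>
    </lan>
    <opt1/>
  </dhcpd>
  <staticroutes>
    <route>
      <interface>opt2</interface>
      <network>208.180.42.68/32</network>
      <gateway>10.0.0.1</gateway>
    </route>
  </staticroutes>
</pfsense>"""


def _texts(element, path):
    """Stripped text of every element matching an ElementTree path."""
    return [e.text.strip() for e in element.iterfind(path) if e.text and e.text.strip()]


def external_dns_via_dhcp(xml_text):
    """DHCP scopes that push resolver addresses to clients. An empty DNS field
    means clients get pfSense itself, i.e. its DNS forwarder, which is wanted."""
    root = ET.fromstring(xml_text)
    dhcpd = root.find("dhcpd")
    if dhcpd is None:
        return {}
    result = {}
    for scope in dhcpd:
        servers = _texts(scope, "dnsserver")
        if servers:
            result[scope.tag] = servers
    return result


def resolvers_without_wan2_route(xml_text, wan2_interface):
    """System resolvers with no static route out of the second WAN. Queries to
    these die with WAN1, because pfSense's own traffic never uses the pool."""
    root = ET.fromstring(xml_text)
    routed = []
    for route in root.iterfind("staticroutes/route"):
        if route.findtext("interface") == wan2_interface:
            routed.append(ipaddress.ip_network(route.findtext("network"), strict=False))
    return [r for r in _texts(root, "system/dnsserver")
            if not any(ipaddress.ip_address(r) in net for net in routed)]


def lint(xml_text, wan2_interface="opt2"):
    """Return a list of findings; an empty list means both pitfalls are avoided."""
    findings = []
    for scope, servers in external_dns_via_dhcp(xml_text).items():
        findings.append(f"dhcpd/{scope} hands out {', '.join(servers)} directly; "
                        "clear the DNS fields so clients query the pfSense forwarder")
    resolvers = _texts(ET.fromstring(xml_text), "system/dnsserver")
    missing = resolvers_without_wan2_route(xml_text, wan2_interface)
    if resolvers and len(missing) == len(resolvers):
        findings.append(f"no system resolver is routed via {wan2_interface}; "
                        "pfSense cannot resolve names once WAN1 is down")
    elif resolvers and not missing:
        findings.append(f"every system resolver is routed via {wan2_interface}; "
                        "pfSense cannot resolve names once WAN2 is down")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports only the DHCP finding, because one resolver is already routed out WAN2 and the other still follows the default route out WAN1, which is the split the post recommends. Point it at your own exported config with `lint(open("config.xml").read(), "<your WAN2 interface>")`.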

                    @GruensFroeschli:

Sorry, a typo.
I meant: currently it seems you push the DNS servers 208.180.42.100 and 208.180.42.68 directly to the clients via DHCP.
--> The clients access the DNS server directly.

Just delete the DNS server fields in the DHCP server config.
--> Clients will use pfSense as their DNS server.

If you add the static route for the DNS server on pfSense, pfSense will be able to resolve names even if one WAN is down.
If you modify the config.xml manually you can also add a tertiary and a quaternary DNS server --> 2 for each WAN --> 2 static routes pointing to the second WAN.

Ah, thanks for the clarification.
Concerning "Would this help as I was not able to even ping or perform a traceroute when I took down WAN1?": what I meant to say is, would this help, as I cannot ping or traceroute an external IP address (with DNS out of the loop)?

GruensFroeschli:

                      Did you do this traceroute test from pfSense itself?
                      When WAN1 is down: are you able to ping the gateway of WAN2 from pfSense itself?

pfSense does not use the balancing pool for traffic originating on itself.
--> That's why you need static routes if you want to force some traffic to the second WAN (like DNS queries).

Coldfirex:

                        @GruensFroeschli:

                        Did you do this traceroute test from pfSense itself?
                        When WAN1 is down: are you able to ping the gateway of WAN2 from pfSense itself?

pfSense does not use the balancing pool for traffic originating on itself.
--> That's why you need static routes if you want to force some traffic to the second WAN (like DNS queries).

                        I tried from a laptop connected to the network, not pfsense itself.  I completely forgot to try to ping WAN2's gateway, simply an external IP.

Coldfirex:

It still doesn't appear to be working.  :(

Could someone please post or PM me their sanitized config if they are running in a failover setup (not load balanced)?

Coldfirex:

                            Anyone have a similar setup that could spare their config for comparison?

jahonix:

                              @Coldfirex:

… For both LANs my rules are directing to the gateway 'default'.  I have experimented with putting my loadbalance pools as the gateway but I have not been able to get it working.

                              This has to be the pool, otherwise it points the clients to one gateway only. And if that fails…

In your posted config I saw rules originating on OPT1 to access gateway "Wan2 Failover..." and "Wan1 Failover...".
                              I haven't seen those for LAN.

To get it working you should start with a carte blanche rule (allow * from * to * gateway: pool) on both your LAN IFs.

I haven't set up a dual WAN config myself yet. These assumptions are from my understanding of how it should work...

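Why a LAN rule pointing at gateway 'default' goes dark when WAN1 fails, while the same rule pointing at the pool fails over, and why pfSense's own lookups still need a static route, can be shown with a small model. This is an added example, not the thread's or pfSense's code: it reduces the behaviour GruensFroeschli and jahonix describe above to a routing table, failover pools and ordered firewall rules. The pool and resolver names come from the thread; the gateway addresses, interface names, the permitted LAN2 host 192.168.1.10 and the external test address 198.51.100.1 are constructed.

```python
"""Model of how a packet picks its exit WAN under pfSense 1.2-style policy routing.

Added example, not pfSense code. It reduces the mechanics described in this
thread to three facts: a firewall rule's gateway field decides the exit for
forwarded traffic; 'default' means the system routing table, whose default
route keeps pointing at WAN1 whether or not WAN1 is up; and traffic pfSense
originates itself (the DNS forwarder, its own ping) never consults a pool.
Pool and resolver names are from the thread; gateway addresses, interface
names and test addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    address: str
    up: bool = True            # what the load balancer's monitor reports


@dataclass
class Pool:
    name: str
    members: list              # gateway names, preferred first: failover, not balancing


@dataclass
class Rule:
    interface: str             # interface the packet arrives on
    source: str                # CIDR
    destination: str           # CIDR
    gateway: str = "default"   # 'default', a pool name or a gateway name
    action: str = "pass"       # 'pass' or 'block'


class Router:
    def __init__(self, gateways, pools, connected, static_routes, default_gateway, rules):
        self.gateways = {g.name: g for g in gateways}
        self.pools = {p.name: p for p in pools}
        self.connected = [ipaddress.ip_network(n) for n in connected]
        self.static_routes = [(ipaddress.ip_network(n), gw) for n, gw in static_routes]
        self.default_gateway = default_gateway
        self.rules = rules

    def system_route(self, destination):
        """Kernel routing table: connected network, longest-prefix static route,
        else the default route. A route via a dead gateway is a black hole (None)."""
        ip = ipaddress.ip_address(destination)
        if any(ip in net for net in self.connected):
            return "local"
        matches = [(net.prefixlen, gw) for net, gw in self.static_routes if ip in net]
        gw = max(matches)[1] if matches else self.default_gateway
        return gw if self.gateways[gw].up else None

    def self_originated(self, destination):
        """pfSense's own traffic: routing table only, pools are never consulted."""
        return self.system_route(destination)

    def forwarded(self, interface, source, destination):
        """Exit for a client packet: the first matching rule wins."""
        src, dst = ipaddress.ip_address(source), ipaddress.ip_address(destination)
        for rule in self.rules:
            if (rule.interface == interface and src in ipaddress.ip_network(rule.source)
                    and dst in ipaddress.ip_network(rule.destination)):
                if rule.action == "block":
                    return None
                if rule.gateway == "default":
                    return self.system_route(destination)
                if rule.gateway in self.pools:      # first member whose monitor is up
                    return next((m for m in self.pools[rule.gateway].members
                                 if self.gateways[m].up), None)
                return rule.gateway if self.gateways[rule.gateway].up else None
        return None                                 # no pass rule matched: blocked


def build(wan1_up=True, wan2_up=True, lan_gateway="default"):
    """The thread's topology; lan_gateway is what the LAN1 catch-all rule points at."""
    gateways = [Gateway("WAN1", "66.76.0.1", wan1_up), Gateway("WAN2", "10.0.0.1", wan2_up)]
    pools = [Pool("WAN1FailsToWAN2", ["WAN1", "WAN2"]), Pool("WAN2FailsToWAN1", ["WAN2", "WAN1"])]
    connected = ["192.168.0.0/24", "192.168.1.0/24"]
    static_routes = [("208.180.42.68/32", "WAN2")]   # one resolver forced out WAN2
    rules = [
        # The one permitted LAN1 -> LAN2 host and the LAN1 -> LAN2 block must stay
        # above the catch-all: a pool rule policy-routes even local traffic out a WAN.
        Rule("lan", "192.168.0.0/24", "192.168.1.10/32", "default"),
        Rule("lan", "192.168.0.0/24", "192.168.1.0/24", "default", "block"),
        Rule("lan", "192.168.0.0/24", "0.0.0.0/0", lan_gateway),
        Rule("opt1", "192.168.1.0/24", "0.0.0.0/0", "WAN1FailsToWAN2"),
    ]
    return Router(gateways, pools, connected, static_routes, "WAN1", rules)


if __name__ == "__main__":
    down = build(wan1_up=False)
    print("LAN via 'default' with WAN1 down:", down.forwarded("lan", "192.168.0.10", "198.51.100.1"))
    print("LAN via pool with WAN1 down:",
          build(wan1_up=False, lan_gateway="WAN1FailsToWAN2").forwarded("lan", "192.168.0.10", "198.51.100.1"))
    print("forwarder -> 208.180.42.100 with WAN1 down:", down.self_originated("208.180.42.100"))
    print("forwarder -> 208.180.42.68 with WAN1 down:", down.self_originated("208.180.42.68"))
```

With WAN1 down, the 'default' rule returns None (the packet follows the default route into a dead gateway), the pool rule returns WAN2, and of pfSense's own two resolver queries only the one with a static route survives. The rule order in `build` is deliberate: the LAN1-to-LAN2 exception and block sit above the catch-all, because once the catch-all points at a pool it would policy-route local destinations out a WAN too.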