Dual WAN Failover with Dual LAN



  • Howdy,

    I have had a dual-lan, single wan setup working correctly for a while.  I am now trying to implement an additional wan line for failover only (no loadbalancing at all).  I have gotten the 2nd wan interface working and the 2 loadbalance pools implemented (Wan1FailsToWan2 and Wan2FailsToWan1).  I have verified that the load balance pools are working by taking the wan1 down (the load balance status page shows wan1 off and wan2 on).

    I believe I am having an issue with my firewall rules.  For both LANs my rules are directing to the gateway 'default'.  I have experimented with putting my loadbalance pools as the gateway but I have not been able to get it working.  I have also been using the documents I could find concerning multi-wan setups but they are usually for loadbalancing and single LANs.  The only real rules I have existing are to keep traffic between the 2 LANs separate outside of allowing LAN1 to a single IP address on LAN2.

    WAN1: 66.76.X.X (static)
    WAN2: DHCP (WAN2Verizon)

    LAN1: 192.168.0.X
    LAN2 (Public): 192.168.1.X

    WAN1FailsToWAN2 and WAN2FailsToWAN1.

    I have attached my sanitized configuration.  If someone could please help me out I would greatly appreciate it!

    Thanks,
    Alan
    config-sanitized.txt



  • Any advice?



  • Could you describe what your actual problem is?
    As in: what do you want and how does it differ from what you have.



  • @GruensFroeschli:

    Could you describe what your actual problem is?
    As in: what do you want and how does it differ from what you have.

    The issue is that while the Load Balance pools are working, I am unable to reach the Internet when it fails to WAN2.  I believe this is due to my firewall rules, but am not sure.



  • As far as I can see from your config your DHCP clients use the DNS-server directly.
    1: Remove this and let the pfSense DNS-forwarder be the DNS-server for your clients.
    2: Add a static route for one of your DNS-server entries on pfSense to the second WAN so pfSense is still able to resolve names when the primary WAN goes down.



  • @GruensFroeschli:

    As far as I can see from your config your DHCP clients use the DHCP directly.
    1: Remove this and let the pfSense DNS-forwarder be the DNS-server for your clients.
    2: Add a static route for one of your DNS-server entries on pfSense to the second WAN so pfSense is still able to resolve names when the primary WAN goes down.

    1. If you mean that pfSense is acting as the DHCP server then yes it is.  Or are you talking about my ISP dhcp?
    2. I will make this change.
    Would this help as I was not able to even ping or perform a traceroute when I took down WAN1?



  • Sorry, a typo.
    I meant: Currently it seems you push per DHCP the DNS-servers 208.180.42.100 and 208.180.42.68 directly to the clients.
    --> The clients access the DNS-server directly.

    Just delete the DNS-server fields on the DHCP-server config.
    --> Clients will use pfSense as their DNS-server.

    If you add the static route for the DNS-server on pfSense, pfSense will be able to resolve names even if one WAN is down.
    If you modify the config.xml manually you can also add a tertiary and a quaternary DNS server --> 2 for each WAN --> 2 static routes pointing to the second WAN.



  • @GruensFroeschli:

    Sorry, a typo.
    I meant: Currently it seems you push per DHCP the DNS-servers 208.180.42.100 and 208.180.42.68 directly to the clients.
    --> The clients access the DNS-server directly.

    Just delete the DNS-server fields on the DHCP-server config.
    --> Clients will use pfSense as their DNS-server.

    If you add the static route for the DNS-server on pfSense, pfSense will be able to resolve names even if one WAN is down.
    If you modify the config.xml manually you can also add a tertiary and a quaternary DNS server --> 2 for each WAN --> 2 static routes pointing to the second WAN.

    Ah, thanks for the clarification.
    Concerning "Would this help as I was not able to even ping or perform a traceroute when I took down WAN1?": what I meant to say is, would this help, as I cannot ping or traceroute an external IP address (with DNS out of the loop)?



  • Did you do this traceroute test from pfSense itself?
    When WAN1 is down: are you able to ping the gateway of WAN2 from pfSense itself?

    pfSense does not use the balancing pool for traffic originating on itself.
    --> That's why you need static routes if you want to force some traffic to the second WAN (like DNS-queries).



  • @GruensFroeschli:

    Did you do this traceroute test from pfSense itself?
    When WAN1 is down: are you able to ping the gateway of WAN2 from pfSense itself?

    pfSense does not use the balancing pool for traffic originating on itself.
    --> That's why you need static routes if you want to force some traffic to the second WAN (like DNS-queries).

    I tried from a laptop connected to the network, not pfSense itself.  I completely forgot to try to ping WAN2's gateway, simply an external IP.



  • It doesn't appear to still be working.  :(

    Could someone please post or PM me their sanitized config if they are running in a Failover setup (not load balanced)?



  • Anyone have a similar setup that could spare their config for comparison?



  • @Coldfirex:

    … For both LANs my rules are directing to the gateway 'default'.  I have experimented with putting my loadbalance pools as the gateway but I have not been able to get it working.

    This has to be the pool, otherwise it points the clients to one gateway only. And if that fails…

    In your posted config I saw rules originating on OPT1 to access gateway "Wan2 Failvoer..." and "Wan1 Failvoer..."
    I haven't seen those for LAN.

    To get it working you should start with a carte blanche rule (allow * from * to * gateway: pool) on both your LAN IFs.

    I haven't set up a dual WAN config myself yet. These assumptions are from my understanding of how it should work...
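Added example, not from the thread or from pfSense itself: a small Python audit that reads a config.xml export and flags the three things the replies above point at: DHCP scopes that hand DNS servers straight to clients, pass rules on the LAN interfaces that still use the 'default' gateway instead of a failover pool, and DNS servers with no static route out WAN2. The element names (dhcpd/lan/dnsserver, filter/rule/gateway, staticroutes/route) and the embedded config fragment are assumptions constructed for this example; the DNS addresses and gateway names are the ones quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed config fragment that mimics the layout of a pfSense config.xml.
# Element names are assumptions for this example, not a verified schema.
CONFIG_XML = """<pfsense>
  <dhcpd>
    <lan><dnsserver>208.180.42.100</dnsserver><dnsserver>208.180.42.68</dnsserver></lan>
    <opt1></opt1>
  </dhcpd>
  <staticroutes>
    <route><network>208.180.42.68/32</network><gateway>WAN2Verizon</gateway></route>
  </staticroutes>
  <filter>
    <rule><type>pass</type><interface>lan</interface><gateway>default</gateway></rule>
    <rule><type>pass</type><interface>opt1</interface><gateway>WAN1FailsToWAN2</gateway></rule>
  </filter>
</pfsense>"""

DNS_SERVERS = ["208.180.42.100", "208.180.42.68"]  # the servers quoted in the thread


def children(root, tag):
    """Children of <tag>, or an empty list when the section is absent."""
    node = root.find(tag)
    return [] if node is None else list(node)


def dhcp_scopes_pushing_dns(root):
    """DHCP scopes that push explicit DNS servers to clients (clients bypass pfSense)."""
    return [scope.tag for scope in children(root, "dhcpd") if scope.find("dnsserver") is not None]


def rules_on_default_gateway(root):
    """Interfaces whose pass rules route via 'default' only, so they never fail over."""
    bad = []
    for rule in children(root, "filter"):
        gw = rule.findtext("gateway", default="default")
        if rule.tag == "rule" and rule.findtext("type") == "pass" and gw in ("", "default"):
            bad.append(rule.findtext("interface"))
    return bad


def dns_servers_without_wan2_route(root, dns_servers, wan2_gateway):
    """DNS servers pfSense itself could not reach once WAN1 is down (no static route via WAN2)."""
    routed = {(r.findtext("network") or "").split("/")[0]
              for r in children(root, "staticroutes") if r.findtext("gateway") == wan2_gateway}
    return [d for d in dns_servers if d not in routed]


def audit(xml_text, dns_servers=DNS_SERVERS, wan2_gateway="WAN2Verizon"):
    root = ET.fromstring(xml_text)
    return {"dhcp_pushes_dns": dhcp_scopes_pushing_dns(root),
            "rules_on_default_gw": rules_on_default_gateway(root),
            "dns_without_wan2_route": dns_servers_without_wan2_route(root, dns_servers, wan2_gateway)}


if __name__ == "__main__":
    for finding, items in audit(CONFIG_XML).items():
        print(f"{finding}: {items or 'ok'}")
```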

