Netgate Discussion Forum
    FRR - OSPF / Default gateway

    thesurf:

      Hi,

      I have set up 4 pfSense with FRR: 2 in the main office and two in a branch office.
      They are both HA setups.

      They have an LWL line and a WLAN backup. I use FRR with OSPF to switch routing if one line goes down.
      Internet will be delivered from the main office.

      Now when I set up both FRR OSPF instances to announce themselves as default GW, I get the following routing table in the branch:

      ============ OSPF external routing table ===========
      N E2 0.0.0.0/0 [10/10] tag: 0
      via 10.10.65.1, lagg0.65
      via 10.10.65.2, lagg0.65

      10.10.65.2 is the secondary pfSense in HA, so it cannot do NAT until it becomes master. Is there a way to add a weight to the second entry?

    pete35:

        In the OSPF interfaces, there is a metric parameter, which defines the cost for each interface. Maybe this helps.

    thesurf:

          Hi,

          I have set it and used it. Works perfectly for the routes that are exchanged, but not for the default gateway.
          What makes it even worse: some packets go out over one firewall of the cluster but come back the other way, so the TCP session is not in the state table and gets dropped. :(

    pete35:

            If the whole config is only one branch location, I would avoid OSPF. Just set up a gateway group with failover to WLAN on each site. If you are using an OpenVPN site-to-site tunnel, you can define both public IPs as the tunnel target and the gateway group as the main interface. The failover would be faster than with OSPF, and the routing problem is a problem with the CARP configuration.

            Much better: if your provider router can take over the WLAN failover with BGP routing, you don't even see the failover. My provider does it that way and this works perfectly.

    thesurf:

              Hi,

              I have taken a look at some suggestions.
              First, OpenVPN is out of the box. The LWL is a 10 GBit link. Even with IPsec and Intel acceleration the throughput is around 400 Mbit. Sounds like a good place for TNSR, but until now I couldn't get an on-site installation license.

              I tried using gateway groups, which works fine in the branch office as the uplink to the main office.
              But in the main office I have to add static routes to the branch office, and there I cannot use the gateway group in the static route. (Bummer!)

              Netgate support suggests only using FRR. But I'm not sure how to set this up.

              The setup is two pfSense in the main office and two in the branch office. In both offices the LWL and WLAN are connected to a switch which puts the traffic in a dedicated VLAN. This is done so both pfSense have access to both links. (Port multiplier)

              There are two scenarios I think about.
              First, a link goes down.
              Second, a pfSense goes down.

              In both cases the network should continue to work after a failover time, which can be up to 2 to 3 minutes.

              On the inside interfaces in each office I use CARP to handle the failover when a pfSense box goes down.

              Now I need to handle link failover and the default GW in the branch office, and also routing from the main to the branch office, while taking a look at both scenarios.

              I thought I'd use FRR with OSPF, which works fine except that the branch office needs to have both pfSense in the main office as default GW in case one pfSense goes down. And there needs to be an order/cost for the default routes so we don't end up having asymmetric routing.

              As far as I have read, OSPF and areas don't help me here, or did I miss something?

              I would be glad to receive suggestions where to look into to get this setup up and working.

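Added example, not posted by anyone in this thread: the equal-cost entries in the branch table above ([10/10] via both 10.10.65.1 and 10.10.65.2) are two OSPF type-2 external (E2) default routes with the same external metric. E2 routes are compared on the external metric first, and only on a tie does the intra-area cost to the originating router decide, which is why an interface cost on lagg0.65 (the same VLAN for both units) never breaks the tie. Giving the two main-office units different external metrics on the default route makes the branch install only the lower one and keep the second as a fallback. The FRR ospfd configuration below assumes 10.10.65.1 is the CARP master and 10.10.65.2 the backup; the metric values 10 and 20, the router IDs and the area number are choices made for the example.

```text
! Main office, primary unit (assumed CARP master, 10.10.65.1 on lagg0.65)
router ospf
 ospf router-id 10.10.65.1
 network 10.10.65.0/24 area 0
 ! Advertise our own default route as an E2 external with metric 10.
 ! Without "always" it is only advertised while this unit actually has
 ! a default route itself, so a lost WAN withdraws it automatically.
 default-information originate metric 10 metric-type 2
!
! Main office, secondary unit (assumed CARP backup, 10.10.65.2 on lagg0.65)
router ospf
 ospf router-id 10.10.65.2
 network 10.10.65.0/24 area 0
 ! Same route, higher external metric: the branch prefers .1 and only
 ! falls back to .2 when the .1 advertisement disappears.
 default-information originate metric 20 metric-type 2
!
! Expected branch view (same format as "show ip ospf route" above) while
! both units are up: a single next hop instead of two equal-cost ones.
!   ============ OSPF external routing table ===========
!   N E2 0.0.0.0/0 [10/10] tag: 0
!   via 10.10.65.1, lagg0.65
```

Two caveats for this design. The metrics are static: if CARP fails over to 10.10.65.2 while 10.10.65.1 still has OSPF adjacencies up, the branch keeps sending traffic to the unit that is no longer master, which is exactly the asymmetric-path state-table drop described in the thread. The ordering therefore needs to be paired with something that stops the backup unit from advertising (or running OSPF at all) while it is in BACKUP state; pfSense's FRR package has a CARP status IP option in its global settings for this purpose, as I recall it, but that is not from this thread and should be checked against the package's own documentation. Second, return traffic from the main office to the branch must use the same unit, so the main-office side needs the mirror-image ordering for the branch prefixes, otherwise the forward and return paths still split across the cluster.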
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.