Failover WAN not working properly
-
I have a backup LTE connection plugged into pfSense from a Teltonika TRB140 modem in bridge mode. pfSense gets an IP adress and all looks good:
I have set up failover using this guide. Now to test it I yanked out the primary WAN link and I lost the internet connection and it never came back up until I plugged the cable back in again. The log says the following:
Did I configure something wrong somewhere?
-
@teefos said in Failover WAN not working properly:
I have set up failover using this guide.
... from 6 years ago. Impressive.
What about an original Netgate (Youtube) video about the subject ?
Or any other recent source ? -
@gertjan Okay, so I reverted everything and followed this video instead.
As soon as I change the gateway away from "default" to "PreferWAN1" on the LAN firewall allow all rule, DNS stops working.
I am not using pfSense for DNS, I'm using Pi-hole with upstream servers of 1.1.1.1 and 1.0.0.1
-
The pi hole is just like any other LAN based device, except that it only communicates over 'destination port 53'.
Do you mean all communication stops ?
-
I can still ping stuff and access websites by IP, but not by domain. As soon as I switch the gateway on the firewall rule back to Default, everything works normal again.
-
@teefos said in Failover WAN not working properly:
As soon as I change the gateway away from "default" to "PreferWAN1" on the LAN firewall allow all rule
This rule directs any traffic to the WAN1 gateway. You may have to add an additional rule to the top for allowing DNS to the Pi hole.
-
@viragomann That worked, thanks guys!
Would you care to explain why I had to add that rule to the top? WAN1 is already set as the default gateway in the general settings, so why would it be different when using the gateway group (which in turn uses WAN1?)
-
@teefos
When you state a gateway in a firewall pass rule, it directs any matching traffic to that gateway or even to the active one out of the gateway group (Policy Routing).
So the packets won't reach your internal pi hole.For passing internal traffic between interfaces you need to set the gateway option to "default".
-
@viragomann I see.
I have several VLANs and some of them can communicate freely right now using any rules on each VLAN. If I understand you correctly, after changing the gateway away from Default on the other VLANs as well, I will have to create additional allow rules applied on top, for them to still be able to communicate with each other?
-
@teefos
It's pretty not clear why you want to specify a gateway in the rules at all. I can't see any reason for that.If you state a gateway you lose benefit of the failover group.
-
@viragomann I thought that's what I had to do to enable the failover functionality.
Or is it this one I need to change?
-
@teefos
You have to select the failover group there. -
@viragomann Well that's great. Thank you so much
