Netgate Discussion Forum
2 WAN failover not working with LAN bridge
Routing and Multi WAN

pierremontagnac

      Hello,

      I'm using version 2.4.5-RELEASE-p1.
      I'm trying to set up failover with 2 WANs, but I have some difficulties setting it up with a LAN bridge. I'm observing some curious behavior.

      I have reconfigured everything several times, and I'm now restarting with the simplest configuration, as below.

      My box has 6 eth interfaces.

      eth0 is wan1 - dhcp - fiber with gateway 192.168.200.254

      eth5 is wan2 - dhcp - adsl with gateway 192.168.1.254

      To put the other interfaces on one single LAN, I set up a bridge (BRIDGE0) containing eth1-eth2-eth3-eth4.
      A new interface called BridgeLAN is on network port BRIDGE0.
      BridgeLAN has static IPv4 192.168.5.254 and a DHCP server on it.

      For failover, system > routing:
      WAN1 with monitor IP 8.8.8.8
      WAN2 with monitor IP 8.8.4.4
      Gateway Group with both WANs, WAN1 Tier 1 and WAN2 Tier 2 / Member down.
      Default gateway IPv4: Gateway_group

      In System > General Setup: DNS 8.8.8.8 for WAN1 / DNS 8.8.4.4 for WAN2

      For the moment I have only the default rules in the firewall. I created a default allow-to-any rule on BridgeLAN with:
      IPv4, Protocol Any, Source Any, Destination Any, and in Advanced the gateway set to "my gateway group".

      It could be important to note that I changed, in System > Advanced > System Tunables, net.link.bridge.pfil_bridge to 1 in order to let the rules on the bridge be interpreted.

      At first glance, the failover seems to work: by default WAN1 is used, and if I disconnect WAN1, WAN2 is used. At this point this is OK.
      What surprised me is when I double-checked with traceroute.
      With both WANs up (so going outside through 192.168.200.254, which is the WAN1 gateway), traceroute google.fr doesn't show the first node through 192.168.200.254 (lost), but is OK for all other nodes:
      192.168.5.254 OK
      second hop (should be 192.168.200.254) NOK
      All others OK

      If I disconnect WAN1, traceroute shows:
      192.168.5.254
      192.168.1.1
      and other nodes.

      So I tested with pings.
      Both WANs up: no response from 192.168.200.254 / OK from 192.168.1.1
      Cut WAN1: ping OK for 192.168.1.1
      Cut WAN2: ping NOK for 192.168.200.254

      The pfSense box can ping both... So I'm thinking there is a problem somewhere with the firewall rules at the BridgeLAN level.
      But I still don't understand why one can be pinged and not the other, because there is strictly no difference between the two in the pfSense configuration.

      NOW... If I completely remove everything from failover and gateway groups, both gateways ping OK. The default one matches with traceroute, and so on when inverting.

      So I tried to vary the configuration by putting eth3 outside of the bridge, with a static IPv4 and all the other needed configuration.
      In this precise case, failover is OK, ping is OK for both gateways, and all seems good.

      I've come to think there is a subtlety with LAN bridges and failover!

      If any of you have a luminous idea, I'll take it!!

      Cheers,
      Pierre

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.