Second Wan Down

rafamello

Hello.

I have a client who placed a new internet link (switched for an old one) and so got 2 links.

This new link if I put it for one user only, it works perfectly. When he put it for everyone on the network to use the internet, it falls.

Any tips?

stephenw10

How does it fail? The gateway shows as down? Traffic cannot use it?

You may need to tune the gateway monitoring:
https://docs.netgate.com/pfsense/en/latest/routing/gateway-configure.html#advanced-gateway-settings

Steve

rafamello

Hello.
So far I haven't set up a gateway group.

If I go there and change the default gateway for all users, the problem occurs, so if I go back to the main gateway it works again.

stephenw10

@rafamello said in Second Wan Down:

the problem occurs

We need more details than 'problem'.

What fails? What still works? Does the gateway show as off-line?

Steve

rafamello

The 2 links appear as online.

If I only put one user to browse WAN2 and the rest by WAN1 it works perfectly.

Now if I put everyone through WAN2 the navigation drops but in a matter of 1 minute.

If I go back to WAN1, it works again.

stephenw10

Ok so users stop being able to access external sites after some time.

The gateway on WAN2 remains as UP? No packet loss or increased latency?

How are the connections failing? Just no reply? Unable to resolve?

When you change the default gateway it also changes the WAN pfSense is using. It might be breaking Unbound for example.

You could try policy routing all client traffic via WAN2 as a test instead of changing the default gateway which would prevent that.

Steve

rafamello

Okay, I'm going to try this procedure this afternoon and report to you here.

Tks

rafamello

I took the test here real quick. The same problem happened, it stopped browsing, but the ping and remote access out continued.

None of the WANs go off or lose packets.

stephenw10

Ok, so how did it fail at the client? Connection timeout? Unable to resolve? Ping still work?

rafamello

everything pertaining to navigation to.

Keeps dripping, remote access works.

It seems to me that it's something with DNS, but I created the rule for testing on top of all the others with full internet access.

stephenw10

Can we see exactly what rule you added?

Try testing the DNS directly when it fails. Diag > DNS Lookup in the pfSense GUI.

Or try to ping 8.8.8.8 from a client. If that works try to ping google.com. If that fails what is the error shown?

Steve

rafamello

Hi. Sorry for the delay.

I now performed a test, connected to a host via TS from the secondary link (the link that gives a problem) and tested navigation and ping, all right.

Already connected to the host, I put the entire network to browse the secondary link, and soon all naevgação fell, but the remote connection that I was was maintained. In it the navigation fell but the ping for both ip and dns continued to work.

In pfsense when I switched to the second link, it pinged out normally.

In the screenshot, rule 2 is the rule I use for a host to only browse the link, in rule 1 it is the rule for the entire network.

stephenw10

Rule 1 there is for UDP/TCP only so it will not catch ping traffic.
It also show 0 states created against it so, when that screenshot was taken, no traffic is matching it.

What are you using for DNS on the LAN?
By default pfSense hands clients the interface IP to use and listens on that with Unbound. If you policy route all traffic via a WAN gateway like that clients will not be able to connect to the DNS service, traffic is forced out of the WAN. You may need an additional rule above that to allow clients to reach the LAN address on the port 53.
However that would also affect policy routing one client. And it would not be caused by just changing the default route.

Steve