Issue with multi-WAN & high availability setup - authenticating with RADIUS

When I try to authenticate with external RADIUS in a multi-WAN high availability setup, authentication fails.

My main ISP WAN IP info:
WAN gateway 10.99.80.1
WAN CARP 10.99.80.2
Master firewall WAN 10.99.80.3
Backup firewall WAN 10.99.80.4

Secondary ISP WAN info:
WAN gateway 10.20.20.1
WAN CARP 10.20.20.2
Master firewall WAN 10.20.20.3
Backup firewall WAN 10.20.20.4

LAN CARP: 10.10.3.1
Master firewall LAN: 10.10.3.2
Backup firewall LAN: 10.10.3.3

I created a gateway group: "GW_Failover"
10.99.80.1 Tier 1
10.20.20.1 Tier 2

I set firewall rules to use the gateway group.
I set 2 outbound NAT rules for my LAN to use each WAN.
Some things I've noticed:
- I have a UniFi controller on my LAN using external RADIUS authentication for my access points and it works great.
- When I do a packet capture on my WAN interface and authenticate from the UniFi controller, I see packets going outbound from the WAN CARP 10.99.80.2.
- When I set up RADIUS on pfSense to use the same external server under System > User Management > Authenticated, authentication fails.
- When I do a packet capture, I see packets on the WAN interface going outbound from the WAN interface IP 10.99.80.3 and I never get a response back.

Can anyone please assist?

I figured it out.
I needed to add an outbound NAT rule for each WAN:
- Interface WAN - Source: "This Firewall" --> NAT to WAN CARP IP
- Interface WAN 2 - Source: "This Firewall" --> NAT to WAN 2 CARP IP

Although this resolved the issue with RADIUS, now my backup router is unable to ping the internet or the WAN gateway.
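Added as an editor's example, not part of the thread: a small Python check that parses `pfctl -s nat` output and reports, per WAN, whether LAN traffic and firewall-originated ("This Firewall") traffic are translated to that WAN's CARP VIP. The sample rule text is constructed in the shape pfSense's generated rules take; the interface names `em0`/`em1` and the assumption that pfSense renders "This Firewall" as `(self)` are mine, the addresses are the ones from the post. It also flags the follow-up symptom in the last reply: a node that is BACKUP for a VIP but still rewrites its own traffic to that VIP sends packets whose replies go to whichever node currently holds the CARP virtual MAC (the MASTER), so the backup itself never sees them and cannot ping the gateway or the internet through that WAN.

```python
"""Audit pfSense outbound NAT rules on a CARP / multi-WAN pair.

Feed it the output of `pfctl -s nat` from each node together with that node's
CARP status per VIP. Example written for this thread; not pfSense's own code.
"""
import re

# Constructed sample in the shape `pfctl -s nat` prints rules. Assumption:
# pfSense renders the "This Firewall" source as `(self)`; em0/em1 are assumed
# interface names. Addresses are the ones posted in the thread.
SAMPLE_PFCTL_NAT = """\
nat on em0 inet from 10.10.3.0/24 to any -> 10.99.80.2 port 1024:65535
nat on em1 inet from 10.10.3.0/24 to any -> 10.20.20.2 port 1024:65535
nat on em0 inet from (self) to any -> 10.99.80.2 port 1024:65535
nat on em1 inet from (self) to any -> 10.20.20.2 port 1024:65535
"""

# CARP VIP that belongs to each WAN interface (interface names assumed).
WAN_VIPS = {"em0": "10.99.80.2", "em1": "10.20.20.2"}
LAN_NET = "10.10.3.0/24"

NAT_RE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to (?P<dst>\S+) -> (?P<to>\S+)"
)


def parse_nat(text):
    """Return one dict (iface, src, dst, to) per outbound NAT rule in the text."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def audit(rules, wan_vips, lan_net, carp_state):
    """Check the NAT rules of one node.

    carp_state maps each WAN VIP to "MASTER" or "BACKUP" as seen on this node
    (Status > CARP in the GUI, or `ifconfig` on the shell).

    Per WAN interface the result holds:
      lan_to_vip          LAN subnet is translated to the CARP VIP, so LAN
                          sessions survive a failover
      self_to_vip         firewall-originated traffic (RADIUS, NTP, DNS, ...)
                          is translated to the CARP VIP instead of leaving from
                          the interface IP
      backup_self_broken  this node is BACKUP for the VIP yet still rewrites its
                          own traffic to it: replies are delivered to the node
                          holding the CARP MAC (the MASTER), so this node cannot
                          reach anything through that WAN by itself
    """
    report = {}
    for iface, vip in wan_vips.items():
        to_vip = [r for r in rules if r["iface"] == iface and r["to"] == vip]
        lan_ok = any(r["src"] == lan_net for r in to_vip)
        self_ok = any(r["src"] == "(self)" for r in to_vip)
        report[iface] = {
            "lan_to_vip": lan_ok,
            "self_to_vip": self_ok,
            "backup_self_broken": self_ok and carp_state.get(vip) == "BACKUP",
        }
    return report


def audit_sample(carp_state):
    """Run the audit over the constructed sample for a node in the given CARP state."""
    return audit(parse_nat(SAMPLE_PFCTL_NAT), WAN_VIPS, LAN_NET, carp_state)


if __name__ == "__main__":
    master = {vip: "MASTER" for vip in WAN_VIPS.values()}
    backup = {vip: "BACKUP" for vip in WAN_VIPS.values()}
    print("master node:", audit_sample(master))
    print("backup node:", audit_sample(backup))
```

On real hardware, run `pfctl -s nat` on each node and pass its text to `parse_nat` instead of the sample, with `carp_state` filled in from the node's CARP status. A rule set that is correct on the MASTER will show `backup_self_broken` on the BACKUP for every WAN, which is exactly the situation the last reply describes: the "This Firewall" rule fixes RADIUS on the active node at the cost of the standby node's own egress.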