Dual Wan, failover, not working properly | Very slow throughput after switching to WAN2 and return of WAN1 link not resumed when back

Elrick75 · May 15, 2022, 7:47 PM

Hi,

I recently setup a new interface to use Dual Wan functionality.
I configured the gateway group in failover as below.

When I disconnect my WAN1 (WAN DHCP) connection, I can see the second taking over (WAN DHCP SFR)

1st problem: When I test the second connection (WAN SFR), it is extremely slow although it is a 4G connection on which I observe a speed between 4 and 20mbit.
It takes few minutes to load a simple webpage when there is no traffic, I do not know why this problem of speed comes from but it is unusable in this context.

2nd problem: When I reconnect the WAN1 connection (WAN DHCP), it is not resumed, it remains in Pending status indefinitely.
When I view the connection status, I see that the WAN 1 connection has recovered an IP address in the pfsense dashboard.
The only way to recover back WAN1 connexion is to reboot pfsense :(

Do you know how I can solve/troubleshoot these two problems please?

Best Regards.

luckman212 · May 15, 2022, 8:24 PM

@elrick75 said in Dual Wan, failover, not working properly | Very slow throughput after switching to WAN2 and return of WAN1 link not resumed when back:

It takes few minutes to load a simple webpage when there is no traffic, I do not know why this problem of speed comes from but it is unusable in this context.

What are you using for your DNS server(s) on the LAN devices? What about for pfSense itself? If you use 8.8.8.8 for example, you will have trouble unless you apply this patch...

The only way to recover back WAN1 connexion is to reboot pfsense :(

Have you tried simply restarting the dpinger service and seeing if the gateway comes back "online" ? That will help us debug this.

Elrick75 · May 16, 2022, 6:29 AM

@luckman212

What i have on PC

I have a static IP configuration on my PC.
I put 8.8.8.8 as primary DNS because if I leave DNS IP of my ISP (WAN1) it will not be able to do the name resolution, unless I can neutralize this resolution problem at firewall level maybe?
DNS Setup on client workstation with Dual Wan is not clear for me...

DNS used by pfSense

What do you suggest? Does i need to apply the fix in my case?

Je vais tester le redémarrage de dpinger en fin de journée, mais je suis preneur de votre avis pour la partie DNS.

Merci pour votre aide

luckman212 · May 16, 2022, 1:25 PM

@elrick75 Personally I would try changing these settings:

Unless you are forced by the ISP to use 178.250.208.135/209.34, change to 8.8.8.8/8.8.4.4 or 208.67.222.222/208.67.220.220
Do not assign a Gateway to the DNS servers in System -> General (set to "none")
Uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN"
In your System -> Routing, choose an IP address that is NOT one of your DNS servers as the Monitor IP. If you are not sure what IP to use, run a traceroute and choose a nearby hop that responds to ping, or you can try my hopfinder script to auto-detect the best one to use.
Make sure the firewall rule on your LAN interfaces does not specify a specific gateway (under Advanced options) or if it does, make sure it is set to use a Gateway Group)

Once you have done all of that, re-try your test...

Elrick75 · May 30, 2022, 7:16 PM

@luckman212 Many thanks for your answer.

About hopfinder, how does it work exactly? i use cygwin under Windows but i dunno the network interface name to enter ;)

You says "Make sure the firewall rule on your LAN interfaces does not specify a specific gateway (under Advanced options) or if it does, make sure it is set to use a Gateway Group)"
You lost me a bit there, would you have an example of the location you indicate for me to check please? :)

luckman212 · May 30, 2022, 11:34 PM

@elrick75 You need to run hopfinder.sh on your pfSense directly. I suggest these steps, roughly

ssh into your router
use option 8 to get to a shell
type fetch https://gist.githubusercontent.com/luckman212/e5df683d8b11dd68aef3255efc22e611/raw/bc9d4e4d797b581c4b8450e1697653b2657c5c86/hopfinder.sh
type chmod +x hopfinder.sh
type ./hopfinder.sh to get a list of gateway interfaces.
Example, if one of your gateways is igb0 then...
run it again as ./hopfinder.sh igb0
wait a bit for it to finish
look at the output and choose the top line (the one with the most hits)
use this IP for your Monitor IP on that gateway in pfSense under System > Routing
repeat for your other WAN...

As for your 2nd question, I am talking about the "allow all" rule on your LAN interface, it should be the last rule in your list... make sure it has just an asterisk * for Gateway, or edit the rule and click Advanced Options > Show Advanced > and look at Gateway, make sure it's set to either Default or to your failover gateway group...

rcoleman-netgate · May 31, 2022, 12:04 AM

@luckman212 it should be made aware that any side-loaded scripts negates TAC support options.

With software you are undo these by reinstalling the software and restoring from a backup config (since the backup configs do not retain any information on side-loaded applications or scripts.