Upload not working on GW_Failover

GiaNN

Hi all,
I have PFsense+ 23.09 on bare hardware, sometimes my FWA main ISP fails so i am in need of a backup connection, with the help of @stephenw10 i got an old Huawei K5150 working but it's performance were awful, so i got a ZTE 4G router in which i got a 4G sim, gave the backup router the IP address 192.168.1.3 and set up failover in the gateway section so it looks like this: ,
then i changed the gateway in the firewall IPv4 LAN rule so it looks like this:
and tried to see if it works and it does, but only in download... As soon as i try to do an upload test with the backup connection it fails or it finishes it with something like 0.03Mbps in upload while capping my 30Mbit download. (My SIM has a max speed of 30/30 and it can provide also IPv6, but keep it disabled because it create conflict with my main IPv6 and i think it also isn't static. Also if i try a test with the 4G router alone it goes 30/30) I don't understand why it behaves like that, somebody has suggestion of where to look?
I add that for the main connection i have codelQ set up to a max speed of 98/20 in order to get bufferbloat under control.

stephenw10

I would test two things:

Add a firewall rule that routes traffic via the 4G router only. No failover. Test that it also sees the low upload.

Disable traffic shaping and retest.

Also check the link between the 4G router and pfSense. Is it linked at the expected speed? Are there and errors on the interface? Is the MTU set to something odd?

Steve

GiaNN

@stephenw10 Just by doing the first step this is the result:

i brutally copied the LAN rule and put there the backup gateway while also temporarely disabling the one with GW_failover so it looks like this:

of course to get it working right i had to disable IPv6 on my computer ,
by also disabling the limiter the result is the same
.
The backup router it's not directly connected to PFsense, there's a switch in between (that's also my AP, a keenetic AP) and there's no error and the link speed is 1000/1000 with no errors..
The MTU on my PPPoE is 1402, while on the backup connection is 1500 with MSS of 1460 (which was set automatically by the ZTE)

stephenw10

That should be OK.Then the next thing I would test is connecting the 4G router directly to pfSense to eliminate the switch as an issue.

Throttling to that extent is usually something low level like a bad port or cable.

GiaNN

@stephenw10 ok i tried and it works right:

by connecting the ZTE directly in the WAN port and giving it the 192.168.8.3 IP address.
Are you sure it's not something with some firewall rule? Because even trying on a different cable, port and switch it behaves the same
now i had to give him an OPT1 interface and set it up in static IPv4, while in my config was setup as an IP address in my LAN network like this:

because i thought that by doing so i wouldn't need to set up VLANs

GiaNN

I tried to reconfigure the GW-Failover as i did before, and it still behaves the same, but if i run a speedtest from the firewall it works just right...

So i think it's something blocking traffic from LAN but i don't know what can be

stephenw10

Oh it was in your LAN subnet?

In that case it's almost certainly an asymmetric routing problem. You can't have two gateways and hosts all the same subnet like that.

https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html

You need to put the 4G router on a separate interface. That could be a VLAN if you don't have any spare NICs.

Steve

GiaNN

@stephenw10 unfortunatelly i cannot use VLANs because the ZTE with stock firmware isn't capable of use them.
I try to see if the firewall fix works thanks
I don't know if it's this the rule that it's said in the documentation

If yes, then the automatic fix doesn't work, i try the manual.

stephenw10

The modem doesn't need to support VLANs as long as the switch does. The only part that would be VLAN tagged is between the pfSense LAN NIC and the switch.

GiaNN

@stephenw10 yes my keenetic AP supports VLAN tag.
I tried to do the manual fix with the LAN and the floating rule and it works
,
now i only need to try to set up codelQ to limit the speed to 30/30 so i can get decent bufferbloat even with the backup connection.
I tried to set up a VLAN this morning but i think i misconfigured something and it wasn't working

stephenw10

It would be much better to use a separate VLAN interface than using the workaround firewall rule if you can. Without VLANs you are still using asymmetric routing just masking the issue. But I'd almost guaranty it will come back to bite you at some point.

Steve

GiaNN

@stephenw10 i know, but i've never used VLANs before and when i tried this morning i think i messed up something, i'll see some documentation/ tutorial on how to use them and i'll try.
Are you sure the static route problem won't cause problem even with a VLAN?
Thank You.

stephenw10

Using the VLAN eliminates the asymmetry. All traffic to and from the 4G router then has to go through pfSense via the LAN and VLAN interfaces. Currently traffic can go directly between the 4G router and LAN hosts without going through pfSense.

GiaNN

@stephenw10 yes i think tomorrow i'll work on that, because right now my PPPoEv4 isn't letting any traffic through so i think i messed something. Even setting it up as gateway it doesn't work.

(my v6 PPPoE comes from the v4)
luckily i had a backup and restored it LOL.

GiaNN

@stephenw10 Hi, i resume this thread to say that i configured correctly the VLAN and now the failover works perfectly also i configured CodelQ with a 30Mbit limiter (BTW Thank You), there's only a little thing that annoys me: my backup Sim changes IP every 4 hours so the firewall sends me 2 messages like these:

Is there a way to turn off notifications on that gateway and at the same time keeping the monitoring on to detect if it works or not?

stephenw10

Not within the pfSense GUI. It always notifies about gateway events. And you need the gateway monitoring and actions enabled to make sure failover works correctly.
You could assume it's always up and disable monitoring actions on the 4G router gateway. That might be acceptable.

GiaNN

@stephenw10 said in Upload not working on GW_Failover:

Not within the pfSense GUI

is it possible via CLI?
Otherwise i can see if i can do something through the telegram bot or i'll do the always up.

stephenw10

Anything is possible with code!

But it not something I'm familiar with. There have been calls for better granularity in notifications. There might be some examples in the forum.

GiaNN

@stephenw10 well, guess i have to find what's the code PFsense uses to send telegram messages. Thank You
I did it!
I added the string if (str_contains($data["text"],"LTE_Backup_VLAN")) return 0 to the etc/inc/
/notices.inc file and it works, it doesn't send me messages about that gateway but still monitors it, but still checking if everything works.

GiaNN

@GiaNN i'll do some other testing because it seems that so It won't send any message besides the test one