WAN Failover using 2 Gateways on the same subnet

vsmaldino

Hello everyone,

there seems to be a behavior in the gateway availability control mechanism (online/offline) that appears strange to me, and I would appreciate feedback from someone more experienced than myself.

The situation is as follows:

WAN: 192.168.1.209/24
GW1: 192.168.1.211 (default GW), weight 5, monitor IP x.x.x.X (public IP from Google)
GW2: 192.168.1.232, weight 8, monitor IP x.x.x.Y (public IP from Google)
LBFO1: Gateway Group composed of GW1 + GW2 both layer 1, trigger level "Packet loss or High Latency"

If GW1 goes offline, GW2 is also marked offline even though it is online. Obviously, the same situation occurs reversing the gateways.
Is the first behavior normal, or am I doing something wrong?

This behavior is present in all versions I've experimented with (currently 2.7.2), forcing me each time to add new WAN network interfaces (WAN1, WAN2, ...) and split the WAN subnet to associate each network interface with its gateway

WAN1 192.168.1.209/27 -> GW1 192.168.1.211
WAN2 192.168.1.230/27 -> GW2 192.168.1.232
LBFO1: Gateway Group composed of GW1 + GW2 both layer 1, trigger level "Packet loss or High Latency"

This way it works fine, if GW2 goes offline, GW1 is still online and the traffic routed on LBFO1 flows via GW1.

Thank you.

Vito Smaldino

viragomann

@vsmaldino said in WAN Failover using 2 Gateways on the same subnet:

LBFO1: Gateway Group composed of GW1 + GW2 both layer 1, trigger level "Packet loss or High Latency"

This does load balancing. In this case, the gateways have to be on different interfaces.
See Load Balancing in the docs.

vsmaldino

@viragomann
from Load Balancing
" If a gateway that is part of a load balancing group fails, the interface is marked as down and removed from all groups until it recovers"
Yes this is the answer, thank you.

In any case, I don't understand why the entire interface is marked down if even just one of the gateways goes offline. I would have expected that only the offline gateway be excluded, and the traffic could still flow through the gateway that remains online.

Bob.Dig

@vsmaldino said in WAN Failover using 2 Gateways on the same subnet:

In any case, I don't understand why the entire interface is marked down if even just one of the gateways goes offline.

Probably a design decision we have to live with.

viragomann

@vsmaldino
Yeah, load balancing gateways are somehow special in pfSense. In contrast to a failover gateway group, you also cannot use lb gw groups for policy routing.
There might be reasons for this.

vsmaldino

@viragomann From my tests it is not a question of groups or types of groups (LB, FO or LB+FO)
The real limitation is given by the close relationship between a gateway and the associated network interface. To define a gateway you must first of all indicate the network interface with which to use it. When the gateway goes down, its interface is marked as "down" regardless of whether there are other active gateways using it. From what I've seen from my testing, this happens even if you don't define any group.
The best load balance and fail over system I've seen so far is the one implemented by the late Zeroshell by Fulvio Ricciardi.

Bob.Dig

@vsmaldino You can do it anyway, I have this running here:

vsmaldino

@Bob-Dig The problem is what happens if any of your SS_* GWs go down? According to my tests, they should all go down because they supposedly all use the same network interface. This behavior is not acceptable in my network.

Bob.Dig

@vsmaldino said in WAN Failover using 2 Gateways on the same subnet:

The problem is what happens if any of your SS_* GWs go down?

There is no problem as long as there is no gateway set on the interface itself.

vsmaldino

@Bob-Dig what do you mean with "there is no gateways set on the interface"?
When creating a gateway you need to define an interface for its use. From your screenshot I assume that all SS_* have the same interface, according to my tests, if only one of the SS_* goes down, that interface is marked as down.
Am I doing something wrong?

Bob.Dig

@vsmaldino said in WAN Failover using 2 Gateways on the same subnet:

what do you mean with "there is no gateways set on the interface"?

vsmaldino

@Bob-Dig first of all, thank you for your patience.
Your screenshot refers to the IP configuration of the network interface, it doesn't set any upstream gateway, Ok.
But what about the config of the SS_* GWs? Can you send me a screenshot of a couple of them? I'm very curious to see which interface they use and if it is the same as I presumed.

Bob.Dig

@vsmaldino said in WAN Failover using 2 Gateways on the same subnet:

But what about the config of the SS_* GWs? Can you send me a screenshot of a couple of them? I'm very curious to see which interface they use and if it is the same as I presumed.

It is the interface (192.168.111.1) I showed above.

If you have to NAT, you have to create the NAT-Rules manually. I don't because all the gateways are OpenWrt-VMs.

vsmaldino

@Bob-Dig
Tnx, another step over ;-)
VLAN111_OWRT_LAN is the interface of Ss_DeBe Gw.
I presume these:

1. Ss_AtVie, Ss_ChZur, ... have the same VLAN111_OWRT_LAN interface
2. 192.168.111.1 is the IP address of VLAN111_OWRT_LAN

Is it right?

Bob.Dig

@vsmaldino correct.

vsmaldino

@Bob-Dig
Tnx. It is a scenario very similar to that i tested with.

These are my GWs, both on the same interface, NO Gateway Groups defined.

This is the status few seconds after shutting down only FibraITG:

In few tens of seconds both GWs are marked down, i think because both use the same interface (WAN).

As you stated on March 7, there is some deep design decision that put in close relationship the status of the gateways using the same interface.

Bob.Dig

@vsmaldino True. But also you have a gateway set on WAN.
My setup is also different that I don't use WAN for those VPN-Gateways on the same interface and none of those gateways is the default gateway.