Netgate Discussion Forum
    Two firewall accessing each other when gateway is down

    Routing and Multi WAN
    23 Posts 3 Posters 1.5k Views
    Farh

      Hi everyone,
      I have two servers. Each of them has a separate LAN and firewall. One of them is pfSense and the other one has OPNsense, with two different public IPv4 addresses on the same subnet. The two firewall WAN NICs are connected to an unmanaged switch, and that switch is connected to the ISP point-to-point device.
      My expected behavior is that when the internet is down and the gateway is unreachable, the two firewalls can still access each other via their WAN public IPs. But it's not working.
      Can you tell me why and what I should do?

      viragomann @Farh

        @Farh said in Two firewall accessing each other when gateway is down:

        one of them is Pfsense and another one have OPNsense with two different public ipv4 addresses on same subnet.

        Did you set the subnet mask correctly on both?

        Farh @viragomann

          @viragomann said in Two firewall accessing each other when gateway is down:

          Did you set the subnet mask correctly on both?

          Yes. Both of them are in a /28 subnet on the WAN interface.

          patient0 @Farh

            @Farh By default any connection into the WAN interface is blocked (except already established connections from LAN), even ping.

            So you do have rules on the WAN interfaces that allow access?

            Farh @patient0

              @patient0 said in Two firewall accessing each other when gateway is down:

              So you do have rules on the WAN interfaces that allow access?

              Which rule do you mean?
              Am I missing something?
              I can access the other server when the default gateway is up with no problem.

              patient0 @Farh

                @Farh Well, maybe I'm missing something :).

                Could you do a simple drawing of the network layout?

                If the gateway is up, how can you access the other server's WAN IP? Ping or SSH, or can you even route to the other LAN?

                Farh @patient0

                  @patient0
                  No. You don't miss anything.
                  I get your point.
                  Yes. I created port forward rules to allow HTTP and HTTPS on ports 80 and 443.
                  Both of them work fine worldwide and locally when the gateway is up.
                  Sorry, I don't have access to a PC right now to draw a diagram, but it's very simple:
                  LAN1 <----> pfsense <----> WAN1 <----> unmanaged switch <----> ISP Radio
                  LAN2 <----> opnsense <----> WAN2 <----> unmanaged switch <----> ISP Radio
                  The two WANs are connected to the one unmanaged switch shown on both paths, and I believe the ISP radio must be the gateway. It's a point-to-point connection.
                  I access via both HTTP and HTTPS.
                  Until today I expected to reach the same WAN subnet on layer 2 when the gateway is down, but today when my internet went down I lost the connection.
                  Let's say I believed that when two IP addresses are on the same subnet they must at least try to reach each other at layer 2, based on each other's MAC address, without using layer 3 routing tables.
                  Is that wrong? Or do I need some configuration?

                  patient0 @Farh

                    @Farh It's simple enough, you are right.

                    And again you are right in that, since you are on the same link/layer 2, you shouldn't need a gateway to access the other *sense.

                    When you set the WAN interfaces with a /28 subnet you should see the other *sense in the ARP table (Diagnostics > ARP Table). Is the other *sense listed there?

                    Farh @patient0

                      @patient0 No. It's not in the ARP table.

                      viragomann @Farh

                        @Farh said in Two firewall accessing each other when gateway is down:

                        LAN1 <----> pfsense <----> WAN1 <----> unmanaged switch <----> ISP Radio
                        LAN2 <----> opnsense <----> WAN2 <----> unmanaged switch <----> ISP Radio
                        Until today I expected to reach the same WAN subnet on layer 2 when the gateway is down, but today when my internet went down I lost the connection.

                        Which connection are you losing?

                        WAN1 <> WAN2?
                        LAN1 <> LAN2?
                        LAN1 <> WAN2 or vice versa?

                        Farh @viragomann

                          @viragomann
                          LAN1 to a service that is in LAN2, with port forward and NAT. But I think there is no connection between WAN1 and WAN2 either.

                          viragomann @Farh

                            @Farh said in Two firewall accessing each other when gateway is down:

                            I think there is no connection between WAN1 and WAN2 either.

                            That's what we were talking about. I expect that WAN <> WAN should work, at least if you initiate the traffic on the firewalls themselves.

                            Farh @viragomann

                              @viragomann No, unfortunately.
                              I even connected a Linux PC directly to firewall 2's WAN (OPNsense) and set the public IP of firewall 1 on the Linux PC, with no luck telnetting to port 80 or 443.

                              viragomann @Farh

                                @Farh
                                Both firewalls give you diagnostic tools like ping or port probe. There is no need to attach an additional device to check this out.

                                How are your WANs configured? Do they have static IP or DHCP?

                                Farh @viragomann

                                  @viragomann Yes, of course you're right, but I cannot take the internet down at that time and I have no choice other than to use another device.

                                  It's a static IP address, with one WAN IP and 4 virtual IPs on pfSense and one static IP on OPNsense.

                                  viragomann @Farh

                                    @Farh said in Two firewall accessing each other when gateway is down:

                                    Until today I expected to reach the same WAN subnet on layer 2 when the gateway is down, but today when my internet went down I lost the connection.

                                    No. It's not in ARP table.

                                    No ARP, no layer 2 communication.

                                    Seems you have an L2 issue.
                                    Is there even an entry of the respective other WAN in the ARP table if the gateway is up?

                                    If not, to investigate the issue, go on one of the firewalls and start a packet capture of ARP. Then try to ping the other box.
                                    Afterwards, check what you got in the capture.

                                    Farh @viragomann

                                      @viragomann Thanks for your guidance.
                                      Pinging the other side added it to the ARP table.
                                      Is ICMP more effective than TCP for adding an entry to the ARP table, or is it even required?
                                      But unfortunately, even after both firewalls have each other's MAC address in the ARP table, the issue still persists. No gateway, no connection.
                                      Adding the other WAN to the ARP table still requires pinging it.

                                      viragomann @Farh

                                        @Farh
                                        No, the protocol doesn't matter. If an IP within the subnet is requested, it does an ARP resolution.
                                        So my assumption is that the other WAN isn't requested at all when you try to access it from inside the LAN.

                                        Do you policy route the LAN traffic by any chance?

                                        Farh @viragomann

                                          @viragomann said in Two firewall accessing each other when gateway is down:

                                          So my assumption is that the other WAN isn't requested at all when you try to access it from inside the LAN.

                                          It's impossible, because my DNS returns my WAN2 IP addresses and there is no other path to access them.
                                          Also, the traceroute result on LAN1 shows the LAN IP of pfSense, but then it shows a timeout.

                                          @viragomann said in Two firewall accessing each other when gateway is down:

                                          Do you policy route the LAN traffic by any chance?

                                          No. I don't think so. Which kind of policy do you mean? It's outbound NAT.

                                          viragomann @Farh

                                            @Farh
                                            Policy routing doesn't care about DNS.
                                            And it has nothing to do with NAT.

                                            In your WAN rules for allowing upstream traffic, did you state a gateway?
                                            If you're unsure, please show your rules.

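Two points raised in this thread are worth seeing side by side: viragomann's "no ARP, no layer 2 communication" test (capture ARP, then ping the other box) and the closing question about a gateway being set on the pass rules. The Python below is an added example, not code from this thread, from pfSense or from OPNsense. It models the firewall's next-hop choice, where a matching rule that names a gateway overrides the on-link ARP path, and it parses tcpdump-style ARP lines into the three outcomes the capture test distinguishes. All addresses (203.0.113.0/28, 10.1.0.0/24), the MAC address, the sample capture and the rule set are constructed; the policy-routing behaviour is the generic "rule gateway wins over the routing table" semantics, a simplification of either firewall's real gateway-down handling.

```python
"""Added example: next-hop decision with policy routing, plus an ARP capture check.
Every address, MAC and rule here is constructed; nothing is taken from the thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class Interface:
    name: str
    address: ipaddress.IPv4Interface      # firewall's own WAN address with mask
    gateway: Optional[IPv4] = None        # default gateway on that link


@dataclass
class Rule:
    """A LAN pass rule; a non-None gateway turns it into a policy-routing rule."""
    source_net: ipaddress.IPv4Network
    gateway: Optional[IPv4] = None


def next_hop(iface: Interface, rules: List[Rule], src: IPv4, dst: IPv4,
             answers_arp: Set[IPv4]) -> Tuple[str, object]:
    """Decide which neighbour the firewall ARPs for and hands the frame to.

    answers_arp is constructed link state: the addresses that reply to ARP right now.
    Returns ("direct", dst), ("gateway", gw) or ("drop", reason).
    """
    # A matching rule with a gateway wins over the routing table, so the frame is
    # addressed to the gateway's MAC even though dst sits inside the same /28.
    for rule in rules:
        if src in rule.source_net and rule.gateway is not None:
            if rule.gateway not in answers_arp:
                return ("drop", "policy-route gateway unreachable")
            return ("gateway", rule.gateway)
    # Plain routing: an on-link destination is resolved with ARP directly.
    if dst in iface.address.network:
        if dst not in answers_arp:
            return ("drop", "on-link neighbour does not answer ARP")
        return ("direct", dst)
    # Anything off-link needs the default gateway.
    if iface.gateway is None or iface.gateway not in answers_arp:
        return ("drop", "default gateway unreachable")
    return ("gateway", iface.gateway)


ARP_REQUEST = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9A-Fa-f:]+)")


def arp_summary(capture_lines: List[str]) -> Dict[str, dict]:
    """Tally ARP requests and replies per target IP from tcpdump-style lines."""
    summary: Dict[str, dict] = {}
    for line in capture_lines:
        m = ARP_REQUEST.search(line)
        if m:
            entry = summary.setdefault(m.group(1), {"requests": 0, "reply_mac": None})
            entry["requests"] += 1
            continue
        m = ARP_REPLY.search(line)
        if m:
            entry = summary.setdefault(m.group(1), {"requests": 0, "reply_mac": None})
            entry["reply_mac"] = m.group(2)
    return summary


def diagnose(capture_lines: List[str], target: str) -> str:
    """Map a capture to the three outcomes the ARP-then-ping test distinguishes."""
    entry = arp_summary(capture_lines).get(target)
    if entry is None or entry["requests"] == 0:
        return "no-request"   # firewall never asked: check routing / policy rules
    if entry["reply_mac"] is None:
        return "no-reply"     # asked, nobody answered: cable / switch / L2 problem
    return "ok"               # L2 works: look at firewall rules and NAT instead


# Constructed sample capture, in the format tcpdump prints with an "arp" filter.
SAMPLE_CAPTURE = [
    "10:00:01.000000 ARP, Request who-has 203.0.113.3 tell 203.0.113.2, length 28",
    "10:00:01.000310 ARP, Reply 203.0.113.3 is-at 02:00:00:00:00:03, length 28",
    "10:00:02.000000 ARP, Request who-has 203.0.113.1 tell 203.0.113.2, length 28",
]


def demo_scenario():
    """Constructed topology: both WANs in 203.0.113.0/28, ISP gateway 203.0.113.1."""
    wan = Interface("WAN", ipaddress.IPv4Interface("203.0.113.2/28"), IPv4("203.0.113.1"))
    peer = IPv4("203.0.113.3")            # the other firewall's WAN address
    lan_host = IPv4("10.1.0.10")          # a client behind this firewall
    policy = [Rule(ipaddress.IPv4Network("10.1.0.0/24"), gateway=IPv4("203.0.113.1"))]
    return wan, peer, lan_host, policy


if __name__ == "__main__":
    wan, peer, lan_host, policy = demo_scenario()
    print("no policy, gateway down:  ", next_hop(wan, [], lan_host, peer, {peer}))
    print("policy route, gateway down:", next_hop(wan, policy, lan_host, peer, {peer}))
    for ip in ("203.0.113.3", "203.0.113.1", "203.0.113.4"):
        print(ip, diagnose(SAMPLE_CAPTURE, ip))
```

With the gateway absent from the link, the plain routing path still resolves the peer directly, while the same request under a policy-routing rule is handed to the gateway and never triggers an ARP request for the peer, which is the "no-request" outcome in the capture check. The "no-reply" outcome is the cabling or switch case the earlier posts covered, and "ok" means layer 2 is fine and the rules or NAT are the next thing to inspect.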
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.