Netgate Discussion Forum

Load balancing on an SG-2100 works but failover doesn't

Routing and Multi WAN
5 Posts 3 Posters
atlassol

      I need a fresh set of eyes to help me with this.

      I'm configuring an SG-2100 in my Lab LAN (10.0.2.x). I have "sticky connections" turned off. The WAN and LAN 4 (WAN2) ports are configured to be a multi-WAN gateway group. They go through another network and out through a single ISP upstream firewall (An SG-1100) from the building. They are served DHCP from the upstream firewall.

[image attachment: interface configuration]

[image attachment: interface configuration]

      I'm using speedtest.net for my load balance tests.

      Load balancing between these 2 interfaces works very well with traffic being roughly balanced. Here is the gateway configuration for this option:

[image attachment: gateway group configuration]

      When I disconnect WAN (from the WAN port) traffic is routed to WAN2. However, when I disconnect WAN2 (from LAN 4), external traffic just stops. It makes no difference if I have the gateways at staggered tiers (Tier 1 and Tier2) or both at Tier 1.

[image attachment: gateway tiers]

      The Gateway Error logs contain the following extract:

      Apr 22 14:48:40 dpinger 36420 exiting on signal 15
      Apr 22 14:48:40 dpinger 69737 send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% alarm_hold 10000ms dest_addr 10.0.2.1 bind_addr 10.0.2.106 identifier "WAN_DHCP "
      Apr 22 14:48:42 dpinger 69737 WAN_DHCP 10.0.2.1: Alarm latency 0us stddev 0us loss 100%
      Apr 22 14:52:56 dpinger 69737 exiting on signal 15
      Apr 22 14:52:56 dpinger 80362 send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% alarm_hold 10000ms dest_addr 10.0.2.1 bind_addr 10.0.2.106 identifier "WAN_DHCP "
      Apr 22 14:52:58 dpinger 80362 WAN_DHCP 10.0.2.1: Alarm latency 0us stddev 0us loss 100%
      Apr 22 14:58:27 dpinger 80362 exiting on signal 15
      Apr 22 14:58:27 dpinger 65901 send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% alarm_hold 10000ms dest_addr 10.0.2.1 bind_addr 10.0.2.117 identifier "WAN2_DHCP "
      Apr 22 14:58:29 dpinger 65901 WAN2_DHCP 10.0.2.1: Alarm latency 0us stddev 0us loss 100%
      Apr 22 14:59:27 dpinger 20721 send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% alarm_hold 10000ms dest_addr 10.0.2.1 bind_addr 10.0.2.106 identifier "WAN_DHCP "
      Apr 22 14:59:27 dpinger 65901 exiting on signal 15
      Apr 22 14:59:29 dpinger 20721 WAN_DHCP 10.0.2.1: Alarm latency 0us stddev 0us loss 100%
      Apr 22 14:59:30 dpinger 20721 WAN_DHCP 10.0.2.1: sendto error: 64
      Apr 22 14:59:31 dpinger 20721 WAN_DHCP 10.0.2.1: sendto error: 64
      Apr 22 14:59:36 dpinger 20721 exiting on signal 15
      Apr 22 14:59:36 dpinger 93478 send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% alarm_hold 10000ms dest_addr 10.0.2.1 bind_addr 10.0.2.106 identifier "WAN_DHCP "
      Apr 22 14:59:38 dpinger 93478 WAN_DHCP 10.0.2.1: Alarm latency 0us stddev 0us loss 100%

      Thoughts or suggestions?

      Thx

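As an added example (not from the original post or from pfSense), a small parser for dpinger log lines like the extract above. It flags the conditions a defender would check first when failover never triggers: gateways that share one monitor address or one bind address, 100% loss alarms, and sendto errors. The sample lines are constructed from the post's extract.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the dpinger extract in the post above.
SAMPLE_LOG = """\
Apr 22 14:58:27 dpinger 65901 send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% alarm_hold 10000ms dest_addr 10.0.2.1 bind_addr 10.0.2.117 identifier "WAN2_DHCP "
Apr 22 14:58:29 dpinger 65901 WAN2_DHCP 10.0.2.1: Alarm latency 0us stddev 0us loss 100%
Apr 22 14:59:27 dpinger 20721 send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% alarm_hold 10000ms dest_addr 10.0.2.1 bind_addr 10.0.2.106 identifier "WAN_DHCP "
Apr 22 14:59:29 dpinger 20721 WAN_DHCP 10.0.2.1: Alarm latency 0us stddev 0us loss 100%
Apr 22 14:59:30 dpinger 20721 WAN_DHCP 10.0.2.1: sendto error: 64
"""

# Startup line: which host each gateway monitors (dest_addr) and from which source IP (bind_addr).
START_RE = re.compile(r'dpinger \d+ .*dest_addr (\S+) bind_addr (\S+) identifier "([^"]+)"')
# Alarm line: packet loss to the monitor IP, in percent.
ALARM_RE = re.compile(r'dpinger \d+ (\S+) \S+: Alarm latency \S+ stddev \S+ loss (\d+)%')
# sendto error: errno 64 on FreeBSD is EHOSTDOWN, i.e. the probe cannot leave the interface.
SENDTO_RE = re.compile(r'dpinger \d+ (\S+) \S+: sendto error: (\d+)')

def parse_dpinger(log):
    """Return {gateway: {"dest": monitor_ip, "bind": source_ip}} and {gateway: [(kind, value)]}."""
    gateways, events = {}, defaultdict(list)
    for line in log.splitlines():
        if m := START_RE.search(line):
            dest, bind, ident = m.groups()
            gateways[ident.strip()] = {"dest": dest, "bind": bind}
        elif m := ALARM_RE.search(line):
            events[m.group(1)].append(("loss", int(m.group(2))))
        elif m := SENDTO_RE.search(line):
            events[m.group(1)].append(("sendto", int(m.group(2))))
    return gateways, dict(events)

def find_issues(gateways, events):
    """Flag configurations and events that explain a failover that never happens."""
    issues = []
    for key, label in (("dest", "monitor IP"), ("bind", "bind address")):
        groups = defaultdict(list)
        for ident, cfg in gateways.items():
            groups[cfg[key]].append(ident)
        for addr, idents in groups.items():
            if len(idents) > 1:  # one upstream outage (or one duplicate IP) takes both gateways down
                issues.append(f"{sorted(idents)} share {label} {addr}")
    for ident, evs in sorted(events.items()):
        if any(kind == "loss" and val >= 100 for kind, val in evs):
            issues.append(f"{ident}: 100% loss to monitor IP")
        if any(kind == "sendto" for kind, _ in evs):
            issues.append(f"{ident}: sendto error, probes cannot leave the interface")
    return issues
```

On the extract above both gateways monitor 10.0.2.1, so the group cannot tell a failed WAN from a failed upstream; a distinct monitor IP per gateway makes the loss alarms meaningful.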
tinfoilmatt @atlassol

        @atlassol This is not going to work since LAN 4 is, in fact, a switchport on the LAN backplane (together with ports LAN 1 - LAN 3)—not a router interface. You can configure only one non-LAN interface on the SG-2100 since there are only two router interfaces total.

        To do what it seems like you're trying to do, you would need a third OPT interface. But even if you did, what would be the point of WAN and an OPT functioning as failover interfaces?

        Also, that your "load balancing" configuration works at all is remarkable. But you should be aware that when configured this way and WAN is disconnected, any traffic passing through so-named "WAN2" is not firewalled.

        EDIT: Apparently the SG-2100's hardware does allow this per the link that @SteveITS has posted below.

SteveITS @tinfoilmatt

          @tinfoilmatt I think OP has done https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/opt-wan.html. Or should have.

          @atlassol Your second pic has them with the same IP …? That’s not going to work on any configuration.

atlassol @tinfoilmatt

@tinfoilmatt This should work (as SteveITS points out from the pfSense online documentation). I have firewall rules for the Gateway Group defined (of which WAN2 is a member), but you make a good point that I should check that the rules are properly applied in both a load balanced environment as well as a failover (if I get that working). Thx.

atlassol @SteveITS

@SteveITS The issue of duplicate IP addresses is one that I didn't see (or that didn't strike me as odd for some reason, but you would be right). I need to set this aside for a couple of days and maybe pick it up after I get some higher priority issues taken care of. Thx.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.