Multi Wan almost worked…
-
I installed the pfsense box I built http://forum.pfsense.org/index.php/topic,22398.0.html and had to turn off the multiwan. I had it set up to use both our DSL connections (both from the same ISP). I had the failover watching some public DNS IPs. The system would work for a while then stop. It would mysteriously work for a while then stop again. Turning off multiwan completely resolved it so I know that it's the cause. I just don't know why.
I did see this error in the system log when it was still on:
Jan 27 23:56:55 kernel: arpresolve: can't allocate route for 216.99.112.195
Jan 27 23:56:55 kernel: arplookup 216.99.112.195 failed: could not allocate llinfo
That's not one of our IPs but it does belong to our ISP. This error went away when I disabled the second wan interface and removed the rules related to load balance/failover.
Everything else seems fine except that clients on the LAN have to use the local IP address for our in house FTP server instead of the external address. It would be nice to know why but it's not a big deal. We can see the websites being served from the same machine from inside with no issue. FTP helper is disabled on the WAN and enabled on the LAN as per instructions.
I followed the instructions in the multiwan document except I did not add any DMZs. I wanted my servers behind the NAT. Does that have something to do with it?
Also, is there any patch to allow sticky connections to co-exist with pppoe yet? If I can get the multiwan to work, I would prefer to use that over a bunch of rules.
Any help here would be greatly appreciated.
Thanks
Bob
-
Hey Bob,
Unfortunately, I'm unable to answer your question. However, I'm trying to set up something similar to yours. I did use this guide, but I'm still having problems with failover: http://doc.pfsense.org/index.php/Multi-WAN_Version_1.2.x.
I'm using 2 WAN connections with DHCP setup on each WAN, and both of my connections are to the same ISP. I've applied the same rules and setup loadbalancing/failover, as suggested in the guide, but no success. The only way pfsense will detect and pickup the connected WAN, is if I reboot the pfsense.
You mentioned something about "turning off multiwan"; how did you do that? Do you mind putting up some pics of the rules and loadbalancer as a guide?
You can see pics of what I've setup here: http://forum.pfsense.org/index.php/topic,22495.0.html.
I've also tried the same on a full release 1.2.3, but keep getting the same problem with failover.
I apologize again for not being able to answer your question; just seems you've gotten past the point where I'm stuck!!
Thanks for the help.
-
I spoke too soon; don't worry about putting up the pics; I read your other post that has the pics in them: http://forum.pfsense.org/index.php/topic,22398.0.html.
I'll try to apply similar rules in LAN and see if that works.
The good news is that when WAN1 is disconnected, the loadbalancer status indicates that accordingly. It also shows that WAN2 is online, however, I can't go online using WAN2 at all. I can ping my gateway (router IP), but nothing else outside.
-
To turn the multiwan off, I just deleted the loadbalancer rules, the lan rule, and disabled the second wan interface (all my port forwarding is on the main wan). I didn't see any way to just disable the loadbalance rules so I just got rid of them all. It only takes a couple of minutes to add them again. So far we have been running perfect on the single connection so I haven't spent any time on the multiwan. I will revisit it when I get caught up.
I think the solution to my problem would be to add another router in between the pfsense box and the main wan connection so it will be a non pppoe connection. That would let me run sticky connections and I believe that would fix it. I don't have a decent router handy and I am not sure what I would do about port forwarding yet. I think I would just set up the same ports all forwarded to the internal address that I use for the pfsense main wan. It seems like having double NAT wouldn't be a good thing. Maybe by the time I can sit down and work on this again, the creators will have an update that will handle two pppoe connections with sticky working.
If you make any progress, please post. I would bet we aren't the only ones with this exact same issue.
-
Something interesting I found out (can't believe it took me so long to see it); I guess it explains why I'm having a hard time believing…
Let me summarize what I found out about WAN2:
If WAN1 = DHCP and WAN2 = DHCP, then WAN2 will work
If WAN1 = Static and WAN2 = DHCP, then WAN2 will NOT work
If WAN1 = DHCP and WAN2 = Static, then WAN2 will NOT work
If WAN1 = Static and WAN2 = Static, then WAN2 will NOT work
Needless to say, WAN1 works regardless of what setting it's holding (Static or DHCP; however, I haven't tried PPPoE) because it's not relying on WAN2.
I must be doing something wrong or have forgotten something, because it doesn't make sense why ONLY the DHCP setting needs to be picked on both interfaces in order for WAN2 to work!!
I'm using 1.2.3-RC1 Embedded
-
I'm using multiwan in situations with static on WAN1 and static on WAN2, and with static on one and DHCP on the other, and it works fine.
When you say it's not working, what are you doing to test and how does it fail? If you're using the web interface to ping, it doesn't work with multiwan, as noted on the ping page. Using the console you should be able to ping both default gateways, but the only way to route traffic originating from the pfSense box to WAN2 is via static routes, so any other testing you need to do from behind the firewall. Also from your other thread it looks like you need to change the LAN firewall rule to use your multiwan gateway, not the default gateway.
Everything else seems fine except that clients on the LAN have to use the local IP address for our in house FTP server instead of the external address. It would be nice to know why but its not a big deal. We can see the websites being served from the same machine from inside with no issue. FTP helper is disabled on the WAN and enabled on the LAN as per instructions.
What I do to deal with FTP is set up an override in DNS forwarder to hand out the LAN IP for the FTP server instead of its WAN address. Or just use the LAN IP in their FTP client.
-
When checking if WAN2 is working or not, I just go to the console and try to ping the gateway, or any pingable IP on the Internet, which times out. I also tested by unplugging the modem on WAN1, and I've also tried unplugging the ethernet cable for WAN1; neither of those methods helps WAN2 get online. I have also tried using a Static Route, but that didn't help. I'm not sure what it is that I'm doing wrong. There's a note at the bottom of the table on Static Route that's confusing; it says
"Note: Do not enter static routes for networks assigned on any interface of this firewall. Static routes are only used for networks reachable via a different router, and not reachable via your default gateway."
My question is how else am I supposed to use the static routes. Obviously, I'm missing out on something.
I have included some pics of my "updated" setup.
Let me know what I am doing wrong. Thanks again for the help.
-
Here's the WAN2 setup…
-
Load Balancer Pool & Status; actually it's set up for Failover…
-
LAN Firewall Rules & Static Route config…
Sorry I had to upload the pics that way!!
-
That static route isn't helping, I'm not sure why you've got it there but it seems totally wrong. You shouldn't need any manual static routes for failover to work properly.
Is it possible your gateways don't respond to ping? Aside from that static route your configuration looks okay. If you remove the static route and still can't ping the gateways then I'd be pretty certain they're just not responding (or your configuration is incorrect) as they should be on the same LAN segment. You can watch for traffic on the interface with tcpdump if you really can't sort it out, that may point to an issue elsewhere. Aside from that static route (which I think would only break WAN1 if it were to break anything) your configuration looks okay to me, so I suspect that your WAN links are either not working at all, or the monitor IP doesn't respond to ping.
For failover operation I would recommend using your two primary/secondary DNS servers as the monitor IPs if you are using the DNS forwarder (pick one for each WAN and keep it consistent). That will create implicit static routes for those addresses, one to each WAN, and will prevent the DNS forwarder from failing even though the failover has worked properly (as noted static routes are the only way to redirect traffic originating at the firewall, like DNS forwarder queries, so if your WAN interface fails the DNS forwarder will stop working otherwise). Otherwise I would manually create static routes so that at least one of the DNS servers in your pool goes out your OPT1 interface.
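The check described in the post above, as an added example that is not from the thread or from pfSense itself: a POSIX shell script that parses routing-table text in the shape of FreeBSD `netstat -rn` output and confirms that each monitor IP (here the two DNS servers) has a host route pinned to its own WAN gateway, so firewall-originated DNS forwarder queries keep a path out on both WANs. The routing table, addresses and interface names are constructed; on a live box the real `netstat -rn` output would be fed in instead.

```shell
#!/bin/sh
# Added example, not pfSense code. SAMPLE_ROUTES is CONSTRUCTED to resemble
# 'netstat -rn' on FreeBSD: the two DNS servers (192.0.2.10, 192.0.2.20) have
# host routes (flag H) via the WAN1 and WAN2 gateways respectively.
SAMPLE_ROUTES='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0     1234    vr0
192.0.2.10         203.0.113.1        UGHS        0       88    vr0
192.0.2.20         198.51.100.1       UGHS        0       91    vr1
198.51.100.0/24    link#3             UC          0        0    vr1
203.0.113.0/24     link#2             UC          0        0    vr0'

# monitor_route_gw TABLE IP -> prints the gateway of IP's host route (H flag),
# or nothing if IP would only be covered by the default or a network route.
monitor_route_gw() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == ip && $3 ~ /H/ { print $2 }'
}

# check_monitor TABLE IP WANGW -> 0 if IP has a host route via WANGW, else 1.
check_monitor() {
    found=$(monitor_route_gw "$1" "$2")
    if [ -z "$found" ]; then
        echo "MISSING: no host route for $2; firewall traffic to it follows default" >&2
        return 1
    fi
    if [ "$found" != "$3" ]; then
        echo "WRONG GATEWAY: $2 routes via $found, expected $3" >&2
        return 1
    fi
    return 0
}

# check_failover_pool TABLE "IP1 GW1" "IP2 GW2" ... -> 0 only if every monitor
# IP is pinned to its own WAN gateway and no gateway is used twice (a monitor
# pair sharing one gateway cannot tell the two WANs apart).
check_failover_pool() {
    table=$1; shift
    rc=0; seen=""
    for pair in "$@"; do
        ip=${pair% *}; gw=${pair#* }
        check_monitor "$table" "$ip" "$gw" || rc=1
        case " $seen " in *" $gw "*) echo "DUPLICATE: $gw used twice" >&2; rc=1;; esac
        seen="$seen $gw"
    done
    return $rc
}

check_failover_pool "$SAMPLE_ROUTES" "192.0.2.10 203.0.113.1" "192.0.2.20 198.51.100.1" \
    && echo "monitor routes OK"
```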