Gateway Groups



  • I've been playing around with the Gateway Groups feature the last few days, and the lists indicate that it should be stable about now.  I'm currently working on the 2010-06-18 04:45 snapshot.

    As long as the 1st WAN is up, things are OK, but when it goes down, traffic isn't being sent through the 2nd WAN.  If I force the 2nd WAN to become the default route, traffic moves OK, but then when the 2nd WAN goes down, nothing moves through the 1st WAN.

    Could somebody provide some feedback?
    My config is as follows:

    
    <pfsense>
      <version>6.4</version>
      <lastchange/>
      <theme>pfsense_ng</theme>
      <sysctl>
        <item>
          <desc>Set the ephemeral port range to be lower.</desc>
          <tunable>net.inet.ip.portrange.first</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Drop packets to closed TCP ports without returning a RST</desc>
          <tunable>net.inet.tcp.blackhole</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Do not send ICMP port unreachable messages for closed UDP ports</desc>
          <tunable>net.inet.udp.blackhole</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Randomize the ID field in IP packets (default is 0: sequential IP IDs)</desc>
          <tunable>net.inet.ip.random_id</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</desc>
          <tunable>net.inet.tcp.drop_synfin</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Enable sending IPv4 redirects</desc>
          <tunable>net.inet.ip.redirect</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Enable sending IPv6 redirects</desc>
          <tunable>net.inet6.ip6.redirect</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Generate SYN cookies for outbound SYN-ACK packets</desc>
          <tunable>net.inet.tcp.syncookies</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Maximum incoming/outgoing TCP datagram size (receive)</desc>
          <tunable>net.inet.tcp.recvspace</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Maximum incoming/outgoing TCP datagram size (send)</desc>
          <tunable>net.inet.tcp.sendspace</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>IP Fastforwarding</desc>
          <tunable>net.inet.ip.fastforwarding</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Do not delay ACK to try and piggyback it onto a data packet</desc>
          <tunable>net.inet.tcp.delayed_ack</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Maximum outgoing UDP datagram size</desc>
          <tunable>net.inet.udp.maxdgram</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</desc>
          <tunable>net.link.bridge.pfil_onlyip</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</desc>
          <tunable>net.link.bridge.pfil_member</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Set to 1 to enable filtering on the bridge interface</desc>
          <tunable>net.link.bridge.pfil_bridge</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Allow unprivileged access to tap(4) device nodes</desc>
          <tunable>net.link.tap.user_open</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Verbosity of the rndtest driver (0: do not display results on console)</desc>
          <tunable>kern.rndtest.verbose</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</desc>
          <tunable>kern.randompid</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Maximum size of the IP input queue</desc>
          <tunable>net.inet.ip.intr_queue_maxlen</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Disable CTRL+ALT+Delete reboot from keyboard.</desc>
          <tunable>hw.syscons.kbd_reboot</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Enable TCP Inflight mode</desc>
          <tunable>net.inet.tcp.inflight.enable</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Enable TCP extended debugging</desc>
          <tunable>net.inet.tcp.log_debug</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>Set ICMP Limits</desc>
          <tunable>net.inet.icmp.icmplim</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>TCP Offload Engine</desc>
          <tunable>net.inet.tcp.tso</tunable>
          <value>default</value>
        </item>
        <item>
          <desc>TCP Offload Engine - BCE</desc>
          <tunable>hw.bce.tso_enable</tunable>
          <value>default</value>
        </item>
      </sysctl>
      <system>
        <optimization>normal</optimization>
        <hostname>pfsense</hostname>
        <domain>localdomain</domain>
        <group>
          <name>all</name>
          <description/>
          <scope>system</scope>
          <gid>1998</gid>
          <member>0</member>
        </group>
        <group>
          <name>admins</name>
          <description/>
          <scope>system</scope>
          <gid>1999</gid>
          <member>0</member>
          <priv>page-all</priv>
        </group>
        <user>
          <name>admin</name>
          <fullname>System Administrator</fullname>
          <scope>system</scope>
          <groupname>admins</groupname>
          <password>$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.</password>
          <uid>0</uid>
          <priv>user-shell-access</priv>
        </user>
        <nextuid>2000</nextuid>
        <nextgid>2000</nextgid>
        <timezone>Etc/UTC</timezone>
        <time-update-interval/>
        <timeservers>us.pool.ntp.org</timeservers>
        <webgui>
          <protocol>https</protocol>
          <ssl-certref>4c1b9997e95d0</ssl-certref>
        </webgui>
        <disablenatreflection>yes</disablenatreflection>
        <cert>
          <refid>4c1b9997e95d0</refid>
          <name>webConfigurator default</name>
          <crt>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</crt>
          <prv>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</prv>
        </cert>
        <dns1gwint>wan</dns1gwint>
        <dns2gwint>opt1</dns2gwint>
        <dns3gwint>none</dns3gwint>
        <dns4gwint>none</dns4gwint>
        <dnsserver>208.67.222.222</dnsserver>
        <dnsserver>208.67.220.220</dnsserver>
      </system>
      <interfaces>
        <wan>
          <enable/>
          <if>em1</if>
          <media/>
          <mediaopt/>
          <ipaddr>dhcp</ipaddr>
          <dhcphostname/>
          <alias-address/>
          <alias-subnet>32</alias-subnet>
          <spoofmac/>
          <monitorip>208.67.222.222</monitorip>
        </wan>
        <lan>
          <enable/>
          <if>em0</if>
          <ipaddr>192.168.1.1</ipaddr>
          <subnet>24</subnet>
          <media/>
          <mediaopt/>
        </lan>
        <opt1>
          <if>rum0</if>
          <wireless>
            <standard>11g</standard>
            <mode>bss</mode>
            <protmode>off</protmode>
            <ssid>obfuscated</ssid>
            <channel>0</channel>
            <authmode/>
            <txpower>99</txpower>
            <distance/>
            <regdomain/>
            <regcountry/>
            <reglocation/>
            <wpa>
              <macaddr_acl/>
              <auth_algs>1</auth_algs>
              <wpa_mode>2</wpa_mode>
              <wpa_key_mgmt>WPA-PSK</wpa_key_mgmt>
              <wpa_pairwise>CCMP</wpa_pairwise>
              <wpa_group_rekey>60</wpa_group_rekey>
              <wpa_gmk_rekey>3600</wpa_gmk_rekey>
              <passphrase>obfuscated</passphrase>
              <ext_wpa_sw/>
              <enable/>
            </wpa>
            <auth_server_addr/>
            <auth_server_port/>
            <auth_server_shared_secret/>
            <pureg>
              <enable/>
            </pureg>
          </wireless>
          <enable/>
          <ipaddr>dhcp</ipaddr>
          <dhcphostname/>
          <alias-address/>
          <alias-subnet>32</alias-subnet>
          <spoofmac/>
          <monitorip>208.67.220.220</monitorip>
        </opt1>
      </interfaces>
      <staticroutes/>
      <pppoe>
        <username/>
        <password/>
      </pppoe>
      <pptp>
        <username/>
        <password/>
        <local/>
      </pptp>
      <dhcpd>
        <lan>
          <enable/>
          <range>
            <from>192.168.1.100</from>
            <to>192.168.1.199</to>
          </range>
        </lan>
      </dhcpd>
      <pptpd>
        <mode/>
        <redir/>
        <localip/>
      </pptpd>
      <ovpn/>
      <dnsmasq>
        <enable/>
      </dnsmasq>
      <snmpd>
        <syslocation/>
        <syscontact/>
        <rocommunity>public</rocommunity>
      </snmpd>
      <diag>
        <ipv6nat>
          <ipaddr/>
        </ipv6nat>
      </diag>
      <bridge/>
      <syslog/>
      <nat>
        <ipsecpassthru>
          <enable/>
        </ipsecpassthru>
      </nat>
      <filter>
        <rule>
          <id/>
          <type>pass</type>
          <interface>lan</interface>
          <max/>
          <max-src-nodes/>
          <max-src-conn/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source>
            <network>lan</network>
          </source>
          <destination>
            <any/>
          </destination>
          <gateway>Failover</gateway>
        </rule>
      </filter>
      <shaper/>
      <ipsec>
        <preferredoldsa/>
      </ipsec>
      <aliases/>
      <proxyarp/>
      <cron>
        <item>
          <minute>0</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 newsyslog</command>
        </item>
        <item>
          <minute>1,31</minute>
          <hour>0-5</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 adjkerntz -a</command>
        </item>
        <item>
          <minute>1</minute>
          <hour>3</hour>
          <mday>1</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
        </item>
        <item>
          <minute>*/60</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
        </item>
        <item>
          <minute>1</minute>
          <hour>1</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
        </item>
        <item>
          <minute>*/60</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
        </item>
        <item>
          <minute>*/5</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /usr/local/bin/checkreload.sh</command>
        </item>
      </cron>
      <wol/>
      <rrd>
        <enable/>
      </rrd>
      <load_balancer>
        <monitor_type>
          <name>ICMP</name>
          <type>icmp</type>
          <desc>ICMP</desc>
        </monitor_type>
        <monitor_type>
          <name>TCP</name>
          <type>tcp</type>
          <desc>Generic TCP</desc>
        </monitor_type>
        <monitor_type>
          <name>HTTP</name>
          <type>http</type>
          <desc>Generic HTTP</desc>
          <options>
            <path>/</path>
            <host/>
            <code>200</code>
          </options>
        </monitor_type>
        <monitor_type>
          <name>HTTPS</name>
          <type>https</type>
          <desc>Generic HTTPS</desc>
          <options>
            <path>/</path>
            <host/>
            <code>200</code>
          </options>
        </monitor_type>
        <monitor_type>
          <name>SMTP</name>
          <type>send</type>
          <desc>Generic SMTP</desc>
          <options>
            <send>EHLO nosuchhost</send>
            <expect>250-</expect>
          </options>
        </monitor_type>
      </load_balancer>
      <widgets>
        <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence>
      </widgets>
      <revision>
        <time>1276882419</time>
        <description/>
        <username>admin</username>
      </revision>
      <ppps/>
      <l7shaper>
        <container/>
      </l7shaper>
      <dnshaper/>
      <gateways>
        <gateway_group>
          <name>Failover</name>
          <item>wan|1</item>
          <item>opt1|2</item>
          <trigger>downloss</trigger>
        </gateway_group>
      </gateways>
    </pfsense>
    
    

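The posted configuration can be checked mechanically for the things a working failover depends on before chasing snapshot bugs. The script below is an added example written for this thread, not pfSense code. SAMPLE_CONFIG is a constructed, trimmed copy of the configuration above (same interfaces, monitor IPs, gateway group and LAN rule); the beta-era member format "iface|tier" and the gateway_item element name for single gateways are assumptions taken from the post and from the pfSense 2.0 config layout, and BROKEN_CONFIG is a constructed variant with two deliberate mistakes.

```python
"""Lint gateway-group failover settings in a pfSense 2.0-era config.xml.

Added example for this thread, not pfSense code. SAMPLE_CONFIG is a
constructed, trimmed copy of the configuration posted above; the member
format "iface|tier" is assumed from that post.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><enable/><if>em1</if><ipaddr>dhcp</ipaddr><monitorip>208.67.222.222</monitorip></wan>
    <lan><enable/><if>em0</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><enable/><if>rum0</if><ipaddr>dhcp</ipaddr><monitorip>208.67.220.220</monitorip></opt1>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination>
      <gateway>Failover</gateway></rule>
  </filter>
  <gateways>
    <gateway_group><name>Failover</name><item>wan|1</item><item>opt1|2</item>
      <trigger>downloss</trigger></gateway_group>
  </gateways>
</pfsense>"""

# Constructed broken variant: both WANs monitor the same IP and share a tier.
BROKEN_CONFIG = (SAMPLE_CONFIG.replace("208.67.220.220", "208.67.222.222")
                              .replace("opt1|2", "opt1|1"))


def parse_groups(root):
    """Return {group_name: [(iface, tier_string), ...]} in file order."""
    groups = {}
    for group in root.iterfind("./gateways/gateway_group"):
        members = []
        for item in group.iterfind("item"):
            fields = (item.text or "").split("|")          # assumed "iface|tier" layout
            tier = fields[1] if len(fields) > 1 else ""
            members.append((fields[0], tier))
        groups[group.findtext("name")] = members
    return groups


def lint_gateway_groups(config_xml):
    """Return a list of human-readable problems; empty means nothing obvious is wrong."""
    root = ET.fromstring(config_xml)
    problems = []
    ifaces = {child.tag: child for child in root.find("interfaces")}
    groups = parse_groups(root)
    single_gateways = {g.findtext("name") for g in root.iterfind("./gateways/gateway_item")}

    # A gateway can only be marked down if its interface has a monitor IP, and
    # pfSense installs one host route per monitor IP, so two gateways must not share one.
    monitor = {tag: el.findtext("monitorip") for tag, el in ifaces.items() if el.findtext("monitorip")}
    owner = {}
    for tag, ip in monitor.items():
        if ip in owner:
            problems.append(f"monitor IP {ip} is shared by {owner[ip]} and {tag}; each gateway needs its own")
        owner[ip] = tag

    for name, members in groups.items():
        if not members:
            problems.append(f"group {name} has no members")
        tiers = []
        for iface, tier in members:
            if iface not in ifaces:
                problems.append(f"group {name}: member {iface} is not a configured interface")
            elif iface not in monitor:
                problems.append(f"group {name}: {iface} has no monitorip, so it can never be marked down")
            if tier.isdigit():
                tiers.append(int(tier))
            else:
                problems.append(f"group {name}: member {iface} has a non-numeric tier {tier!r}")
        if len(tiers) > 1 and len(set(tiers)) == 1:
            problems.append(f"group {name}: every member is tier {tiers[0]}, which load-balances instead of failing over")

    # Every rule that sets a gateway must point at a group or a named gateway that exists.
    known = set(groups) | single_gateways
    for rule in root.iterfind("./filter/rule"):
        gw = rule.findtext("gateway")
        if gw and gw not in known:
            problems.append(f"rule on {rule.findtext('interface')} uses unknown gateway {gw!r}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("posted config", SAMPLE_CONFIG), ("broken variant", BROKEN_CONFIG)):
        print(label, "->", lint_gateway_groups(cfg) or "no problems found")
```

Run it against a full config.xml by reading the file into `lint_gateway_groups`; the posted config comes back clean, which is consistent with the reporter's suspicion that the remaining failure is in the snapshot's route handling rather than in the group definition.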

  • My setup is 2 WAN, 1 LAN. I have 2 gateways, one with the default WAN and another which I created for WAN2. I created 2 gateway groups, WAN1FailtoWAN2 and WAN2toWAN1, just like the old guides, with wan1 and wan2 as tier 1 and 2 respectively, and the inverse. Hope someone understands.

    Under status -> gateway

    gateways = nothing in list
    gateway groups = show WAN1, unknown, WAN2 unknown, WAN 2 unknown, wan 1 unknown

    any ideas?



  • Yes, this is a bug right now that I see, and I believe check-ins today should fix this issue, but I'm waiting for the build before I can update my machine.

    Regarding the fail-over operation in Beta 3, I see the same problems with the routes not being updated properly. Look in your system log for gateway messages and other suspicious messages, and also run "grep route-to /tmp/rules.debug"; you will see the routes are not created properly after the link is down.
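To turn the grep above into something that can be compared before and after a link drop, here is an added example (not pfSense code) that pulls the route-to next hops out of rules.debug text and reports which known-down interfaces are still being used as next hops. The RULES_* strings are constructed excerpts shaped like pf's route-to syntax with documentation-range gateway addresses; a real /tmp/rules.debug has many more rules and the spacing differs.

```python
"""Pull the route-to next hops out of pfSense's /tmp/rules.debug.

Added example for this thread, not pfSense code. The RULES_* strings are
constructed excerpts shaped like pf's route-to syntax; a real file has
many more rules and the exact spacing differs.
"""
import re

# Constructed: LAN rule generated while the tier-1 gateway (em1) is up.
RULES_WAN_UP = '''
pass in quick on $LAN route-to { ( em1 203.0.113.1 ) } inet from 192.168.1.0/24 to any keep state label "USER_RULE"
'''
# Constructed: what the thread reports, wan went down but the ruleset did not change.
RULES_WAN_DOWN_STALE = RULES_WAN_UP
# Constructed: what a correct reload should produce, only the tier-2 gateway (rum0) remains.
RULES_WAN_DOWN_RELOADED = '''
pass in quick on $LAN route-to { ( rum0 198.51.100.1 ) } inet from 192.168.1.0/24 to any keep state label "USER_RULE"
'''

# A route-to clause is either a brace list of pools or a single ( iface gw ) pair.
ROUTE_TO = re.compile(r"route-to\s*(\{[^}]*\}|\([^)]*\))")
PAIR = re.compile(r"\(\s*([A-Za-z0-9_.]+)\s+([0-9A-Fa-f.:]+)\s*\)")


def route_to_targets(rules_text):
    """Return [(iface, gateway_ip), ...] for every route-to clause, in file order."""
    targets = []
    for clause in ROUTE_TO.finditer(rules_text):
        targets.extend(PAIR.findall(clause.group(1)))
    return targets


def stale_targets(rules_text, down_ifaces):
    """Interfaces known to be down that the ruleset still uses as next hops."""
    return sorted({iface for iface, _ in route_to_targets(rules_text) if iface in down_ifaces})


if __name__ == "__main__":
    import sys
    # Pass a real rules.debug path as the first argument; otherwise use the constructed stale case.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else RULES_WAN_DOWN_STALE
    print("route-to targets:", route_to_targets(text))
    print("still routed via a down interface (em1):", stale_targets(text, {"em1"}))
```

After the WAN link drops, run it against /tmp/rules.debug with the dead interface name; a non-empty result is the symptom described in this thread, where the filter reload did not regenerate the route-to clause for the surviving gateway.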



  • biatche - re the status issue - I updated to the 2010-06-18 04:45 snapshot (full install, not nano) and the Status display started showing correctly.  Failover wasn't working, but the status was showing the links going up and down for me.

    This is an improvement over just a day or two ago, so I'm hoping that it's just a configuration issue on my side rather than an un-resolved bug.



  • I upgraded to 6/19 and I'm still not seeing any status in the gateways…



  • Edit/Save your gateways again.



  • Did that and still no help.

    Attached is my config file.

    config-lanner_pfsense.home-20100621075403.txt

