When WAN is down traffic to pfSense services is cut (but forward is OK)



  • My configuration:
    Version 1.2.3 Release
    WAN: Static IP
    OPT1: DHCP
    LAN
    Load Balancer configured in Failover mode (WAN is first, OPT1 is second)

    I have two WAN connections - WAN and OPT1. When WAN is down, all traffic to pfSense itself (OpenVPN, web interface and other services) is down too. But port forwarding to the internal network is working…

    I found that the default gateway of pfSense is pointed to the wrong (WAN) connection. So pfSense does not have access to the internet at all (for example, the package list is not shown).

    If I click SAVE on the WAN interface, all services are accessible again for one minute and then they are gone again... What can cause this problem? Is this a bug?


  • Rebel Alliance Developer Netgate

    That is a known limitation of pfSense 1.2.3. The system itself only sends out traffic via the default gateway.

    If you want OpenVPN to use the OPT interface, then it always has to use the OPT interface, by using the "local x.x.x.x;" directive in the custom options, where x.x.x.x is the IP (or dyndns hostname) of the OPT1 interface.

    On 1.2.3 the system only has one default gateway, and it never changes, it's always WAN.

    That is still the case on 2.0 but we have been discussing other options to help cover that scenario, possibly switching the default around if needed.



  • Ok, I will put the most stable connection on WAN. But why does pfSense work perfectly for 40-60 seconds with WAN down when I click Save on the WAN interface? Site-to-site OpenVPN, web interface, all is working perfectly with OPT1 up, but only for 60 seconds  :)



  • Because traffic passing from the host itself relies on being able to ARP the default gateway in FreeBSD (or did prior to us changing that in 2.0), it'll work til the ARP cache times out.



  • Exactly what I was looking for… I noticed it in 1.2.3 and thought I'd try 2.0 to see if it was "fixed" there. Reading this post would've saved me the trouble  ;D.

    To me, changing the default route whenever the default gateway is down makes the most sense, and I can't really think of a scenario where you wouldn't want that, but maybe you guys can enlighten me. In my setup I use the DNS forwarder as the resolver for all the clients, so even though failover works great using the multiple gateways option, internet access does break down because the DNS forwarder is not able to forward its requests to the internet DNS resolvers. Pity...



  • @martap:

    In my setup I use the DNS forwarder as the resolver for all the clients, so even though failover works great using the multiple gateways option, internet access does break down because the DNS forwarder is not able to forward its requests to the internet DNS resolvers. Pity…

    You need a static route for one of your DNS servers on 1.2.3 (read the docs), or in 2.0, just pick your other WAN for one of the DNS servers in the drop-down box on the General Setup page.
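    The failure mode discussed in this thread (the system default route still pointing at the WAN gateway while that gateway no longer answers ARP) can be spotted from the routing and ARP tables. The following is an added example, not code from the thread or from pfSense; the `netstat -rn` and `arp -an` excerpts are constructed samples with documentation addresses, and the interface names (em0 for WAN, em1 for OPT1) are assumptions.

```shell
#!/bin/sh
# Flag a default route whose gateway has no complete ARP entry, which is
# the state the thread describes: host-originated traffic works only until
# the ARP cache for the WAN gateway expires.

# Constructed FreeBSD-style `netstat -rn` excerpt (assumed: em0 = WAN, em1 = OPT1).
SAMPLE_ROUTES='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0     1234   em0
198.51.100.0/24    link#2             UC          0        0   em1
10.0.0.0/24        link#3             UC          0        0   em2'

# Constructed `arp -an` excerpt: the WAN gateway entry has already expired.
SAMPLE_ARP='? (203.0.113.1) at (incomplete) on em0 expired [ethernet]
? (198.51.100.1) at 00:11:22:33:44:55 on em1 expires in 1180 seconds [ethernet]'

# default_gateway ROUTES -> prints "<gateway> <netif>" for the default route.
# The interface is taken as the last field so both old (Refs/Use) and newer
# netstat column layouts parse the same way.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2, $NF; exit }'
}

# arp_resolved ARP GATEWAY -> exit 0 if the gateway has a complete ARP entry.
arp_resolved() {
    printf '%s\n' "$1" | grep -F "($2)" | grep -qv incomplete
}

# check_default_gw ROUTES ARP -> "ok: <gw> on <if>", "stuck: <gw> on <if>",
# or "no default route".
check_default_gw() {
    routes=$1
    arp=$2
    gw_if=$(default_gateway "$routes")
    gw=${gw_if%% *}
    ifc=${gw_if#* }
    if [ -z "$gw_if" ]; then
        echo "no default route"
    elif arp_resolved "$arp" "$gw"; then
        echo "ok: $gw on $ifc"
    else
        echo "stuck: $gw on $ifc"
    fi
}

check_default_gw "$SAMPLE_ROUTES" "$SAMPLE_ARP"
```

On a live 1.2.3 box, feed it the real `netstat -rn` and `arp -an` output instead of the samples; a "stuck" result explains why services on the firewall itself stop answering while port forwards keep working.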

