Loadbalance connection problem

TheRAt · Nov 30, 2006, 7:25 PM

hi.

i have a new pfsense box with the following setup:
pfSense Version 1.0.1 (built on Sun Oct 29 01:07:16 UTC 2006)

LAN IP - 192.168.7.1
WAN IP - 207.XXX.XXX.100 (static) WAN_GW: 207.XXX.XXX.254
OPT1 IP - 192.168.1.200 (static) OPT1_GW: 192.168.1.1

LAN is as normal, shared with my internal network.

WAN is attached to a DSL connection to ISP #1
OPT1 is attached to a router, which is then attached to a second ISP which provides a dynamic IP; 192.168.1.200 is in the DMZ for the router

WAN and OPT1 are loadbalanced.
monitor IP for WAN in loadbalance pool is the WAN_GW address
monitor IP for OPT1 in loadbalance pool is the OPT1_GW address

Outbound NAT has "Enable advanced outbound NAT" selected,
and:

Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
WAN    	   192.168.7.0/24  *            *            *                 *            *         NO           Auto created rule for LAN
OPT1       192.168.7.0/24  *            *            *                 *            *         NO

My LAN Firewall rules are as follows:

Proto  Source   Port  Destination  Port  Gateway      Description
*      LAN net  *     *            *     loadBalance  Default LAN -> LoadBalanced
*      LAN net  *     *            *     *            Default LAN -> any

When I start up the box, I get no problems with accessing the internet for a while, maybe up to about 2-3 minutes .. However, after this time, the connection stops working.

Each of the connections work individually quite well, and without any problems.

Any advise on what to do to trouble-shoot this problem, and if you need any more information to help me to solve this.

Thanks

hoba · Nov 30, 2006, 9:36 PM

Make sure your monitors are not refusing to answer to pings after some time. monitor IPs are pinged every 5 seconds to detect link failure. If the connection fails what's the status of status>loadbalancer?

TheRAt · Nov 30, 2006, 9:58 PM

The connection fails even when the Load Balancer Status says that both connections are online .. also, to make certain that both gateways allow for pings, i have an open terminal running a ping to them every second .. and this has been going now for a little over 40 minutes .. no blocks so far ..

hoba · Nov 30, 2006, 10:04 PM

Then something else is wrong. show me your pooldefinitons.

TheRAt · Dec 1, 2006, 1:24 AM

info attached..
let me know if you need any more ..

hoba · Dec 1, 2006, 1:41 AM

You are not useing the right IPs as gateways in the pool. According to the first post they should be 207.216.0.254 (at WAN) and 192.168.1.1 (at OPT-WAN).

TheRAt · Dec 1, 2006, 3:18 AM

my WAN IP address is 207.216.9.122
my WAN GW address is 207.216.0.254

my OPT1 IP is 192.168.1.200
my OPT1 GW is 192.168.1.1

do I still have incorrect addresses in the system ?

Thanks for your help with this :)

hoba · Dec 1, 2006, 1:24 PM

Have a look at your loadbalncing pool screenshot. In your screenshot you entered the interface IPs, not the gateways as poolmembers. You have to enter the gateways there.

TheRAt · Dec 2, 2006, 8:53 AM

I must have been blind when I was reading the instructions ..
Thanks

The only problem I have now is that the dns queries deom the firewall seem to fail a lot .. I have provided all the machines on the local net with the primary dns server addresses for each of the ISPs as their DNS servers .. and this seems to get around the problem ..

Going to read through other posts in the forums, and the wiki to see if I can find a solution .. Thanks again for your help ..

hoba · Dec 2, 2006, 2:06 PM

This might happen if the main WAN of the pfSense is not always available (check status>systemlogs, loadbalancer). To make DNS failover too use one DNS of the WAN and one of the OPT-WAN at system>general. Then add a static route to OPT-WAN-DNS-Server/32 though OPT-WAN-Gateway at interface OPT-WAN. This way it will use the second DNS if the main WAN is down though the OPT-WAN interface.

Maybe it's just a problem with your monitor IP for the WAN Interface. Try to use a different monitor. If it doesn't always responds to pings the link will be taken down for at least 5 seconds.

TheRAt · Dec 2, 2006, 3:59 PM

Thanks ..
I will try this tonight and post how I go ..

sai · Dec 7, 2006, 6:24 PM

@hoba:

This might happen if the main WAN of the pfSense is not always available (check status>systemlogs, loadbalancer). To make DNS failover too use one DNS of the WAN and one of the OPT-WAN at system>general. Then add a static route to OPT-WAN-DNS-Server/32 though OPT-WAN-Gateway at interface OPT-WAN. This way it will use the second DNS if the main WAN is down though the OPT-WAN interface.

Maybe it's just a problem with your monitor IP for the WAN Interface. Try to use a different monitor. If it doesn't always responds to pings the link will be taken down for at least 5 seconds.

Could you explain how adding a static route in this case would be done? I dont really understand static routes.

My own solution was that I put in policy based routing for the DNS.
In Firewall : Rules : LAN
Interface LAN, Protocol UDP/TCP, Destination IP address:ISP1 DNS, Destination p$ort: 53 , Gateway = ISP1 Ethernet port.
Should this be OK?

hoba · Dec 8, 2006, 12:47 AM

This is ok for connections that are running through the pfSense like if you have a dns server at LAN but can't be utilitzed by the pfSense itself as only connections running through the pfSense can make use of policybasedrouting/loadbalancing. To keep DNS-resolution on the pfSense itself (like for dns forwarder) you need that staticroute entry like described for the DNS-Server of the ISP at OPT-WAN.

TheRAt · Dec 8, 2006, 5:01 AM

have not been able to get to this for a few days ..
played with it tonight, and still having the same problems ..
DNS is being forwarded for a while, then it just stops .. and I cannot resolve DNS ..
the load balancer logs do not indicate a drop on the wan interface ..

i think i might have something else misconfigured possibly .. any suggestions ..

hoba · Dec 8, 2006, 5:14 AM

Try to use a different external dns server. Maybe there is a problem with it.

TheRAt · Dec 8, 2006, 5:47 AM

the machine now has 3 different WAN connections …
will try changing the primary connection around, and changing the DNS servers ..

what I do not understand is that the machines on the LAN are able to work perfectly, as long as they use the DNS servers of the ISP .. I have also set up an internal box with bind on Linux and that seems to run correctly also ..

I am sure I have an incorrect entry in the settings for the firewall, but not sure where exactly to look for it ..
Off to bed anyways .. will play with it again tomorrow ..

sai · Dec 11, 2006, 6:07 PM

I dont see your static routes. hoba suggested that you will need these. pls post your static routes.