Incoming connections failed when main WAN connection fails in a failover config



  • Hi. I have pfsense version 1.2.3 with 2 WANs configured as load balancing with failover, and outbound connections work fine. When the main WAN connection fails, outbound connections redirect to WAN2 (OPT1), but incoming connections through OPT1 fail (those connections work OK when the WAN is up). Is there any solution for this? Thanks.


  • Rebel Alliance Developer Netgate

    So you're saying that during normal operation, you have port forwards on OPT1 that work. And when you are failed over to OPT1, these same port forwards do not work?

    Or are you expecting your traffic coming in to WAN to fail over to OPT1 as well when WAN is down?



  • Hello jimp. When WAN fails, the failover process runs OK and all the outbound traffic goes through OPT1, but none of the NAT entries associated with OPT1 work. For example, I have port 25 open on OPT1; in normal operation it works OK, but if the WAN fails, NAT for port 25 fails for incoming connections although OPT1 is working.


  • Rebel Alliance Developer Netgate

    If a connection fails when WAN is down, it's likely something is still trying to use WAN or relying on something reachable by WAN in some way.

    We'd need a lot more detail (screenshots of all of your NAT rules, 1:1 nat, outbound NAT, load balancer config, lan rules, wan rules, wan2 rules, and so on).



  • Yes, I think the same. I read in this forum some posts with this problem but nobody answered this question. I have configured the pfsense with the LAN rules OK. The last rule says that all LAN subnet traffic goes through the default gateway (I saw this configuration in another post), but although I change the default gateway to OPT1, the same problem occurs.

    Monitoring the NAT rules I can see that incoming connections made from the outside arrive at the pfsense, but I think the pfsense is unable to route to the remote host, either through the load balancer rule or the default gateway rule.



  • I already faced the same problem with an incoming OpenVPN connection on the OPT1 interface - sometimes it just did not work. After completely messing up my firewall rules, modifying the state type on some rules, I finally switched back to a configuration which seems to function.
    Today I have replaced "apinger" with the patched version; maybe it is worth a try. Unfortunately I cannot say whether apinger had failed when I had the incoming connections problem or not.

    Edit: the apinger problem is solved, but it is NOT responsible for the incoming connections problem.
    In my state table I have entries like these:

    tcp    10.3.1.11:1192 <- 84.xxx.xxx.xxx:2133    CLOSED:SYN_SENT
    tcp    10.3.1.11:1192 <- 84.xxx.xxx.xxx:2134    CLOSED:SYN_SENT

    When WAN and OPT1 are both up on boot time, the incoming connection seems to pass. But when WAN is down on boot time, the incoming connection on OPT1 fails.



  • Hi all, I have the same problem. I use pfsense version 1.2.3 RELEASE.

    I have
    LAN 192.168.0.0/24
    WAN ( DHCP)
    OPT1 (static IP)

    in rules I set: * LAN net * * * *
    I did not set load balancing; I change my local outbound internet manually.
    In OPT1 rules I open port 80 going to a PC on my local network. Everything works fine, but
    when WAN is offline my inbound connections do not work. I try to open port 80 from an external network but it does not work.
    I did not set up 1:1, static routes, or Load Balancing.

    PS: When WAN is offline and I log in via PuTTY to pfsense, I try to ping an external IP address but I can't.
    Please help me.



  • I have the same issue. If I disable load balancing everything works just fine. But obviously it will require someone to actually change the LAN out rule manually.

    OPT1 = DHCP
    WAN = PPPOE

    Running 1.2.3…



  • OPT1 = Internet 1
    WAN = Internet 2
    default lan rule = failover pool (sequence internet1/internet2)

    An important update. I've managed to get the failover working. Well, sort of… I've noticed that when I traceroute from a machine on the LAN subnet, packets go on the WAN route, regardless of the gateway selected on the default rule. When WAN goes down, incoming connections fail (even on the OPT1 IP) and pfsense won't fail over to OPT. Outbound traffic works a bit weird. Sometimes hosts can get on the internet directly(?).

    So, remaining in that state (WAN DOWN, OPT and LAN UP) I ssh'ed into the pfsense box and checked the routing table. The default route still pointed to the dead WAN's gateway IP address. Thus, I manually deleted the default route and entered the OPT1 gateway in its place. (EDITED: AND CHANGED THE DEFAULT LAN GATEWAY TO OPT1) TA-DA! Everything worked OK. Re-enabling the WAN interface caused the default route to get overwritten with the WAN gateway.

    So, why won't pfsense change the default route? :-\



  • This will be my last update to this thread (unless someone updates it of course :-) ):

    I've built another pfsense box, but this time around I've used the latest snapshot of pfsense 2.0 beta5. Everything works like a charm. It really seems to be a bug in 1.2.3.

    Bye for now. 8)



  • @sot010174:

    I manually deleted the default route and entered the OPT1 gateway in its place. (EDITED: AND CHANGED THE DEFAULT LAN GATEWAY TO OPT1) TA-DA! Everything worked OK. Re-enabling the WAN interface caused the default route to get overwritten with the WAN gateway.

    So, why won't pfsense change the default route? :-\

    Hi man, can you please tell me how you manually changed the default gateway to the OPT1 gateway on pfsense? Please post the commands here. Thanks.



  • Of course. BACKUP THE CONFIG FIRST FOR SAFETY.

    First you should access the box via the console or SSH. 'netstat -rn' will display the current routes. You should see 'default' in the first lines of the command output. That's the default route. In my case, the default route pointed to the (dead) WAN gateway. So I typed 'route del default'. Then I entered the OPT route with 'route add default 201.xx.xx.xx' (OPT gateway IP address). Now you should divert the LAN traffic to the OPT exclusively, as leaving the LAN out gateway as the failover circuit doesn't seem to work.

    Recap:
    Backup.
    ssh into the box.
    netstat -rn and check the default route.
    route del default
    route add default {interface gateway ip}
    Modify the LAN out rule to the NIC selected in the previous step.
    Test everything.
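    The manual route swap above, written up as a small POSIX sh helper (an added example, not code from the thread or from pfSense): it parses the FreeBSD 'netstat -rn' output, checks which gateway the default route currently points at, and only emits the 'route del'/'route add' commands when the route is not already on OPT1. The gateway addresses and the netstat sample are constructed placeholders; the LAN-out rule change from the recap still has to be done in the web GUI.

```shell
#!/bin/sh
# Added example: move the default route from a dead WAN gateway to the OPT1
# gateway on a pfSense 1.2.3 (FreeBSD) box, following the recap above.
# Addresses are assumed placeholders; replace them with your own gateways.
WAN_GW="203.0.113.1"     # assumed (dead) WAN gateway
OPT1_GW="198.51.100.1"   # assumed (alive) OPT1 gateway

# Constructed sample of FreeBSD 'netstat -rn' output (IPv4 section only),
# showing the failure state from the thread: default still points at WAN.
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0     1234    em0
10.3.1.0/24        link#2             UC          0        0    em1
127.0.0.1          127.0.0.1          UH          0       12    lo0
198.51.100.0/24    link#3             UC          0        0    em2'

# Read 'netstat -rn' text on stdin and print the gateway of the default route.
default_gw() {
    awk '$1 == "default" { print $2; exit }'
}

# Given 'netstat -rn' text as $1, print the route commands needed to point
# the default route at OPT1. Prints nothing if it already points there.
route_fix_commands() {
    gw=$(printf '%s\n' "$1" | default_gw)
    if [ "$gw" = "$OPT1_GW" ]; then
        return 0
    fi
    if [ "$gw" = "$WAN_GW" ]; then
        echo "# default route still points at dead WAN gateway $gw" >&2
    fi
    # Same two commands the post above types by hand.
    printf 'route del default\nroute add default %s\n' "$OPT1_GW"
}

# Dry run against the constructed sample (prints the commands, runs nothing).
route_fix_commands "$SAMPLE_NETSTAT"

# Live use on the firewall, as root, after backing up the config:
#   route_fix_commands "$(netstat -rn)" | sh
```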



  • Thanks man.

