Does anyone have a default template for a simple multi-WAN setup? Also, more down checks?



  • My cheap 6-year-old $150 Xincom device uses: HTTP and ping (plus interface down and traffic, both disabled).

    Today I noticed many people use: HTTPS/HTTP (with an option to regexp-validate the data), DNS (Google!), ping, interface up/down.

    Is there a way to add HTTPS and DNS to the ping method of interface up/down? We've found that ICMP is very unreliable because most people QoS it way down (ping floods, etc.). A long time ago we had a bad gigabit NIC in another ISP's peering router: the pings were fine because the default ping was small, but when the packet was large there was 20-30% failure. Simple pinging doesn't work well, and as you know HTTPS traffic is very intolerant of interface flipping (unless you are multi-homed with portable IPs, but we wouldn't be here in that case). So we moved to HTTP (the best I had), but HTTPS would be even better since the CDN we use supports it. Test every 60s; if it fails, try 5 more times every 5 seconds; if fewer than 3 succeed, down the interface for a minute. DNS likewise could be used to hit 8.8.8.8, which is generally always up. If anyone can help here I'd be grateful (and willing to pay!).

    Next thing up: anyone have a really simple example of pfSense 2.0 in multi-WAN?

    1. T-1 hosts servers that require high-uptime SLA apps (dual T-1s on a single Cisco for a little bit of redundancy) (16 IPs)
    2. Comcast Business (5 IPs)

    1. Some apps have to run on the T-1 due to IP filtering.
    2. Some apps have to run on Comcast due to IP filtering.
    3. Mail is bound to the T-1 due to negativity against Comcast IPs.
    4. Certain NATted IPs are bound to the T-1 or Comcast just because.
    5. Certain protocols are bound to Comcast (HTTPS/HTTP/FTP) due to the high speed (100 Mbit down / 10 Mbit up) but should fail over only when Comcast is down.
    6. I have one RDP port punched through both networks (I know, bad; I will use port knocking as soon as I get this thing up). Simple NAT; every RDP is running on a unique port.

    Question: Anyone got a sample list of configuration to make this work? (Willing to donate $$ to any cause; PayPal, PM or email me.)
    Question: Sticky connections, yes or no?
    Question: Any way to get more robust interface up/down? I've found aggressive settings result in too much interface flapping.
    Question: We run this in VMware. Is it difficult or expensive (IP cost) to run CARP by running two copies? Dual-WAN plus CARP, but I have no extra internet IPs left. I've got the VM hooked to CPU 0 affinity, reserved MHz, RAM, VMware Tools, RAM affinity (NUMA Westmere CPUs), hopefully to keep the clock drift down. Can CARP work with 3 VM hosts, one per host?

    PM me if you can help; we can pay or trade gear (I have a lot of cool hardware). I'm not rich, but hey, maybe you want a new tablet or video card that I have for your time.

    Has anyone ever tried vMotion on pfSense with dual WAN? I could use vMotion to migrate to the other VMware host when I need to reboot it (patches or hardware upgrades).

    Thanks!
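The check schedule the post asks for (probe every 60 s; on failure retry 5 times at 5 s; if fewer than 3 retries succeed, hold the gateway down for 60 s), written as an added Python example rather than anything from the original post or from pfSense. It replaces ICMP with an HTTPS probe (urllib verifies the certificate, so a captive portal answering 200 with its own certificate still fails) and a raw UDP DNS query sent straight to a resolver such as 8.8.8.8. The probe URL `https://www.example.com/` and the queried name `www.example.com` are placeholders; the probe callables are injectable so the hold-down logic can be exercised offline with constructed results.

```python
"""Gateway health monitor with HTTPS and DNS probes instead of ICMP.

Added example, not code from the original post or from pfSense. Schedule:
probe every 60 s; on failure retry 5 times at 5 s; if fewer than 3 retries
succeed, mark the gateway down for 60 s. The probe URL and DNS name used
below are placeholders (assumptions).
"""
import random
import re
import socket
import struct
import time
import urllib.request
from dataclasses import dataclass


def https_probe(url, pattern=None, timeout=5.0):
    """Fetch url over HTTPS; optionally require the body to match pattern.

    urllib verifies the server certificate by default, so a captive portal
    or intercepting proxy that answers 200 with its own cert still fails.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if resp.status != 200:
                return False
            body = resp.read(4096).decode("utf-8", "replace")
    except (OSError, ValueError):
        return False
    return pattern is None or re.search(pattern, body) is not None


def build_dns_query(name, txid):
    """Minimal DNS A query (RD=1) for name with transaction id txid."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dns_reply_ok(data, txid):
    """True if data is a response to txid with RCODE 0 and at least one answer."""
    if len(data) < 12:
        return False
    rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    is_response = bool(flags & 0x8000)
    rcode = flags & 0x000F
    return rid == txid and is_response and rcode == 0 and ancount > 0


def dns_probe(server, name="www.example.com", timeout=3.0):
    """Query server directly over UDP/53 (assumed name; any resolvable one works)."""
    txid = random.randrange(1, 0x10000)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_dns_query(name, txid), (server, 53))
            data, _ = s.recvfrom(512)
    except OSError:
        return False
    return dns_reply_ok(data, txid)


@dataclass
class GatewayMonitor:
    probes: list                  # callables returning True on success
    interval: float = 60.0        # seconds between routine checks
    retry_delay: float = 5.0      # seconds between retries after a failure
    retries: int = 5
    min_success: int = 3          # fewer successes than this => gateway down
    down_hold: float = 60.0       # seconds to keep the gateway marked down
    sleep: object = time.sleep    # injectable so tests run without waiting
    up: bool = True
    down_until: float = 0.0

    def check_once(self):
        return all(probe() for probe in self.probes)

    def evaluate(self, now):
        """Run one cycle starting at time `now`; return the resulting state."""
        if not self.up and now < self.down_until:
            return False                          # still in hold-down, no probes
        if self.check_once():
            self.up = True
            return True
        successes = 0
        for _ in range(self.retries):
            self.sleep(self.retry_delay)
            successes += self.check_once()
        self.up = successes >= self.min_success
        if not self.up:
            self.down_until = now + self.down_hold
        return self.up


def simulate(outcomes, cycles, **params):
    """Drive the monitor with constructed probe results (one bool per call)."""
    calls = iter(outcomes)
    mon = GatewayMonitor(probes=[lambda: next(calls, True)],
                         sleep=lambda _s: None, **params)
    return [mon.evaluate(i * mon.interval) for i in range(cycles)]


if __name__ == "__main__":
    # Real use on the firewall: both probes must pass for the gateway to be up.
    live = GatewayMonitor(probes=[lambda: https_probe("https://www.example.com/"),
                                  lambda: dns_probe("8.8.8.8")])
    print("constructed run:", simulate(
        [True, False, False, False, True, False, False, True], 3))
    print("live check:", live.evaluate(time.time()))
```

Requiring every probe to pass is deliberate: a gateway whose DNS works but whose HTTPS path is broken is not usable for the HTTPS-bound traffic the post describes, and the hold-down timer is what stops a single lost retry from flapping the interface. Both probes are best-effort checks of reachability, not of the peer's identity beyond the certificate check; a resolver that answers but lies is still counted as up.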



  • If you are really willing to pay, you can post this in the bounty section.

    I cannot answer all your questions since I am just a newbie with pfsense.

    Question: Anyone got a sample list of configuration to make this work?
    Yes. Multi-WAN is much easier now. Just go to your firewall LAN rules and assign the ports your apps are using to the specific gateway they will use.

    Question: Sticky connections, yes or no?
    There is an option in System > Advanced > Miscellaneous. Just check it there.

    Question: Any way to get more robust interface up/down? I've found aggressive settings result in too much interface flapping.
    You can try the high-latency or conservative setting under System > Advanced > Firewall/NAT.

    If you want to use failover, just create a gateway group with the gateways in different tiers.

