LAN Failover



  • I tried for about two days to get a second NIC working.
    As I stated in another post, I'm trying to set up a router for my home network.

    I set up from console (using the wizard) the WAN interface and the LAN interface.

    However, I would like to have multiple LAN interfaces with automatic switching between them in case one goes down (failover).
    I can successfully set up the additional interface; however, even if I configure it under the "LAGG" menu I cannot ping it at all (even though it has a different IP address).
    If I add a firewall rule as stated in http://geekness.eu/content/adding-another-lan-nic-pfsense then not only can I ping the additional interface, but I also get locked out of the LAN on the primary interface!

    I would like to setup something like

    (LAN_NIC1, LAN_NIC2)  <--- failover --->  (WAN_NIC)

    But each time I try to set it up, strangely the only way to make it work is to perform a "Reset to factory settings" from the console. After the last time my TV began to continuously switch on/off due to a problem caused by the router, which I admit is quite strange …

    Is it possible to make this work? I mean the two NICs on the same subnet with the same IP address with failover (automatic switching)? I would need two additional NICs to make a LAGG "failover", since already assigned interfaces cannot be used and I can't access the LAN otherwise (I'll buy another Intel NIC since the Realteks lose 50% of the packets). If yes, how do I do this?

    The LAN NICs are connected to an HP ProCurve switch. Only one of them has to work at a time.



  • If you already have 3 NICs, hook all 3 into the LAN. Then set up your config so that what you used as a WAN before becomes an opt interface. Create a rule on the opt interface to allow all traffic. Switch to managing the pfSense on that interface. Then unassign the LAN. Set up LAGG and assign it to LAN. Make sure that a rule gets created to allow all traffic from your internal subnet to pass through the firewall. Then switch over to managing the FW through the LAGG interface. Once that is complete, unassign the opt interface, assign that to the WAN and set it up like you did before. Restart. Check everything to make sure all is well. If you have an extra NIC, you can use it temporarily to set up the LAGG and necessary rules.
    I would toss the Realtek and get Intel.



  • @podilarius:

    If you already have 3 NICs, hook all 3 into the LAN. Then set up your config so that what you used as a WAN before becomes an opt interface. Create a rule on the opt interface to allow all traffic. Switch to managing the pfSense on that interface. Then unassign the LAN. Set up LAGG and assign it to LAN. Make sure that a rule gets created to allow all traffic from your internal subnet to pass through the firewall. Then switch over to managing the FW through the LAGG interface. Once that is complete, unassign the opt interface, assign that to the WAN and set it up like you did before. Restart. Check everything to make sure all is well. If you have an extra NIC, you can use it temporarily to set up the LAGG and necessary rules.

    Thank you for the description, but should I assign no NIC to the WAN? I have one onboard Realtek which mostly works and (will have) 3 Intel PCI(/e) NICs, for a total of 4 interfaces. The onboard Realtek seems to work fairly well … not that it has so much work to do with a 25Mbps internet connection compared to the 1000Mbps in the LAN ...

    Is there some other option besides resetting each time?
    Besides, I have quite a problem with NAT as well (see screenshot). Do you have any other suggestion?

    @podilarius:

    I would toss the Realtek and get Intel.

    Guess what … I bought 3 Realteks for the price of one Intel and now I find myself with 3 pieces of crap which don't work >:(

    Definitely true ... Intel's NICs are simply wonderful :D

    EDIT: on second thought, maybe I'll toss the integrated one as well … so I have 2xLAN with failover and 1xWAN with no failover. What do you think? Right now the WAN seems to work fairly well though ...



  • Netgate Administrator

    If you are trying to allow SSH access to a server at 192.168.1.8 from outside your network, you have it set up wrong. It should be:

    If   Proto  Src. addr  Src. ports  Dest. addr   Dest. ports  NAT IP       NAT Ports
    WAN  TCP    *          *           WAN address  22           192.168.1.8  22

    Steve



  • @stephenw10:

    If you are trying to allow SSH access to a server at 192.168.1.8 from outside your network, you have it set up wrong. It should be:

    If   Proto  Src. addr  Src. ports  Dest. addr   Dest. ports  NAT IP       NAT Ports
    WAN  TCP    *          *           WAN address  22           192.168.1.8  22

    Steve

    Even with this I cannot access my server from outside. Quite strange …


  • Netgate Administrator

    Since that's shown as a linked port forward I assume you have a firewall rule in place. Are you seeing anything in the firewall logs?

    Steve



  • @stephenw10:

    Since that's shown as a linked port forward I assume you have a firewall rule in place. Are you seeing anything in the firewall logs?

    Steve

    I don't know, since all filter logs change so fast … anyway, it was my fault ... I had to connect to an external VPN server first, then tried to connect via SSH to my host and it worked. Sorry for the trouble. Strangely though, I didn't have to do this when using the Zyxel router ...
    Connecting to my WAN IP address with a PC from the LAN directly (i.e. not by using an external VPN) results in a connection timeout.
    Thank you for your support stephenw10 ;)
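Steve's question about the firewall logs, and the reply that they scroll by too fast to read, are where a filter over exported filterlog lines helps: pick out only blocked inbound packets aimed at the forwarded server. The following is an added example, not code from the thread or from pfSense; the filterlog field order is assumed from pfSense's documented IPv4 TCP/UDP record format, the hostname "fw", interfaces em0 (WAN) and em1 (LAN), and every log line are constructed.

```python
import csv

# Constructed sample syslog lines in the CSV layout pfSense's filterlog uses
# (field order assumed from the documented IPv4 TCP/UDP record format).
# Because pf applies the port forward (rdr) before filtering, a packet that
# arrived for WAN:22 is logged with the translated destination 192.168.1.8:22.
SAMPLE_LOG = """\
Nov 15 10:12:01 fw filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,192.168.1.8,51234,22,0,S,10001,,65535,,mss
Nov 15 10:12:02 fw filterlog: 71,,,1541181345,em0,match,pass,in,4,0x0,,64,12346,0,DF,6,tcp,60,203.0.113.9,192.168.1.8,51235,22,0,S,10002,,65535,,mss
Nov 15 10:12:03 fw filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12347,0,DF,17,udp,78,203.0.113.5,198.51.100.2,5353,5353,58
Nov 15 10:12:04 fw filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,12348,0,DF,6,tcp,60,192.168.1.50,192.168.1.8,40000,22,0,S,10003,,65535,,mss
Nov 15 10:12:05 fw filterlog: 5,,,1000000103,em0,match,block,in,6,0x00,0x00000,64,TCP,6,40,2001:db8::5,2001:db8::8,51236,22,0,S,10004,,65535,,mss
"""

def parse_filterlog(line):
    """Return the fields we need from one IPv4 TCP/UDP filterlog line, else None."""
    marker = "filterlog: "
    if marker not in line:
        return None
    f = next(csv.reader([line.split(marker, 1)[1]]))
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None  # IPv6 and non-TCP/UDP records are out of scope here
    return {"rule": f[0], "iface": f[4], "action": f[6], "dir": f[7],
            "proto": f[16], "src": f[18], "dst": f[19],
            "sport": int(f[20]), "dport": int(f[21])}

def blocked_to(log_text, dst_ip, dport, iface=None):
    """Blocked inbound packets aimed at dst_ip:dport, optionally on one interface."""
    hits = []
    for line in log_text.splitlines():
        r = parse_filterlog(line)
        if r is None or r["action"] != "block" or r["dir"] != "in":
            continue
        if r["dst"] != dst_ip or r["dport"] != dport:
            continue
        if iface is not None and r["iface"] != iface:
            continue
        hits.append(r)
    return hits

if __name__ == "__main__":
    # Blocks on the WAN side (em0) for the SSH port forward from the thread
    for r in blocked_to(SAMPLE_LOG, "192.168.1.8", 22, iface="em0"):
        print(f'{r["iface"]} rule {r["rule"]}: {r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]}')
```

A hit on the WAN interface with the default block rule number means the linked firewall rule for the port forward is not matching; no hit at all while the connection still times out points at the NAT rule or the return path instead.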

