Dual static wan, carp, no loadbalancing but failover possible?

  • hello!

    i read through the forum and through the howtos and the wiki, but i can't find a solution to my problem.
    i have 2 embedded pfsense-boxes with 3 nics each in carp configuration which work very fine.
    rl0: lan and carp
    rl1: backupwan
    rl2: wan
    now i have two wan-connections, the main on rl2 and a backup on rl1, different isps.
    all traffic should go over the main-connection except if that one fails, then i need the backup-connection to handle everything but just as long as the main connection stays down (failover).
    all i read so far uses the loadbalancer but i don't want load-balancing.
    i had it running with the loadbalancer and it worked great, but traffic on the backup line is limited and the speed is very slow and dns-resolution was a horror, exactly 1 out of 2 requests worked. i tried rules pinning the dns-server-requests to the correct gateway but to no effect. also not having load-balancing is very important for me.

    both pfsense-boxes running 1.0.1.

    thanks in advance for any advice!

    so long,

  • I've also tried to get a similar setup working and I have your same problem. I'm running a single box, no CARP and I have two providers with different response times and bandwidth, I'd like to have everyone from LAN A go out provider A and everyone from LAN B go out provider B, and if any one provider fails, the remaining one should carry both A and B traffic.

    The part I can't get to work is to isolate LAN A's traffic from LAN B's traffic. It would also work for me if I could load balance depending on destination IP or source IP. I've even thought about sending all traffic bound to IPs that end in an even octet out one interface and all traffic bound to IPs that end in an odd octet out another, but I can't get this done and also have failover.

    I wanted to ask you if maybe you've tried using a third party DNS server (asides from your regular ISP dnses) such as www.opendns.com. They are very good and free also. You could also direct DNS requests for each provider out that provider's interface, sometimes providers don't allow dns requests from another provider's IP pool, that's what I think might have happened when you where missing half of the dns replies.

    Hope that helps, tell me if you find a way to get the failover without LB

    Best Regards


  • @perry: i have already a carp-cluster, the problem is the wan-failover without load-balancing.

    @ezarikian: i already tried third-party dns-server, that solves the "1 miss out of 2" problem but it doesn't solve the problem that the backup-line is just a slow one so it just becomes "1 very slow out of 2" problem.

    is there really no way to use 2 wan-connections with failover without load-balancing?

  • @superwutze:

    i tried rules pinning the dns-server-requests to the correct gateway but to no effect. also not having load-balancing is very important for me.

    You need to use static routes, not firewall rules for the DNS resolution.  Firewall rules only work for traffic coming from one of the interfaces. DNS resolutiuon is generated by the firewall itself so firewall rules do not work.

    If you use a recent snapshot ( snapshots.pfsense.com ), you can have loadbalancing with failover behaviour, n(as opposed to roundrobin behaviour) . This means that trafic is only sent to the backup WAN if the main one fails.

    Should be fairly simple. If it does not work post your firewall rules and your load balancing setup.

Log in to reply