2 Wan route balance, Problem if one goes down!

sap68

Hi, I have 2 DLS line with public adresses, and I configure a group of gateway to use in filter policy and balance outgoing traffic in round-robin manner.

Scheme:

DSL1 -> router public IP (81.x.x.20) -> WAN port PFsense (81.x.x.21) -> LAN
DSL2 -> router public IP (82.x.x.38) -> OPT port PFsense (82.x.x.39) -> LAN

The problem rise today when a DSL line (DSL1) goes down and traffic is send alternatively on one good DSL (DSL2) but ALSO to adsl down (I think because round-robin still work)…

This is happened because the gateways (81.x.x.20 AND 82.x.x.38) respond OK either, it's router adresses and routers are OK.
The problem is in fact the DSL 1 line not the local (even public) IP.

How can avoid this kind of problems?
Maybe with another ruleset on firewall filter with another gateway groups in failover move (tier level 1/2) instead balance (tier 1/1) as I use now?

Thanks in advance, I hope I will be clear explaining my problem....

Ps. I attach a file explaining network base configuration an main firewall rule...
![Schermata 06-2456083 alle 19.32.37.jpg](/public/imported_attachments/1/Schermata 06-2456083 alle 19.32.37.jpg)
![Schermata 06-2456083 alle 19.32.37.jpg_thumb](/public/imported_attachments/1/Schermata 06-2456083 alle 19.32.37.jpg_thumb)

heper

you have to set the monitor ips for the gateway to some public ip that you won't be able to reach when the connection is failing. (your isp's dns servers or googles dns servers).
do note that when setting a monitor ip, a static route is added for that ip.
This will result that ANY traffic going to that ip will go out to the gateway where you've set the monitor-ip

sap68

@heper:

you have to set the monitor ips for the gateway to some public ip that you won't be able to reach when the connection is failing. (your isp's dns servers or googles dns servers).

Ok, I'll miss this part… I insert Google DNS just now.

@heper:

do note that when setting a monitor ip, a static route is added for that ip.
This will result that ANY traffic going to that ip will go out to the gateway where you've set the monitor-ip

I'm not shure I understand, can you explain again?
Thanks…

heper

lets say you set 1.1.1.1 as a monitor ip for GW1 and you set 2.2.2.2 as monitor ip for GW2
(do not attempt to use these example address' on actual devices)

Any connection from a LAN client will make to 1.1.1.1 will try to go out GW1, even if WAN1 is offline
Any connection from a LAN client will make to 2.2.2.2 will try to go out GW2, even if WAN2 is offline

So it might not be wise to insert an ip that you would want to failover of loadbalance.

kind regards

sap68

If I understand correctly I will be fine if I use google or open DNS servers IP as a gateway monitor, I'm right?

Ps.
I experienced in last few days some issues about https web sites, maybe it's better open a new topic about these?
Thanks again…

Nachtfalke

@sap68:

If I understand correctly I will be fine if I use google or open DNS servers IP as a gateway monitor, I'm right?

Yes, set google DNS 8.8.8.8 for GW1 and 8.8.4.4 for GW2. (Google DNS servers)
and in SYSTEM -> General Settings set other IP addresses as DNS servers. then everything should be finde.
Don't worry to much about that fact because I am not sure if this is still correct on actual pfsense version. the documentation/wiki could be a little bit outdatet on this point. Not 100%.

@sap68:

Ps.
I experienced in last few days some issues about https web sites, maybe it's better open a new topic about these?
Thanks again…

You can use sticky connections in SYSTEM -> ADVANCED

Or you create a separate firewall rule for destination port 443 and select GW1 as gateway. (or better create a GateWayGroup with GW1 Tier1 and GW2 Tier2 and set this Gatewyay Group as the Gateway for the https firewall rule.