Comcast Connection Failure rasied Havoc with DNS –



  • I have a relatively new pfSense 2.0.1 install on a SoeKris 5501-60.

    VR0 - WAN Cbeyond Static IP
        VR1 - WAN Comacast DHCP
        VR2 - LAN – Primary Tenant
        VR3 - LAN -- Secondary Tenant

    VR0 & VR1 are in a Tier 1 Shared connection Group.

    Two DNS Servers from CBeyond Spread across VR0 & VR1
        Two DNS Servers from Google Spread across VR0 & VR1  (8.8.8.8 / 8.8.4.4)

    Cbeyond is special in that it returns a 192.168.22.122 for sipconnect.atl0.cebyond.net.

    Well Comcast failed today and the VR1 link went to a down state.

    I appeared to loose all DNS resolution and specifically the CBeyond DNS as the SIP registry went away.


    Did I miss something in my configuration(s) ?

    JMS.


  • Netgate Administrator

    Are you running Siproxd on the box? Are you using the DNS forwarder?

    You should probably enter sipconnect.atl0.cebyond.net as a dns overide if you are since it won't resolve correctly from Google's DNS servers.

    Which WAN is set as default?
    You could try enabling 'Allow default gateway switching' in System: Advanced: Miscellaneous:

    Steve



  • Steve,

    SIPROXD is not ruining, no real need for it here.

    The problem with entering it as an override, in pfSense or the Asterisk box is that if CBeyond were to fail over somewhere else I would not follow.

    The Default route is the Comcast with specific Static routes to the CBeyond so that Voice is handled on the T1.  An the majority of the data traffic / Surfing is on the Comcast business class link.

    If I set this 'Allow default gateway switching' in System: Advanced: Miscellaneous:' How / when would it fail back if at all.  An why did my 1-1 NAT handle keeping this on the CBeyond network.

    A little puzzled by the actual results.

    –-----------


  • Netgate Administrator

    @Phonebuff:

    An why did my 1-1 NAT handle keeping this on the CBeyond network

    I'm not sure quite what you mean by that.

    What I suspect could be to do with your problem:
    You have load balancing/failover setup but you also have some policy based routing in place so that SIP traffic always goes via your CBeyond connection? I have a similar setup here.
    This works fine from the point of view of clients on the LAN. However it does not load balance or failover traffic generated by the pfSense box itself. That traffic will always use the system routing table to determine where it is sent. Hence running a proxy of any sort can be a problem.

    However re-reading your last post you say you have static routes in place which I would expect to get around this. Hmmm.
    I clearly don't have a handle on this!  ::)

    Do you have policy based routing in place?

    Could it be something simple like DNS not working correctly even under normal conditions?

    I don't know when the default gateway would switch back, if at all. Normally it wouldn't be a problem since only traffic that isn't handled by either load balancing or policy based routing will be affected.

    Steve



  • Generally that's because you don't have at least one DNS server assigned to each WAN under System>General Setup.



  • @CMB

    I was careful to set the Cbeyond DNS to pint at the CBeyond T1 due to the unique response to sipconnect.<city>.cbeyond.com.

    Static Routes exist for four ip Ranges all else will follow the "normal" routing rules.
              CBeyond  192.168
              CBeyond  74.7
              IPComms  69.154
              Postini    64.18

    It works great with both links up,  I will add some more detailed settings documents tonight, or maybe I will open a Commercial support case since I donated to the project via that route recently.

    Based on what you and Steve have told me, I think the failure has to do with the default gateway still pointing at the Comcast link, but I am really not sure what changes I need to make / want to make yet as the Comcast is in place due to the T1 being saturated with traffic to Cloud services and to many owners in the business using Pandora.  As if it switched over and not back this would be almost as bad as being down.

    TIA –--

    </city>


  • Netgate Administrator

    @Phonebuff:

    Static Routes exist for four ip Ranges all else will follow the "normal" routing rules.

    Just to be clear on this when you say static routes do you mean you added static routes to the system routing table or do you mean policy based routing?
    "Normal" routing would be follow the system routing table except where policy based routing or loadbalancing/failover is in effect. Your static rules (if that's what you have) could easily be by-passed by either of these.

    I think my previous post could have been under the influence of way too much caffeine!  ::)

    Steve



  • Steve,

    I went to System: Static Routes and added..

    192.168.0.0/16  WANGW -
        64.154.41.0/24  WANGW -
        64.18.0.0/20    WANGW -
        74.7.0.0/16      WANGW -

    System: Gateway Groups

    Wan1BalanceWan2    WANGW / GW_OPT2 (both Tier 1)

    What do you mean by Policy based Routing ?

    –--------------------------------------



  • @Phonebuff:

    maybe I will open a Commercial support case since I donated to the project via that route recently.

    Please do open a ticket or give us a call to go over in detail. Can follow up here with the resolution.


  • Netgate Administrator

    @Phonebuff:

    What do you mean by Policy based Routing ?

    You can route a particular device or subnet or protocol etc to use a particular gateway in a similar manner to using loadbalancing. You add a firewall rule and specify the gateway required. Traffic matching the rule will be routed accordingly. See:
    http://doc.pfsense.org/index.php/What_is_policy_routing%3F

    Using this method will catch any traffic that needs to be routed specifically before it is loadbalanced when the static routes are ignored. However you may still need the static routes on the box as services running on pfSense will always use the system routing table.

    If you can it will be way faster to use the commercial support option. I'd be interested in the outcome though.  :)

    Steve



  • Steve,

    Okay, I was not thinking in those terms, but that makes perfect sense and I know that I am not doing that right now.

    Will open a ticket tomorrow on this and a PPTP issue and then post back the solution needed.

    Thank you,
        =========



  • ==============

    Well sorry for the slow follow through.  When the Comcast went down I had two configuration issues.

    1.) My four DNS entries were set to Use Gateway (None) so they were trying to go our the Default Gateway which was down.  Now the are assigned two to Comcast, and Two to CBeyond.

    2.) In my rules I had not selected the Teir1 balanced Gateway Group just left the default *

    3.) When I did specify the Tier 1 Balanced Group I had to add a specific rule for all traffic from the Asterisk Box to ensure that it used the WAN not the Group.

    ====

    PPTP looks right but is not working, and I suspect a Windows box issue, not a pfSense issue.

    Thanks to All..

    ====



  • @Phonebuff:

    I appeared to loose all DNS resolution and specifically the CBeyond DNS as the SIP registry went away.

    –---------------------------------------------------------------------------------------------------

    Did I miss something in my configuration(s) ?

    JMS.

    I see you mentioned Asterisk later in the post.  The fact you lost all SIP registrations to the server is a very well documented Asterisk problem.  If your Asterisk server loses DNS resolution (sounds like you have a SIP trunk as this bug doesn't affect TDM devices from what I've heard), then it will fail to respond to SIP registrations itself.  There have been many attempts at work arounds (dns caching and such) but it will still always fail eventually.  It sounds like you got your DNS issues sorted, so you probably noticed your phones started to register at that point too…


Log in to reply