Failover using Linksys VoIP device
-
A great application for pfSense is the failover feature that assures incoming and outgoing VoIP calls continue uninterrupted during a WAN failure. Well, the current call would be lost but subsequent calls should go through. Failover of a WAN interface to another (opt) does work with a Windows PC on the LAN, but the Linksys analog adapter on the LAN doesn't fail over.
Packet captures reveal the unit is sending the register/login request out the LAN using UDP port 5060 during failover. The WAN (cable) and opt (DSL) packet captures do not reveal any of this traffic during a failover condition. The firewall log does not show this traffic being blocked. Both WAN addresses are in the public address range.
After 25 hours of changing every setting on the pfSense and Linksys adapter, I finally found that once a WAN failed the Linksys would not register to the VoIP server (which resides out on the Internet) unless I changed the UDP port it was registering with to another port, or left the port alone but changed the destination IP address to a different public VoIP server. Then it would work.
Here is a scenario.
Both WANs up and Linksys registers to a public VoIP server somewhere.
WAN 1 (cable) goes down. PCs on the LAN start using opt (DSL). Linksys registers to public server every 60 seconds until WAN1 goes down, then won't register until its port is changed or the destination IP address is changed.
Even if I power cycle the Linksys ATA it won't make it out the failover WAN until I change its port, or leave its port the same and change the destination IP to another public VoIP server IP address. I used the VoIP public server's IP address instead of URL to avoid DNS problems during diagnosis.
I'm not sure if this is a result of the Linksys behavior or UDP, since the PCs are using TCP. My uneducated guess is that the sticky bit is sticking during failover when it shouldn't. I am using RC1 and can't find anything about sticky bit other than it is in 1.2 and it is intended to provide WAN persistence to avoid a single session using multiple WANs.
I think this might be something in pfsense I'm not skilled enough to diagnose.
-
After further testing I am able to get the device to work normally if I reset the states right after failover. Doesn't pfSense need to flush states upon failover so the devices don't bind to the failed WAN? Is there any way to configure it to automatically flush all states on the failed WAN during a failover condition?
-
No, there is no need to flush the states. You should ensure that pfsync is running correctly which ensures the states are correct on both firewalls.
-
I thought pfsync was used with CARP to sync the primary router and backup router states. I'm only using a single pfSense on a single computer. Do I have to use CARP with two computers? I found a definition.
Pfsync is a computer program used to synchronize firewall states between machines running Packet Filter (PF) for High Availability. It's used along with CARP. When the main machine in the firewall cluster dies, the backup machine is able to accept current connections without loss.
My problem is that on a single pfSense with WAN failover I have to flush the states to get the Linksys adapter to take the failover route out to the Internet. What should I be looking for? I tried setting the state time to 1 second but nothing makes any difference on the UDP states in the firewall. They persist, and until I clear states the unit can't get out through the backup WAN. It appears that unless you clear all states that are related to the failed WAN at the time the WAN fails, these units using UDP have trouble. If the unit will only work when I remove the states pertaining to them and the failed WAN, how could it ever work unless you remove the states involved in the failure?
thanks
-
If this is a bug, is this the right place to post it or should I have brought it up somewhere else? I'm not familiar with the right procedure. I do want to help contribute to this product. I can donate a configured Linksys PAP2 ATA to one of your developers if needed. I don't think this is unique to Linksys though; I suspect it is UDP, since failover works with PCs browsing using TCP.
-
You're talking about multi-WAN failover, not CARP, which is what Scott was thinking.
It is indeed a consequence of the state table. There isn't a way to force a state table reset upon WAN failure yet, but expect it in a future release after 1.2.
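
As an added illustration of the reply above (not code from the thread or from pfSense): a dry-run shell script that finds the UDP states still tied to the failed WAN address and prints a targeted `pfctl -k` command for each LAN host and remote peer, as an alternative to resetting the whole state table. The addresses, sample state lines and function names are constructed, and the line layout is an assumption modelled on `pfctl -ss` output.

```shell
#!/bin/sh
# Added example, not from the thread: list LAN-host/peer pairs whose UDP
# states still carry the failed WAN address, and print kill commands for them.
# Assumption: input lines resemble `pfctl -ss` output with ip:port tokens.

# Constructed sample state lines (documentation addresses, not a real capture).
sample_states() {
cat <<'EOF'
all udp 192.168.1.50:5060 -> 203.0.113.10:5060 -> 198.51.100.20:5060       MULTIPLE:MULTIPLE
all tcp 192.168.1.20:51344 -> 203.0.113.10:51344 -> 198.51.100.80:443       ESTABLISHED:ESTABLISHED
all udp 192.168.1.50:5060 -> 192.0.2.77:5060 -> 198.51.100.21:5060       SINGLE:NO_TRAFFIC
all udp 192.168.1.60:5060 -> 203.0.113.10:5061 -> 198.51.100.20:5060       MULTIPLE:MULTIPLE
all udp 203.0.113.10:5062 (192.168.1.70:5060) -> 198.51.100.20:5060       MULTIPLE:MULTIPLE
EOF
}

# stale_udp_pairs FAILED_WAN_IP LAN_PREFIX   (reads state lines on stdin)
# Prints "lan_host peer" once per pair for UDP states that mention the WAN IP.
stale_udp_pairs() {
    awk -v wan="$1" -v lan="$2" '
        $2 == "udp" {
            host = ""; peer = ""; hit = 0
            for (i = 3; i <= NF; i++) {
                tok = $i
                gsub(/[()]/, "", tok)   # some pf versions print the LAN side in parentheses
                if (split(tok, p, ":") != 2 || p[1] !~ /^[0-9.]+$/) continue
                if (p[1] == wan) hit = 1
                else if (index(p[1], lan) == 1) host = p[1]
                else peer = p[1]
            }
            key = host " " peer
            if (hit && host != "" && peer != "" && !seen[key]++) print key
        }'
}

# Dry run: print, do not execute, one targeted kill per stale pair.
# `pfctl -k A -k B` removes every state from host A to host B.
kill_commands() {
    stale_udp_pairs "$1" "$2" | while read -r host peer; do
        echo "pfctl -k $host -k $peer"
    done
}

sample_states | kill_commands 203.0.113.10 192.168.1.
```

On a live firewall the input would come from `pfctl -ss` rather than `sample_states`, and the printed commands should be reviewed before being run.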
-
Thanks for the reply and thank you Scott also.
I don't blame you at all for putting this off to 1.3. I'm sure you are anxious to get 1.2 to production version. I'll be looking forward to 1.3 beta (fully realizing you said future, not 1.3 ;) ) since my application depends on the state reset to be able to use it. I'm excited about your product! And I like the way you handled this.
Thanks again!