Failover does not work, or i dont understand multi-wan tiers
-
Im using a 2 WAN 1 Lan setup on my pfsense.
Have made a gateway group called "balanceo" and assigned to my lan open ports rule.The problem its that failover on WAN1 or WAN2 is not working, if one of two goes down and is not the default gateway all the conection is lost.
I have checked in misc options "Allow default gateway switching"
And reading the tutorial http://doc.pfsense.org/index.php/Multi-WAN_2.0 have doubts in this part:
Failover
When two gateways are on different tiers, the lower tier gateway(s) are preferred. If a lower tier gateway goes down, it is removed from use and the next highest tier gateway is used.
Combinations
Because of the tier system, you can have any number of combinations of load balancing and failover that you like, such as One WAN that if it goes down fails to two load balancing WANs that if both go down fail to three load balancing WANs, and so on. The only limit is that there are only 5 tiers so such configurations can only go 5 levels deep.
This mean that my config with TIER1 in both WANs will not work and i need to create 2 more gateway group and firewall rules? (1 with wan1 up and wan2 down with different tears and vice versa) ???
-
Did you tick the "Flush states when gateway goes down" option under System->Advanced->Misc->Gateway Monitoring? Try unticking it first and then restart pfSense.
If it does not help, You could create some floating rules for WAN1 and WAN2 like:
Interfaces: WAN1, WAN2
Direction: Out
Protocol: TCP/UDP
Destination ports: 80, 443, 53, etc.
Gateway: balanceo
Quick: yesThis forces traffic to always go thru the failover/load-balancer gateway group.
For ICMP, use a separate floating rule using "default" as the gateway.
-
Did you tick the "Flush states when gateway goes down" option under System->Advanced->Misc->Gateway Monitoring? Try unticking it first and then restart pfSense.
have been always untick, i will try the floating rules and tell you
-
Have you put it to work?
I have a cenario like that, with failover, and if put a rule on Lan interface redirecting email traffic (25,110,465,587) to the failover gateway, i get an "closed :syn sent" in diagnostics -> states, while without failover gateway it works. -
You've have created balancing group correctly, but what about the fail-over groups!? I don't think its going to work without those two!
Even I use 2 wan setup and fail-over properly working on real-time. Follow these stepsHere's what you need to do; under the same Gateway Groups, considering you've already created a group for balancing.
-
Create a second group, description name "Wan1 Fail Wan2 Use" and priority set wan1 to Tier1 and wan2 to Tier2, set "Trigger level" to member down.
-
Create a third group, description name "Wan2 Fail Wan1 use" and priority set wan1 to Tier2 and Wan2 to Tier1, set "Trigger level" to member down.
Now Coming Firewall Rules –> LAN, you need to create a two new rule considering you've already created a rule for balancing,
LIKE 1) BALANCE RULE
Interfaces: Lan
Protocol: ANY
Source: LAN SUBNET
Destination ports: ANY
Gateway;BALANCE- FAILOVER RULE
Interfaces: Lan
Protocol: ANY
Source Address: ANY
Destination ports: ANY
Gateway;Wan1 Fail Wan2 Use- FAILOVER RULE
Interfaces: Lan
Protocol: ANY
Source Address: ANY
Destination ports: ANY
Gateway;Wan2 Fail Wan1 useMake sure to place them on top of the lan rules, and forget abt misc settings!
This is more them enough for fail-overs. -
-
If I put this rule on top of my lan rules, it will just route the traffic through the failover gateway or it will pass all traffic too?
Thanks!
-
It'll Pass all the traffic to alive gateway in case of any one wan fail-over!