Failover does not refresh routes
Hi! My name is Max. I am really new to pfSense, and I can't resolve this problem (nor my English either, sorry for that).
For testing purposes I'm trying to connect 2 LANs (offices; I expect to connect 3 more) via 2 WAN links (1 MPLS (private network) and 1 ADSL (public IP)).
I configured 2 "peer to peer" OpenVPN tunnels (one per WAN) between the offices (working OK).
Now… my idea was really simple.
LAN 1 ------ WAN 1 ------ OPEN VPN --------- WAN Central 1 -------- LAN 2
------WAN 2 ------ OPEN VPN --------- WAN Central 2 -------- /
But it doesn't work, neither failover nor load balancing.
Both OpenVPN tunnels are healthy; I can see every single host on each LAN when both connections are up.
The problem appears when I test failover by disabling one WAN interface (either one).
The ping times out. In every case I must enable the interface and restart the router. I checked the firewall rules, and they seem to be OK. I opened ports for the OpenVPN and for traffic between the LANs using the failover group.
One important problem I see in my routing table: the two pfSense boxes choose different WANs.
A ping to LAN 1 goes out by WAN 2 and comes back by WAN 1. That's my first issue, because WAN1 is in TIER1 on both pfSense boxes.
The real problem is when I disable one WAN interface (either one): the ping times out, and the Gateway/OpenVPN goes down, but pfSense doesn't change the routing table... it never refreshes it and doesn't fail over!
Any clue? I don't paste screenshots because I can't decide which one!
Sorry again for my bad English! I read a lot in the forums and I can't find any similar topic.
Thanks a lot!
In 2.1-RC0 you can use failover groups for OpenVPN. I don't think this feature is available in 2.0.n. It works for me using pfSense 2.1-RC0.
On the OpenVPN server end, select a failover group as the server interface. The server will then listen on the highest tier interface that is up in the failover group.
On the OpenVPN client end, select a failover group as the client interface. The client will go out the highest tier interface that is up in the failover group.
Now the client needs to know where to find the server (which public WAN IP it is listening on). There are 2 ways to do this:
a) Have a Dynamic DNS name for each server WAN interface (e.g. server1.dyndns-ip.com and server2.dyndns-ip.com).
In the client settings "Server host or address" put:
In the advanced settings box put:
remote server2.dyndns-ip.com 1194
(use the port number that the server is listening on)
The client will try both places each minute or so until it finds a connection.
b) Have a single Dynamic DNS name "server.dyndns-ip.com". In the dynamic DNS settings, "Interface to monitor", select the failover group. Then pfSense will change the definition of "server.dyndns-ip.com" when the interface status changes.
Make the client "Server host or address" be:
This Dynamic DNS name will always point to wherever the server is listening.
Hi Phil, thanks for your answer. Now I think I have 3 problems instead of 1.
The version of pfSense, and I quote: 2.0.3-RELEASE (i386)
built on Fri Apr 12 10:22:21 EDT 2013 FreeBSD 8.1-RELEASE-p13.
I have two WAN connections, one of them standard ADSL with a fixed IP and the other one MPLS "dedicated" with private IPs 10.X.X.X; it's a ring between the offices and doesn't have public access. I give the access through the Central Office, which means I cannot switch client/server OpenVPN because they can't see each other.
I establish one VPN on port 1194 using MPLS,
and another OpenVPN on 1195 using both ADSLs.
So, I have/need 2 point-to-point connections; I don't need to view outside my intranet using these connections.
I can't get pfSense to refresh the routes after a failure. For example, this route belongs to MPLS:
192.168.1.0/24 10.11.12.2 UGS 0 474653 1500 ovpns1
If I disable the interface, pfSense keeps trying to connect this way regardless of the fact that the other OpenVPN is UP and free.
- I'm not sure how to do this… but I don't think this is valid for my scenario.
"On the OpenVPN server end, select a failover group as the server interface. The server will then listen on the highest tier interface that is up in the failover group.
On the OpenVPN client end, select a failover group as the client interface. The client will go out the highest tier interface that is up in the failover group."
Thank you again for your answer; it gives me some options to think about. I'm really frozen.
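As an added illustration (not from the thread, and not pfSense's own code), here is a small Python check that parses FreeBSD `netstat -rn` output in the format of the route line quoted above and reports remote-LAN routes that still point at a tunnel interface that is down, or at a lower-tier tunnel than the gateway group should be using. The tier order, the second tunnel (ovpns2) and all sample routes other than the quoted one are assumed.

```python
# Constructed sample of `netstat -rn` output on a pfSense 2.0.x box. The
# 192.168.1.0/24 line is the one quoted in the thread; the rest is invented.
SAMPLE_ROUTES = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Mtu    Netif Expire
default            203.0.113.1        UGS         0   123456   1500    em1
10.11.12.0/24      10.11.12.2         UGS         0     5555   1500 ovpns1
192.168.1.0/24     10.11.12.2         UGS         0   474653   1500 ovpns1
10.13.14.0/24      10.13.14.2         UGS         0     4444   1500 ovpns2
192.168.2.0/24     10.13.14.2         UGS         0     3333   1500 ovpns2
"""

# Assumed tier order of the two tunnels: MPLS tunnel first, ADSL tunnel second.
TIERS = ["ovpns1", "ovpns2"]


def parse_routes(netstat_text):
    """Parse FreeBSD `netstat -rn` lines into dicts; skips headers/blank lines."""
    routes = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "Destination":
            continue
        routes.append({"dest": parts[0], "gateway": parts[1],
                       "flags": parts[2], "netif": parts[-1]})
    return routes


def expected_netif(tiers, up_ifaces):
    """Highest-tier tunnel interface that is currently up (None if all down)."""
    for netif in tiers:
        if netif in up_ifaces:
            return netif
    return None


def audit_lan_routes(routes, lan_nets, tiers, up_ifaces):
    """Map each remote LAN prefix to (actual netif, expected netif, status)."""
    want = expected_netif(tiers, up_ifaces)
    by_dest = {r["dest"]: r for r in routes}
    report = {}
    for net in lan_nets:
        r = by_dest.get(net)
        if r is None:
            report[net] = (None, want, "missing")
        elif r["netif"] not in up_ifaces:
            report[net] = (r["netif"], want, "stale")       # route not refreshed after tunnel loss
        elif r["netif"] != want:
            report[net] = (r["netif"], want, "wrong-tier")  # usable, but not the tier-1 path
        else:
            report[net] = (r["netif"], want, "ok")
    return report
```

Feed it real `netstat -rn` output and the set of tunnel interfaces reported up by the gateway monitor; a "stale" entry after disabling a WAN is exactly the symptom described in this thread.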
I think you only need to run 1 OpenVPN server and 1 OpenVPN client. Your requirement is probably something like:
a) Use the MPLS for the OpenVPN link when it is up; otherwise
b) failover to using OpenVPN across the public internet.
Your MPLS has static IP addresses (10.n.n.n) known to you. So you do not need to use Dynamic DNS for that. Make your gateway groups have the MPLS gateway as tier1 and ADSL as tier2.
On the client you can specify the server address directly, you do not have to put a DNS name. So specify the main address of the server as 10.n.n.n and in the advanced box, put the extra "remote" command using the Dynamic DNS name that points to the server-end ADSL connection.
The server will normally listen on MPLS, and the client will connect over MPLS. If MPLS is down, the server will switch to listening on ADSL, and the client will connect that way.
First, I think you need to be running 2.1-RC0 - if you are just doing this with test boxes, then you should be able to do that. Depending on your organisation policy about running Release Candidates, you might have to wait a bit until 2.1-RELEASE happens to put it in production.
Thank you very much Phil, I can't resolve it.
I disabled one interface and pfSense never refreshed the new route… I added push routes to the advanced configuration in the OpenVPN server and client, and forced the routes via the command prompt, and I am able to see with one connection (MPLS). But I must restart every time; it's a shame, but I cannot point the same destination range (e.g. 192.168.0.1/24) at two different gateways, 10.0.0.0/24 (MPLS) and the public IP using ADSL. The last one always overlaps the route, even if the interface at the server is disabled.
Now I think that, because of the changes I made, the second OpenVPN can't connect; perhaps both of them point to the same network.... push "route 192.168.0.0 255.255.255.0" on the server side
and push "route 192.168.1.0 255.255.255.0" on the client side
I can't use the multiple remote configuration as you told me, because the ADSL connection can never see the MPLS connection; remember that one is a private link between the offices managed by the telco.
I think I can only create 2 peer-to-peer VPNs, one over MPLS and the other over MPLS, and switch VPNs like gateways. But I couldn't do it.
Thank you very much, you showed me other ways to see my problem. Tomorrow I'll keep trying.