FailOver no refresh routes (Netgate Discussion Forum, Routing and Multi WAN)
      madmax26:

      Hi! My name is Max. I am really new to pfSense, and I can't resolve this problem (nor my English, sorry for that).

      For testing purposes I'm trying to connect 2 LANs (offices; I expect to connect 3 more) via 2 WAN links (1 MPLS (private network) and 1 ADSL (public IP)).

      I configured 2 "peer to peer" OpenVPN tunnels (one per WAN) between the offices (working OK).

      Now… my idea was really simple.

      LAN 1 ------ WAN 1 ------ OPEN VPN --------- WAN Central 1 -------- LAN 2
              ------WAN 2 ------ OPEN VPN --------- WAN Central 2 -------- /

      But it doesn't work, neither failover nor load balancing.
      Both OpenVPN tunnels are healthy; I can see every single host on each LAN when both connections are up.

      The problem appears when I test failover by disabling one WAN interface (any one).

      The ping times out. In every case I must enable the interface and restart the router. I checked the firewall rules, and they seem to be OK. I opened ports for the OpenVPN and traffic between the LANs using the failover group.

      One important problem I see in my routing table: the two pfSense boxes choose different WANs.

      A ping to LAN 1 goes out by WAN 2 and comes back by WAN 1. That's my first issue, because WAN1 is in TIER1 in both pfSense boxes.
      The real problem is when I disable one WAN interface (any one): the ping times out, and the gateway/OpenVPN goes down, but pfSense doesn't change the routing table... it never refreshes it and doesn't fail over!

      Any clue? I don't paste screens because I can't decide which one!

      Sorry again for my bad English! I read a lot in the forums and I can't find any similar topic.

      Thanks a lot!

        phil.davis:

        In 2.1-RC0 you can use failover groups for OpenVPN. I don't think this feature is available in 2.0.n. It works for me using pfSense 2.1-RC0.
        On the OpenVPN server end, select a failover group as the server interface. The server will then listen on the highest tier interface that is up in the failover group.
        On the OpenVPN client end, select a failover group as the client interface. The client will go out the highest tier interface that is up in the failover group.
        Now the client needs to know where to find the server (which public WAN IP it is listening on). There are 2 ways to do this:
        a) Have a Dynamic DNS name for each server WAN interface (e.g. server1.dyndns-ip.com and server2.dyndns-ip.com).
        In the client settings "Server host or address" put:

        server1.dyndns-ip.com
        

        In the advanced settings box put:

        remote server2.dyndns-ip.com 1194
        

        (use the port number that the server is listening on)
        The client will try both places every minute or so until it finds a connection.

        b) Have a single Dynamic DNS name "server.dyndns-ip.com". In the dynamic DNS settings, "Interface to monitor", select the failover group. Then pfSense will change the definition of "server.dyndns-ip.com" when the interface status changes.
        Make the client "Server host or address" be:

        server.dyndns-ip.com
        

        This Dynamic DNS name will always point to wherever the server is listening.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          madmax26:

          Hi Phil, thanks for your answer. Now I think I have 3 problems instead of 1.

          1. The version of pfSense, and I quote: 2.0.3-RELEASE (i386)
            built on Fri Apr 12 10:22:21 EDT 2013 FreeBSD 8.1-RELEASE-p13.

          2. I have two WAN connections, one of them standard ADSL with a fixed IP and the other one MPLS "dedicated" with private IPs 10.X.X.X; it's a ring between the offices and doesn't have public access. I give the access through the central office; that means I cannot switch client/server OpenVPN because they can't see each other.

          I establish one VPN at port 1194 using MPLS,
          and another OpenVPN at 1195 using both ADSL.

          So, I have/need 2 point-to-point connections; I don't need to see outside my intranet using these connections.

          I can't get pfSense to refresh the routes after a failure. For example, this route belongs to MPLS:

          192.168.1.0/24 10.11.12.2 UGS 0 474653 1500 ovpns1

          If I disable the interface, pfSense keeps trying to connect this way regardless of the fact that the other OpenVPN is UP and free.

          3. I'm not sure how to do this... but I don't think this is valid for my scenario.
            "On the OpenVPN server end, select a failover group as the server interface. The server will then listen on the highest tier interface that is up in the failover group.
            On the OpenVPN client end, select a failover group as the client interface. The client will go out the highest tier interface that is up in the failover group."

          Thank you again for your answer; it gives me some options to think about. I'm really frozen.

            phil.davis:

            I think you only need to run 1 OpenVPN server and 1 OpenVPN client. Your requirement is probably something like:
            a) Use the MPLS for the OpenVPN link when it is up; otherwise
            b) failover to using OpenVPN across the public internet.

            Your MPLS has static IP addresses (10.n.n.n) known to you. So you do not need to use Dynamic DNS for that. Make your gateway groups have the MPLS gateway as tier1 and ADSL as tier2.
            On the client you can specify the server address directly, you do not have to put a DNS name. So specify the main address of the server as 10.n.n.n and in the advanced box, put the extra "remote" command using the Dynamic DNS name that points to the server-end ADSL connection.
            The server will normally listen on MPLS, and the client will connect over MPLS. If MPLS is down, the server will switch to listening on ADSL, and the client will connect that way.

            First, I think you need to be running 2.1-RC0 - if you are just doing this with test boxes, then you should be able to do that. Depending on your organisation policy about running Release Candidates, you might have to wait a bit until 2.1-RELEASE happens to put it in production.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

              madmax26:
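The client-side setup Phil describes (the server's MPLS address as the primary remote, the ADSL Dynamic DNS name as the fallback, one tunnel carrying the route) written out as raw OpenVPN directives; this is an added example, not from the thread or from pfSense's generated configuration, and 10.n.n.n, server-adsl.example and the ports are placeholders.

```conf
# Added example: site-to-site OpenVPN client, tunnel authentication
# (certificates or shared secret) omitted.
dev tun
proto udp
nobind

# Remotes are tried in the order listed (remote-random is NOT set),
# so the MPLS address is preferred and the ADSL name is only used
# when the MPLS path fails.
# Placeholders: 10.n.n.n = server's MPLS address (pfSense GUI field
# "Server host or address"); server-adsl.example = Dynamic DNS name
# of the server's ADSL WAN (pfSense GUI "Advanced" box).
remote 10.n.n.n 1194
remote server-adsl.example 1194

# Keep retrying name resolution and the remote list instead of exiting.
resolv-retry infinite
connect-retry 5

# Dead-path detection: a ping every 10 s, and if nothing is heard for
# 60 s the client restarts and moves on to the next remote.
ping 10
ping-restart 60
persist-key
persist-tun

# Only this one tunnel carries the route to the far LAN, so no second
# tunnel's route overlaps it when an interface goes down.
route 192.168.0.0 255.255.255.0
```

The server end has no raw-config equivalent here; as the thread says, pfSense 2.1 selects the server's listening interface from the failover group itself.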

              Thank you very much Phil, I can't resolve it.

              I disable one interface and pfSense never refreshes the new route... I added push route to the advanced configuration in the OpenVPN server and client, and forced the routes via the command prompt, and I'm able to see with one connection (MPLS). But I must restart every time; it's a shame, but I cannot point the same range of destination (e.g. 192.168.0.1/24) using two different gateways, 10.0.0.0/24 (MPLS) and a public IP using ADSL. The last one always overlaps the route even if the interface at the server is disabled.

              Now I think that because of the changes I made, the second OpenVPN can't connect; perhaps both of them point to the same network.... push "route 192.168.0.0 255.255.255.0" on the server side
              and push "route 192.168.1.0 255.255.255.0" on the client side.

              I can't use the multiple remote configuration as you told me because the ADSL connection can never see the MPLS connection; remember that one is a private link between the offices managed by the telco.

              I think I can only create 2 peer-to-peer VPNs, one over MPLS and the other over MPLS, and switch VPNs like gateways. But I couldn't do it.

              Thank you very much, you showed me other ways to see my problem. Tomorrow I'll keep trying.
