Failover routing



  • we have 500 - 1000 us for a failover routing solution for pfsense.
    I would be considered on the tools used and the practicality of deployment with a dynamic routing protocol
    feel free to post some ideas of how this could be done and we can start
    depositing some funds to make some progress.

    alan 8)



  • When you say dynamic failover routing protocols, would carp count?

    If so, I can help you with a fully redundant solution.  Contact me at sullrich@gmail.com



  • Would the already built in OLSR.org mesh software suffice for this?  I gathered from the forums that it just needs a GUI.
    If OLSR gui or other development suggestions appeal to us, we would add $300 hundred or more to this bounty.
    We want pfSense to do something like this…
    http://www.oreillynet.com/pub/a/etel/2006/02/10/free-mesh-networking-with-metrix-pebble.html?page=2
    And, does olsr route IP only or any protocol (ie. pass ethernet traffic as a common ethernet switch would)



  • possibly see the next post for an outline of exactly what we are trying to achieve



  • Dynamic failover routing.

    The idea that we are looking for is probably not carp, scott. But I will outline it to you and you can judge for yourself.

    Wan1 ------------------------|
                                 |
                              Pfsense ------------- lan
                                 |
    Wan2 (internal ospf network)--

    If wan 1 is up use this route and broadcast this route via ospf or similar via wan 2 to allow other nodes to use this gateway.

    If wan1 is down broadcast the fact and use the ospf routing table for finding the next gateway on wan2.

    I was thinking that if the gateway feature was used in pfsense to assess whether wan1 was active if it was not use wan2.

    There are other pfsense boxes at the edge routing points of the ospf network.

                  lan
                   |
                   |
    Wan1--------pfsense
                   |
                   |
              Wan2(ospf)------ospf network------|
                                                |
                                                |
                  Lan                           |
                   |                            |
    Wan1--------pfsense                         |
                   |                            |
                   |                            |
              Wan2(ospf)------ospf network------|---(etc)
                                                |
                                                |
                  Lan                           |
                   |                            |
    Wan1--------pfsense                         |
                   |                            |
                   |                            |
              Wan2(ospf)------ospf network-------

    And so on and so forth. There are about ten routes on the ospf network, varying in size and type. The core ospf network works fine. But to use Pfsense on the edge boxes would be great.

    Looks forward to a reply. If you don’t think it is what you were thinking let me know and I will post it to this bounty section.



  • olsr can do this
    you need a pfsense server with 3 network cards
    wan,lan,opt1

    give all the pfsense opt1 network cards IP addresses in the same network range
    open a shell on the pfsense server
    cd /usr/local/etc
    nano olsrd.conf
    type this in:

    DebugLevel      2
    IpVersion      4
    ClearScreen    yes

    # HNA IPv4 routes
    # syntax: netaddr netmask
    # Example Internet gateway:
    # 0.0.0.0 0.0.0.0

    Hna4
    {
    #  Internet gateway:
    #  0.0.0.0      0.0.0.0
    #  more entries can be added:
    #  192.168.1.0  255.255.255.0
    #10.141.254.0    255.255.255.0
    10.141.250.0    255.255.255.0
    0.0.0.0 0.0.0.0
    }

    close the file with control + X
    the 10.141.250.0 in the file is the local lan network you want to broadcast to the olsrd mesh so that clients on another olsrd pfsense server can connect to that
    the 0.0.0.0 in the file is telling the olsrd mesh that this olsrd node has an internet connection and that olsrd pfsense servers can use that one if they don't have one or lost one

    start olsrd
    olsrd -i xl0 >> /dev/null &
    replace xl0 with your opt1 card
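
An added example, not part of the original post: a Python check of what an olsrd.conf Hna4 block will announce into the mesh, since every uncommented entry (including 0.0.0.0 0.0.0.0) is advertised to the other nodes. The function names, the allowed-LAN list and the constructed sample text (based on the post's Hna4 block) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample based on the Hna4 block in the post above.
SAMPLE_CONF = """\
DebugLevel      2
IpVersion       4

Hna4
{
#  Internet gateway:
#  0.0.0.0      0.0.0.0
#10.141.254.0    255.255.255.0
10.141.250.0    255.255.255.0
0.0.0.0 0.0.0.0
}
"""

def parse_hna4(conf_text):
    """Return the IPv4 networks that the Hna4 block of an olsrd.conf announces."""
    uncommented = re.sub(r"#.*", "", conf_text)          # drop '#' comments
    block = re.search(r"\bHna4\s*\{(.*?)\}", uncommented, re.S)
    if block is None:
        return []
    networks = []
    for line in block.group(1).splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"expected 'netaddr netmask', got {line.strip()!r}")
        # strict=True rejects host bits, e.g. 10.141.250.1 255.255.255.0
        networks.append(
            ipaddress.IPv4Network(f"{fields[0]}/{fields[1]}", strict=True))
    return networks

def audit_hna4(conf_text, allowed_lans):
    """Return (announces_default_route, networks outside allowed_lans)."""
    allowed = [ipaddress.IPv4Network(n) for n in allowed_lans]
    default = ipaddress.IPv4Network("0.0.0.0/0")
    announced = parse_hna4(conf_text)
    unexpected = [n for n in announced
                  if n != default and not any(n.subnet_of(a) for a in allowed)]
    return default in announced, unexpected

if __name__ == "__main__":
    gateway, extra = audit_hna4(SAMPLE_CONF, ["10.141.250.0/24"])
    print("announces default route:", gateway)
    print("announcements outside allowed LANs:", [str(n) for n in extra])
```

Running it on each node's config before starting olsrd shows which nodes will offer themselves as internet gateways and whether any node announces a network it should not.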



  • do the other boxes with the ospf network need to have olsr as well, i guess to allow for the routing to go cleanly
    is there any way of importing olsr routes into ospf to stop a redesign of an already functioning ospf network.

    looks like you might have an answer. is this theory or practical. does it really work, what sort of hardware requirements



  • all the pfsense servers need to run olsrd, which is already on the pfsense server, installed by default
    more info on olsrd you find here:
    http://www.olsr.org/
    olsrd is most used on wireless networks
    so that you can put a node on a high tower and forget about the routing stuff
    you do only the local routing stuff
    the rest olsr will find out by itself
    if one node breaks down the olsrd network will route the routes around the problem
    if a new node is installed and has a faster route than a -> b then the network will use the faster route
    so it's not only reporting if it has internet or not
    it's also reporting which nodes it can see and how fast the route to them is and what routes are lying behind the olsrd network node that don't use olsrd, like the local lan network
    so that that can be connected from all the olsrd servers

    your network will look something like this:

                     lan 10.0.0.0/24
                      |
                      |
       Wan1--------pfsense 1
                      |
                      |
    192.168.1.1  opt1(olsrd)------olsrd network------|
                                                     |
                                                     |
                     Lan 10.0.1.0/24                 |
                      |                              |
       Wan1--------pfsense 2                         |
                      |                              |
                      |                              |
    192.168.1.2  opt1(olsrd)------olsrd network------|---(etc)
                                                     |
                                                     |
                     Lan 10.0.2.0/24                 |
                      |                              |
       Wan1--------pfsense 3                         |
                      |                              |
                      |                              |
    192.168.1.3  opt1(olsrd)------olsrd network------|
                                                     |
                                                     |
                     Lan 10.0.3.0/24                 |
                      |                              |
                  -pfsense 4                         |
                      |                              |
                      |                              |
    192.168.1.4  wan(olsrd)-------olsrd network-------

    pfsense server 1 on 192.168.1.1 will report
      it has internet and a direct route to 10.0.0.0/24
      a route to node 192.168.1.2
      a route to node 192.168.1.3
      a route to node 192.168.1.4
      a route to 10.0.1.0/24 via 192.168.1.2 / 192.168.1.3 / 192.168.1.4
      a route to 10.0.2.0/24 via 192.168.1.3 / 192.168.1.2 / 192.168.1.4
      a route to 10.0.3.0/24 via 192.168.1.4 / 192.168.1.2 / 192.168.1.3
      a route to 0.0.0.0 via 192.168.1.2
      a route to 0.0.0.0 via 192.168.1.3

    pfsense server 2 on 192.168.1.2 will report
      it has internet and a direct route to 10.0.1.0/24
      a route to node 192.168.1.1
      a route to node 192.168.1.3
      a route to node 192.168.1.4
      a route to 10.0.0.0/24 via 192.168.1.1 / 192.168.1.3 / 192.168.1.4
      a route to 10.0.2.0/24 via 192.168.1.3 / 192.168.1.1 / 192.168.1.4
      a route to 10.0.3.0/24 via 192.168.1.4 / 192.168.1.1 / 192.168.1.3
      a route to 0.0.0.0 via 192.168.1.3
      a route to 0.0.0.0 via 192.168.1.1

    pfsense server 3 on 192.168.1.3 will report
      it has internet and a direct route to 10.0.2.0/24
      a route to node 192.168.1.1
      a route to node 192.168.1.2
      a route to node 192.168.1.4
      a route to 10.0.0.0/24 via 192.168.1.1 / 192.168.1.2 / 192.168.1.4
      a route to 10.0.1.0/24 via 192.168.1.2 / 192.168.1.1 / 192.168.1.4
      a route to 10.0.3.0/24 via 192.168.1.4 / 192.168.1.1 / 192.168.1.2
      a route to 0.0.0.0 via 192.168.1.1
      a route to 0.0.0.0  via 192.168.1.2

    pfsense server 4 on 192.168.1.4 will report
      it has a direct route to 10.0.3.0/24
      a route to node 192.168.1.1
      a route to node 192.168.1.2
      a route to node 192.168.1.3
      a route to 10.0.0.0/24 via 192.168.1.1 / 192.168.1.2 / 192.168.1.3
      a route to 10.0.2.0/24 via 192.168.1.3 / 192.168.1.1 / 192.168.1.2
      a route to 10.0.1.0/24 via 192.168.1.2 / 192.168.1.1 / 192.168.1.3
      a route to 0.0.0.0 via 192.168.1.1
      a route to 0.0.0.0 via 192.168.1.2
      a route to 0.0.0.0 via 192.168.1.3

    pfsense server 4 doesn't have internet and uses pfserver 1, 2 or 3 for its internet connections depending on which one it can reach fast

    if ospf can read the kernel routes then it can use the routes that olsrd adds or removes from the kernel routing tables

    olsrd itself doesn't read from these tables, it has tables with routing info and info of the time it takes to make a connection to a node on a route
    and which nodes have which routes to which nodes etc etc



  • …[olsr] will always use IP addresses…
    Is there any way to get OLSR to pass regular ethernet (MAC) traffic, such as using VPN over OLSR all done in pfSense, or other trick?
    Another possibility if the above won't work: Can pfSense in Bridge mode also do "spanning tree protocol"?  If so, is this possible solution worthy?
    Thank you for the helpful replies,
    -Pete



  • @pcatiprodotnet:

    Another possibility if the above won't work: Can pfSense in Bridge mode also do "spanning tree protocol"?

    Yep, on non-wireless bridges it does this by default.

    @pcatiprodotnet:

    If so, is this possible solution worthy?

    Not really sure.



  • on non-wireless bridges it does this by default.
    How do you enable it on Wireless bridges?  And, is using it over wireless known to be problematic?



  • Why would you want it on wireless?



  • Why would you want [spanning tree protocol] on wireless?
    I thought it might route wireless bridged ethernet traffic around down wireless nodes.  I guess not.

    My Goal:  LANs in multiple buildings all linked together by ethernet Bridge over wireless Mesh (I assume olsr.org is the best).

    Perhaps using OLSR plus "ethernet over IP" (such as VPN) to pass ethernet MAC traffic wirelessly between sites, all accomplished in pfSense, could make it appear to every PC in every building that they are on the same "local" ethernet LAN.  Is this possible?  If so, how do I configure pfSense to do this?

    Thanks, -pc



  • we are using a routed network rather than a bridge network.
    we have nodes with their own internet connection and a large
    network to link them all together.

    if an internet connection fails on a node then we manually reconfigure
    the routes onto our ospf backbone to use another route.

    if your network is in any way going to grow use routing and not bridging
    it will be far more stable in our experience.

    each of our nodes support 30 -100 wireless clients

    we presently have 8 nodes and a 20 box backhaul system.

    I think there are issues with olsr and ospf. from my recent reviews it seems that
    olsr routes in the kernel are not recognised correctly by ospf. (but don't really know as
    we don't really have any knowledge of olsr)

    We were thinking of working with the load balancing pool features in pfsense.
    but this might not work too well either because it does not seem to touch the
    routing table. Is this true?

    Maybe if we can consolidate some thoughts a little better we can do something here.
    are there many more thoughts from the core team. would this be worth you spending
    your time on. or are we a little too far over in the left field.

    we have no choice but to spend money on it so i would love to give some to the
    fine pfsense team



  • if your network is in any way going to grow use routing and not bridging it will be far more stable in our experience.
    Thanks for the tip aldo!  I'm a Programmer, but new to networking/wireless, and I appreciate any expert advice.
    I had desired Bridging so a single Captive Portal could control all clients, but that may not be a good idea either.
    -Pete



  • you could still do this with routing. if you don't use nat on one side of the network
    just route through it. captive portal could still work for you.

    i know the drama of design is a far different one than the doing of it though
    continually fraught with try to do stuff but not spent money.

    i think i would prefer to be a programmer then maybe your only limitation is
    how large your brain is.

    good luck i will take some time with olsr in the next week and see what
    it can do. i think it might be more powerful than i think, even if it
    is a very immature product



  • @pcatiprodotnet:

    …[olsr] will always use IP addresses…
    Is there any way to get OLSR to pass regular ethernet (MAC) traffic, such as using VPN over OLSR all done in pfSense, or other trick?
    Another possibility if the above won't work: Can pfSense in Bridge mode also do "spanning tree protocol"?  If so, is this possible solution worthy?
    Thank you for the helpful replies,
    -Pete

    olsrd will work on vpn just use the vpn interface as the interface for olsrd then on both sides of the vpn
    if the interface can route then olsrd can work on it



  • Is an olsr node capable of accepting RIP route information on its non-olsr interface?
    Thanks, -pc



  • yes but olsrd will not read the kernel routes
    so info from rip can be rewritten by olsrd

    just like rip is rewriting the kernel routes that olsrd has put in



  • just wondering about whether anyone has come up with any great ideas here. it seems one of the core issues could lie in how pfsense managed a dynamic routing table.
    do we think that the changes made to olsrd would allow this to happen or that olsrd only works well within a subnet.

    has anyone had any time to test what scott has done so far. i am an ospf bgp player so this olsrd is new to me. we would definitely consider it if it looks like it might be a practical solution.



  • i guess i could close this now. i have managed to get quagga running a few months ago and it serves my purpose. does anyone have any get extensions to this that would allow them to collect this bounty? if not i will close the offer


Locked