Unclear on multi WAN failover setup



  • Apparently I have not yet figured out how to get pfSense 2.1 to fail over to DSL when the cable goes down. Comments and suggestions on our setup are eagerly sought.

    We have a Logic Supply Atom D525 box with a total of 6 NICs and a WLAN card. The two motherboard NICs are connected to the LAN switch and the cable modem respectively. One of the daughterboard NICs is connected to a DSL modem. The WLAN card is WLAN0, which we use to provide a guest network for visitors.

    I have two gateways defined. The cable is WAN1 and the DSL is WAN2. I have defined a gateway group, Failsafe, with WAN1 as tier 1 and WAN2 as tier 2. I have designated multiple DNS servers on each providers' network. No static routing rules are defined. There is a firewall rule on the LAN interface to route DNS queries from LAN to the WAN2 provider servers via WAN2. There is another rule on the LAN interface, source LAN to destination any via Failsafe.

    Now when WAN1 goes down, I will see a short burst of traffic on WAN2, then nothing. I can't do DNS lookups. Outbound traffic doesn't seem to be failing over to WAN2.

    A possibly related issue is that when I edit the gateways, if I uncheck the "Default Gateway" checkbox for WAN1, it always comes back checked.

    The pfSense wiki mentions setting up a total of three gateway groups for a 2-WAN configuration: two failover groups and a load balancing group. I don't understand how the routing (or firewall) rules would be configured for this case.

    Can someone explain how to configure a working 2-WAN failover setup, please? Thanks in advance.



  • What you described sound like enough in order to make it work…

    What if you select WAN2 as your default gateway, without the rule that directs traffic? Does it work? Because if WAN2 never works, I would check the Outbound NAT config. After the failover takes place, did you check if you have connectivity besides DNS? Tracerouting 8.8.8.8 maybe? (so you can also see what gateway is being used)

    The firewall rule to route DNS is not necessary, and might be messing up things. If you go to the general setup page, make sure the DNS servers have the right gateway selected there. After that, they will always be routed through that gateway.

    Something else to check is the gateway monitoring. By default, it pings the gateway. How are you testing "the connection going down"?? Because if your gateway still responds to pings when the connecion is down (maybe it is a local device), this is pointless. Some people (including me) prefer to use some external IP for monitoring (like 8.8.8.8).

    Regarding the 3 gateway setup, what the wiki suggests is to create the 3 of them so you can quickly change your routing, but the the way you set it up has to work. Load balancing works in the same way, but you set a gateway group with both gateways on the same tier. Then all outgoing connecionts are "round-robined" among them (or whatever algorithm you select)



  • @georgeman:

    What you described sound like enough in order to make it work…

    What if you select WAN2 as your default gateway, without the rule that directs traffic? Does it work? Because if WAN2 never works, I would check the Outbound NAT config. After the failover takes place, did you check if you have connectivity besides DNS? Tracerouting 8.8.8.8 maybe? (so you can also see what gateway is being used)

    I've now selected WAN2 as the default gateway. I haven't disabled the cable modem to test yet. I'll do that after this post.

    I find the "default gateway" confusing - if the firewall rules are directing traffic to the gateway group, what traffic uses the "default"?

    The firewall rule to route DNS is not necessary, and might be messing up things. If you go to the general setup page, make sure the DNS servers have the right gateway selected there. After that, they will always be routed through that gateway.

    I hadn't seen that option for DNS routing on the general setup page before. I've changed the configuration as you suggest.

    Something else to check is the gateway monitoring. By default, it pings the gateway. How are you testing "the connection going down"?? Because if your gateway still responds to pings when the connecion is down (maybe it is a local device), this is pointless. Some people (including me) prefer to use some external IP for monitoring (like 8.8.8.8).

    On both WANs, I'm using an IP on the other side of the link, both internal routers at the respective ISPs.

    Regarding the 3 gateway setup, what the wiki suggests is to create the 3 of them so you can quickly change your routing, but the the way you set it up has to work. Load balancing works in the same way, but you set a gateway group with both gateways on the same tier. Then all outgoing connecionts are "round-robined" among them (or whatever algorithm you select)

    Oh, so there's a manual configuration step to switch between the gateway groups? I didn't see a way to do the switchover between groups automatically. That makes a little more sense.



  • A brief test (powering down each modem in turn) seems to indicate failover is working as expected. I may go back and reset WAN1 as the default gateway later. Thanks for the help!



  • @Chucko:

    I find the "default gateway" confusing - if the firewall rules are directing traffic to the gateway group, what traffic uses the "default"?

    The system will route all traffic for which you haven't explicitely defined a gateway, through the default gateway. Also traffic originating from pfSense itself will use the default gateway unless another one is specified.

    @Chucko:

    Oh, so there's a manual configuration step to switch between the gateway groups? I didn't see a way to do the switchover between groups automatically. That makes a little more sense.

    Changing the gateway group is a manual procedure. It looks that you want to always use WAN1 unless it's down right? Let's suppose that at some point, for some reason you want to always use WAN2 instead, unless it's down. So you grab your rule, and change its gateway to the one which has WAN2 as Tier1.

    Or if you want to load balance, switch the rule's gateway to a gateway group that has both WANs on the same Tier.


Log in to reply