Cable WAN doesn't work, VDSL does, laptop direct does work



  • G'day fans of the best firewall in the world  ;D

    I am ex-tre-me-ly depressed  :'(

    I had a day off today, and have wasted the whole day trying to get my Cable WAN to work. It doesn't  >:(

    Here is the thing:
    1. I have WAN1 working. VDSL. I have Snort, Squid, Squidguard, Radius, DNS-Forwarder, VLANS.
    2. I needed a WAN2 for failover.
    3. I bought a new Intel NIC and I got WAN2 to work thanks also to the great phil.davis: https://forum.pfsense.org/index.php/topic,71334.0.html. That is: pfSense fails over, and I have an external WAN2-ip from my cable ISP.
    4. Today I decided to waste some time on thoroughly testing it.
    5. Only to discover the WAN2-connection doesn't work right. Websites randomly open and don't open. Ping and tracert work 1 second, and don't work the next. On VDSL all works flawlessly. And: if I plug a laptop directly in the modem all works flawlessly as well.

    I tried a zillion things:

    • Tried it from Windows, Linux, PC-BSD.
    • Removed the failover groups (and LAN rules), disabled WAN1 so I only simply had WAN2.
    • Removed Squid and squidguard.
    • Checked the MTU (due to a link in the pfSense wiki).
    • Checked and doublechecked my LAN-firewall rules (but that shouldn't be a problem, as VDSL works).
    • Rebooted pfSense, HP switch, PCs.
    • Changed cables between modem and pfSense.

    Nothing, it remains the same. One second it works, the next second it doesn't. Gateway stays up all the time.

    WAN2 is cable, Telenet.be (IPv4 Configuration Type 'DHCP'). MTU according to the 'TCPOptimizer'-test is 1500. I even set that manually in the WAN2-configuration, even though the text there says it is 1500 by default. I even disabled 'block private networks' as in the logs it shows a 'bootpc' on WAN2 from 10.0.0.0 (or something, it's gone from the logs now so I don't recall exactly anymore what it was).

    Something is wrong, but as I said: if I plug a laptop directly in the modem it works perfectly.

    I'm thinking of reinstalling everything, but with all the packages and their configs that is quite some work (I tried the restore from backup once, but that didn't work too well, so if I have to do it, better safe than sorry, I'd better reinstall from fresh).

    Wasted a whole day on this  :'(

    Would anybody perhaps know what the problem might be here? What I could try next before doing a complete reinstall?

    Thank you very much in advance for your reply :-)

    Bye,


  • Netgate Administrator

    Ok. So I glanced over your other thread where Phil helped you out. It looks like you have the two connections set up as a failover rather than as load balancing, yes? Is it set to use DSL as the primary connection and fail over to cable? Had you forced it to fail over to the cable connection when it stopped working correctly?

    Two things come to mind here. Squid will always use the system default gateway unless you've taken steps to make it do something else. You can set the default gateway to change if the current default goes down but I seem to remember it won't always switch back which may be an issue.

    If you are seeing seemingly inexplicable changes in behavior try disabling Snort. That can often cause odd things to happen.  ;)

    Steve



  • @stephenw10:

    Ok. So I glanced over your other thread where Phil helped you out. It looks like you have the two connections set up as a failover rather than as load balancing, yes? Is it set to use DSL as the primary connection and fail over to cable? Had you forced it to fail over to the cable connection when it stopped working correctly?

    Two things come to mind here. Squid will always use the system default gateway unless you've taken steps to make it do something else. You can set the default gateway to change if the current default goes down but I seem to remember it won't always switch back which may be an issue.

    If you are seeing seemingly inexplicable changes in behavior try disabling Snort. That can often cause odd things to happen.  ;)

    Steve

    And once again this man who has 'Hero member' under his name indeed is a hero and comes to my rescue  ;D

    (Thank you Steve, you helped me get rid of my depression  :-*).

    Because: the problem indeed was Snort. Not that I know what exactly the problem was…

    1. I disabled Snort on all interfaces and WAN2 worked without problems;
    2. I enabled, one by one, Snort again on all interfaces (WAN1, WAN2, LAN and VLAN) - and WAN2 still worked.
    3. So "something" happened. Was it simply disabling and enabling Snort? But then again: I had before also rebooted the box, which in my humble opinion means that Snort was disabled and enabled on all interfaces during this reboot process. That didn't do the trick, but your suggestion did do the trick.

    ???

    But WAN2 works now  ;D

    • To answer your earlier questions:
      1. Yes, VDSL was WAN1, was default gateway, cable was WAN2 and was only fail over.
      2. I had set a mandatory firewall rule on LAN to have my desktop go via WAN2 (a failover group zFailover2, where WAN2 was tier1 and WAN1 was tier2), in order for me to test the WAN2. I did reset states after that, 'just in case'.
      3. I already had Squid completely uninstalled before, but it didn't make a difference for the performance of WAN2.

    Finally, as to the part in bold: that seems to be rather complicated. Currently I must have at least 20 tabs open, both threads on this very fine forum as well as tutorials on blogs, and when it comes to Squid on dual WAN it appears there are as many, partly conflicting, different instructions as there are threads/blog posts  :-\

    Marcelloc translated something from Portuguese saying in Squid you need to select both LAN and loopback, in other places it is said only LAN, others say WAN1 and WAN2, others say only loopback.

    In some places/threads it is said manual NAT outbound, others say no longer for 2.1 (which I am on), others say this is false information.

    Some say create the floating rule for HTTP, others say that doesn't work and you need to create a LAN rule.

    And so on and so forth.

    You wouldn't happen to know where the right information for 2.1 is written, would you Steve? Because I feel getting Squid back will also be a cumbersome experience. I use Squid mainly for Squidguard, so when WAN1 fails over to WAN2 I would like WAN2 traffic also to be filtered by Squidguard.

    Thanks once again for getting me out of my severe depression, Steve; in your debt once again  ;) ;D


  • Netgate Administrator

    No problem, glad my wild guess proved at least somewhat helpful.  ;)

    I'm unsure about the status of Squid with multiwan. Certainly what I said, that it always uses the default gateway, used to be true but things may have changed since I last tried it. I'm not running Squid here at home which is the only place I have multiwan connectivity.

    Time to do some research….

    Way out of date:
    https://doc.pfsense.org/index.php/Troubleshoot_Outbound_Load_Balancing_Issues#Squid_doesn.27t_seem_to_be_using_both_connections

    Steve

    Edit: This looks fairly comprehensive, haven't tried it myself though:
    http://www.communig8.com/articles/64-open-source/137-pfsense-multi-wan-how-to-really-make-it-work

