LAN Failover on Packet Loss to Specific Address Possible with pfSense?
-
Is there any way to failover from one interface to another based on packet loss similar to WAN failover with a Gateway Group? (LAGG wont fit the bill)
I have pfSense VM running on an ESXi (5.5) host and it is connected to all three vSwitches: LAN - BRIDGE - WAN
I am trying to test a setup with wanos (wanos is a WAN optimization appliance) but I need a bypass NIC or sorts so connectivity from LAN to pfSense is not lost in the case of failure on wanos.
Wanos intercepts traffic by bridging its interfaces effectively connecting LAN to BRIDGE (Both LAN and BRIDGE vSwitches are in promiscuous mode)
LAGG works as intended and I can disconnect each of pfSense's LAGG interfaces and pings from LAN to pfsense continue without a hiccup BUT if I power off wanos to simulate an outage of any kind on that VM no failover happens and pings to pfsense are dropped. I assume this is because LAGG detects no outage on the primary interface because the actual outage is on the wanos interfaces.
That said, is there any way to initiate a failover when pfsense cannot reach the LAN via wanos? Obviously LAGG will not accommodate this scenario.
I hope this makes sense, but please let me know if anything needs clarification.
-
Hi Spiffster, coincidentally found this thread while searching for "wanos pfsense"
I am wondering whether a solution was eventually found?
Agree, it would be a nice to have feature if the LAGG was able to monitor an ip address. In that case it seems the above scenario would work perfectly. I noticed that the pfsense policy based routing can monitor an ip address as a fail-over trigger though.
I am not familiar with pfsense at all but had a quick look at one or two interesting features.
CARP looks promising. Perhaps its possible to enable CARP on both LAN ports E.g. instead of having the two LAN ports in a LAGG, have the two LAN interfaces compete for the CARP primary/active role. Effectively, if pfsense would allow this configuration, once the Wanos device reboots for example, the standby interface will lose communication with the primary and become active. Once the reboot is complete the primary can take over again (if CARP supports preemption).
Just an idea (there are other ways to achieve this) but out of path will be available in the next release as well.
-
Thanks for the reply Antonie, Im just tying up loose ends on my posts as to not leave them unconcluded.
What I found was that there is no real way to setup a monitor IP for a LAGG interface, BUT I could setup a cron job to test connectivity to a specific address and failover accordingly, but cron jobs would only execute every minute.From what I have discovered about wanos is that it seems very reliable, so this isn't a huge priority anyway, but in production you have to plan for everything.
Now that I do have wanos in production, both pfsense and wanos are running without a hypervisor, so no vswitch in between, just crossover. It works perfectly in this case. Powering off the wanos system causes pfSense to switch ports…
I suspect the issue with what I was trying to do here was the vSwitch, pfSense would not see an outage because it as far as it was concerned it was still connected to a working switch, which makes perfect sense.
-
High end switches support multi-pathing for the layer 2 and can fail an interface when errors start to happen.
The original question asked how to fail over "like the WAN". The issue is easier on the WAN because you just say "This route is bad, fail over to another route". The problem with the LAN side is you have only one route. Clients have only one gateway, that is one route. That is a layer 3 issue.
LAN failures is a layer 2 issue. It's best to handle it at the Layer 2, which is the switch. I'm wondering why an interface would have loss and why failing over would fix the issue. There is a "raid 1" for Ethernet. I forget the protocol name, but packets are duplicated on all interfaces in a group.