Two WAN links, one only as backup

  • Hey there all. Could you recommend some reading or give advice on the following scenario?

    Problem: Our ISP seems to be having a lot of internal trouble at the moment. We have had approx. 7 outages lasting 1 hour - 10 hours in 2015.
    When the outage occurs, the WAN gateway and even a few hops into their internal network may be working, however we cannot get out to the rest of the internet. Sometimes it is sporadic as well. The ISP blocks ICMP past its network.

    We have now purchased a backup connection and want to install it into our pfSense. I know that some Cisco gear has the ability to use a bunch of different metrics to select the best path for traffic (not just ICMP or DNS lookup). Does pfSense have some package that can do something similar? The main issue being that we cannot rely on the link being down, or a gateway ping, as those always stay up when the ISP has troubles. DNS may also sporadically resolve.

    The second connection is metered, so we would never want to send any traffic over it unless the first WAN connection is down. Down means that we have sporadic connection to the internet sometimes lasting hours.

    Any help or links to resources for my reading appreciated! Thanks!

  • @ipfftw:

    The ISP blocks ICMP past its network.

    What? You say you cannot "ping" because your ISP blocks ICMP traffic? That's shabby!

  • Banned

    What? You say you cannot "ping" because your ISP blocks ICMP traffic? That's shabby!

    More like idiotic.

    Get a non-retarded ISP. End of story.

  • Symmetric 100 Mbit for $750 a month, unmetered.

    In Canada that's cheap.

    And they have been rock solid for years. They are run by the government, who is now unfortunately outsourcing to a private corp, which is when all the problems started. Governments trying to cut costs, but I digress.

    But yes, they block pings; a small price to pay in my opinion. Commercially, we would be paying 2k-3k per month for the same line.

    As I said, I heard that the Cisco ASA is able to make routing decisions based on more than just ICMP (I believe DNS lookups, delay, jitter and "reliability" are some of the metrics used), so I am wondering if pfSense can do something similar. I don't want to drop pfSense, but others in the corp are not so pfSense loyal.

  • It comes down to "you get what you pay for", right?
    Does Traceroute from Diagnostics menu work for you (leaving "Use ICMP" unchecked, of course)?

  • Yeah, I can traceroute that way; yes, it is successful.

    The technology from Cisco is called performance based routing and it is part of the iWAN architecture. From their docs:

    Intelligent Path Control

    Cisco Performance Routing (PfR) improves application delivery and WAN efficiency. PfR dynamically controls data packet forwarding decisions by looking at application type, performance, policies, and path status. PfR monitors the network performance (jitter, packet loss, and delay) and makes decisions to forward critical applications over the best-performing path based on the application policy. Cisco PfR can intelligently load balance traffic to efficiently use all available WAN bandwidth. IWAN intelligent path control is the key to providing a business-class WAN over Internet transport.

    Something similar in pfSense, and how to configure it, is all I want to know really. Thanks!
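    Added example, not from this thread or from pfSense: the kind of multi-signal check the PfR description above alludes to, done outside ICMP. It combines TCP handshakes to several hosts, a DNS lookup and a latency cap into one verdict per round, then applies asymmetric hysteresis so a link that is "sporadic for hours" fails over quickly but is not trusted again until it has been steady for a while (which also keeps a metered backup from flapping). The probe hosts are placeholders (an assumption), and whatever is done when the state flips, such as changing the default route, is left to the operator.

```python
import socket
import time
from dataclasses import dataclass
TCP_TARGETS = [("example.com", 443), ("example.net", 443), ("example.org", 443)]  # placeholders (assumption)

def tcp_probe(host, port, timeout=2.0):
    """TCP handshake round-trip time in seconds, or None if it failed or timed out."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None

def dns_probe(name):
    """True if the resolver still answers for name; no ICMP involved."""
    try:
        return bool(socket.getaddrinfo(name, 443))
    except OSError:
        return False

def round_healthy(rtts, dns_ok, min_ok=0.5, max_rtt=0.5):
    """A round passes if DNS works and at least min_ok of the TCP probes were fast enough."""
    if not dns_ok or not rtts:
        return False
    fast = sum(1 for r in rtts if r is not None and r <= max_rtt)
    return fast / len(rtts) >= min_ok

@dataclass
class LinkState:
    down_after: int = 3    # consecutive failed rounds before declaring the WAN down
    up_after: int = 10     # consecutive good rounds before trusting it again (anti-flap)
    is_down: bool = False
    bad_streak: int = 0
    good_streak: int = 0

    def update(self, healthy):
        """Feed one round's verdict; return True only when the link state flips."""
        self.good_streak = self.good_streak + 1 if healthy else 0
        self.bad_streak = 0 if healthy else self.bad_streak + 1
        was_down = self.is_down
        if self.bad_streak >= self.down_after:
            self.is_down = True
        if self.good_streak >= self.up_after:
            self.is_down = False
        return self.is_down != was_down

def check_once():  # runs all probes once; needs network access
    rtts = [tcp_probe(h, p) for h, p in TCP_TARGETS]
    return round_healthy(rtts, dns_probe(TCP_TARGETS[0][0]))
```

    Run check_once() from a periodic job, feed its verdict to one LinkState.update() and act only when update() returns True; both thresholds are knobs to tune against how long the ISP's bad spells actually last.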

  • Banned

    No. pfSense uses very broken apinger (dead as a door knob upstream, heavily customized internally) to monitor WAN. It uses ICMP and there is no way to make it use anything else. The apinger status is pretty much along the "unfixable garbage, needs rewrite from scratch" line…

  • OK, thanks very much doktor, that answers my question perfectly. Sad, but hey, there's always a new feature that could be added in the future.

    We are going to try and find something to ping on their local network (as far as possible before they block pings) and just ping that.

    Thanks for the help.
