Re: [pfSense Support] Multi-WAN with Fail Over
The DNS should switch over with the fail BUT if you use an ISP DNS server then it may not be available from an IP address that does not belong to the ISP. If your second link is not with the same ISP (good idea for redundancy) then you will have to look at DNS that can be reached from both networks. Free ones exist but they tend to pay for themselves using a search page to replace the Not Found when a name is incorrectly typed by a user.

Alternatively you can name both ISP servers (and add a static route for the backup DNS server so it is always seen while the link is up or you may get some performance issues).

Or you can run your own DNS and do the lookup yourself!

Rob

- Original Message -
From: Alexsander Loula alex.lo...@gmail.com
To: support@pfsense.com
Sent: Tuesday, 24 March, 2009 12:20:52 GMT +00:00 GMT Britain, Ireland, Portugal
Subject: Re: [pfSense Support] Multi-WAN with Fail Over

I'll try to do it this night (GMT -3:00).

2009/3/23 Chris Buechler c...@pfsense.org

On Mon, Mar 23, 2009 at 10:13 PM, Chuck Mariotti cmario...@xunity.com wrote:

Alex, I share your pain. I’m not a pf guru, but I can’t seem to get this working either… I have managed to get the Load Balancer Status to turn Green/Yellow/Red as expected when I unplug a connection. But the internet gets all wonky… as if DNS isn’t working, old records seem to work, some pages take forever, etc...

You have to add a static route to push one of the DNS servers over the second WAN.

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Multi-WAN with Fail Over
Robert Mortimer wrote:

If you have two PF machines (One for each ADSL) you can use CARP to get the failover you require.

No, with two identical machines, using CARP for hardware failover, the dual WAN failover does not work with pfsense.

-- Veiko
Re: [pfSense Support] Re: Can't get more than 15kpps.
Lenny wrote:

Also, today, looking on ebay, I realized that it's not such an easy task - to find a modern server with a dual core AMD (second generation) and at least 1 PCI-X slot. The same is with Intel. And I already have 4 PCI-X cards, so I'd rather use them.

we've found the Tyan 5391 motherboard (core2duo) to run pfsense respectably - with dual intel e1000 gigabit and e100 10/100 for sync, they work pretty well. can use PCIX and PCIe card.

http://www.tyan.com/product_board_detail.aspx?pid=343

there's probably an updated model. oh, the remote management card is no good, avoid.

their 5372 motherboard is ok (proper intel server 5000 chipset)... avoid the 5375 (intel 5100) as it's got design problems, we've had all sorts of weirdness with them.
Re: [pfSense Support] Multi-WAN with Fail Over
I tried both suggestions (static route and opendns) without success. As I can use a regular PC in this case, I'm using Endian community edition that is working perfectly for WAN1 to WAN 2 failover. I'll try to play a little more with pfSense because I'd like to have the option to use embedded hardware as well.

Thanks anyway!

2009/3/25 Veiko Kukk veiko.k...@krediidipank.ee

Robert Mortimer wrote:

If you have two PF machines (One for each ADSL) you can use CARP to get the failover you require.

No, with two identical machines, using CARP for hardware failover, the dual WAN failover does not work with pfsense.

-- Veiko
[pfSense Support] WAN, VLANS on WAN, and RRD Graph Behavior Graph or Feature?
I have a pfsense router configured with the following WAN setup. It's running 1.2.2.

Wan Physical Interface Contains:

WAN is mapped to the default untagged interface (I know this isn't a completely normal setup with VLANs also on the interface too, but it's a legacy setup I've inherited and am not currently able to change)

WAN2 through WAN5 are mapped to 802.1q VLANS on this same physical interface

With this configuration, I have noticed the following behavior when viewing traffic RRD graphs:

The WAN interface in the RRD page shows the sum of all traffic on the actual physical interface, including the VLAN traffic.

Each WAN interface VLAN shows only the traffic on that VLAN.

Is this a bug, or is this expected behavior?

Thanks,
Vaughn Reid III
Re: [pfSense Support] Multi-WAN with Fail Over
On Wed, Mar 25, 2009 at 5:26 AM, Veiko Kukk veiko.k...@krediidipank.ee wrote:

No, with two identical machines, using CARP for hardware failover, the dual WAN failover does not work with pfsense.

Works fine, I've set up a number of boxes like that. You have something set up wrong.
Re: [pfSense Support] WAN, VLANS on WAN, and RRD Graph Behavior Graph or Feature?
On Wed, Mar 25, 2009 at 9:16 AM, Vaughn L. Reid III vaughn_reid_...@elitemail.org wrote:

I have a pfsense router configured with the following WAN setup. It's running 1.2.2.

Wan Physical Interface Contains:

WAN is mapped to the default untagged interface (I know this isn't a completely normal setup with VLANs also on the interface too, but it's a legacy setup I've inherited and am not currently able to change)

WAN2 through WAN5 are mapped to 802.1q VLANS on this same physical interface

With this configuration, I have noticed the following behavior when viewing traffic RRD graphs:

The WAN interface in the RRD page shows the sum of all traffic on the actual physical interface, including the VLAN traffic.

Each WAN interface VLAN shows only the traffic on that VLAN.

Is this a bug, or is this expected behavior?

Expected, there is no way to differentiate between tagged and untagged traffic. It's showing you the traffic that's passing over that interface, which includes the VLANs assigned as other interfaces.

You shouldn't use the parent interface with VLANs (for reasons completely unrelated to this, and not product/vendor specific). I would plan to change that, or just live with the understanding that the parent interface will always have the sum of all VLAN traffic and that your network is possibly open to VLAN hopping from tagged to parent interface.
Re: [pfSense Support] Multi-WAN with Fail Over
Hi Chris,

Could you please share your XML config? So I can check if I'm setting something wrong.

Tks,
Alex

2009/3/25 Chris Buechler c...@pfsense.org

On Wed, Mar 25, 2009 at 5:26 AM, Veiko Kukk veiko.k...@krediidipank.ee wrote:

No, with two identical machines, using CARP for hardware failover, the dual WAN failover does not work with pfsense.

Works fine, I've set up a number of boxes like that. You have something set up wrong.
Re: [pfSense Support] Multi-WAN with Fail Over
On Wed, Mar 25, 2009 at 4:15 PM, Alexsander Loula alex.lo...@gmail.com wrote:

Could you please share your XML config?

The boxes don't belong to me, they're those of various support customers, so no I can't. If you post yours maybe someone will tell you what's wrong.
Re: [pfSense Support] WAN, VLANS on WAN, and RRD Graph Behavior Graph or Feature?
Thanks for the confirmation that I'm experiencing expected behavior. I thought that was the case, but I wanted to be sure.

Vaughn III

Chris Buechler wrote:

On Wed, Mar 25, 2009 at 9:16 AM, Vaughn L. Reid III vaughn_reid_...@elitemail.org wrote:

I have a pfsense router configured with the following WAN setup. It's running 1.2.2.

Wan Physical Interface Contains:

WAN is mapped to the default untagged interface (I know this isn't a completely normal setup with VLANs also on the interface too, but it's a legacy setup I've inherited and am not currently able to change)

WAN2 through WAN5 are mapped to 802.1q VLANS on this same physical interface

With this configuration, I have noticed the following behavior when viewing traffic RRD graphs:

The WAN interface in the RRD page shows the sum of all traffic on the actual physical interface, including the VLAN traffic.

Each WAN interface VLAN shows only the traffic on that VLAN.

Is this a bug, or is this expected behavior?

Expected, there is no way to differentiate between tagged and untagged traffic. It's showing you the traffic that's passing over that interface, which includes the VLANs assigned as other interfaces.

You shouldn't use the parent interface with VLANs (for reasons completely unrelated to this, and not product/vendor specific). I would plan to change that, or just live with the understanding that the parent interface will always have the sum of all VLAN traffic and that your network is possibly open to VLAN hopping from tagged to parent interface.
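A configuration check for the arrangement advised against in this thread (an assigned interface sitting untagged on a NIC that also carries VLANs), as an added example that is not part of the original messages. The `<vlans>` layout, the vlanN device naming, the NIC names and the tags are assumptions made for the constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the setup described in the thread: WAN sits
# untagged on a NIC that also carries tagged VLANs used as further WANs.
# Assumed layout (not shown in the thread): each <vlans>/<vlan> entry names its
# parent NIC in <if> and its 802.1Q ID in <tag>; the Nth entry is device vlanN.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <lan><if>em1</if></lan>
    <wan><if>em0</if></wan>
    <opt1><if>vlan0</if><descr>WAN2</descr></opt1>
    <opt2><if>vlan1</if><descr>WAN3</descr></opt2>
    <opt3><if>vlan2</if><descr>DMZ</descr></opt3>
  </interfaces>
  <vlans>
    <vlan><if>em0</if><tag>10</tag></vlan>
    <vlan><if>em0</if><tag>20</tag></vlan>
    <vlan><if>em2</if><tag>30</tag></vlan>
    <vlan><if>em0</if><tag>40</tag></vlan>
  </vlans>
</pfsense>"""


def untagged_on_vlan_parent(config_xml):
    """Map each interface assigned directly to a VLAN parent NIC to the
    (tag, interface) pairs that ride tagged on the same NIC."""
    root = ET.fromstring(config_xml)
    vlan_devs = {}  # "vlanN" -> (parent NIC, tag)
    for index, vlan in enumerate(root.findall("./vlans/vlan")):
        vlan_devs[f"vlan{index}"] = (vlan.findtext("if"), int(vlan.findtext("tag")))
    parents = {parent for parent, _ in vlan_devs.values()}

    node = root.find("interfaces")
    assigned = {el.tag: (el.findtext("if") or "") for el in node} if node is not None else {}

    report = {}
    for name, dev in assigned.items():
        if dev not in parents:
            continue  # NIC carries no VLANs, or this is a vlanN device itself
        riders = [(vlan_devs[d][1], n) for n, d in assigned.items()
                  if d in vlan_devs and vlan_devs[d][0] == dev]
        # VLANs defined on the NIC but not assigned to any interface still
        # share the wire with the untagged network; report them with None.
        used = {tag for tag, _ in riders}
        riders += [(tag, None) for parent, tag in vlan_devs.values()
                   if parent == dev and tag not in used]
        report[name] = sorted(riders, key=lambda rider: rider[0])
    return report


if __name__ == "__main__":
    for iface, riders in untagged_on_vlan_parent(SAMPLE_CONFIG).items():
        print(f"{iface} is untagged on a NIC that also carries: {riders}")
```

An empty result means no assigned interface shares a NIC with tagged VLANs; every key in a non-empty result is an interface whose traffic graph will include the listed VLANs and which should be moved to its own VLAN or NIC.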
[pfSense Support] error in latest snapshot
Installed the following snapshot

1.2.3-PRERELEASE-TESTING-VERSION built on Tue Mar 24 23:54:30 EDT 2009

and it failed to boot with the following message

Trying to mount root from ufs:/dev/da0s1a
/etc/rc: 43: Syntax error: else unexpected (expecting then)

I looked in the code and found the file had the following and it is missing a then statement

    if [ $hideplatform = true ];
        platformbanner= # hide the platform
    else
        platformbanner= on the '${PLATFORM}' platform
    fi

added the then in there and it booted right up

-Sean
Re: [pfSense Support] Multi-WAN with Fail Over
This is my config:

2009/3/25 Chris Buechler c...@pfsense.org

On Wed, Mar 25, 2009 at 4:15 PM, Alexsander Loula alex.lo...@gmail.com wrote:

Could you please share your XML config?

The boxes don't belong to me, they're those of various support customers, so no I can't. If you post yours maybe someone will tell you what's wrong.

<?xml version="1.0"?>
<pfsense>
  <version>3.0</version>
  <lastchange/>
  <theme>nervecenter</theme>
  <system>
    <optimization>normal</optimization>
    <hostname>pfsense</hostname>
    <domain>localdomain</domain>
    <username>admin</username>
    <password></password>
    <timezone>America/Sao_Paulo</timezone>
    <time-update-interval/>
    <timeservers>0.pfsense.pool.ntp.org</timeservers>
    <webgui>
      <protocol>http</protocol>
      <port/>
      <certificate/>
      <private-key/>
    </webgui>
    <disablenatreflection>yes</disablenatreflection>
    <afterfilterchangeshellcmd/>
    <dnsserver>201.6.0.115</dnsserver>
    <dnsserver>201.6.0.112</dnsserver>
    <dnsserver>200.169.116.22</dnsserver>
    <dnsserver>200.169.116.23</dnsserver>
    <ssh>
      <authorizedkeys/>
      <port/>
    </ssh>
    <sharednet/>
    <maximumstates/>
    <shapertype/>
  </system>
  <interfaces>
    <lan>
      <if>nfe0</if>
      <ipaddr>10.1.1.1</ipaddr>
      <subnet>24</subnet>
      <media/>
      <mediaopt/>
      <bandwidth>100</bandwidth>
      <bandwidthtype>Mb</bandwidthtype>
    </lan>
    <wan>
      <if>rl0</if>
      <mtu/>
      <ipaddr>dhcp</ipaddr>
      <subnet/>
      <gateway/>
      <disableftpproxy/>
      <dhcphostname/>
      <media/>
      <mediaopt/>
      <bandwidth>100</bandwidth>
      <bandwidthtype>Mb</bandwidthtype>
      <spoofmac/>
    </wan>
    <opt1>
      <if>rl1</if>
      <descr>WAN2</descr>
      <bridge/>
      <enable/>
      <ipaddr>dhcp</ipaddr>
      <spoofmac/>
      <mtu/>
      <dhcphostname/>
    </opt1>
  </interfaces>
  <staticroutes/>
  <pppoe>
    <username/>
    <password/>
    <provider/>
  </pppoe>
  <pptp>
    <username/>
    <password/>
    <local/>
    <subnet/>
    <remote/>
    <timeout/>
  </pptp>
  <bigpond>
    <username/>
    <password/>
    <authserver/>
    <authdomain/>
    <minheartbeatinterval/>
  </bigpond>
  <dyndns>
    <type>dyndns</type>
    <username>loula</username>
    <password>Truth2145&amp;*</password>
    <host>bigdogwall.homelinux.com</host>
    <mx/>
    <enable/>
  </dyndns>
  <dhcpd>
    <lan>
      <enable/>
      <range>
        <from>10.1.1.10</from>
        <to>10.1.1.245</to>
      </range>
    </lan>
  </dhcpd>
  <pptpd>
    <mode/>
    <redir/>
    <localip/>
    <remoteip/>
  </pptpd>
  <ovpn/>
  <dnsmasq>
    <enable/>
    <regdhcp/>
    <regdhcpstatic/>
  </dnsmasq>
  <snmpd>
    <syslocation/>
    <syscontact/>
    <rocommunity>public</rocommunity>
  </snmpd>
  <diag>
    <ipv6nat/>
  </diag>
  <bridge/>
  <syslog/>
  <nat>
    <ipsecpassthru>
      <enable/>
    </ipsecpassthru>
    <advancedoutbound>
      <rule>
        <source>
          <network>10.1.1.0/24</network>
        </source>
        <sourceport/>
        <descr>Auto created rule for LAN</descr>
        <target/>
        <interface>wan</interface>
        <destination>
          <any/>
        </destination>
        <natport/>
      </rule>
      <rule>
        <source>
          <network>10.1.1.0/24</network>
        </source>
        <sourceport/>
        <descr/>
        <target/>
        <interface>opt1</interface>
        <destination>
          <any/>
        </destination>
        <natport/>
        <dstport/>
      </rule>
    </advancedoutbound>
  </nat>
  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <max-src-nodes/>
      <max-src-states/>
      <statetimeout/>
      <statetype>keep state</statetype>
      <os/>
      <protocol>tcp</protocol>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
      <descr/>
      <gateway>LoadBalance</gateway>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <max-src-nodes/>
      <max-src-states/>
      <statetimeout/>
      <statetype>keep state</statetype>
      <os/>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
      <descr/>
      <gateway>opt1</gateway>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <max-src-nodes/>
      <max-src-states/>
      <statetimeout/>
      <statetype>keep state</statetype>
      <os/>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
      <descr>Default LAN -&gt; any</descr>
    </rule>
  </filter>
  <shaper/>
  <ipsec>
    <preferredoldsa/>
  </ipsec>
  <aliases/>
  <proxyarp/>
  <cron>
    <item>
      <minute>0</minute>
      <hour>*</hour>
      <mday>*</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 newsyslog</command>
    </item>
    <item>
      <minute>1,31</minute>
      <hour>0-5</hour>
      <mday>*</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 adjkerntz -a</command>
    </item>
    <item>
      <minute>1</minute>
      <hour>3</hour>
      <mday>1</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
    </item>
    <item>
      <minute>*/60</minute>
      <hour>*</hour>
      <mday>*</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
    </item>
    <item>
      <minute>1</minute>
      <hour>1</hour>
      <mday>*</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
    </item>
    <item>
      <minute>*/60</minute>
      <hour>*</hour>
      <mday>*</mday>
      <month>*</month>
      <wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20
RE: [pfSense Support] Multi-WAN with Fail Over
Alex, as I said before, I am not an expert on this and I'm not one to look at XML config files. I am not completely convinced I have this working 100%... but I'll try to contribute.

<dnsallowoverride/> is something I disabled on my config, so that the DNS entries I specified are not taken over by the DHCP on WAN.

Try to write down some test IP addresses that are public that you can PING so that you try to see if your connections/failover are working WITHOUT letting DNS get in the way. I found DNS got in the way of trying to get things working first on an IP level.

The RULES you specify need to be in a certain order, refer back to your install document, it should say something about the order the rules are to appear in the chart (top down).

Here are my RULES from my config:

<filter>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <max-src-nodes />
    <max-src-states />
    <statetimeout />
    <statetype>keep state</statetype>
    <os />
    <source>
      <network>lan</network>
    </source>
    <destination>
      <address>192.168.1.0/24</address>
    </destination>
    <log />
    <descr>Make sure that DMZ1 traffic goes to the right interf</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <max-src-nodes />
    <max-src-states />
    <statetimeout />
    <statetype>keep state</statetype>
    <os />
    <source>
      <network>lan</network>
    </source>
    <destination>
      <network>opt1</network>
    </destination>
    <descr>Make sure DMZ2 traffic goes to WAN2</descr>
    <gateway>opt1</gateway>
  </rule>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <max-src-nodes />
    <max-src-states />
    <statetimeout />
    <statetype>keep state</statetype>
    <os />
    <source>
      <network>lan</network>
    </source>
    <destination>
      <any />
    </destination>
    <descr>Default LAN - any via LoadBlanced WAN</descr>
    <gateway>LoadBalance</gateway>
  </rule>
  <rule>
    <type>pass</type>
    <interface>pptp</interface>
    <max-src-nodes />
    <max-src-states />
    <statetimeout />
    <statetype>keep state</statetype>
    <os />
    <source>
      <any />
    </source>
    <destination>
      <network>lan</network>
    </destination>
    <descr />
  </rule>
</filter>

HERE IS MY LOAD BALANCE STATEMENT - It appears that you do not have a monitorIP entry for each. I think it uses these to ping the monitor IP addresses to verify that the WAN / WAN2 links are up and running. If not, it fails over. In other words, if there is no response, it assumes the WAN link is down.

<load_balancer>
  <lbpool>
    <type>gateway</type>
    <behaviour>failover</behaviour>
    <monitorip>67.69.184.7</monitorip>
    <name>LoadBalance</name>
    <desc>Round robin load balancing</desc>
    <port />
    <servers>wan|67.69.184.199</servers>
    <servers>opt1|67.69.184.7</servers>
    <monitor />
  </lbpool>
  <lbpool>
    <type>gateway</type>
    <behaviour>failover</behaviour>
    <monitorip />
    <name>WANFailsToWAN2</name>
    <desc>WAN2 preferred when WAN fails</desc>
    <port />
    <servers>opt1|67.69.184.7</servers>
    <servers>wan|67.69.184.199</servers>
    <monitor />
  </lbpool>
  <lbpool>
    <type>gateway</type>
    <behaviour>failover</behaviour>
    <monitorip>67.69.184.7</monitorip>
    <name>WAN2FailsToWAN</name>
    <desc>WAN preferred when WAN2 fails</desc>
    <port />
    <servers>wan|67.69.184.199</servers>
    <servers>opt1|67.69.184.7</servers>
    <monitor />
  </lbpool>
</load_balancer>

Are you able to get RED/GREEN/YELLOW entries when viewing Loadbalancing under the Status menu? It should look something like this:

Name            Type                Gateways  Status                                     Description
LoadBalance     gateway (failover)  wan       Offline  Last change Mar 25 2009 19:21:53  Round robin load balancing
                                    opt1      Online   Last change Mar 25 2009 19:21:53
WANFailsToWAN2  gateway (failover)  opt1      Online   Last change Mar 25 2009 19:21:53  WAN2 preferred when WAN fails
                                    wan       Offline  Last change Mar 25 2009 19:21:53
WAN2FailsToWAN  gateway (failover)  wan       Offline  Last change Mar 25 2009 19:21:53  WAN preferred when WAN2 fails
                                    opt1      Online   Last change Mar 25 2009 19:21:53

In this case, my MAIN WAN link is down (unplugged in fact).

Let me know how it goes for you.

Regards,
Chuck

From: Alexsander Loula [mailto:alex.lo...@gmail.com]
Sent: Wednesday, March 25, 2009 10:08 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Multi-WAN with Fail Over

This is my config:

2009/3/25 Chris Buechler c...@pfsense.org

On Wed, Mar 25, 2009 at 4:15 PM, Alexsander Loula alex.lo...@gmail.com wrote:

Could you please share your XML config?

The boxes don't belong to me, they're those of various support customers, so no I can't. If you post yours maybe someone will tell you what's wrong.
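The monitor-IP and gateway checks discussed in this thread, written as a config audit; this is an added example, not part of the original messages and not pfSense code. Element names follow the `<load_balancer>` and `<filter>` excerpts posted above, while the sample config, its addresses, the `BrokenPool` name and the function name `audit_failover` are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; addresses are documentation-range placeholders.
SAMPLE_CONFIG = """<pfsense>
  <interfaces><lan><if>nfe0</if></lan><wan><if>rl0</if></wan><opt1><if>rl1</if></opt1></interfaces>
  <filter>
    <rule><interface>lan</interface><gateway>LoadBalance</gateway></rule>
    <rule><interface>lan</interface><gateway>WANFailsToWAN2</gateway></rule>
    <rule><interface>lan</interface><gateway>opt1</gateway></rule>
  </filter>
  <load_balancer>
    <lbpool>
      <type>gateway</type><behaviour>failover</behaviour><name>LoadBalance</name>
      <servers>wan|192.0.2.1</servers>
      <servers>opt1|198.51.100.1</servers>
    </lbpool>
    <lbpool>
      <type>gateway</type><behaviour>failover</behaviour><name>BrokenPool</name>
      <servers>wan|192.0.2.1</servers>
      <servers>opt1|</servers>
      <servers>opt2|192.0.2.1</servers>
    </lbpool>
  </load_balancer>
</pfsense>"""


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def audit_failover(config_xml):
    """Return sorted (subject, problem) pairs for the multi-WAN failover setup."""
    root = ET.fromstring(config_xml)
    node = root.find("interfaces")
    ifaces = {child.tag for child in node} if node is not None else set()
    findings, pool_names = [], set()
    for pool in root.iter("lbpool"):
        name = pool.findtext("name") or "(unnamed)"
        pool_names.add(name)
        members = pool.findall("servers")
        if len(members) < 2:
            findings.append((name, "fewer than two gateways, nothing to fail over to"))
        seen = {}  # monitor address -> first interface probed through it
        for entry in members:
            # Each member is "interface|monitor address", as in the posted excerpt.
            iface, _, monitor = (entry.text or "").strip().partition("|")
            if iface not in ifaces:
                findings.append((name, f"member '{iface}' is not an assigned interface"))
            if not _is_ip(monitor):
                findings.append((name, f"member '{iface}' has no usable monitor IP"))
            elif monitor in seen:
                # Two links judged by one probe target go up and down together.
                findings.append((name, f"'{iface}' and '{seen[monitor]}' share monitor {monitor}"))
            else:
                seen[monitor] = iface
    # A rule's <gateway> must name a defined pool or an assigned interface (both
    # forms appear in the posted configs); a literal address is assumed valid too.
    for rule in root.findall("./filter/rule"):
        gw = (rule.findtext("gateway") or "").strip()
        if gw and gw not in pool_names and gw not in ifaces and not _is_ip(gw):
            findings.append(("filter rule", f"gateway '{gw}' matches no pool or interface"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, problem in audit_failover(SAMPLE_CONFIG):
        print(f"{subject}: {problem}")
```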
[pfSense Support] Internet at the lake? Rogers Mobile Internet Stick (Rocket) with pfSense?
I have the option of staying/working from a home on the Lake for a number of weeks this summer here in Ontario/Canada. Nice and relaxed. Unfortunately, the only internet access is dialup, which is not acceptable (of course).

After much poking around, I borrowed my wife's iPhone, went up to the highest point in the house, stuck it up against each window, and lo and behold with one of those windows... one bar of 3G. 3G / Edge jumped In and Out, but it was definitely there. Some tests were pretty good... 2mbit down, 500kup... others, pretty bad... very bad... 3G signal would go down, etc... but it's there!

The one problem is, there are no leaves on the trees yet... and it's just one bar of signal. So I imagine it will get worse in a couple of months time.

Second problem is, that the wireless provider here (Rogers) sells a USB Stick that will give me 3G Internet Access (like the iPhone). Model Ovation MC950D 7.2 USB Modem - HSDPA/HSUPA/UMTS... My concern is that this thing is as bad or Worse than the iPhone for receiving 3G signals. I would really like to not have to worry about signals here. Does anyone know if the antenna on this thing is significantly better than an iPhone? Will I get 0 bars or 5 bars?

Third Problem is, I have more than one computer. I'd like to share this connection. This is where pfSense comes in. I tried looking this up on the hardware list, but I don't see it. I see someone referencing it on a BSD list, but version 8.0... Does anyone know if these work with pfSense 1.2.2 as a WAN connection? There are pre-fab 3G Routers that work with it, but they are $$$.

Fourth Problem is, this is a separate problem, that maybe I can get an alternative in place if needed, but my cell phone is 3G as well. No signal = no calls. I have looked at Signal Boosters for areas/building, but they seem to be insanely expensive.

Anyone have any suggestions or solutions to this problem?

Regards,
Chuck
Re: [pfSense Support] Internet at the lake? Rogers Mobile Internet Stick (Rocket) with pfSense?
ubnt.com is a good place to start.

First - check with someone in town (that can be 30 miles away even) see if you can get a cablemodem or dsl or something there - then antenna away

Great stuff !

On Mar 25, 2009, at 11:31 PM, Chuck Mariotti wrote:

I have the option of staying/working from a home on the Lake for a number of weeks this summer here in Ontario/Canada. Nice and relaxed. Unfortunately, the only internet access is dialup, which is not acceptable (of course).

After much poking around, I borrowed my wife's iPhone, went up to the highest point in the house, stuck it up against each window, and lo and behold with one of those windows... one bar of 3G. 3G / Edge jumped In and Out, but it was definitely there. Some tests were pretty good... 2mbit down, 500kup... others, pretty bad... very bad... 3G signal would go down, etc... but it's there!

The one problem is, there are no leaves on the trees yet... and it's just one bar of signal. So I imagine it will get worse in a couple of months time.

Second problem is, that the wireless provider here (Rogers) sells a USB Stick that will give me 3G Internet Access (like the iPhone). Model Ovation MC950D 7.2 USB Modem - HSDPA/HSUPA/UMTS... My concern is that this thing is as bad or Worse than the iPhone for receiving 3G signals. I would really like to not have to worry about signals here. Does anyone know if the antenna on this thing is significantly better than an iPhone? Will I get 0 bars or 5 bars?

Third Problem is, I have more than one computer. I'd like to share this connection. This is where pfSense comes in. I tried looking this up on the hardware list, but I don't see it. I see someone referencing it on a BSD list, but version 8.0... Does anyone know if these work with pfSense 1.2.2 as a WAN connection? There are pre-fab 3G Routers that work with it, but they are $$$.

Fourth Problem is, this is a separate problem, that maybe I can get an alternative in place if needed, but my cell phone is 3G as well. No signal = no calls. I have looked at Signal Boosters for areas/building, but they seem to be insanely expensive.

Anyone have any suggestions or solutions to this problem?

Regards,
Chuck