I may have spoken too quickly last time, as what I said made a lot, probably too many, assumptions about your network. So let's start over and say, as with most networking things, "it depends". You've mentioned that the wireless links are bridges, but you also said that you believe the switches are layer 3 and may be used for routing. So the first thing you need to figure out is whether the traffic passed between buildings is just forwarded using layer 2 mechanisms or is being routed by a router, which may be a layer 3 switch in your case.
So if you're dealing with a network that's routing traffic between the buildings, then my original reply stands. You should look at moving to a dynamic routing solution such as OSPF. But based on some of your other questions it sounds like this may not be the case. If your network isn't currently routing traffic between buildings, then this problem gets to be a bit more complex, especially if you need to preserve the broadcast domain of your network. This isn't something that I have any experience with, so maybe someone else on the list could give you some advice for this. Here are my thoughts on this though. You may be able to get this to work using GRE tunnels or some other network trickery. But you'll also need to figure out how to get it to work with a layer 2 multi-path solution, such as link aggregation or STP. I'm not convinced that either will work over such a link.

As far as dealing with QoS for VoIP goes, I don't see why you wouldn't be able to do that, but I don't know a lot about the QoS stuff in pfSense other than that it does support it, so in theory you should be able to prioritize the traffic as you need through pfSense.

Your question about VLANs is what tips me off that you're not routing currently. But it's my understanding that a router will strip off the VLAN tags. So you would need to route traffic from one VLAN on network A to the appropriate VLAN on network B, where the frame will be tagged again.

Sorry I don't have any more concrete answers, but I hope this information helps.

--
David

On Fri, Aug 12, 2011 at 2:23 PM, John Mcdonnell <[email protected]> wrote:
> That's mostly what I figured, but I thought I had seen in the docs saying that
> what I wanted to do wasn't supported in version 2.0. The only real question
> I have is on how to configure the following scenario, which I sort of
> described earlier:
>
> Building A is the main building with the DMARC.
> Building B is one of our remote buildings.
> Building C is another remote building.
>
> Building B is wirelessly connected "directly" to building A. (It actually
> bounces off another tower in between, but that is all in the provider's
> setup.)
> Building C is wirelessly connected to building A through building B.
> (Building B has 2 radio transmitters, one pointed to the provider, the other
> to building C.)
>
> Now, if the wireless link between A and B goes down it would cause building
> B to switch over to the Comcast VPN backup. However, most of the time, it
> is something between buildings B and A that goes out and building C stays
> connected to building B over the wireless link. Is it possible to detect
> when the link between buildings A and B goes out so that I can switch
> building C over to the VPN backup so as to balance the traffic on building
> B's VPN backup?
>
> Now that I typed this, I think this is what you were referring to with
> using OSPF. Could you please give me some peace of mind that this would
> work? And would the VPN allow the VOIP traffic to be prioritized over all
> other traffic? For some reason in my head I have it stuck that I need to
> pass VLAN tags over the link, but I'm pretty certain that I do not,
> correct? This is basically inserting a router in the line instead of being
> bridged. Will this, by default, disable my ability to ping (among other
> things) between buildings unless I add rules to allow it? I'm thinking it
> does, but want to make sure so that I'm not wasting time adding
> unnecessary rules, making the rules more complex and therefore harder to
> maintain.
>
> Sorry for being a bother, but just trying to get my head around it while
> also doing 20 other things. I'm pretty certain that I can get my boss to go
> for this setup this time around if I have all the facts in front of me. An
> automatic backup network connection between buildings would have been nice
> before, but now that our phone system is connected between buildings via
> VOIP, though there is a sort of backup in that we still have a line at each
> building so that they can still call out when the network is down, I think
> it is a bit more important to have something like this working so that full
> phone functionality is available.
>
> It'd be a lot easier to do this in a couple weeks after the crunch to get
> everything done before the start of the school year and the first couple
> weeks of the new year with the surge of help desk tickets. Trying to get
> what I can in my spare time in advance though.
>
> --
> John McDonnell
> [email protected]
>
> ------------------------------
> *From:* David Miller <[email protected]>
> *To:* [email protected]
> *Sent:* Thursday, August 11, 2011 9:47 PM
> *Subject:* Re: [pfSense Support] VPN Failover Backup
>
> If I'm following what you're saying, you don't really have a redundant
> VPN issue. You need to set up routing that deals with link failures. pfSense
> supports OSPF, which should be able to do what you need. Basically the VPN is
> just another route with a lower priority to the other buildings.
>
> http://en.wikipedia.org/wiki/Open_Shortest_Path_First
>
> --
> David
>
> On Thu, Aug 11, 2011 at 8:09 PM, John McDonnell <[email protected]> wrote:
>
> Hello everyone. I want to apologize in advance as I hate bringing up
> something that I'm sure has been discussed many times already and the length
> of this e-mail is rather long.
>
> I've found a few examples, but they were dealing with older versions of
> pfSense, and in the pfSense docs I found something like I wanted to do, but
> it had a notice that it doesn't work with the 2.0 branch. I would play
> around with it and see if I could figure it out, but this is a really busy
> time at work right now (I'm actually at home right now typing this as I
> don't have much spare time at work until a few weeks after the new school
> year starts) and I would like to find out if this is possible before trying
> to convince my boss to go this route. I brought this idea up about a year or
> so ago, but was shut down. I'm hoping this time, if I have more information
> available, and possibly set up a pair or so of working boxes, we'll go
> through with the idea. Especially since our phone system is now all tied
> together with VOIP between buildings.
>
> Anyway, here's the background info on our setup. We're a K-12 school
> district and we have 5 buildings. 2 of our buildings are next to each other
> and connected via fiber. Then between our main DMARC and the other 3
> buildings, we have 100meg wireless bridges. Last year, Comcast provided us
> with free broadband that we use as a backup. Currently, it's set up as a
> manual backup in that we can manually plug a computer into the Comcast
> network if needed. What I want to do is configure a couple of pfSense boxes
> at each of the 3 remote locations to connect via VPN to a pfSense box in
> the building that is connected via fiber. (Not the main DMARC; most likely
> I'll look into plugging that Comcast connection into the main Cisco router for
> main network failover.) The Comcast is not static addressing, if that makes a
> difference. I do have dynamic addresses set up for these Comcast boxes
> though, which I think is all that I need for OpenVPN.
>
> Preferably, what I want to do is keep the setup working the same as it is
> now, with the addition of a VPN failover. I believe that our core L3
> switches are performing basic routing, which I think will make this easier. I
> can provide relevant info (and am going to verify this is indeed what is
> going on later) from the switches if needed, but I think they are basically
> routing anything outside of the 10.x range that the individual buildings are
> using to the main DMARC, which then has routes to the other buildings and
> sends everything else over the main internet connection. If this is what is
> going on, it should be fairly easy to insert a pfSense box between the core
> switch and the wireless bridge and Comcast CSU/DSU.
>
> Now comes the question on the VPN failover setup. I basically will need to
> pass all traffic over the VPN when the main link is down, including VLAN
> information. Is this possible? I will also need to prioritize the VOIP VLAN
> over all other traffic. I'm also curious if it is possible to detect if one
> of the other links went down and switch to failover if it has. Our one
> building bounces through another building on the wireless bridge, so when
> the in-between building goes down, it knocks out both buildings, even if the
> link between those buildings is still up. So if possible, I'd like to detect
> when that connection goes down and switch from using the wireless link
> between buildings (except possibly any traffic that needs to go between
> those two buildings) and use the failover VPN to get better performance
> instead of all going through one Comcast connection.
>
> I think I explained everything in a semi-understandable manner; if anything
> needs to be explained further in order to explain what I'm trying to do, I can
> clarify or possibly include a diagram (I should still have the original
> Visio diagram I made to present to my boss last year saved somewhere) to
> show things better. (I'm not sure if this list scrubs attachments or not.)
>
> I don't need anyone to come and set this up for me, though that may be an
> option in the future if we decide to upgrade to some appliances instead of
> using old spare PCs and want a support contract to go with them, but just
> some clarification on whether what I want to do is possible and some pointers on
> where to look to figure out how to configure it. Though, I'll gladly also
> accept any specific configuration examples as well. As I said, I don't have
> much spare time at work, though I might work on setting up the boxes in my
> spare time at home.
>
> Thanks in advance for any help you can provide.
>
> --
> John McDonnell
> [email protected]
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
> Commercial support available - https://portal.pfsense.org
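The routing reasoning in this thread ("the VPN is just another route with a lower priority") can be checked on paper before touching any box: OSPF picks the path with the lowest total interface cost, so the question of whether building C ends up on its own Comcast VPN when the A-B wireless link dies, rather than piling onto B's VPN, is just a sum of link costs. The following is an added example, not code from the thread or from pfSense: it models the five-site topology John describes and runs a shortest-path computation over it with and without failed links. The link costs (fiber 1, wireless 10, VPN 100), the name "D" for the fiber-connected building that terminates the VPNs, and the assumption that every link is point-to-point with equal cost in both directions are my assumptions, not something the thread states.

```python
# Added example (not from the thread): OSPF-style lowest-cost path selection over
# the topology described in the e-mail, to show what happens to each site's
# route to the DMARC when the A-B wireless link fails.
#
# Assumptions (mine, not the thread's): the costs below, the name "D" for the
# fiber-connected building that terminates the OpenVPN tunnels, and symmetric
# point-to-point links.
import heapq
from typing import Dict, List, Tuple

Link = Tuple[str, str, int]  # (endpoint, endpoint, cost)

# Constructed topology: A is the DMARC, D is the building on fiber next to A,
# B and C are remote; C reaches A through B over wireless; B and C each have an
# OpenVPN tunnel over Comcast to D.
LINKS: List[Link] = [
    ("A", "D", 1),     # fiber
    ("A", "B", 10),    # wireless bridge (via the provider's tower)
    ("B", "C", 10),    # wireless bridge (B's second radio)
    ("B", "D", 100),   # OpenVPN over Comcast, backup only
    ("C", "D", 100),   # OpenVPN over Comcast, backup only
]


def build_graph(links: List[Link], down=()) -> Dict[str, List[Tuple[str, int]]]:
    """Adjacency map; any (x, y) pair listed in `down` is treated as failed."""
    failed = {frozenset(pair) for pair in down}
    graph: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, cost in links:
        if frozenset((a, b)) in failed:
            continue
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    return graph


def shortest_path(graph, src: str, dst: str):
    """Dijkstra. Returns (total_cost, [hops]) or (None, []) if unreachable."""
    dist = {src: 0}
    prev: Dict[str, str] = {}
    heap = [(0, src)]
    visited = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in visited:
            continue
        visited.add(node)
        if node == dst:
            break
        for nxt, cost in graph.get(node, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def route(src: str, dst: str, down=()):
    """Best path from src to dst given the constructed topology and failed links."""
    return shortest_path(build_graph(LINKS, down), src, dst)


if __name__ == "__main__":
    scenarios = [(), (("A", "B"),), (("A", "B"), ("B", "C"))]
    for failed in scenarios:
        print("failed links:", failed or "none")
        for s, d in [("B", "A"), ("C", "A"), ("C", "B")]:
            cost, path = route(s, d, failed)
            print(f"  {s}->{d}: cost {cost} via {'-'.join(path) or 'unreachable'}")
```

With these costs, losing A-B sends B over its own tunnel (B-D-A, cost 101) and sends C over its own tunnel too (C-D-A, 101) rather than through B's tunnel (C-B-D-A, 111), while C-B traffic stays on the still-working wireless link (cost 10), which is the balancing the thread asks about. Two caveats the numbers do not show: OSPF only reroutes after the adjacency over the failed link is declared dead, so the hello and dead intervals on the wireless-facing interfaces set the failover delay; and a VPN that terminates somewhere other than the DMARC is fine only as long as the hub site's own path to the rest of the network (here the A-D fiber) is in the same routing domain.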
