OPNsense Forum

English Forums => General Discussion => Topic started by: stormy on January 06, 2017, 04:44:33 pm

Title: OPNSense's MultiWAN Support / options (VPN and routing)
Post by: stormy on January 06, 2017, 04:44:33 pm
I'm assessing if OPNSense can accomplish the seemingly (to me) simple requirements that I have on my network.

I have 2 different ISPs, so need WAN1 and WAN2, clearly that is not an issue with MultiWAN support.

However, I got it set up using dd-wrt/tomato and other methods; the problems start after this is set up :)  As follows:

1) I have several VPN clients/devices, like a Cisco phone or smartphones, trying to get a VPN tunnel while going through the router/firewall (opnsense in future maybe).   This WORKS, but only for a few minutes, b/c sooner or later the IPs change for the client, and that breaks the VPN tunnel, so the clients repeatedly disconnect/reconnect.

Can opnsense assure a particular client a "fixed" WAN so that VPN will work without breaking?

2) Even withOUT VPN in the mix, a simple download of a large OS ISO, like 4GB, from a browser often gets stuck, b/c the backend server probably sees my IP changing periodically and drops the connection.

Can opnsense somehow automatically detect such "sessions" and keep them on the same IP, OR do I have to assign each PC on the network to a given WAN, and only if that WAN goes down will it flip it to WAN2?


3) The tomato/multiwan packages on home-grade routers have a MAC or IP filter (as part of multiwan support), and that SORT of works, but two things:

  a) Due to low-powered CPUs, they produce a lot of FALSE negatives with regard to WAN1 or WAN2 being DOWN, and then, again, the traffic is impacted.  In other words, the algorithm to detect if WAN1 or WAN2 is down is broken, and thus causes disconnects. Setting detection to 1 minute causes disconnects almost every 4-5 minutes, and raising it to 10 minutes causes disconnects every 30-45 minutes, but recovering from such false "outages" also takes long (b/c 10 minutes have to pass before the next check is initiated :) :), and of course all that time both WANs are totally fine; something with the way they check ping/traceroute is broken... so for now, I had to totally disable detection of WANs being offline :) :)   Let's assume the WAN IPs are fixed/given to me by the ISP, and the link connection will always be UP; still, internet may not work, due to many reasons :)

  b) If WAN1 is REALLY down (no network), and the filter is set to route say MAC3 to WAN1 (so as to keep the VPN from failing as described above), then MAC3 is now totally disconnected; their code is not smart enough to realize that WAN2 is UP and it can route to it until such time as WAN1 is back online, then put MAC3 on WAN1 again :)

Can opnsense quickly and reliably detect WANs going down (no internet), and in that case, can it re-route to working WANs? And return to the original WAN once it is back and active?

I feel somewhat stupid asking such things, b/c they sound like obvious requirements to me :), but as I found out, that is not the case in the multiwan implementations that I've tested :)

Thanks for any tips...

Stormy
Title: Re: OPNSense's MultiWAN Support / options (VPN and routing)
Post by: franco on January 06, 2017, 05:10:48 pm
Hi Stormy,

1/2) Yes, you can do policy routing at the firewall rules level, either for an IP, a subnet, or multiple IPs and/or subnets (aliases). You can pin connections to a single WAN or use "sticky" policies for Multi-WAN balancing, where a single host is automatically pinned to a WAN as long as running sessions for it exist. In that sense, it will "stick" to a WAN and not jump around, except when that link goes down as you suggested.

VoIP is sometimes tricky with drops over prolonged periods, though tunnel routing is not an issue. I guess you mean IPsec here?

3a) "Gateway monitoring" in OPNsense uses a separate service to track gateway reachability using ICMP. Some say it works fine, others have issues with it. The topic goes back into our pfSense history. I'll spare details, but you can look for clues by looking at pfSense/OPNsense "apinger" topics. The more "enterprisey" the requirements get, the less likely the chance. After all it's free and we can't match up with the best. Claiming otherwise would be silly. In this case, you really need to see if the monitoring works reliably for you or not.

3b) Except that we can't do MAC routing, yes, the system is intelligent enough.

3) Quickly and reliably as long as it's a hard cut of the line; switching according to packet loss on the line is more difficult to cope with, but also possible.

Here's our Multi-WAN setup guide, maybe it can help making the picture clearer:

https://docs.opnsense.org/manual/how-tos/multiwan.html


Cheers,
Franco
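An added example, not code from OPNsense or from either poster: a small Python model of the behaviour Franco describes above, namely an ICMP-style gateway monitor that declares a WAN down only on sustained loss or latency across a probe window and clears the alarm with hysteresis (so a single lost probe does not cause the false "outage" described in 3a), a policy-routing decision that keeps a host pinned to its WAN and fails it over to any WAN that is still up, returning once the pinned WAN recovers (3b), and a "sticky" balancing table for everyone else. All thresholds, interface names, addresses and probe series are constructed assumptions, not OPNsense defaults.

```python
"""Model of multi-WAN gateway monitoring, pinned policy routing and sticky
balancing. Constructed example; thresholds and data are assumptions."""
from collections import deque


class GatewayMonitor:
    """Sliding-window loss/latency monitor for one WAN gateway.

    A gateway is marked down when, over a full window of probes, loss or
    average RTT crosses the alarm threshold; it is marked up again only when
    both fall back under the (lower) clear thresholds. The gap between alarm
    and clear thresholds is the hysteresis that prevents flapping.
    """

    def __init__(self, name, window=10, loss_alarm=50.0, loss_clear=10.0,
                 latency_alarm=500.0, latency_clear=200.0):
        self.name = name
        self.window = window
        self.loss_alarm, self.loss_clear = loss_alarm, loss_clear          # percent
        self.latency_alarm, self.latency_clear = latency_alarm, latency_clear  # ms
        self.samples = deque(maxlen=window)  # rtt in ms, or None for a lost probe
        self.down = False

    def probe(self, rtt_ms):
        """Record one probe result (None = lost) and return the down state."""
        self.samples.append(rtt_ms)
        n = len(self.samples)
        loss_pct = 100.0 * sum(1 for s in self.samples if s is None) / n
        answered = [s for s in self.samples if s is not None]
        avg_rtt = sum(answered) / len(answered) if answered else float("inf")
        if not self.down:
            # Alarm only once a full window shows sustained trouble.
            if n == self.window and (loss_pct >= self.loss_alarm
                                     or avg_rtt >= self.latency_alarm):
                self.down = True
        elif loss_pct <= self.loss_clear and avg_rtt <= self.latency_clear:
            # Clear only when clearly healthy again.
            self.down = False
        return self.down


def select_gateway(host, pinned, monitors, default_order):
    """Gateway for a new connection from host.

    A pinned host uses its WAN while that WAN is up, otherwise the first
    healthy WAN in default_order; it returns to its WAN automatically once
    the monitor clears. None means every WAN is down.
    """
    preferred = pinned.get(host)
    candidates = ([preferred] if preferred else []) + \
        [g for g in default_order if g != preferred]
    for g in candidates:
        if not monitors[g].down:
            return g
    return None


def sticky_select(host, table, monitors, default_order):
    """Round-robin balancing with a sticky table: a host keeps the WAN it was
    first given while that WAN is up; a down WAN drops its entries."""
    gw = table.get(host)
    if gw is not None and not monitors[gw].down:
        return gw
    healthy = [g for g in default_order if not monitors[g].down]
    if not healthy:
        return None
    table[host] = healthy[len(table) % len(healthy)]
    return table[host]


def run_scenario():
    """Constructed scenario: WAN1 sees one lost probe (a blip), later a real
    ten-probe outage, then recovers; WAN2 stays healthy throughout.
    Returns the gateway chosen for the pinned VoIP box after every probe."""
    monitors = {"WAN1": GatewayMonitor("WAN1"), "WAN2": GatewayMonitor("WAN2")}
    pinned = {"192.168.1.50": "WAN1"}  # constructed: the VoIP/IPsec box
    order = ["WAN1", "WAN2"]
    wan1_probes = [20.0] * 10 + [None] + [20.0] * 10 + [None] * 10 + [20.0] * 10
    wan2_probes = [30.0] * len(wan1_probes)
    chosen = []
    for r1, r2 in zip(wan1_probes, wan2_probes):
        monitors["WAN1"].probe(r1)
        monitors["WAN2"].probe(r2)
        chosen.append(select_gateway("192.168.1.50", pinned, monitors, order))
    return chosen


if __name__ == "__main__":
    for i, gw in enumerate(run_scenario()):
        print(f"probe {i:2d}: VoIP box routed via {gw}")
```

In the scenario the single lost probe leaves the VoIP box on WAN1, the box moves to WAN2 once five of the last ten probes are lost, and it moves back only when no more than one lost probe remains in the window. Tightening `loss_alarm` or shrinking `window` trades faster detection for more false outages, which is exactly the trade-off the thread complains about.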
Title: Re: OPNSense's MultiWAN Support / options (VPN and routing)
Post by: stormy on January 06, 2017, 05:39:51 pm
Thanks much Franco!

1) by any chance is there some "emulator" one can connect and just see the GUI mock-up, without changing anything, just to see the pages/options?

2) I think no MAC routing on multiwan is not a big deal so long as IP can be routed, then one could ensure that MAC always gets that specific IP.

3) As for VOIP/IPSEC, I'm no expert on this topic, learning.  I do have a VOIP box that opens up a VPN tunnel to the provider, and when this thing was put on Multiwan it constantly reconnected, I'm guessing b/c the tunnel broke due to the changing IP.  This is a must-have: be able to put certain IPs/MACs (preferably) on a certain WAN, which would fail over in case of outage...

4) I'm not too worried about detection not working 100%; it sounds like this framework is a lot more flexible for making changes; in other firmware-based ones it's a lot more complex since it's all nvram, etc...

5) Regarding load balancing/failover, that sentence in the doc, "To combine Load Balancing with Failover you will have 2 or more WAN connections for Balancing purposes and 1 or more for Failover", almost makes me think I would need 3 WAN connections to have both balancing/failover, but maybe I'm being overly careful, and 2 WANs are enough to have both features...

6) BTW, in the h/w requirements/DOCS I didn't see it specifically mention how many NICs are required; I'm assuming 2 are the bare minimum.

OK, now need to figure out which box can be used for this experiment :)
Title: Re: OPNSense's MultiWAN Support / options (VPN and routing)
Post by: franco on January 06, 2017, 06:28:32 pm
Hi Stormy,

1) sent an email with a test login.

2) From OPNsense itself, you can pin this down with DHCP static leases, yes.

3) I'm not sure what that means. :)

4) I've never set up Failover and Load-Balancing at the same time so I cannot say.

5) In fact you can configure OPNsense with zero NICs... which isn't very useful, but possible. One is the minimum for connectivity. It can be a nice setup to have an OPNsense VM with one NIC, put a dedicated service on it (you can install and operate packages like FreeBSD) and protect the service with the firewall components or captive portal. One NIC is also enough if you route separate VLANs through the same. Two is the most common case, or many more.


Cheers,
Franco
Title: Re: OPNSense's MultiWAN Support / options (VPN and routing)
Post by: stormy on January 06, 2017, 11:38:32 pm
Thanks for the warm welcome. Indeed, the test system looks cool!!

Regarding VOIP/#3, I think it will be OK; if the IP can be "pinned" to a specific WAN, that is fine.

I think in my case I would need a minimum of 3, b/c of 2 WANs coming in and 1 going out to the LAN... although I may install on an old laptop just for testing until I can find a decent box.  Thanks!!!