OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: nicovell3 on February 02, 2018, 09:23:03 am

Title: Set gateway group as default gateway
Post by: nicovell3 on February 02, 2018, 09:23:03 am
Hello,

In a setup with two wan routers and one OPNsense firewall I've configured the two gateways with a gateway group to use the secondary gateway while the first one is down. The problem is that I don't want to configure just one firewall rule with that gateway group, I want the gateway group to be the default gateway for all rules, but there is not such option.

I tried configuring a route for all !RFC1918, but the gateway group does not appear in the gateway list. What is the most correct and elegant way to set this up?

Thanks in advance ;)

Edit: Wow, I just realized I posted in the wrong section and I don't know how to move the post. Sorry.
Title: Re: Set gateway group as default gateway
Post by: franco on February 02, 2018, 09:27:41 am
Hi there,

This isn't allowed, but you can turn on Firewall: Settings: Advanced: "Allow default gateway switching".

Which picks a viable default gateway on gateway status changes.


Cheers,
Franco
Title: Re: Set gateway group as default gateway
Post by: nicovell3 on February 02, 2018, 09:50:17 am
Hi Franco,

Thanks for your quick reply. But I see two problems there:

- I have more gateways to let my firewall connect to other networks (like laboratory routers), so I cannot simply rely on the firewall to decide which gateway to use. It can try to route my connections to a gateway which can't reach internet.

- That option you talk about has the following description: "If the link where the default gateway resides fails switch the default gateway to another available one. This feature has been deprecated.". So I thought setting this can't be the correct way.

What do you think?

Thanks for your help.
Title: Re: Set gateway group as default gateway
Post by: franco on February 02, 2018, 10:00:34 am
The feature needs work. It would be beneficial to restrict it by gateway group as you said.

So far, we have no master plan for that area, hence the (to some degree unfounded) deprecation.


Cheers,
Franco
Title: Re: Set gateway group as default gateway
Post by: GreG.P. on February 02, 2018, 11:51:14 am
Hi nicovell3,

Have you put some static routes in place to reach specific/particular private networks (like the laboratory network)?

There are also possibilities with firewall policy-based routing (need to check if OPNsense permits this feature).

Regards,
Greg
Title: Re: Set gateway group as default gateway
Post by: nicovell3 on February 02, 2018, 05:25:57 pm
Hi Greg,

Yes, I have set up static routes for those private networks. I also set up other routes with policy-based routing, but I prefer the firewall to route these networks with global routes to avoid specifying the gateway multiple times in my rules, as I'd like to do with the multi-WAN thing.

Anyway, I'd have to get those gateways declared to use policy routing, so changing that wouldn't solve my problem...

Regards,
Nico.
Title: Re: Set gateway group as default gateway
Post by: panupong on August 04, 2019, 12:01:27 pm
Hi my name is jack

In a setup with two WAN routers and one OPNsense firewall I've configured the two gateways with a gateway group to use the secondary gateway while the first one is down. The problem is that I don't want to configure just one firewall rule with that gateway group, I want the gateway group to be the default gateway for all rules, but there is no such option.

I tried configuring a route for all !RFC1918, but the gateway group does not appear in the gateway list. What is the most correct and elegant way to set this up?

Thanks in advance
Title: Re: Set gateway group as default gateway
Post by: mimugmail on August 04, 2019, 02:33:07 pm
If you only need failover and no loadbalancing you don't need to set up a gateway group.

Go to System : Settings : General and set default gateway switching.

Then go to System : Gateways : Single and set your WAN Gateways as "upstream" and give them priorities, like 1 and 2.
Title: Re: Set gateway group as default gateway
Post by: drivera on August 04, 2019, 09:52:37 pm
I'm interested in failover and preference: i.e. use circuit A if it's available, if not then use B, but if A comes back, go back to A.

That doesn't work with "upstream" because OPNsense will just choose one, without consideration for preference. At least, that's how it worked for me. Perhaps there's another setting that I'm ignoring that helps resolve this?

Cheers!
Title: Re: Set gateway group as default gateway
Post by: mimugmail on August 05, 2019, 05:55:49 am
There are now priorities with 19.7, just try it out :)
Title: Re: Set gateway group as default gateway
Post by: drivera on August 22, 2019, 05:01:12 am
Ok so it didn't quite work.

I just had an outage where the uplink on the primary circuit (priority 1) was effectively dead: the CableModem still had an IP (and as such so did the firewall), but the probe-IP configured (a known point beyond the CM, within the provider's network) was unreachable. The Gateway was even recognized as down.

But the default gateway did not switch to the secondary (priority 2).

Both the primary and secondary individual gateways are the only gateways marked as "upstream". All other gateways are VPNs, and are priority 255 (for obvious reasons: if there's no base circuit, there can be no VPN over them). Gateway switching is indeed enabled in System settings.

I'll run a more controlled test tomorrow/weekend. For now, I'm sad to report that the feature does not appear to be working.

I'm fully updated, btw (OPNsense 19.7.2-amd64, FreeBSD 11.2-RELEASE-p12-HBSD, OpenSSL 1.0.2s 28 May 2019).

Cheers!
Title: Re: Set gateway group as default gateway
Post by: mimugmail on August 22, 2019, 07:39:55 am
System : Settings : General, enable default gateway switching
Title: Re: Set gateway group as default gateway
Post by: drivera on August 22, 2019, 02:29:56 pm
Like I said above, Gateway switching is enabled.
Title: Re: Set gateway group as default gateway
Post by: mimugmail on August 22, 2019, 04:56:04 pm
Logs from system.log would be cool
Title: Re: Set gateway group as default gateway
Post by: drivera on August 22, 2019, 05:22:53 pm
It seems that the default firewall setting has a rather short limit on log size. I'm going to increase it for the future. Also: the log size field processing has a bug - I tried to set the size to 3GB (in bytes = 3,221,225,472), but when I reset the log files, the first log file was already over 100GB when I forcibly rebooted to avoid choking the disk...

I set it to 2GB-1 (2,147,483,647) and that seemed to work just fine.

Annoyingly, I had configured a remote syslog server to capture all these logs but for some reason it stopped listening and wasn't receiving so even that history was boned.

I'll submit logs the next outage I have.

Cheers.
Title: Re: Set gateway group as default gateway
Post by: drivera on August 23, 2019, 09:05:31 pm
Here's another tidbit I've just discovered with this new setup: the 2nd circuit is unroutable except for IPs it's specifically set up for, either by DHCP or manually by me.

However, when failover occurs (which it does seem to when the 1st circuit goes completely offline), everything is fine and routing works perfectly. Then it fails back cleanly.

However, while the primary circuit is up, traffic going out the 2nd circuit (i.e. for tests and diagnostics) simply dies (i.e. is never seen again) except when going to the addresses I mentioned. I'm not sure if there's a setting that I'm missing, but this used to work just fine when I was using a routing group to handle the failover.

Let me know if I should start this as its own thread, as this diverges a bit from the topic of discussion.

Cheers!
Title: Re: Set gateway group as default gateway
Post by: mimugmail on August 24, 2019, 12:03:05 am
Maybe open an issue via GitHub if you are sure this is a bug.
Title: Re: Set gateway group as default gateway
Post by: drivera on August 24, 2019, 01:13:06 am
Well, I know for sure the behavior is as described vs. what I would have expected. If you think it's a bug, I'll file a report.

I was just giving the benefit of the doubt that the problem was me and a bad setting somewhere...

Thoughts?
Title: Re: Set gateway group as default gateway
Post by: mimugmail on August 24, 2019, 08:32:37 am
Maybe first read all the open and closed issues about it on GitHub; there are 2-3 of them.
Title: Re: Set gateway group as default gateway
Post by: drivera on August 25, 2019, 05:57:54 pm
I shall do that.

In other news, the problem with failover seems to be dpinger. This is from today's outage event:

Code:
Aug 25 09:43:12 firewall dpinger: CABLE_DHCP 10.19.0.1: Alarm latency 8574us stddev 2231us loss 6%
Aug 25 09:43:12 firewall dpinger: GATEWAY ALARM: CABLE_DHCP (Addr: 10.19.0.1 Alarm: 1 RTT: 8574ms RTTd: 2231ms Loss: 6%)
Aug 25 09:48:36 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:37 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:38 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:39 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:40 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:41 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:42 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:43 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:44 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:45 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:46 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:47 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:48 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:49 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:50 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:52 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:53 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:54 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:55 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:56 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:57 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:58 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:59 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:00 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:01 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:02 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:03 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:04 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:05 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:06 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:07 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:08 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:09 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:10 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:11 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:12 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:13 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:14 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:15 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:16 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:17 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:18 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:19 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:20 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:21 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:22 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:23 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:24 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:25 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:26 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:28 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:29 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:30 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:49:31 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55

It would seem that DPinger is trying to re-route everything via a VPN gateway, which isn't marked as an upstream gateway - i.e. dpinger doesn't seem to be aware of the new "gateway priority" feature ... either that, or it's simply not giving a hoot.

I'll log both defects in GitHub.

Cheers!
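An added example (not code from this thread or from OPNsense) that replays dpinger syslog lines like the excerpt above against the upstream-flag and priority scheme mimugmail described earlier, to show which gateway a priority-based default gateway switch should select when the primary alarms and again when it recovers. The selection rule is a model, not OPNsense's implementation; the gateway names and the first five log lines come from the thread, while WAN2_DHCP, the gateway table and the final recovery line are constructed.

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's dpinger excerpt; the final
# "Alarm: 0" line is invented so the replay can show failback as well.
SAMPLE_LOG = """\
Aug 25 09:43:12 firewall dpinger: CABLE_DHCP 10.19.0.1: Alarm latency 8574us stddev 2231us loss 6%
Aug 25 09:43:12 firewall dpinger: GATEWAY ALARM: CABLE_DHCP (Addr: 10.19.0.1 Alarm: 1 RTT: 8574ms RTTd: 2231ms Loss: 6%)
Aug 25 09:48:36 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:37 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 09:48:38 firewall dpinger: MASKVPN_VPNV4 10.57.0.205: sendto error: 55
Aug 25 10:02:10 firewall dpinger: GATEWAY ALARM: CABLE_DHCP (Addr: 10.19.0.1 Alarm: 0 RTT: 9102ms RTTd: 1200ms Loss: 0%)
"""

# Gateway table as described in the thread: two upstream WANs with priorities
# 1 and 2, VPN gateway at 255 and not upstream. WAN2_DHCP is a placeholder name.
GATEWAYS = [
    {"name": "CABLE_DHCP", "upstream": True, "priority": 1},
    {"name": "WAN2_DHCP", "upstream": True, "priority": 2},
    {"name": "MASKVPN_VPNV4", "upstream": False, "priority": 255},
]

ALARM_RE = re.compile(r"dpinger: GATEWAY ALARM: (?P<gw>\S+) \(Addr: \S+ Alarm: (?P<alarm>[01]) ")
SENDTO_RE = re.compile(r"dpinger: (?P<gw>\S+) \S+: sendto error: (?P<errno>\d+)")

def pick_default_gateway(gateways, down):
    """Model of upstream-flag + priority switching (an assumption, not OPNsense's
    code): the lowest priority number among upstream gateways not in `down` wins,
    so a recovered primary is re-selected automatically (failback)."""
    up = [g for g in gateways if g["upstream"] and g["name"] not in down]
    return min(up, key=lambda g: g["priority"])["name"] if up else None

def replay(lines, gateways):
    """Walk dpinger syslog lines in order: record the model's choice after every
    GATEWAY ALARM transition, and count sendto errors per (gateway, errno) so a
    failing non-upstream gateway is reported apart from the WAN probe alarm."""
    down, decisions, errors = set(), [], Counter()
    for line in lines:
        m = ALARM_RE.search(line)
        if m:
            (down.add if m["alarm"] == "1" else down.discard)(m["gw"])
            decisions.append(pick_default_gateway(gateways, down))
            continue
        m = SENDTO_RE.search(line)
        if m:
            errors[(m["gw"], int(m["errno"]))] += 1
    return decisions, errors
```

On FreeBSD errno 55 is ENOBUFS (no buffer space available), so the counter keeps the VPN gateway's send failures separate from the WAN's probe-loss alarm instead of folding them into one event.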