General Discussion / OPNSense's MultiWAN Support / options (VPN and routing)
« on: January 06, 2017, 04:44:33 pm »
I'm assessing if OPNSense can accomplish the seemingly (to me) simple requirements that I have on my network.
I have 2 different ISPs, so need WAN1 and WAN2, clearly that is not an issue with MultiWAN support.
However, I got it set up using other dd-wrt/tomato and other methods; the problems start after this is set up, as follows:
1) I have several VPN clients/devices, like a CISCO phone or smartphones, trying to get a VPN tunnel while going through the router/firewall (opnsense in future maybe). This WORKS, but only for a few minutes, b/c sooner or later the IPs change for the client, and that breaks the VPN tunnel, so the clients repeatedly disconnect/reconnect.
Can opnsense assure a particular client a "fixed" WAN so that VPN will work without breaking?
2) Even withOUT vpn in the mix, with a simple download of a large OS ISO, like 4GB, from a browser, the download often gets stuck, b/c the backend server probably sees my IP changing periodically and drops the connection.
Can opnsense somehow automatically detect such "sessions" and keep them with the same IP, OR do I have to assign each PC on the network to a given WAN, and if that WAN goes down, only then it will flip it to WAN2?
3) The tomato/multiwan packages on home-grade routers have a MAC or IP filter (as part of multiwan support), and that SORT of works, but two things:
a) Due to the low-powered CPU, they have a lot of FALSE negatives appear with regards to WAN1 or WAN2 being DOWN, and then, again, the traffic is impacted. In other words, the algorithm to detect if WAN1 or WAN2 are down is broken, and thus causes disconnects. Setting detection to 1 minute causes disconnects almost every 4-5 minutes, and raising it to 10 minutes causes disconnects every 30-45 minutes, but recovering from such false "outages" is also long (b/c 10 minutes have to pass before the next check is initiated), and of course all that time, both WANs are totally fine. Something with the way they check ping/traceroute is broken... so for now, I had to totally disable detection of WANs being offline. Let's assume the WAN IPs are fixed/given to me by the ISP, and the link connection will always be UP; still, internet may not work, due to many reasons.
b) If WAN1 is REALLY down (no network), and the filter is set to route, say, MAC3 to WAN1 (so as to keep vpn from failing as described above), then MAC3 is now totally disconnected. Their code is not smart enough to realize that WAN2 is UP and that it can route to it until such time that WAN1 is back online, and then put MAC3 on WAN1 again.
Can opnsense quickly and reliably detect WANs going down (no internet), and in that case, can it re-route onto working WANs, and return to the original WAN once it is back and active?
I feel somewhat stupid asking such things, b/c it sounds like obvious requirements to me, but as I found out, that is not the case in the multiwan implementations that I've tested.
Thanks for any tips...
Stormy