OPNsense
Messages - vico1959

16
High availability / Re: No Failover on WAN Interface down
« on: February 04, 2022, 09:56:44 pm »
Ah, gotcha, sorry for the misunderstanding.

17
High availability / Re: [Guide - WIP]WAN failover to mobile hotspot
« on: February 01, 2022, 10:41:37 pm »
I know this is an old thread but I just wanted to say that I had a configuration like this working a couple of years ago. I was not using a phone but it was a cellular wireless hotspot and it did work in case anyone is still wondering.  Unfortunately, it has been too long and too many configurations ago so I don't remember specific instructions on how I did it but it is possible.

18
High availability / Re: No Failover on WAN Interface down
« on: February 01, 2022, 10:27:09 pm »
I found this list from an old post of mine after I did get it going in case it helps.

1. Have you set up the gateway group?
2. Have you adjusted the priority (1 main and 2 alt) and weight (keep weight at 1 for both) settings in the single gateway options and the tier settings (1 main and 2 alt) in the group?
3. Have you checked upstream gateway on both so that they can be used as a default gateway?
4. Have you checked far gateway for any gateways not in the same IP subnet?
5. Have you configured the DNS servers to use gateways in the general settings?
6. Have you configured the monitor IPs for each single gateway, (or at least the main, more on this later) you can use any external DNS server for this?
7. Have you checked the "Allow default gateway switching" box in General settings?

19
High availability / Re: No Failover on WAN Interface down
« on: February 01, 2022, 10:04:55 pm »
I've had many issues with getting failover to work properly in the past and even recently had some issues that I think I resolved. I am assuming you have created a failover group for the WAN interfaces. I've found that what seems to work the best for me is using the packet loss option for triggering and setting up the tier options properly. You also need to use that group instead of individual WAN interfaces in any fields on other pages that allow you to choose the group unless it is a service that you only want to work when a particular single interface is online. There is an "Allow default gateway switching" option under System/Settings/General that apparently needs to be checked for proper switching as well. Lastly, under DNS servers in the same section, if any DNS servers there are also being used by any network devices (either directly or indirectly as in the case of an internal DNS server forwarding to them) then I have found that I needed to assign unique server addresses to each WAN interface and to make sure that at least one of the DNS servers being used was assigned to each of the WAN interfaces or I would have DNS issues when it did switch.

20
General Discussion / Re: Admin TOTP authentication device lost, how to get access?
« on: December 17, 2021, 10:13:26 pm »
That is actually not a bad idea to make a physical printout of the QR code and file that somewhere. That seems the simplest of all. Great thoughts. Thank you for that. Sometimes it is too easy to overlook the obvious.

21
General Discussion / T-Mobile 5G MiFi as WAN failover
« on: December 15, 2021, 02:23:22 am »
Does anyone know if there is currently support for the T-Mobile 5G MiFi M2000 hotspot? It does support a single client through a USB C port. If there is not current support, can it be added?

22
General Discussion / Admin TOTP authentication device lost, how to get access?
« on: December 15, 2021, 12:33:21 am »
Hi folks,

Sorry if this has been answered before but I could not find a thread in my searching. This has not happened yet but I am asking in advance in case it does. I am using TOTP for admin GUI access. The thought has occurred to me that if I were to lose my authenticating device or access to it or something were to happen to me, how could anyone access the firewall GUI? I haven't seen any other backup authentication options such as email, etc. Would it then have to be accessed via console/ssh to resolve the issue? Or perhaps there is something else I'm not thinking of that would help. Forgive me if it is something simple that I am overlooking.

23
General Discussion / Re: NTP Server no longer working - Please help!
« on: June 24, 2020, 12:23:36 am »
I am getting this error in the NTP log:

ntpd[16061]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized

On my Windows domain controller, it will not resync because it cannot find any time data so perhaps the firewall is blocking access to its own NTP server? I am perplexed but I really do need some answers if anyone has any. I'm feeling a bit abandoned by the community here but hopefully someone can help.

And this used to work but then stopped I think after one of the updates to the firewall but I am not certain when it stopped working.

24
General Discussion / Re: NTP Server no longer working - Please help!
« on: June 23, 2020, 09:48:22 pm »
Bump?

25
General Discussion / NTP Server no longer working - Please help!
« on: June 17, 2020, 02:13:32 am »
So originally when I set up the firewall I used the default NTP setup to sync my domain controller to and it worked but now for whatever reason the server cannot get time from the firewall any longer. If I use the w32tm monitor server function it also times out with no response. Could I have inadvertently changed a firewall rule that is blocking it? Everything seems to be set up properly under NTP services. Please help if you can. Thanks.

26
General Discussion / Re: Multi-Wan IPv4 setup
« on: May 15, 2020, 11:09:53 pm »
At first I followed instructions in the documentation here on the OPNsense site but then I ran into the exact same problem you describe in your op so that is when I started playing around with things. I posted here but didn't get any good answers in time so I kept playing around with settings to try and figure out exactly what each did.

From what I could gather, I understood weight to be how much priority each connection would have in more of a load balancing setup but I just kept them at 1 because I figured in a failover situation they should both have the same weight and other criteria should decide on which is in use. Tiers and priority seem almost like they would perform the same functions so it is a bit confusing there. I'm not sure if Tier in a group overrides priority or not or if they have some other unknown purpose.

Packet loss in your case sounds like it might be the best choice. I tried packet loss but in the end I had gone back to member down for my purposes. I'm actually not sure if it had any bearing on me finally getting it working or not because I was changing several options at a time sometimes and never went back to flush out the exact changes that made it work.

I do believe that what made it finally start switching back to the main default WAN properly is the "Allow default gateway switching" box being checked but again I haven't done any verifying of that.

27
General Discussion / Re: Multi-Wan IPv4 setup
« on: May 12, 2020, 11:33:04 pm »
Okay so I have just recently gotten this set up on mine and it does not seem to be intuitive or work correctly as one would think. I had to play around with a lot of things to get it working but finally it seems to be so let me mention all of the things I have tweaked as a list of questions:

1. Have you set up the gateway group?
2. Have you adjusted the priority (1 main and 2 alt) and weight (keep weight at 1 for both) settings in the single gateway options and the tier settings (1 main and 2 alt) in the group?
3. Have you checked upstream gateway on both so that they can be used as a default gateway?
4. Have you checked far gateway for any gateways not in the same IP subnet?
5. Have you configured the DNS servers to use gateways in the general settings?
6. Have you configured the monitor IPs for each single gateway, (or at least the main, more on this later) you can use any external DNS server for this?
7. Have you checked the "Allow default gateway switching" box in General settings?

I chose member down as the trigger for switching but the main gateway needs higher priority and tier. I also had to check allow DNS server list to be overridden for the DNS to work reliably over DHCP connection on the alt. You can exclude the main WAN from this too. I also disabled the gateway monitoring on the alt so it would consider it as always being up since it is a 4G cell connection and I didn't want any intermittent connection issues to cause the system to think it was down when it is in use.

I hope this helps in some way.

28
General Discussion / Re: Multi-WAN failover works - sort of
« on: May 08, 2020, 10:50:58 pm »
Well for me I think what worked was under Settings/General I had to check the allow default gateway switching to make it reliable and then I also had to check allow DNS server list to be overridden for the DNS to work reliably over the 4G DHCP connection. What I would recommend would be to have a failsafe WAN failover wizard that could be run and would make all the necessary changes by answering a couple of questions. As it is you have to go to several places to figure out what needs to be checked and set up in order to make it function correctly and nothing in the main areas tells you this so it is not intuitive.

29
General Discussion / Re: Multi-WAN failover works - sort of
« on: May 01, 2020, 10:21:51 pm »
Okay, once again I think I may have it licked. It has been working properly for 3 days straight now. I did a lot of tweaking so I'm not quite sure what the exact combination that made it stick is but all I know is that for any developers listening, failover WAN does not work very well like it should, at least not like I would expect it to. Some of the parameters must not be functioning reliably yet. Please do some testing and tweaking for future updates please. Thank you.

30
General Discussion / Re: Multi-WAN failover works - sort of
« on: April 28, 2020, 10:53:58 pm »
Anyone?
