No Failover on WAN Interface down

[meschmesch]

Hi,
I have the problem that no HA failover to the second system takes place in case WAN connection is lost. In case I physically disconnect the WAN cable, failover takes place. It also works in case i shut down the first system. But in case e.g. the WAN provider is not providing any packets any more, no failover to the second system occurs.

Does anyone have an idea how to solve that issue?
Thanks!

[bimbar]

Perhaps use some monitoring ip on the gateway.

[meschmesch]

I do. Monitoring shows that Wan ipv4 is down.

[vico1959]

I've had many issues with getting failover to work properly in the past and even recently had some issues that I think I resolved. I am assuming you have created a failover group for the WAN interfaces. I've found that what seems to work the best for me is using the packet loss option for triggering and setting up the tier options properly. You also need to use that group instead of individual WAN interfaces in any fields on other pages that allow you to choose the group unless it is a service that you only want to work when a particular single interface is on line. There is an "Allow default gateway switching" option under System/Settings/General that apparently needs to be checked for proper switching as well. Lastly, under DNS servers in the same section, if any DNS servers there are also being used by any network devices (either directly or indirectly as in the case of an internal DNS server forwarding to them) then I have found that I needed to assign unique server addresses to each WAN interface and to make sure that at least one of the DNS servers being used was assigned to each of the WAN interfaces or I would have DNS issues when it did switch.   

[vico1959]

I found this list from an old post of mine after I did get it going in case it helps.

1. Have you setup the gateway group?
2. Have you adjusted the priority (1 main and 2 alt) and weight(keep weight at 1 for both) settings in the single gateway options and the tier settings (1 main and 2 alt) in the group?
3. Have you checked upstream gateway on both so that they can be used as a default gateway?
4. Have you checked far gateway for any gateways not in the same IP subnet.
5. Have you configured the DNS servers to use gateways in the general settings?
6. Have you configured the monitor IPs for each single gateway, (or at least the main, more on this later) you can use any external DNS server for this?
7. Have you checked the "Allow default gateway switching" box in General settings?

[meschmesch]

Hi, thanks for the replies. I think there is a misunderstanding. I would like to have a high availability transition from Master-Firewall --> Backup-Firewall in case WAN is offline. This transition works fine in case I physically disconnect the CAT-Cable from the physical interface of the Master-Firewall. Then HA switches to the Backup-Firewall.

However, it does not work in case I "just" stop transmission of packets from WAN to the Master-Firewall. Just as an example, imagine that the Master Firewall is connected to WAN via a switch:

Code: [Select]

WAN - Cable1 - Switch - Cable2 - Master-Firewall
In case Cable2 is removed, the HA transition from Master->Backup takes place. In case cable1 is removed, nothing happens even though the gateway shows 100% packet loss.

[vico1959]

Ah, gotcha, sorry for the misunderstanding.

[vico1959]

So I'm not quite certain why you want to switch firewall boxes with just the loss of WAN. This seems a bit overkill for that scenario. Typically you would only want to switch firewall boxes if one of those boxes actually goes down. So I say this wondering if the functionality you are looking for actually exists in the software. I have not personally attempted to do what you are looking at doing so I don't really have anything helpful to add.

[lilsense]

I agree with vico, but if you plan on doing something like that you would need to set up two independent fw/routers and run a routing protocol. if the WAN goes out on one the traffic will fail over to the other.

[meschmesch]

Would it be possible in an alternative implementation to switch just on the primary firewall from Wan to LTE in case WAN goes down (but is still connected, so no switch to the backup firewall) using the builtin capabilities of Opnsense?

LTE is available as interface and as gateway (online). But in case Carp Wan goes offline, LTE does not take over... At least I have no internet connection. In a setup without HA and Carp it works like a charm.

Nat is set up for both, the WAN Carp address and the LTE address.

[lilsense]

I think you are confused...

They are both considered WAN. So presuming if I understand you correctly, OPNSense is able to have multiple WAN Connections with having one as primary and another as secondary( or backup). Once primary fails then the secondary will pick up. NAT has nothing to do with this as it is configured on the interface, if you plan on using this feature.