multi-wan failover problem

Started by hescominsoon, August 11, 2022, 09:29:11 PM

Quote from: hescominsoon on August 19, 2022, 11:09:34 AM
That should not be necessary in terms of cycling the interface.

Your lack of context is staggering, but thanks anyway for this comment.

More work on the ticket was done. Thanks for all the feedback and testing. :)


Cheers,
Franco

August 19, 2022, 11:59:25 AM #31 Last Edit: August 19, 2022, 12:17:01 PM by hescominsoon
you are welcome.  My lack of feedback is because i am not running 22.7 in a failover environment now as i cannot afford to be testing the software in said environment as the client will not put up with that.  22.1 works as the use case calls for..and as the thread shows..22.7 doesn't(Edited..not in its current release form).  I DO have 22.7 running here with a single wan and that, of course, works perfectly.  My statement of..you should not have to cycle the interface goes all the way back to my first post about this...if i had the ability to test this further..i would.  I don't..so i won't. OPnsense is a good product..but this one issue burned me badly when all other times it worked perfectly.  Normally i upgrade here..beat on it..and deploy.  I tested it here in a similar..but not exact environment..then upgraded to 22.7 on the 3850 on the client firewall only to have OPnSense fall flat..and continue to do so.  In order to fix it..a reinstall to 22.1 was required.  Due to the lack of a vga port that machine will stay on 22.1...probably forever until I can guarantee failover works as it should.  At this point what is probably going to happen is i will have to replace that firewall..at my expense..with a pfsense box that i KNOW does failover correctly.  I wanted to move to opnsense for my critical business clients due to PFSense's well stated intentions of going closed source and paid only...it looks like for non-critical applications i will continue to use opnsense...but for other applications it's either pfsense or something else.  This regression has caused me to look like an idiot to my partner AND also to the client we spent many hours trying to get rid of a sonicwall firewall to replace it with this 3850.  I am now contemplating having to buy the hardware from my partner and eat several hours of time to get the sonicwall working or replace the 3850 with a PFSense machine with TAC.

I am not saying opnsense is a bad product but this failover issue left me looking like a complete idiot.  I have never had a firewall upgrade blow up this badly..in full view of both my partner and a major client..at the same time. 

I appreciate the entire opnsense team's time and efforts...and i know this will be resolved eventually.  This is going to cost me a good deal of money both in having to either replace the hardware with something else...OR eating many hours of time trying to convince the partner and client this is a viable solution for their needs.

I actually have two custom Opnsense firewalls i am configuring for a different client who does not have a failover requirement...and will happily deploy those firewalls(on custom hardware).  I will continue to run Opnsense here at my office as well.  Opnsense is a solid product but this incident has made me change my use cases for the product.

i hope that provides the context you are looking for franco. 

(Edit: noticed the patch...great job..just cannot test it at the client as reinstalling from the serial console is really a pain..if it had a vga port...Once .3 is released i'll test here at my office in my multi-wan setup and then if it works right..we MIGHT decide to upgrade the 3850....)

Fair enough. And I think 22.7 is a little premature if you want to indeed not "look like an idiot" in a business setting. This is NOT intended as a fire and forget replacement at this stage. Sometimes early releases can be, but this one may not be. It's been 3 weeks since release. It lasts for over 5 more months. I'm sure you know how this works.


Cheers,
Franco

August 19, 2022, 04:25:56 PM #33 Last Edit: August 19, 2022, 04:51:02 PM by hescominsoon
I know how it works now....not too long ago release meant release...not it's kinda done but the users are the final beta test which has infested the rest of the software community.  Firewalls and other critical infrastructure..imo...should hold themselves to a higher standard and open source ones used to hold themselves to even higher ones.  You know what they say about assumptions...Assumptions always bite you in the ass.

Quote from: hescominsoon on August 19, 2022, 04:25:56 PM
I know how it works now....not too long ago release meant release...not it's kinda done but the users are the final beta test which has infested the rest of the software community.  Firewalls and other critical infrastructure..imo...should hold themselves to a higher standard and open source ones used to hold themselves to even higher ones.  You know what they say about assumptions...especially code quality across the entire spectrum now...Assumptions always bite you in the ass.

trying to understand why you would not use the free 22.4 1-year business license that comes with your hardware purchase. It's there to keep you, your business, your customers and OPNsense safe. Let free home users beat on 22.7 for many months until OPNsense is convinced all the unforeseen show stoppers are cleaned up. Then you will be justified in coming at them if you experience this in the business release.

read my previous post.  if you cannot understand why from that...i cannot assist any further..:)

well at least... we learn something right?
never put a new release in production without testing...
if you do... better have a backup plan...
there are reasons why there are users still on older 21.x or 20.x release

everyone knows that for all releases there will always be bugs... thing is opnsense/franco is at it solving/fixing the bug.

for today's software...yes...unfortunately release is no longer the actual release.

Quote from: hescominsoon on August 19, 2022, 07:26:24 PM
for today's software...yes...unfortunately release is no longer the actual release.

Been that way from the start when a company has a free early consumer release and a delayed business release. One of those 2 is more battle-tested at the expense of the other.

The summary is, I am going with a different product in the future. 

What prevents you from using the business release in a business context?

Also the community releases are usually perfectly stable for any home deployment. If you have an issue, just report on GitHub.

August 21, 2022, 07:32:58 PM #41 Last Edit: September 11, 2022, 11:38:08 PM by hescominsoon
allow me to restate...the lack of support from Deciso during US business hours...hence the move to another vendor for business clients.

(original text: lack of support hours available from Deciso in the US...hence the move to another vendor for business clients.)

the patch works, and I did not pay anything for it...
that should be the main point now
yes it did take a day or 2 and a report by @tcpip in GitHub

anyway this is about, solving the multiwan-wan failover / gateway fail problem and it is solved
we also learned NOT to put first release/community version to production servers without testing.

Quote from: hescominsoon on August 21, 2022, 07:32:58 PM
lack of support hours available from Deciso in the US...hence the move to another vendor for business clients.

That's a flat out lie. We do have happy support customers in the US and all you need is to acquire a contract.

If you intend to keep spreading misinformation I have no alternative to taking action as a moderator.


Cheers,
Franco

September 11, 2022, 11:31:45 PM #44 Last Edit: September 11, 2022, 11:39:44 PM by hescominsoon
Quote from: franco on August 23, 2022, 01:56:23 PM
Quote from: hescominsoon on August 21, 2022, 07:32:58 PM
lack of support hours available from Deciso in the US...hence the move to another vendor for business clients.

That's a flat out lie. We do have happy support customers in the US and all you need is to acquire a contract.

If you intend to keep spreading misinformation I have no alternative to taking action as a moderator.


Cheers,
Franco

my intent is not misinformation.  Sorry you see it that way.  According to your site support is 9-5 central european time..which does not line up with business hours in the US.  so i will reword..there is no support from Deciso during US business hours..which is something i require from a vendor.  My apologies for my error in wording there.  Original post has been corrected with the original text placed in parentheses for the record.