[SOLVED] Multi WAN

Started by Julien, August 21, 2016, 12:29:34 AM

August 21, 2016, 12:29:34 AM Last Edit: August 30, 2016, 09:33:01 PM by franco
Hi guys,
We have a new project to configure 5 OPNsense for our customers using Multi WAN.
The second WAN is gonna be just failover: if the first WAN is down, the second WAN will jump in.
WAN1 is already configured and everything is working fine.
I want to avoid any difficulties.
I've seen this doc on the site: https://docs.opnsense.org/manual/how-tos/multiwan.html?highlight=Multi
If anyone has done this already, can you please share your experience with me?
Thank you
DEC4240 – OPNsense Owner

Hi Guy,

I followed this how-to three times - without success. Therefore I am interested in comments and exchange of experience, too.

Did you spend some time in a test setup?

Regards
Uwe

Quote from: wurmloch on August 21, 2016, 02:13:27 AM
Hi Guy,

I followed this how-to three times - without success. Therefore I am interested in comments and exchange of experience, too.

Did you spend some time in a test setup?

Regards
Uwe

Good day,
What are you trying to establish using Multi WAN?
DEC4240 – OPNsense Owner

Salut Julien,

here are some pics: https://forum.opnsense.org/index.php?topic=3537.0. Maybe helpful even if in German.

My OPNsense has 2x WAN (both static public addresses /24) connected to different German carriers and 1x LAN with some client PCs.

What kind of setup does your test scenario have?

Quote from: wurmloch on August 21, 2016, 02:40:59 PM
Salut Julien,

here are some pics: https://forum.opnsense.org/index.php?topic=3537.0. Maybe helpful even if in German.

My OPNsense has 2x WAN (both static public addresses /24) connected to different German carriers and 1x LAN with some client PCs.

What kind of setup does your test scenario have?

Are you trying to configure a failover?
My Multi WAN is gonna be failover.
So 1 WAN is up and the second WAN is backup.
I can't seem to find a good tutorial about this.
Sorry, my German is bad. :)
DEC4240 – OPNsense Owner

Hi Julien,

yes, I tried to configure a multi wan failover, following the link that you mentioned in your first post. But it didn't work at all. Unfortunately I cannot see what my mistake is.

In the German part of this forum I described what I did and what went wrong. Unfortunately nobody jumped in to give some advice. If I find some time I will repeat it on another OPNsense to get some English screenshots of the flop.

Helpless regards
Uwe

Hi Julien, Uwe,

I have used the documentation to set up both fail-over and load-balancing without any issues. One of the things that some people forget is to change the firewall rules to actually use the gateway group; maybe that's Uwe's issue too (I didn't see any firewall rules in his posting).

Multi WAN relies on policy-based routing; without a traffic selector the default gateway from the machine will be used (don't forget to set rules for the local traffic too, as in the example for DNS).

Best regards,

Ad

August 22, 2016, 11:38:15 PM #7 Last Edit: August 22, 2016, 11:46:06 PM by Julien
Quote from: AdSchellevis on August 22, 2016, 02:21:58 PM
Hi Julien, Uwe,

I have used the documentation to set up both fail-over and load-balancing without any issues. One of the things that some people forget is to change the firewall rules to actually use the gateway group; maybe that's Uwe's issue too (I didn't see any firewall rules in his posting).

Multi WAN relies on policy-based routing; without a traffic selector the default gateway from the machine will be used (don't forget to set rules for the local traffic too, as in the example for DNS).

Best regards,

Ad

Hi Ad,
When you said firewall rules, do you mean the DNS firewall rule as explained in the document?
I haven't done anything yet as I am trying to do my homework before connecting the second WAN.
In the document it says the destination is 192.168.1.1/32. If I am using a 24-bit LAN subnet I have to use 192.168.1.1/24, am I correct?
Do I have to apply the rule on the LAN or WAN side for DNS? It's not clear to me when I read the document.

Thank you
DEC4240 – OPNsense Owner

Hi Julien,

In https://docs.opnsense.org/manual/how-tos/multiwan.html it's step 4 (Policy based routing).

Best regards,

Ad

Hi,

Today I installed a new system from scratch at home with two WAN (DHCP from my two internet routers/lines) and what can I say, it works as expected :-)

Now I have two different multi WAN setups/machines (1@home and 1@work), one working, one not and I will find out where the difference is!

Uwe

Julien,

Quote
In the document it says the destination is 192.168.1.1/32. If I am using a 24-bit LAN subnet I have to use 192.168.1.1/24, am I correct?

Not correct. "/24" means the (sub)net, i.e. 192.168.1.0/24 = subnet mask 255.255.255.0 ==>
192.168.1.0 = the subnet
192.168.1.1 to 192.168.1.254 = available IP addresses
192.168.1.255 = broadcast address

You have to address ONE machine = ipaddress/32 ==> 192.168.1.1/32

Have a look at http://www.subnet-calculator.com

Quote
Do I have to apply the rule on the LAN or WAN side for DNS? It's not clear to me when I read the document.

On the LAN tab of the firewall rules. It instructs the firewall to accept DNS requests from your LAN in any case. I would add a second rule regarding ICMP. With that you can ping the firewall to see if the client (on the LAN) can reach it.

As far as I understood, you'll have to write an explicit rule for each service you'd like to access (on the firewall), e.g. proxy, DNS ...
The predefined "anti lock-out rule" guarantees that you'll be able to access the firewall via https and ssh.
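
The points made so far (a DNS rule for the single firewall address `192.168.1.1/32` on the LAN tab, placed before a rule that sends everything else through the gateway group, with failover by tier) can be checked with a small model. This is an added example, not OPNsense code and not written by anyone in this thread; the gateway names `WAN1_GW`/`WAN2_GW`, the tier numbers and the test address `203.0.113.10` are assumptions.

```python
import ipaddress

# Constructed values: gateway names and tiers are assumptions, not from the thread.
GROUP = {"WAN1_GW": 1, "WAN2_GW": 2}  # lower tier number = preferred member

# LAN rules, first match wins. gateway=None means "no policy routing":
# the packet is handled by the firewall's own routing table.
LAN_RULES = [
    {"proto": "udp", "dst": "192.168.1.1/32", "port": 53, "gateway": None},
    {"proto": "any", "dst": "0.0.0.0/0", "port": None, "gateway": GROUP},
]


def pick_gateway(group, up):
    """Failover: return the online member with the lowest tier, or None."""
    alive = sorted((tier, name) for name, tier in group.items() if up.get(name))
    return alive[0][1] if alive else None


def route(proto, dst_ip, port, up, rules=LAN_RULES):
    """Return how a packet arriving on LAN is forwarded in this model."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["proto"] not in ("any", proto):
            continue
        if rule["port"] not in (None, port):
            continue
        if dst not in ipaddress.ip_network(rule["dst"]):
            continue
        if rule["gateway"] is None:
            return "default-route"
        return pick_gateway(rule["gateway"], up) or "no-gateway"
    return "blocked"  # nothing matched: default deny


def addresses_matched(cidr):
    """How many destination addresses a rule written with this CIDR covers."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


if __name__ == "__main__":
    both = {"WAN1_GW": True, "WAN2_GW": True}
    wan1_down = {"WAN1_GW": False, "WAN2_GW": True}
    print(route("udp", "192.168.1.1", 53, both))
    print(route("tcp", "203.0.113.10", 443, both))
    print(route("tcp", "203.0.113.10", 443, wan1_down))
    print(addresses_matched("192.168.1.1/32"), addresses_matched("192.168.1.1/24"))
```

In the model, writing the DNS rule with `/24` instead of `/32` makes it cover the whole LAN subnet rather than the one firewall address, and removing the second rule leaves no traffic using the gateway group at all.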

I expect to install the second WAN next week.
It will be a challenge configuring it. Like old times using pfSense, Multi WAN was as easy as drinking water :)
I hope we will get support here to have the second WAN configured.
DEC4240 – OPNsense Owner

Hi Julien,

Today I played a bit with my multi wan failover setup at home, nothing to worry about.

The only noticeable thing was that nearly each time when I pulled out the [WAN] cable (for a failover test) and plugged it in after a minute or so, the interface didn't come up again properly.

OPNsense [WAN] --X--> internet router ==> problem, because NIC down and up again
OPNsense [WAN2] --> switch --X--> internet router ==> no problem, because NIC never goes down (still connected to the switch and link stays up)

"--X--" means the cable I pulled :-)

Both of the wan interfaces are configured with dhcp, maybe that caused the problem. You can have a look at the screen shots in my corresponding German thread.

Uwe

August 29, 2016, 11:59:36 AM #14 Last Edit: August 29, 2016, 02:32:15 PM by Julien
Hi guys,
I have configured it as mentioned and also created the DNS rule before any-to-any rules on the LAN side.
I have tested both Packet Loss and Member Down.
However, when I remove the cable of WAN1 the connection goes down. WAN 2 doesn't go up.
Both WANs are ISP WANs using the same gateway.
Could this be related to my issue? Because both WANs have the same gateway from my ISP side?
Which option to choose for load balancing when 1 WAN is up and WAN 2 is standby?
I am using the
Packet Loss
Triggers when the packet loss to a gateway is higher then the defined threshold.


Thank you
DEC4240 – OPNsense Owner