[SOLVED] Multi WAN

Started by Julien, August 21, 2016, 12:29:34 AM

Hi Jos,
The configuration is exactly as in the document.
I think in the configuration you guys missed a step for the DNS.
When both WANs are connected I can't ping google.com but I can ping 8.8.&. or any DNS IP.
My firewall is a rack one and I bought it from Applianceshop in the NL.
Are you sure the issue is an Intel driver and not a configuration?
I much appreciate your continued support.
DEC4240 – OPNsense Owner

Hi Julien,

I am sure that the current em driver of FreeBSD 10.3 is broken and doesn't register a link down when removing a cable.
So you really need to update the driver first.

DNS is covered in the docs in Step 3 and 5.

I suggest

1) you do a factory default,
2) update if not yet on 16.7.3,
3) install the em driver
4) load the sample config I posted
5) change the WAN IPs to your actual situation
6) Apply and retest with this configuration

I have tested this configuration at least 10 times and as I said the sample config was made especially for this topic and verified to work. There isn't much else I can do for you.. just try my suggestions and there is a good chance you will find what you were missing in the first place.

When testing, please note:
a) it takes about 20 seconds to switch
b) when ping-ing a site, stop and try again
c) when using a browser, try another one too as sometimes the change is not picked up correctly and your browser needs time to recover.

Good luck!

Thank you Jos for your answer.
We are using exactly this model:
https://www.applianceshop.eu/security-appliances/19-rack-appliances/opnsense-based/opnsense-a10-quad-core-ssd-rack.html
Are you saying this model is affected by the Intel drivers issue? According to the HD ID of the appliance the NICs are GbE [Intel® 82574L].
So updating the Intel drivers of the NICs would make the multi-WAN work?
I am just double-checking before I start changing stuff on production.

Thank you for your continued support.
DEC4240 – OPNsense Owner

Hi Julien,

FreeBSD 10.3 has issues with the em driver, I don't know the full list of Intel chipsets that run into issues, but the 82574L is certainly one of them. That is why we made a solution available.

We will provide an easy package to install Intel's original drivers too, expect it in one of the next 2 updates.

For now you will have to do the manual install and /boot/loader.conf.local update.

- Jos

Quote from: jschellevis on September 12, 2016, 10:16:09 AM
Hi Julien,

FreeBSD 10.3 has issues with the em driver, I don't know the full list of Intel chipsets that run into issues, but the 82574L is certainly one of them. That is why we made a solution available.

We will provide an easy package to install Intel's original drivers too, expect it in one of the next 2 updates.

For now you will have to do the manual install and /boot/loader.conf.local update.

- Jos

Hi Jos,
Sorry for the late reply, I was sick.
On Monday I am going to test this and report back.
DEC4240 – OPNsense Owner

October 03, 2016, 03:59:33 PM #35 Last Edit: October 03, 2016, 06:25:57 PM by Julien
Hi Jos,
I have finally managed to get this configured.
Maybe it is the steps I did that got it working, or the Intel drivers.
All this time I had rebooted the firewall with 1 WAN in.
What I did: I installed the Intel drivers and added the line to the boot file ("thank you Jos").
I connected both WAN1 and WAN2 and rebooted the firewall, and voilà, everything started working.

If I remove the WAN1 now, will it take 20 seconds to switch to the WAN2?
Because I just did it and have been waiting for 3 minutes and no uplink is back!
Any suggestions why?

Thank you
DEC4240 – OPNsense Owner

Hi Julien,

If it doesn't work, try to see what is happening:

On the firewall check if the gateway actually went offline.

From a PC on the LAN
1) Try to ping 8.8.8.8 or 8.8.4.4 (stop the ping and restart it as it will try the same route until restart)
2) See whether it will try to use the second gateway: traceroute 8.8.8.8 or traceroute 8.8.4.4; the second line will show the IP of the gateway used.
3) If ping works then you probably have a DNS issue, most likely missing the firewall rule for that (port 53, gw *)
4) If ping does not work but the traceroute is going to the right (online) gateway then you either have a firewall rule blocking the traffic or the gateway doesn't work.
5) If the ping doesn't work and the traceroute shows that it isn't switching then you either haven't set up the firewall rule for the gateway group correctly (the default allow rule on LAN) or the primary gateway is still listed as online or both are offline. Also make sure you have the monitor IP of both set to something different, so wan1 to 8.8.8.8 and wan2 to 8.8.4.4 for instance.

That is all I can think of as it works very well. Only thing that does currently not work is combining multi-wan with captive portal or the traffic shaper. Hopefully we get that resolved before 17.1

Cheers,

Jos
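
The checks from the post above, as an added example that is not part of the original thread: a shell script for a PC on the LAN that reads the gateway in use from hop 2 of traceroute and maps the ping, DNS and traceroute results to steps 3 to 5. The gateway addresses, function names and verdict strings are constructed for illustration, and it assumes hop 1 is the firewall and hop 2 the WAN gateway.

```shell
#!/bin/sh
# Added example: classify a multi-WAN failover test run from a LAN PC.
# Gateway address is a constructed placeholder; set it to your own.
WAN2_GW="${WAN2_GW:-198.51.100.1}"

# Constructed sample of `traceroute -n` output after failover to WAN2.
SAMPLE_TRACE=' 1  192.168.1.1  0.412 ms  0.380 ms  0.365 ms
 2  198.51.100.1  1.204 ms  1.187 ms  1.150 ms
 3  8.8.8.8  9.811 ms  9.790 ms  9.802 ms'

# Read `traceroute -n` output on stdin and print the address shown on hop 2
# (the gateway actually used); prints "*" if that hop timed out.
second_hop() {
    awk '$1 == "2" { print $2; exit }'
}

# diagnose PING_OK DNS_OK HOP2 ONLINE_GW -> one-word verdict on stdout.
# PING_OK and DNS_OK are 1 (worked) or 0 (failed).
diagnose() {
    ping_ok=$1; dns_ok=$2; hop2=$3; online_gw=$4
    if [ "$ping_ok" = 1 ]; then
        # Step 3: IP traffic flows, so a remaining failure is name resolution
        # (check the LAN rule for port 53 with gateway *).
        if [ "$dns_ok" = 1 ]; then echo "ok"; else echo "dns-rule"; fi
    elif [ "$hop2" = "$online_gw" ]; then
        # Step 4: routed to the online gateway but no replies come back.
        echo "blocked-or-gateway-down"
    else
        # Step 5: not routed via the online gateway; check the gateway group
        # rule, the gateway status and the monitor IPs.
        echo "not-switching"
    fi
}

# Live run: sh failover-check.sh --live <gateway expected to be online>
if [ "${1:-}" = "--live" ]; then
    online_gw="${2:-$WAN2_GW}"
    # A fresh ping process each run, since a running ping keeps its old route.
    if ping -c 3 8.8.8.8 >/dev/null 2>&1; then p=1; else p=0; fi
    # Assumes nslookup exits non-zero when the lookup fails.
    if nslookup google.com >/dev/null 2>&1; then d=1; else d=0; fi
    hop=$(traceroute -n -m 3 8.8.8.8 2>/dev/null | second_hop)
    echo "ping=$p dns=$d hop2=${hop:-none} expected=$online_gw"
    diagnose "$p" "$d" "${hop:-none}" "$online_gw"
fi
```
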


Hi Jos,
Thank you for your answer.
I've done this like 20 times today and it did not work.
Whenever the WAN1 is disconnected the ping does not go up; when I traceroute the connection it goes to the WAN2 when WAN1 is down.
Firewall rules are fine, exactly as in the documents; the DNS rule is on top of the default rules on the LAN rules.
I think there is something wrong with the code.
I am not trying to be rude; hopefully it will be fixed in the next release.
I've installed pfSense and configured the multi-WAN, and everything works out of the box with no struggling.
We have a different customer which will have a second WAN in the next 4 weeks; I hope by then we can get this working.
Thank you so much for your continued support.
DEC4240 – OPNsense Owner

Hi Julien,

I am not sure what is going wrong with your setup, however I have done several installs in the past weeks for our customers and none of them have issues with the multi-wan failover.

Also my test setup (that I provided a config from a few posts back) works fine every time.
It can still be a combination of things, but I don't know.

Perhaps you should consider commercial support so we can put more time into your specific case and figure out why it's not working as expected. See: https://opnsense.org/support-overview/commercial-support/

- Jos

Quote from: jschellevis on October 12, 2016, 08:11:01 AM
Hi Julien,

I am not sure what is going wrong with your setup, however I have done several installs in the past weeks for our customers and none of them have issues with the multi-wan failover.

Also my test setup (that I provided a config from a few posts back) works fine every time.
It can still be a combination of things, but I don't know.

Perhaps you should consider commercial support so we can put more time into your specific case and figure out why it's not working as expected. See: https://opnsense.org/support-overview/commercial-support/

- Jos

Thank you for your answer Jos,

I believe the issue is related to code or hardware.
I've taken a configuration of the firewall before I switched back to pfSense.
Is it possible to email it to you, to check the configuration?
Is it also possible to have a TeamViewer live session to check the configuration? At least to advise it's not a configuration issue; if it is, I am able to pay for some hours to get it fixed.

Thank you

DEC4240 – OPNsense Owner

Hi Julien,

Well if the same hardware is now working with pfsense, then it's for sure not hardware, and since I have confirmed multi-wan to work fine with OPNsense it must be a combination of things or a configuration issue.

If you want to verify, just download the config I sent you quite some posts ago and try that one.

Alternatively you can buy support hours and I'll be happy to check your configuration and/or remotely support you.

-Jos

October 13, 2016, 07:53:24 PM #41 Last Edit: October 16, 2016, 02:02:51 PM by Julien
Quote from: jschellevis on October 12, 2016, 01:47:53 PM
Hi Julien,

Well if the same hardware is now working with pfsense, then it's for sure not hardware, and since I have confirmed multi-wan to work fine with OPNsense it must be a combination of things or a configuration issue.

If you want to verify, just download the config I sent you quite some posts ago and try that one.

Alternatively you can buy support hours and I'll be happy to check your configuration and/or remotely support you.

-Jos

Hi Jos,
Would uploading your configuration file to the firewall erase the VLANs and VPN settings?
Is the below the same issue I am having, as Franco confirmed it is a kernel issue?
https://forum.opnsense.org/index.php?topic=3791.0

Thank you
DEC4240 – OPNsense Owner