Alex, as I said before, I am not an expert on this and I'm not one to look at XML config files. I am not completely convinced I have this working 100%... but I'll try to contribute.
<dnsallowoverride/> is something I disabled on my config, so that the DNS entries I specified are not taken over by the DHCP on WAN.

Try to write down some test IP addresses that are public that you can PING so that you try to see if your connections/failover are working WITHOUT letting DNS get in the way. I found DNS got in the way of trying to get things working first on an IP level.

The RULES you specify need to be in a certain order, refer back to your install document, it should say something about the order the rules are to appear in the chart (top down).

Here are my RULES from my config:

    <filter>
      <rule>
        <type>pass</type>
        <interface>lan</interface>
        <max-src-nodes />
        <max-src-states />
        <statetimeout />
        <statetype>keep state</statetype>
        <os />
        <source>
          <network>lan</network>
        </source>
        <destination>
          <address>192.168.1.0/24</address>
        </destination>
        <log />
        <descr>Make sure that DMZ1 traffic goes to the right interf</descr>
      </rule>
      <rule>
        <type>pass</type>
        <interface>lan</interface>
        <max-src-nodes />
        <max-src-states />
        <statetimeout />
        <statetype>keep state</statetype>
        <os />
        <source>
          <network>lan</network>
        </source>
        <destination>
          <network>opt1</network>
        </destination>
        <descr>Make sure DMZ2 traffic goes to WAN2</descr>
        <gateway>opt1</gateway>
      </rule>
      <rule>
        <type>pass</type>
        <interface>lan</interface>
        <max-src-nodes />
        <max-src-states />
        <statetimeout />
        <statetype>keep state</statetype>
        <os />
        <source>
          <network>lan</network>
        </source>
        <destination>
          <any />
        </destination>
        <descr>Default LAN -> any via LoadBlanced WAN</descr>
        <gateway>LoadBalance</gateway>
      </rule>
      <rule>
        <type>pass</type>
        <interface>pptp</interface>
        <max-src-nodes />
        <max-src-states />
        <statetimeout />
        <statetype>keep state</statetype>
        <os />
        <source>
          <any />
        </source>
        <destination>
          <network>lan</network>
        </destination>
        <descr />
      </rule>
    </filter>

HERE IS MY LOAD BALANCE STATEMENT - It appears that you do not have a monitorIP entry for each. I think it uses these to ping the monitor IP addresses to verify that the WAN / WAN2 links are up and running. If not, it fails over. In other words, if there is no response, it assumes the WAN link is down.

    <load_balancer>
      <lbpool>
        <type>gateway</type>
        <behaviour>failover</behaviour>
        <monitorip>67.69.184.7</monitorip>
        <name>LoadBalance</name>
        <desc>Round robin load balancing</desc>
        <port />
        <servers>wan|67.69.184.199</servers>
        <servers>opt1|67.69.184.7</servers>
        <monitor />
      </lbpool>
      <lbpool>
        <type>gateway</type>
        <behaviour>failover</behaviour>
        <monitorip />
        <name>WANFailsToWAN2</name>
        <desc>WAN2 preferred when WAN fails</desc>
        <port />
        <servers>opt1|67.69.184.7</servers>
        <servers>wan|67.69.184.199</servers>
        <monitor />
      </lbpool>
      <lbpool>
        <type>gateway</type>
        <behaviour>failover</behaviour>
        <monitorip>67.69.184.7</monitorip>
        <name>WAN2FailsToWAN</name>
        <desc>WAN preferred when WAN2 fails</desc>
        <port />
        <servers>wan|67.69.184.199</servers>
        <servers>opt1|67.69.184.7</servers>
        <monitor />
      </lbpool>
    </load_balancer>

Are you able to get RED/GREEN/YELLOW entries when viewing Loadbalancing under the Status menu? It should look something like this:

    Name            Type                Gateways  Status                                       Description
    LoadBalance     gateway (failover)  wan       Offline  Last change Mar 25 2009 19:21:53    Round robin load balancing
                                        opt1      Online   Last change Mar 25 2009 19:21:53
    WANFailsToWAN2  gateway (failover)  opt1      Online   Last change Mar 25 2009 19:21:53    WAN2 preferred when WAN fails
                                        wan       Offline  Last change Mar 25 2009 19:21:53
    WAN2FailsToWAN  gateway (failover)  wan       Offline  Last change Mar 25 2009 19:21:53    WAN preferred when WAN2 fails
                                        opt1      Online   Last change Mar 25 2009 19:21:53

In this case, my MAIN WAN link is down (unplugged in fact).

Let me know how it goes for you.

Regards,
Chuck

From: Alexsander Loula [mailto:[email protected]]
Sent: Wednesday, March 25, 2009 10:08 PM
To: [email protected]
Subject: Re: [pfSense Support] Multi-WAN with Fail Over

This is my config:

2009/3/25 Chris Buechler <[email protected]>
On Wed, Mar 25, 2009 at 4:15 PM, Alexsander Loula <[email protected]> wrote:
>
> Could you please share your XML config?
>

The boxes don't belong to me, they're those of various support customers, so no I can't. If you post yours maybe someone will tell you what's wrong.
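
The point about rule order, as an added example that is not part of the original thread: pfSense applies the first matching rule from the top down, so a catch-all placed above the policy-routing rules would take their traffic and send it out its own gateway. The sketch below checks for that over a constructed, trimmed copy of the LAN rules from the message; the function names and the simplified matching (only `any` or an identical entry counts as covering another) are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three LAN rules from the message, trimmed to the
# fields that matter for matching, in the order they were posted.
SAMPLE = """<filter>
 <rule><interface>lan</interface><source><network>lan</network></source>
  <destination><address>192.168.1.0/24</address></destination></rule>
 <rule><interface>lan</interface><source><network>lan</network></source>
  <destination><network>opt1</network></destination><gateway>opt1</gateway></rule>
 <rule><interface>lan</interface><source><network>lan</network></source>
  <destination><any/></destination><gateway>LoadBalance</gateway></rule>
</filter>"""

def endpoint(rule, tag):
    """Return 'any' or a 'kind:value' string for a rule's <source>/<destination>."""
    node = rule.find(tag)
    if node is None or len(node) == 0 or node.find("any") is not None:
        return "any"
    return f"{node[0].tag}:{(node[0].text or '').strip()}"

def covers(broad, narrow):
    # Simplification (assumption): only 'any' or an identical spec covers another.
    return broad == "any" or broad == narrow

def shadowed_rules(xml_text):
    """Return (earlier, later) index pairs where an earlier rule on the same
    interface already matches everything the later rule would match."""
    rules = ET.fromstring(xml_text).findall("rule")
    hits = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if (earlier.findtext("interface") == later.findtext("interface")
                    and covers(endpoint(earlier, "source"), endpoint(later, "source"))
                    and covers(endpoint(earlier, "destination"), endpoint(later, "destination"))):
                hits.append((i, j))
                break
    return hits

def move_last_to_top(xml_text):
    """Build the misordered variant: the catch-all rule placed first."""
    root = ET.fromstring(xml_text)
    last = root.findall("rule")[-1]
    root.remove(last)
    root.insert(0, last)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("as posted:", shadowed_rules(SAMPLE))
    print("catch-all first:", shadowed_rules(move_last_to_top(SAMPLE)))
```

In the posted order nothing is shadowed; with the catch-all first, both specific rules are flagged, meaning traffic for the opt1 network would follow the LoadBalance gateway instead of opt1.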
