I've got a PfSense version 1.2.3 cluster at a Public Library customer
connected to 6 WAN links.
The first 5 are connected as VLANs through a TP-Link SL3428 switch then
to an ISP-provided router (4 AT&T ADSL links each with a Netopia ADSL
router and a fiber link with a Cisco 2800 series router). These 5 WAN
links are all configured identically (except for IP, etc.) and have
worked beautifully for 2 or 3 years. The first 5 WANs all go out the
same Intel server interface. The 6th connection goes out a second Intel
server interface (there are 6 physical Intel server gigabit interfaces
on the machines all together -- 4 onboard plus 1 dual-port PCI-X card).
Illustration:
WAN Connections 1 through 5
pfSense Cluster ---> VLAN Trunk ---> TP-Link Managed Switch ---> Switch
Ports out to each Provider, each on a different VLAN (port to provider in
access mode, not tagged) ---> Provider's Router --> Internet ----
Everything Works!!!
WAN Connection 6
pfSense cluster --> VLAN Trunk --> D-Link Managed Switch --> Switch Port
out to the Provider (port to provider in access mode, not tagged) ---->
Provider's On-Site Black Box/Fiber Converter (can't get any details
about what's in it) --> Nothing!!!
The Library has recently decided to replace the ADSL links with a
fiber-to-your-door Internet connection. For redundancy, I've set this
up to run through a D-Link DGS 3200-10 managed switch. I have this
connection configured identically to the other 5 working connections
except ISP-specific things like netmask and IP address. I cannot, for
the life of me, get this 6th connection to work correctly.
I've been doing some troubleshooting for a bit now and have noticed some
items that might be helpful on this 6th WAN connection.
Address Learning enabled on the Switch (default setting):
1. If I leave MAC address learning enabled on the D-Link switch, the CARP
master can ping its real IP address, can ping its CARP IP address, and
can ping the fail-over pfSense.
2. The fail-over pfSense server can ping its own real IP, can ping the
CARP master's real IP, but cannot ping the CARP IP.
3. When I first boot the switch, I can usually ping the CARP IP from
the fail-over box 1 time before pings start timing out.
4. From a remote location, I am able to ping the real IP of both boxes,
but I cannot ping the CARP IP.
5. Both boxes can ping the ISP's default gateway.
Address Learning disabled on the Switch:
1. Both pfSense boxes can ping each other, and both can ping the CARP IP.
2. Neither can ping the ISP's IP address.
3. From a remote location, I am unable to ping any of the boxes on the
6th ISP interface.
I've tried this connection through the same switch without VLANs
enabled for this connection and still have no connectivity through this
provider. If I plug a laptop directly into the switch and use any of
the 3 IPs in question, I have a good Internet connection.
On the D-Link switch, Spanning Tree is disabled. The ports containing
the pfSense box links are tagged VLAN trunks with no untagged ports
allowed. The port leading to the ISP is an untagged VLAN that is only a
member of 1 VLAN. I know I could set this up without fussing with the
VLANs, but I wanted to be consistent between the 2 switches.
I believe this is a switch-related issue and not a pfSense-related issue
directly. I am hesitant to run this connection through the other
managed switch because I'm looking for redundancy. If anyone has any
suggestions about where my problem may be, I'd really appreciate the help.
Thanks!
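One check worth running on a symptom pattern like this (the CARP IP reachable from the master but not from the backup or from outside, with MAC learning on) is to look at where the switch has learned the CARP virtual MAC. The script below is an added example, not code from the original post or from pfSense. It encodes two facts about CARP: the shared IP answers ARP with the virtual MAC 00:00:5e:00:01:<VHID>, and only a node in MASTER state sends frames from that MAC. Because VRRP uses the very same MAC range for its VRID, a provider router running VRRP with a matching ID presents an identical address. The VHID, VLAN, port numbers and the "show fdb"-style table are all constructed for the example; the regex will need adjusting to the output format of the switch actually in use.

```python
"""Sanity-check where a switch has learned a CARP pair's virtual MAC.

Added example, not from the original mailing-list post or from pfSense.
The VHID, VLAN, port names and the MAC-table text are constructed.
"""
import re
from dataclasses import dataclass
from typing import List


def carp_virtual_mac(vhid: int) -> str:
    """CARP (and VRRP) derive the shared MAC from the group ID."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be between 1 and 255")
    return f"00:00:5e:00:01:{vhid:02x}"


def normalise_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class FdbEntry:
    vlan: int
    mac: str
    port: str


# Constructed sample in a common "VID  MAC  Port  Type" layout. Vendor
# output differs; only the row regex below needs to change for another box.
SAMPLE_FDB = """\
VID  MAC Address        Port   Type
---  -----------------  -----  -------
6    00-00-5E-00-01-06  1      Dynamic
6    00-1B-21-AA-BB-01  1      Dynamic
6    00-1B-21-AA-BB-02  2      Dynamic
6    00-0C-29-CC-DD-EE  9      Dynamic
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f:.-]{12,17})\s+(\S+)")


def parse_fdb(text: str) -> List[FdbEntry]:
    """Parse table rows; header and separator lines do not match ROW_RE."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append(FdbEntry(int(m.group(1)),
                                    normalise_mac(m.group(2)),
                                    m.group(3)))
    return entries


def check_carp_placement(entries: List[FdbEntry], vhid: int, vlan: int,
                         master_port: str, backup_port: str,
                         isp_port: str) -> List[str]:
    """Return findings about the virtual MAC; an empty list is healthy.

    Feed entries from several snapshots taken over time to also catch the
    MAC moving between ports.
    """
    vmac = carp_virtual_mac(vhid)
    ports = sorted({e.port for e in entries if e.vlan == vlan and e.mac == vmac})
    findings = []
    if backup_port in ports:
        findings.append(
            f"{vmac} learned on backup port {backup_port}: only a node in "
            f"MASTER state sends from the virtual MAC, so the backup has "
            f"promoted itself; if the master is also MASTER the two are not "
            f"seeing each other's advertisements on VLAN {vlan}")
    if isp_port in ports:
        findings.append(
            f"{vmac} learned on ISP port {isp_port}: a device upstream is "
            f"using the same virtual MAC (VRRP/CARP ID {vhid} collision)")
    if len(ports) > 1:
        findings.append(
            f"{vmac} seen on ports {', '.join(ports)}: the virtual MAC is "
            f"moving between ports, so traffic to the CARP IP will flap")
    unexpected = [p for p in ports if p not in (master_port, backup_port, isp_port)]
    if unexpected:
        findings.append(
            f"{vmac} learned on unexpected port(s) {', '.join(unexpected)}")
    return findings


if __name__ == "__main__":
    for finding in check_carp_placement(parse_fdb(SAMPLE_FDB), vhid=6, vlan=6,
                                        master_port="1", backup_port="2",
                                        isp_port="9") or ["table looks healthy"]:
        print(finding)
```

With the constructed table the virtual MAC sits only on the master's port, so the check reports nothing. Swapping the first row's port to 2, or to 9, produces the backup-promoted or upstream-collision finding respectively; concatenating a few snapshots taken a minute apart exposes a MAC that keeps moving.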