John McDonnell
2011-08-12 00:09:13 UTC
Hello everyone. I want to apologize in advance as I hate bringing up
something that I'm sure has been discussed many times already and the length
of this e-mail is rather long.
I've found a few examples, but they were dealing with older versions of
pfSense and in the pfSense docs, I found something like I wanted to do, but
it had a notice that it doesn't work with the 2.0 branch. I would play
around with it and see if I could figure it out, but this is a really busy
time at work right now (I'm actually at home right now typing this as I
don't have much spare time at work until a few weeks after the new school
year starts) and I would like to find out if this is possible before trying
to convince my boss to go this route. I brought this idea up about a year or
so ago, but was shut down. I'm hoping this time, if I have more information
available, and possibly set up a pair or so of working boxes, we'll go
through with the idea. Especially since our phone system is now all tied
together with VOIP between buildings.
Anyway, here's the background info on our setup. We're a K-12 school
district and we have 5 buildings. 2 of our buildings are next to each other
and connected via fiber. Then between our main DMARC and the other 3
buildings, we have 100meg wireless bridges. Last year, Comcast provided us
with free broadband that we use as a backup. Currently, it's set up as a
manual backup in that we can manually plug a computer into the Comcast
network if needed. What I want to do is configure a couple of pfSense boxes
at each of the 3 remote locations to connect via VPN to a pfSense box in
the building that is connected via fiber. (Not the main DMARC, most likely
look into plugging that Comcast connection into the main Cisco router for
main network failover.) The Comcast is not static addressing if that makes a
difference. I do have dynamic addresses set up for these Comcast boxes
though, which I think is all that I need for OpenVPN.
Preferably, what I want to do is keep the setup working the same as it is
now, with the addition of a VPN failover. I believe that our core L3
switches are performing basic routing which I think will make this easier. I
can provide relevant info (and am going to verify this is indeed what is
going on later) from the switches if needed, but I think they are basically
routing anything outside of the 10.x range that the individual buildings are
using to the main DMARC which then has routes to the other buildings and
sends everything else over the main internet connection. If this is what is
going on, it should be fairly easy to insert a pfSense box between the core
switch and the wireless bridge and Comcast CSU/DSU.
Now comes the question on the VPN failover setup. I basically will need to
pass all traffic over the VPN when the main link is down, including VLAN
information. Is this possible? I will also need to prioritize the VOIP VLAN
over all other traffic. I'm also curious if it is possible to detect if one
of the other links went down and switch to failover if it has. Our one
building bounces through another building on the wireless bridge, so when
the in-between building goes down, it knocks out both buildings, even if the
link between those buildings is still up. So if possible, I'd like to detect
when that connection goes down and switch from using the wireless link
between buildings (except possibly any traffic that needs to go between
those two buildings) and use the failover VPN to get better performance
instead of all going through one Comcast connection.
I think I explained everything in a semi-understandable manner; if anything
needs to be explained further in order to explain what I'm trying to do, I can
clarify or possibly include a diagram (I should still have the original
Visio diagram I made to present to my boss last year saved somewhere) to
show things better. (I'm not sure if this list scrubs attachments or not.)
I don't need anyone to come and set this up for me, though that may be an
option in the future if we decide to upgrade to some appliances instead of
using old spare PCs and want a support contract to go with them, but just
some clarification on if what I want to do is possible and some pointers on
where to look to figure out how to configure. Though, I'll gladly also
accept any specific configuration examples as well. As I said, I don't have
much spare time at work, though I might work on setting up the boxes in my
spare time at home.
Thanks in advance for any help you can provide.
--
John McDonnell
gorgarath-***@public.gmane.org
---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscribe-***@public.gmane.org
For additional commands, e-mail: support-help-***@public.gmane.org
Commercial support available - https://portal.pfsense.org
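The one part of the question that is easy to pin down in code is the route decision: a building whose wireless path bounces through another building must fail over to the VPN when the intermediate hop dies, even if its own bridge is fine. The following is an added illustration, not code from the post or from pfSense; the building names, 10.x subnets, and the two next-hop gateways are constructed placeholders, and the link states are injected so it runs offline (in practice they would come from a gateway monitor or ping probe).

```python
"""Failover route decision for a hub-and-spoke wireless topology.

Added example (not from the original post or pfSense). Each remote site is
reached over a wireless bridge; site C is reached *through* site B, so C's
wireless path is only usable while B is up. When a site's wireless path is
down, its 10.x subnet is routed via the OpenVPN tunnel instead.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Site:
    name: str
    subnet: str            # the building's own 10.x range (constructed)
    via: Optional[str]     # intermediate building on the wireless path, if any


# Constructed topology mirroring the post: C bounces through B.
SITES: List[Site] = [
    Site("A", "10.1.0.0/16", None),
    Site("B", "10.2.0.0/16", None),
    Site("C", "10.3.0.0/16", "B"),
]
WIRELESS_GW = "10.0.0.1"   # assumed next hop toward the wireless bridges
VPN_GW = "10.8.0.1"        # assumed OpenVPN tunnel peer address


def path_up(site: Site, link_state: Dict[str, bool]) -> bool:
    """A site's wireless path is up only if every hop on that path is up."""
    by_name = {s.name: s for s in SITES}
    hop: Optional[Site] = site
    while hop is not None:
        if not link_state.get(hop.name, False):
            return False
        hop = by_name.get(hop.via) if hop.via else None
    return True


def choose_routes(link_state: Dict[str, bool]) -> Dict[str, str]:
    """Map each site subnet to the gateway it should currently use."""
    return {s.subnet: (WIRELESS_GW if path_up(s, link_state) else VPN_GW)
            for s in SITES}


def route_commands(decisions: Dict[str, str]) -> List[str]:
    """Render decisions as FreeBSD `route change` lines for review/apply."""
    return [f"route change -net {net} {gw}" for net, gw in sorted(decisions.items())]


if __name__ == "__main__":
    # Intermediate building B is down: B and C fail over, A stays on wireless.
    for line in route_commands(choose_routes({"A": True, "B": False, "C": True})):
        print(line)
```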