next »

[jamesc]

Hi all,

I have successfully set up OSPF with dual OpenVPN tunnels in a Multi-WAN client/server setup.

Failover works well, I can down the active WAN, OSPF kicks in and routes OpenVPN traffic over the secondary WAN.  I can happily flip between the two WAN's all day long with no problems at all.

My problem is with load balancing.  Both of my OpenVPN connections are assigned to interfaces which are then assigned in OSPFd.  I have given both the interfaces a metric of 10.  When I start two simultaneous pings (via two seperate PC's) from Site B to Site A, traffic graphs only show one WAN being utilised.

Here's what my OSPF route table looks like:

Code:

Destination          Nexthop           Path Type    Type      Cost    Uptime
0.0.0.1              10.0.9.5          Intra-Area   Router    10      00:05:36
0.0.0.1              10.0.8.5          Intra-Area   Router    10      00:05:29
10.0.8.6/32          10.0.9.5          Intra-Area   Network   20      00:05:19
10.0.8.6/32          10.0.8.5          Intra-Area   Network   20      00:05:19
10.0.9.6/32          10.0.9.5          Intra-Area   Network   20      00:05:36
10.0.9.6/32          10.0.8.5          Intra-Area   Network   20      00:05:29
192.168.2.0/24       10.0.9.5          Type 1 ext   Network   110     00:05:36
192.168.2.0/24       10.0.8.5          Type 1 ext   Network   110     00:05:29
192.168.2.1/32       10.0.9.5          Type 1 ext   Network   110     00:05:36
192.168.2.1/32       10.0.8.5          Type 1 ext   Network   110     00:05:29

The destination subnet i'm trying to reach from the client is 192.168.2.0/24 and you can see there are two possible routes to this (10.0.8.5 and 10.0.9.5), these correspond two the two ovpnc tunnels which i've setup on the client.

Any ideas of where this is going wrong?

Cheers,

James

[heper]

i've noticed the same thing in a similar situation.

afaik ospf only seems to add 1 route to the routingtable even tho multiple are available with same metric .... i don't know if its a impossible with bsd or if it just isn't implemented at the moment.

if you really want balancing i'm pretty sure you could create a gateway-group and balance your vpntunnels the same way you would balance WAN connections ....
create a gateway group , create firewall rule to point all traffic with destination 192.168.2.0/24 over the gateway-group

i haven't tried this myself but i believe that might work

[jamesc]

Hi Heper,

I have tried the gateway group method and can confirm that load balancing does work with that, however failover doesn't. If you down the WAN that is currently associated with the active ovpnc entry in the routing table then the tunnel doesnt activate on the 2nd WAN.

OpenVPN seems to obey the routing table and not the gateway group for return traffic.

I think in order to achieve load balancing and failover for OpenVPN then a combination of gateway group and OSPF is needed, im just not sure how.

[cmb]

You can't give them both the same metric, ECMP is not supported.

[heper]

@cmb would it be possible to implement with the next major release ?

[heper]

@jamesc

if you don't absolutely need ospf it might be possible to add static routes with the gw groups ...

or

wait till 'ECMP' (now i know how to call it) gets supported.

[ANSW3R]

@jamesc

Forgive me for hijacking your thread. May I ask how did you configure your OSPF with failover? I did assign my OSPF, same as yours, to 2 OpenVPN interfaces with different metric. And yet when I force to down my primary link it won't failover to the backup link but the FIBs routes are updated. When I restart my OSPF service the destination subnets are now reachable. Hope you can help me with this. Thank you in advance.

pfsense version: 2.0-Release (i386)

Code:

Destination          Nexthop           Path Type    Type      Cost    Uptime
192.168.3.0          192.168.30.2      Intra-Area   Router    1       00:23:37
192.168.30.1/32      192.168.30.2      Intra-Area   Network   2       00:23:37
192.168.103.1/32     192.168.30.2      Intra-Area   Network   51      00:23:27
192.168.3.0/24       192.168.30.2      Type 1 ext   Network   101     00:23:37
192.168.3.1/32       192.168.30.2      Type 1 ext   Network   101     00:23:37

Cheers,
Denry

[heper]

@answ3r

did you wait long enough (there is a timeout setting) ?

[jimp]

The OpenOSPFd package is a bit broken these days, you might give my Quagga-OSPF package a spin (after removing OpenOSPFD), settings are essentially the same between them, but Quagga appears to work much better with FreeBSD's routing tables, whereas OpenOSPFD still seems to assume it's working on OpenBSD even when running on FreeBSD...