I'm having a weird problem, exhibited on an
What I've noticed:
1. The web interface doesn't show the graphs on the dashboard when this happens
2. When I look at "show load-balance status" it shows that all the connections are "inactive"
3. Rather than rebooting, if I disable the WAN interfaces and then re-enable them, things return to nromal
4. When the situatoin starts, DNS resolution from Level 3 stops to work, but I can ping public IPs from the router
My first workaround was to use public DNS as part of DHCP so that the ER isn't used, but that doesn't last as at some point, I need to restart the interfaces or the router. Once the router stops being able to do DNS lookups itself, the VPN tunnel goes down thereafter as it relies on a DNS name.
Here's my config:
firewall {
all-ping enable
broadcast-ping disable
group {
address-group WAN-Primary {
//local addresses go here\\
description "Primary with failover to Secondary"
}
address-group WAN-Secondary {
//local addresses go here\\
description "Secondard with failover to Primary"
}
address-group WAN-VPN {
//local addresses go here\\
description "VPN Tunnel"
}
network-group PRIVATE_NETS {
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians disable
modify balance {
rule 10 {
action modify
description "do NOT load balance lan to lan"
destination {
group {
network-group PRIVATE_NETS
}
}
modify {
table main
}
}
rule 20 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth0
}
}
modify {
table main
}
}
rule 30 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_pppoe1
}
}
modify {
table main
}
}
rule 100 {
action modify
description "Primary with failover to Secondary"
modify {
lb-group lb-primary
}
source {
group {
address-group WAN-Primary
}
}
}
rule 101 {
action modify
description "Secondary with failover to Primary"
modify {
lb-group lb-secondary
}
source {
group {
address-group WAN-Secondary
}
}
}
rule 102 {
action modify
description "VPN Tunnel"
modify {
lb-group lb-vpn
}
source {
group {
address-group WAN-VPN
}
}
}
rule 110 {
action modify
description "Load balance Primary and Secondary"
modify {
lb-group lb-loadbalance
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
enable-default-log
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 21 {
action accept
description "SSH"
destination {
address X.X.X.X
port 22
}
log enable
protocol tcp
state {
established enable
invalid disable
new enable
related enable
}
}
rule 22 {
action accept
description "HTTPS"
destination {
address X.X.X.X
port 443
}
log enable
protocol tcp
state {
established enable
invalid disable
new enable
related enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
enable-default-log
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
options {
mss-clamp {
mss 1412
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description Cable
dhcp-options {
default-route update
default-route-distance 210
name-server no-update
}
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
description DSL
duplex auto
pppoe 1 {
default-route auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
mtu 1492
name-server none
password PASSWORD
user-id USERNAME
}
speed auto
}
ethernet eth2 {
duplex auto
speed auto
}
ethernet eth3 {
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
speed auto
}
ethernet eth5 {
address X.X.X.1/24
description Local
duplex auto
firewall {
in {
modify balance
}
out {
}
}
speed auto
}
ethernet eth6 {
duplex auto
speed auto
}
ethernet eth7 {
duplex auto
speed auto
}
loopback lo {
}
openvpn vtun0 {
config-file /config/vpn.ovpn
}
}
load-balance {
group lb-loadbalance {
interface eth0 {
weight 80
}
interface pppoe1 {
weight 20
}
lb-local enable
sticky {
}
}
group lb-primary {
interface eth0 {
}
interface pppoe1 {
failover-only
}
lb-local enable
}
group lb-secondary {
interface eth0 {
failover-only
}
interface pppoe1 {
}
lb-local enable
}
group lb-vpn {
interface vtun0 {
}
lb-local enable
sticky {
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN {
authoritative enable
subnet X.X.X.0/24 {
default-router X.X.X.1
dns-server 209.244.0.3
dns-server 209.244.0.4
domain-name LAN.local
lease 86400
start X.X.X.100 {
stop X.X.X.243
}
static-mapping DEVICE1 {
ip-address
mac-address
unifi-controller X.X.X.10
}
}
use-dnsmasq disable
}
dns {
forwarding {
cache-size 10
listen-on eth5
}
}
gui {
http-port 80
https-port 443
older-ciphers disable
}
nat {
rule 1 {
description "SSH eth0"
destination {
port 22
}
inbound-interface eth0
inside-address {
address X.X.X.X
port 22
}
log enable
protocol tcp
type destination
}
rule 2 {
description "SSH pppoe1"
destination {
port 22
}
inbound-interface pppoe1
inside-address {
address X.X.X.X
port 22
}
log enable
protocol tcp
type destination
}
rule 3 {
description "HTTPS eth0"
destination {
port 443
}
inbound-interface eth0
inside-address {
address X.X.X.X
port 443
}
log enable
protocol tcp
type destination
}
rule 4 {
description "HTTPS pppoe1"
destination {
port 443
}
inbound-interface pppoe1
inside-address {
address X.X.X.X
port 443
}
log disable
protocol tcp
type destination
}
rule 5000 {
description "masquerade for Primary"
log disable
outbound-interface eth0
protocol all
type masquerade
}
rule 5002 {
description "masquerade for Secondary"
log disable
outbound-interface pppoe1
protocol all
type masquerade
}
rule 5004 {
description "masquerade for VPN"
log disable
outbound-interface vtun0
protocol all
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
name-server 209.244.0.3
name-server 209.244.0.4
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipv4 {
forwarding enable
pppoe enable
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
traffic-analysis {
dpi enable
export enable
}
}My goals of the config are to have some traffic stick on the primary WAN with failover to secondard, some traffic stick on the secondary WAN with failver to the primary, some traffic stick on the VPN with no failover, and everyone else can just load balance at 80/20 weight between the primary and secondary.
Both devices are on v1.9.0. The ERL is currently unplugged and is slated for repurposing.
Any thoughts and guidance would be appreciated...