July 28, 2010 at 11:22 am #42553
I’m setting up two Zeroshell installations between two offices. I am using two WAN interfaces on each side, each of these WAN interfaces being connected to a different ISP through a router. Each Zeroshell box has a third LAN interface.
What I want is to have two VPN LAN-to-LAN tunnels bound together to provide load balancing and failover functionality.
With this setup I experience packet loss when I ping the LAN interface on one side from a host inside the opposite side’s LAN network. This behavior only appears when there are two ISPs connected on at least one side. I believe this has something to do with the VPN bonding mechanism, as the ping will flow steadily if I manually stop the faulty VPN tunnel.
I’m using UDP for VPN.
Please help me to figure out if there may be something wrong in my config.
Ciprian
July 28, 2010 at 1:22 pm #50818
Show us the config and we might be able to help you.
July 30, 2010 at 7:58 am #50819
Thank you so much for the reply,
I saw your reply and am getting back to it as soon as possible.
All my config is done through the web interface (I don’t know what the other options for configuring this are).
I was using the profiles from Zeroshell to set up a test network using VMware Workstation appliances and have the same problem that I was talking about.
Here is my setup:
                                :(192.168.1.30)eth00 -- :(192.168.1.3)R01(192.168.50.31):
(side1)LAN1--eth02(10.10.10.31): ZS1 .BOND00(192.168.200.1)                                192.168.50.0/24
                                :(192.168.2.30)eth01 -- :(192.168.2.3)R02(192.168.50.32):

                :(192.168.50.33)R03(192.168.3.3): -- eth00(192.168.3.33):
192.168.50.0/24                                BOND00(192.168.200.2). ZS2 :eth02(10.10.11.33) -- LAN2(side2)
                :(192.168.50.34)R04(192.168.4.3): -- eth01(192.168.4.30):
the “–” are Ethernet connections and “:” are network interfaces
In my test environment the routers R01, R02, R03, R04 are Zeroshell installations with interfaces numbered as above and NAT enabled on the 192.168.50.0/24 network, and port forwarding to eth00 and eth01 respectively on both sides for VPN purposes.
I have NAT enabled on ZS1 and ZS2 for eth00 and eth01 on both sides.
The only static routes are 10.10.11.0/24 gw 192.168.200.2 on ZS1 and
10.10.10.0/24 gw 192.168.200.1 on ZS2.
ZS1’s and ZS2’s net balancer and BOND00 are configured for failover.
As I described, the problem is losing packets when pinging 10.10.10.31 on ZS1 from 10.10.10.100 in LAN2.
I think this is a simple setup, yet I don’t manage to get past this problem, even after trying different configuration options.
Thank you for any help in this.
July 30, 2010 at 1:48 pm #50820
Dude what you write here is not easily understandable. Take a screenshot and paste it here. Use flickr or any other site that hosts images if you don’t have a server.
Actually I think it is the failover issue. Since you are bonding the interfaces you are already utilizing both of them, so there should be no Netbalancer.
July 30, 2010 at 9:50 pm #50821
I have taken screenshots of the VPN config and net balancer on both Zeroshell installations.
Testing with the load balancer set to failover didn’t help either. Actually this will work until I break the active connection, and once the net balancer switches to the spare connection the ping is losing packets again.
I am almost sure there is something I am missing, yet I can’t do a statement on that.
Thank You once again
July 31, 2010 at 11:37 am #50822
As I said, since you have a BOND, you don’t need the Netbalancer. BOND is implementing its own netbalancing technique, it is not advised to mix the Netbalancer in this. Try to remove it and use the remote BOND IP as gateway.
August 1, 2010 at 3:25 pm #50823
I find that the remote BOND interface IP cannot be the default gateway, because this IP will be accessible only after at least one tunnel is created.
For this there must be a gateway in the first place, to allow the tunnel authentication with the other side.
Disabling the net balancer and setting a default gateway instead, on both sides, didn’t help either, as one tunnel will never come up and shows a lot of read UDPv4 [ECONNREFUSED]: Connection refused (code=111) messages in the log.
Adding --ping 10 --ping-exit 30 in the Parameters field of the VPN configuration will fix this problem, but this will cause another problem in that the VPN will never come back online once its route is back online.
As far as I got in researching this I discovered that, if one ISP fails on one side, and with it the corresponding end of the VPN tunnel (let’s say VPN00 for example), the other side will keep trying to reconnect, signaling that in fact the tunnel is up and packets can be routed this way. I believe that eventually it should give up, but it does not.
In this case if I manually bring that VPN00 down the packets are going smoothly again on the second tunnel. If I bring that VPN00 up again, the packet loss appears again (around 40 to 60% packet loss).
If there is an issue in the way VPN failover works, at least the VPN load balancing should run smoothly, but this is not the case. The packet loss appears even when both routes are up and both VPN tunnels are started.
Looking in the VPN logs I can find that the VPN connections keep restarting, and this can explain the packet loss but not why this ongoing restarting is happening.
If there is a conflict between the net balancer and VPN bonding, at least static routes or net balancing rules that force the routing of UDP packets over a certain gateway should help, but this will not work either.
I can’t go without the net balancer and let only the VPN bonding do its job; this is not possible as one tunnel will never be up, and then a single static default gateway is anyway impractical if the ISP connection that routes that gateway goes down.
August 1, 2010 at 5:41 pm #50824
After having a second thought I disabled the net balancer and added static routes for the remote gateways instead. This fixed the problem.
Then I also added a default gateway pointing to one of the routers and work with this in place too.
I don’t know if this is the intended Zeroshell config for handling this, probably more a workaround, because if the net balancer is disabled the internet traffic from the clients on the LAN behind Zeroshell will always have to go one route.
Anyway this will work fine in my setup.
Thank you ppalias, you helped me to get this going. You are Great!
August 2, 2010 at 11:01 am #50825
You could read the tutorials page, there is a tutorial on bonding vpn tunnels together and thus you could save a lot of time.
When you create a VPN tunnel you can assign which gateway to use, so that you don’t need to worry about having netbalancer or any other static route working. Once the tunnels are up and BOND is working you can use it for default gateway.
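The symptom described in this thread (one tunnel looping on ECONNREFUSED and restarts while it is still a bond member, black-holing part of the traffic) can be spotted from the OpenVPN logs before anyone notices ping loss. The following script is an added example, not Zeroshell code: it assumes each log line is prefixed with the tunnel name (e.g. "VPN00:"), and the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real capture): VPN00's remote side is unreachable
# (its ISP is down), so it loops on ECONNREFUSED and ping-restart; VPN01 is healthy.
SAMPLE_LOG = """\
VPN00: Sat Jul 31 10:00:00 2010 Initialization Sequence Completed
VPN01: Sat Jul 31 10:00:01 2010 Initialization Sequence Completed
VPN00: Sat Jul 31 10:01:10 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
VPN00: Sat Jul 31 10:01:40 2010 [server] Inactivity timeout (--ping-restart), restarting
VPN00: Sat Jul 31 10:01:40 2010 SIGUSR1[soft,ping-restart] received, process restarting
VPN00: Sat Jul 31 10:02:50 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
VPN00: Sat Jul 31 10:03:20 2010 SIGUSR1[soft,ping-restart] received, process restarting
VPN00: Sat Jul 31 10:04:30 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
VPN00: Sat Jul 31 10:05:00 2010 SIGUSR1[soft,ping-restart] received, process restarting
VPN01: Sat Jul 31 10:05:00 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
"""

# Assumed line layout: "<tunnel>: <OpenVPN timestamp> <message>"
LINE_RE = re.compile(r"^(?P<tun>\w+): (?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<msg>.*)$")
RESTART_MARKERS = ("process restarting", "[ECONNREFUSED]")

def parse(log):
    """Yield (tunnel, timestamp, message) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield m["tun"], ts, m["msg"]

def flapping_tunnels(log, window=timedelta(minutes=5), threshold=3):
    """Return {tunnel: total restart/refused events} for every tunnel that
    shows >= threshold such events inside any sliding window of `window`."""
    events = defaultdict(list)
    for tun, ts, msg in parse(log):
        if any(marker in msg for marker in RESTART_MARKERS):
            events[tun].append(ts)
    flapping = {}
    for tun, times in events.items():
        times.sort()
        start = 0                      # left edge of the sliding window
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flapping[tun] = len(times)
                break
    return flapping
```

A tunnel reported here is the one to take out of the bond (or to give its own pinned route to the remote endpoint, as the thread ends up doing) rather than leaving it to retry forever.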