Bandwidth segregation needed (and not load balance or fail over)
-
We successfully tested load balancing and fail over for the new WAN2. But for some devices under VLAN30 and all devices under VLAN40 we configured them for bandwidth segregation only and with no load balancing and no fail over. But load balancing (or fail over) is still being done on those devices. Can you please help me see where I'm doing things wrong? These are the settings:
The groups under the different VLANs are allocated bandwidth based on their "IN / OUT PIPE" values in the firewall rules using traffic limiter
WAN1 is static IP thru Fiber. Block Private networks and bogon networks
- is used for Online Classes, Faculty, and Staff
- lower bandwidth than WAN2 but has better latency
WAN2 is static IP thru Starlink. Block Private networks and bogon networks
- is used for Students, Family Members, and Guests
- these devices should not load balance or fail over to WAN1 because the bandwidth allocated to WAN1 (like the Online Classrooms) is needed in the business
- the problem is that these devices (Students, Family Members, Guests) load balance (or fail over) to WAN1
System > Routing > Gateways
- NAME | GATEWAY | MONITOR IP
- WAN1 | <WAN1's gateway IP> | 8.8.8.8
- WAN2 | <WAN2's gateway IP> | 8.8.4.4
System > Routing > Gateway Groups
Trigger Level: "Packet Loss or High Latency" for all three gateway groups below:
- GROUP NAME | GATEWAYS | PRIORITY
- loadbalance | WAN1 | Tier 1
- loadbalance | WAN2 | Tier 1
- failover1 | WAN1 | Tier 1
- failover1 | WAN2 | Tier 2
- failover2 | WAN1 | Tier 2
- failover2 | WAN2 | Tier 1
System > General Setup > DNS Server Settings
I used 8.8.8.8 under WAN1 and 8.8.4.4 under WAN2 (same as System > Routing > Gateways) because I saw on YouTube that the DNS servers should be consistent with the Monitor IP under Gateways
- DNS SERVERS | GATEWAY
- 8.8.8.8 | WAN1
- 8.8.4.4 | WAN2
- <DNS IP 1 FROM ISP 1> | WAN1
- <DNS IP 2 FROM ISP 1> | WAN1
System > Advanced > Miscellaneous
check mark on 'Use sticky connections' <-- did not uncheck after load balancing tests
Firewall Rules > Floating (no entries)
Firewall Rules > WAN1 (nothing except system's block private networks and bogon networks)
Firewall Rules > WAN2 (nothing except system's block private networks and bogon networks)
Firewall Rules > LAN (nothing except system's Anti-Lockout Rule for Destination LAN Address of Ports 443 and 80) <-- has zero bytes and packets
The "IN / OUT PIPE" values in the VLAN rules below are for use in traffic limiter
Firewall Rules > VLAN10 (Faculty)
- ADDRESS FAMILY : IPv4
- PROTOCOL : Any
- SOURCE : <alias of Faculty IP Addresses>
- DESTINATION : any
- GATEWAY : failover1
- IN / OUT PIPE : QVLAN10_FUpload / QVLAN10_FDownload
Firewall Rules > VLAN10 (Staff)
- ADDRESS FAMILY : IPv4
- PROTOCOL : Any
- SOURCE : <alias of Staff IP Addresses>
- DESTINATION : any
- GATEWAY : failover1
- IN / OUT PIPE : QVLAN10_SUpload / QVLAN10_SDownload
Firewall Rules > VLAN30 (Untrusted Device)
- ADDRESS FAMILY : IPv4
- PROTOCOL : Any
- SOURCE : <alias of Untrusted Device IP Addresses>
- DESTINATION : any
- GATEWAY : failover2
- IN / OUT PIPE : QVLAN30_UDUpload / QVLAN30_UDDownload
Firewall Rules > VLAN30 (Family Members and Guests) <--this has problem
- ADDRESS FAMILY : IPv4
- PROTOCOL : Any
- SOURCE : <alias of Family Members and Guests IP Addresses>
- DESTINATION : any
- GATEWAY : WAN2
- IN / OUT PIPE : QVLAN30_GuestUpload / QVLAN30_GuestDownload
Firewall Rules > VLAN40 (Students) <--this has problem
- ADDRESS FAMILY : IPv4
- PROTOCOL : Any
- SOURCE : <alias of Student IP Addresses>
- DESTINATION : any
- GATEWAY : WAN2
- IN / OUT PIPE : QVLAN40_Upload / QVLAN40_Download
We encounter a problem with the last two entries above (VLAN30 Guests and VLAN40 Students) because they still get internet access even when WAN2 is turned off and the VLAN30 Guest or VLAN40 Student computer is restarted. Thank you in advance for the help.
-
@richardsago hi
what is your default gateway group?
-
hi @greenlight
The gateway group does not have a checkbox to let me choose which of the three gateway groups will be the default. But at the bottom of the Gateways tab there's "Default gateway IPv4" with a value of "Automatic". At the top of the Gateways tab there's a listing of gateways and WAN1 has the icon of the default gateway, but I think that this can switch to WAN2 if WAN1 becomes disconnected. My pfSense version is 2.5.0-RELEASE.
-
hi @greenlight
The "Default gateway IPv4" was changed to "Automatic" yesterday. I think it used to be "WAN1" but I did not keep track and so it could have had the value of "loadbalance" or "failover1". There's a "None" value as a choice in the "Default gateway IPv4" dropdown list. Should I choose "None"?
-
@richardsago As far as I understand, you want to stop some VLANs from accessing the Internet at certain times. So, will they access the network and go online during these times? Or will they not be able to access the network and the internet at the same time?
-
@richardsago I also want to ask this. Do you want the internet to be cut off when WAN2 goes down, or do you want to manually turn off WAN2 and prevent the devices from accessing the internet?
-
hi @greenlight
The "VLAN30 Guests" and "VLAN40 Students" will have internet access at all times but will only get internet access through WAN2. If WAN2 access goes down, they should not get internet access from WAN1. This is because WAN1 bandwidth is not that high and it will be used in online classes.
-
@richardsago I'm not sure, but it may be using the settings of the parent interface used by the vlan to connect to the internet. You can also try by creating a rule in the parent interface.
-
hi @greenlight
I tried setting 'Default gateway IPv4' from 'Automatic' to 'None' and it seemed to fix the issue. I will observe more and update this post if it does not really fix the issue. Thank you, I got the idea from your question earlier.
-
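Editor's note, added to the thread and not part of any post above or of pfSense itself: the model below reproduces the routing decision the thread turns on, so the leak and the fix can be checked side by side. It encodes the three gateway groups and the per-VLAN rules as posted, plus the two pfSense behaviours that explain the symptom: when the single gateway named in a policy rule is down and "Skip rules when gateway is down" (System > Advanced > Miscellaneous) is unchecked, pfSense omits the gateway from the rule and the packet follows the routing table, i.e. the default gateway; and Default gateway IPv4 "Automatic" falls back to whichever gateway is up, while "None" leaves no default route. The alias names, the tie-break for "Automatic" and for equal tiers, and the assumption that each VLAN has only the one pass rule shown (so a skipped rule means default deny) are simplifications chosen to match the thread, not values read from a real firewall.

```python
"""Model of pfSense policy routing for the WAN1/WAN2 setup in this thread.

Added illustration, not code from the post or from pfSense. Assumptions:
  * a rule naming a single gateway uses it while it is up; if it is down and
    "Skip rules when gateway is down" is unchecked, the gateway is dropped
    from the rule and the packet follows the default route;
  * with that option checked, the rule is skipped; since each VLAN has only
    one pass rule here, the packet then hits the default deny;
  * a gateway group picks the lowest tier that has an up member (ties go to
    the alphabetically first name, a stand-in for load balancing);
  * Default gateway "Automatic" takes the first up gateway in listing order,
    "None" leaves no default route.
"""
from dataclasses import dataclass
from typing import Dict, Optional

AUTOMATIC = "Automatic"
NONE = "None"


@dataclass
class Gateway:
    name: str
    up: bool = True


@dataclass
class Rule:
    source_alias: str
    gateway: str  # a gateway name or a gateway-group name, as in the rule's GATEWAY field


# System > Routing > Gateway Groups, as posted: group -> {gateway: tier}
GROUPS: Dict[str, Dict[str, int]] = {
    "loadbalance": {"WAN1": 1, "WAN2": 1},
    "failover1": {"WAN1": 1, "WAN2": 2},
    "failover2": {"WAN1": 2, "WAN2": 1},
}

# One pass rule per alias, GATEWAY field as posted (aliases are assumed names)
RULES: Dict[str, Rule] = {
    "Faculty": Rule("Faculty", "failover1"),
    "Staff": Rule("Staff", "failover1"),
    "UntrustedDevice": Rule("UntrustedDevice", "failover2"),
    "Guests": Rule("Guests", "WAN2"),
    "Students": Rule("Students", "WAN2"),
}


def state(wan1_up: bool, wan2_up: bool) -> Dict[str, Gateway]:
    """Gateway table in listing order (WAN1 first, matching the post)."""
    return {"WAN1": Gateway("WAN1", wan1_up), "WAN2": Gateway("WAN2", wan2_up)}


def pick_from_group(group: Dict[str, int], gateways: Dict[str, Gateway]) -> Optional[str]:
    """Lowest-tier gateway that is up, or None when every member is down."""
    candidates = [(tier, gw) for gw, tier in group.items() if gateways[gw].up]
    return min(candidates)[1] if candidates else None


def default_route(default_gateway: str, gateways: Dict[str, Gateway]) -> Optional[str]:
    """Where the routing table sends a packet that carries no policy gateway."""
    if default_gateway == NONE:
        return None  # no default route at all: the packet is dropped
    if default_gateway == AUTOMATIC:
        return next((gw.name for gw in gateways.values() if gw.up), None)
    if default_gateway in GROUPS:
        return pick_from_group(GROUPS[default_gateway], gateways)
    gw = gateways.get(default_gateway)
    return gw.name if gw is not None and gw.up else None


def egress(source_alias: str, gateways: Dict[str, Gateway],
           default_gateway: str, skip_when_down: bool = False) -> Optional[str]:
    """Return the WAN a packet from source_alias leaves on, or None if it is dropped."""
    rule = RULES[source_alias]
    if rule.gateway in GROUPS:
        chosen = pick_from_group(GROUPS[rule.gateway], gateways)
    else:
        chosen = rule.gateway if gateways[rule.gateway].up else None
    if chosen is not None:
        return chosen
    if skip_when_down:
        return None  # rule skipped, nothing else passes this VLAN: default deny
    return default_route(default_gateway, gateways)  # gateway omitted from the rule


if __name__ == "__main__":
    for label, gws, dflt, skip in [
        ("WAN2 up, default Automatic", state(True, True), AUTOMATIC, False),
        ("WAN2 down, default Automatic", state(True, False), AUTOMATIC, False),
        ("WAN2 down, default None", state(True, False), NONE, False),
        ("WAN2 down, skip rules when gateway is down", state(True, False), AUTOMATIC, True),
    ]:
        print(f"{label}: Guests -> {egress('Guests', gws, dflt, skip)}, "
              f"Faculty -> {egress('Faculty', gws, dflt, skip)}")
```

With WAN2 down and the default gateway left on Automatic, the Guests rule loses its gateway and the packet takes the WAN1 default route, which is the leak reported; setting the default gateway to None removes that route, and checking "Skip rules when gateway is down" reaches the same result by skipping the rule instead. The failover1 and failover2 groups keep working under either setting because the group, not the default route, supplies the fallback gateway.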