Load balancing not working with Wireguard client
-
@Gblenn Thanks. I'm afraid partially losing automatic failover to improve outbound VPN performance is not a great trade-off, unfortunately. Wireguard also doesn't use a fixed port. Various VPN servers use different ones. There is a list of the most common ones. If I could create rules that cover all outbound Wireguard connections on one interface, it seems that it would be possible for Netgate to implement automatic failover for them too, but as you say, that functionality seems to be missing for now.
Since I'm always home when I use outbound VPN, perhaps it is simpler to manually turn off the slower WAN, and reverse this if the faster WAN goes down, also manually.
-
@madbrain Well, wireguard is not using random ports, and all your clients or endpoints are known to you by looking at the configs for each. So you can easily create an alias containing all those ports and have any and all your wg connections be routed via the desired interface.
But perhaps you should rather be looking at changing the "weight" of the interfaces in your load balancing group. Since they are very different in capacity, your weight should also be set accordingly. Load balancing is a game of statistics, since the idea is to have many single stream connections to share the combined bandwidth of the interfaces.
If you set the weights so that roughly 71% of the traffic is going through the faster interface, you will be using that interface to a much higher degree, which makes sense from a capacity perspective. Then you maintain the failover capability whilst getting a much higher probability of your VPN going out the desired interface.
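As an added illustration of the two options discussed in this thread (pinning WireGuard traffic via a port alias versus weighting the gateways in a group), here is a small simulation that is not code from either poster or from pfSense. The gateway weights (5:1:1, giving the fast link 5/7, roughly 71%) and the WireGuard port alias are constructed values; it models a Tier-1 gateway group as a weighted random choice among members that are up, and a policy rule that pins WireGuard UDP traffic to one gateway as having no fallback when that gateway is down.

```python
import random
from collections import Counter

# Constructed gateway weights (System / Routing / Gateways / Advanced / Weight).
# 5:1:1 gives the fast link 5/7, i.e. roughly 71% of new connections.
GATEWAYS = {"Comcast": 5, "Sail": 1, "Verizon": 1}

# Constructed alias of WireGuard endpoint UDP ports collected from the client
# configs; 51820 is the conventional default, the other two are made-up values.
WG_PORTS = {51820, 4500, 1194}


def share(weights, up=None):
    """Expected share of new connections per gateway, counting only gateways that
    are up. A gateway group behaves this way: a down member is simply left out."""
    up = up or {}
    live = {g: w for g, w in weights.items() if up.get(g, True)}
    total = sum(live.values())
    return {g: w / total for g, w in live.items()}


def pick_gateway(weights, up=None, rng=random):
    """Weighted random choice among gateways that are up (a Tier-1 gateway group).
    Returns None when every member is down."""
    live = share(weights, up)
    if not live:
        return None
    names = list(live)
    return rng.choices(names, weights=[live[n] for n in names], k=1)[0]


def route_connection(dst_port, proto, weights, up=None, pin_wg_to=None, rng=random):
    """Model the LAN policy rules. A rule that pins UDP traffic to the WG port alias
    onto one gateway keeps it on that link but has no fallback if that link is down;
    all other traffic goes through the weighted group and fails over automatically."""
    if pin_wg_to and proto == "udp" and dst_port in WG_PORTS:
        return pin_wg_to if (up or {}).get(pin_wg_to, True) else None
    return pick_gateway(weights, up, rng)


def simulate(n_conns, weights, up=None, pin_wg_to=None, seed=1):
    """Open n_conns connections with a constructed mix of HTTPS, HTTP and WireGuard
    traffic and count which gateway each lands on. Each connection sticks to one
    gateway for its lifetime, which is why a single speedtest stream never spreads
    across WANs: balancing only shows up across many connections."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_conns):
        port = rng.choice([443, 443, 80, 51820])
        proto = "udp" if port in WG_PORTS else "tcp"
        counts[route_connection(port, proto, weights, up, pin_wg_to, rng)] += 1
    return counts


if __name__ == "__main__":
    print("all up, weighted group: ", simulate(10_000, GATEWAYS))
    print("Comcast down, group:    ", simulate(10_000, GATEWAYS, up={"Comcast": False}))
    print("Comcast down, WG pinned:", simulate(10_000, GATEWAYS, up={"Comcast": False},
                                                pin_wg_to="Comcast"))
```

Running it shows the trade-off in numbers: with all links up the weighted group sends about 71% of new connections out Comcast, and when Comcast goes down the remaining traffic splits across Sail and Verizon, whereas the connections pinned to Comcast by the alias rule end up with no gateway at all (counted under None).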
-
@Gblenn Thanks. I will look into doing that.
However, right now, I'm experiencing a more basic problem. The load balancing isn't working at all, even for Speedtest. All traffic goes through one interface. I'm not certain what might have changed in my configuration that could cause this.
I do have an extra NIC and a total of 3 ISPs rather than 2 ISPs before. But even disabling one interface for one of the ISPs does not restore the load balancing functionality.
I followed the guide at https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ . That initially worked with 2 ISPs. But it does not work anymore.
I even tried running simultaneous speedtests from 3 different hosts. All the traffic is going to only one WAN interface. This happens regardless of weights I give to each gateway.
-
@madbrain I had a config with load balancing working with 2 ISPs, which I restored.
If I add an interface for the 3rd ISP, without doing anything else, the load balancing stops working.
If I restore the same working config again, and rename the 2 WAN interfaces, the load balancing also stops working. I renamed WAN to Comcast and WAN2 to Sail. I wouldn't expect a cosmetic config change to affect functionality, but perhaps there are references by name somewhere else. I'm not sure what.
-
@madbrain Sounds really strange that a name change would have such an effect...
And when adding the third interface, all you do is put that into the existing group, also set as Tier 1 like the others? And that breaks the load balancing completely?
And what about policy rules? Do you have a rule both for the loadbalancer and the failover gateway as per that guide?
If so, you need to make sure the balancer rule is above the failover, since rules are handled from the top. BTW, how do you go about changing the names of the gateways? Did you edit the config file or do you copy the gateway, give it a new name and then delete the old one?
Changing name on a gateway can't be done without affecting other things, like the FW rules for example.
-
@Gblenn I agree it is strange. I can't reproduce the issue with the name anymore. But I can definitely reproduce the problem of load balancing not working.
I backed up my settings, and started over with a brand new config and configured all 3 ISPs.
Still, all traffic is being directed at one ISP, even with multiple hosts each initiating multiple connections.
In the following graph I had 4 devices running Ookla Speedtest - a Windows box, a Linux box, a Raspberry Pi4, and my S22 Ultra phone on Wifi. All except the phone were wired.
All traffic got routed to the Comcast WAN. Sail and Verizon WANs were untouched.
What am I missing?
-
@madbrain One thing that I notice which you have set different to what I have, is the default gateway IPv4. I have it set to the failover group that I created, in your case "v4LB". Whereas you have it as Automatic...
-
@madbrain When I looked at instructions you linked to, or e.g. Lawrence Systems, they suggest using the Gateway Group in the LAN rule. But instead I have it set as Default... and it's working fine.
-
@Gblenn I tried setting the default gateway to the load balancer group also. That did not help, unfortunately. All traffic is still going through Comcast.
-
@Gblenn Are you using pfSense CE or Plus? I'm using Plus. I don't see the same screen as you posted in your screenshot. Where is it at?
Edit: found under Firewall -> Rules -> LAN -> Edit (IPv4 rule) -> Show advanced -> Gateway. I set the load balancing group for both IPv4 and IPv6.
And miraculously, the traffic started getting distributed across all 3 WANs!
Thanks for the tip. I wonder how you got it to work without setting the gateway.
-
@madbrain I have always had it set to the gateway group in that setting. It was the firewall rule that is suggested both in the instructions you linked to and by Lawrence Systems. There I keep it at default.
Great that it works now!
-
I guess now you could take a look at the weighting, to rebalance based on individual capacity of each connection. Not the Tier number, but rather for each individual Gateway (under System / Routing / Gateways) when you expand the Advanced button. First item there is weight...
-
@Gblenn Yes. I set up the weighting. Unfortunately, I ran into some issues with Netflix streaming, where buffering happened even though all 3 WANs were up. Will post a separate thread.
-
@madbrain said in Load balancing not working with Wireguard client:
I do have an extra NIC and a total of 3 ISPs rather than 2 ISPs before. But even disabling one interface for one of the ISPs does not restore the load balancing functionality.
-
@rikazkhan Your message was just a quote. Did you mean to add something?