Netgate Discussion Forum

    Dual wan and failover with dynamic ip address

      hoba

      Do you always get the same IP from the PPPoE dialin? If yes you don't need the "use modem as default static gateway" trick.

      If no it should work. However I don't understand your ASCII diagram. Looks like you used 192.168.1.x addresses at your WAN. Make sure this doesn't conflict with your LAN subnet (192.168.1.1/24 is the default LAN subnet after installation).

      Your setup should look something like this:

      
      ISP1--------ModemRouter(192.168.254.1/24)------(192.168.254.2/24)WAN
                                                                        pfSense LAN (192.168.1.1/24)------------LAN Clients
      ISP2----------------Modem(bridge)--------------(some public IP)OPT-WAN
      
      

      In this scenario you might need to uncheck "block private IPs" at interfaces>wan. Also if your ModemRouter provides a setting "DMZ IP" you should enter the pfSense WAN IP there. This way it will forward everything to the pfSense WAN and you only have to configure port forwards, firewall rules, … there.

        sintar

        In my experience you need to uncheck "block private IPs" on any interface that has a private IP range:

        10.0.0.0 - 10.255.255.255
        172.16.0.0 - 172.31.255.255
        192.168.0.0 - 192.168.255.255

        @hoba:

        In this scenario you might need to uncheck "block private IPs" at interfaces>wan. Also if your ModemRouter provides a setting "DMZ IP" you should enter the pfSense WAN IP there. This way it will forward everything to the pfSense WAN and you only have to configure port forwards, firewall rules, … there.
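
Added example (not part of the original posts): a small Python check of the two addressing points raised above, namely that the WAN subnet must not overlap the LAN subnet and that an interface addressed from the listed private ranges cannot keep "block private IPs" enabled. The `interfaces` dictionary layout, the `block_private` key and the sample addresses are assumptions made for illustration and are not pfSense's configuration format.

```python
import ipaddress

# Private ranges exactly as listed in the post above (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_interfaces(interfaces):
    """Return (interface, finding) tuples for an address plan.

    `interfaces` maps a name to {"addr": "a.b.c.d/len", "block_private": bool}.
    This layout is hypothetical; it is not pfSense's config.xml format.
    """
    findings = []
    nets = {name: ipaddress.ip_interface(cfg["addr"])
            for name, cfg in interfaces.items()}
    names = sorted(nets)

    # 1. Subnets on different interfaces must not overlap (WAN vs. default LAN).
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].network.overlaps(nets[b].network):
                findings.append((a, f"subnet {nets[a].network} overlaps {b}"))

    # 2. An interface addressed from a private range has private upstream
    #    traffic, which "block private IPs" would drop.
    for name in names:
        private = any(nets[name].ip in r for r in RFC1918)
        if private and interfaces[name]["block_private"]:
            findings.append((name, "private address with block_private enabled"))
    return findings


# Constructed samples: a WAN inside the default LAN subnet, then the layout
# from the diagram in the thread (OPT-WAN uses a documentation address).
CONFLICTING = {
    "wan": {"addr": "192.168.1.2/24", "block_private": True},
    "lan": {"addr": "192.168.1.1/24", "block_private": False},
}
SUGGESTED = {
    "wan": {"addr": "192.168.254.2/24", "block_private": False},
    "lan": {"addr": "192.168.1.1/24", "block_private": False},
    "opt1": {"addr": "203.0.113.10/24", "block_private": True},
}

if __name__ == "__main__":
    for plan in (CONFLICTING, SUGGESTED):
        print(audit_interfaces(plan) or "no findings")
```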

          sbyoon

          I'm working on dual WAN load balancing and failover with dynamic gateways. For the gateway, I use "wan" and "opt1" instead of the real gateway's IP address. And now it works well. Pls see the attached images.

          But I'd like to restart slbd when the wan's or opt1's IP address is changed. The problem is that I cannot figure out the process of it on pfSense. Is there anyone who can give me a hint how to do it? If it is possible I will provide the diffs.

          Thanks.

          lb-pool.jpg
          lb-pool-edit.jpg
          lb-pool-status.jpg

            jeroen234

            I think you need to add some code to
            /etc/rc.newwanip

              hoba

              Nice addition! While you are at it can you add wan-gateway and optx-gateway as variables to be optionally used for monitor IPs too?  ;)

                billm

                @sbyoon:

                I'm working on dual WAN load balancing and failover with dynamic gateways. For the gateway, I use "wan" and "opt1" instead of the real gateway's IP address. And now it works well. Pls see the attached images.

                But I'd like to restart slbd when the wan's or opt1's IP address is changed. The problem is that I cannot figure out the process of it on pfSense. Is there anyone who can give me a hint how to do it? If it is possible I will provide the diffs.

                Thanks.

                slbd config (and restart) is done in /etc/inc/vslb.inc.  However, you likely want /etc/rc.newwanip (I'm not sure that runs for optx interfaces though).

                –Bill

                pfSense core developer
                blog - http://www.ucsecurity.com/
                twitter - billmarquette

                  sbyoon

                  I think I succeeded in it. I added "slbd_configure();" into rc.newwanip to reload slbd. I found rc.newwanip is executed when an IP change occurs at optx as well.

                  I tested it for several days and it works well for me. But I want it to be tested by other people who are in various other environments.

                  If you want to test it, you can download the loadbalance.zip file from the link below.

                  http://www.monetcom.co.kr/download/loadbalance.zip

                  And decompress the file and upload each decompressed file to pfSense. (command prompt -> upload)
                  And then copy each file to below.

                  /etc/inc/vslb.inc
                  /usr/local/www/load_balancer_pool_edit.php
                  /etc/inc/filter.inc
                  /etc/rc.newwanip

                  • If you are using the embedded version, make sure that you execute /etc/rc.conf_mount_rw before copying.

                  Any feedback will be appreciated.

                  And I'd like to make rc.newwanip check whether outgoing load balancing is enabled or not before it executes "slbd_configure()". I tested it by adding "if ($config['load_balancer']['lbpool']['type'] == "gateway")" above "slbd_configure();" but it didn't work. Could anyone give me advice for it?

                  Thanks.

                  lb-pool-edit.jpg

                    hoba

                    Just a question: Do you have to enter the OPTx-name or the substitute of it like WAN2 (in case you called OPT1 WAN2)?

                      sbyoon

                      You should use the interface name in interfaces -> assign. Pls see the attached image. In this case the interface name should be wan, opt1 or opt4.

                      interfacename.jpg

                        hoba

                        The substitutes of the interface names would be nicer but this is cool too  :)

                          billm

                          @hoba:

                          The substitutes of the interface names would be nicer but this is cool too  :)

                          We can work around this of course if the code works :)

                          –Bill

                            sbyoon

                            I found my mistake in load_balancer_pool_edit.php. When clicking add pool, the interface name was undefined. Now I corrected it. Pls download the correct one again if you already downloaded it.

                            http://www.monetcom.co.kr/download/loadbalance.zip

                            And I found that rc.newwanip is not correctly copied to pfSense. If you have this problem also, you can edit it by just adding the code below at the bottom of rc.newwanip.

                            /* reload slbd */
                            slbd_configure();
                            log_error("Configuring slbd");

                              GotzBoost

                              Well I'd have to say this guy fixed all my issues with this little update, OMG this is awesome. Been working on getting load balancing to work with my cable modem and my DSL all day. Ran across this, implemented it, and wham, it's all working… Thank you sooooo much for this addition.

                              Well since he helped me so much, I thought I would add to it also. I modified the config interface to allow picking what interface you want to add to the pool from a list. And added the ability to pick the Gateway's address from a list also, among other options too. (See attached image)

                              A quick note though, one reason, on top of being dynamic, why I couldn't get the dang balancing to work all day was because my cable provider disabled ping to its gateway.... As soon as I set it to my web hosting company's IP, it all came "online."

                              Just update the files appropriately in /usr/local/www
                              http://www.webhostingspot.com/pfSense.rar

                              Question, before I start messing around I thought I'd ask first.
                              With all this load balancing working and all, how do I configure pfSense so that all SMTP traffic on my network goes out through the WAN interface only?

                              P.S. How the heck do I get my FTP outbound working now?

                              ![Load Balance Setup.JPG](/public/imported_attachments/1/Load Balance Setup.JPG)

                                sai

                                @GotzBoost:

                                Question, before I start messing around I thought I'd ask first.
                                With all this load balancing working and all, how do I configure pfSense so that all SMTP traffic on my network goes out through the WAN interface only?

                                That's policy-based routing.
                                Set up a rule allowing SMTP and in that rule specify the WAN interface as gateway. Make sure that this rule is above the others.

                                  hoba

                                  @GotzBoost:

                                  P.S. How the heck do I get my FTP outbound working now?

                                  http://forum.pfsense.org/index.php/topic,2282.msg13472.html#msg13472

                                    GotzBoost

                                    @sai:

                                    That's policy-based routing.
                                    Set up a rule allowing SMTP and in that rule specify the WAN interface as gateway. Make sure that this rule is above the others.

                                    I'm assuming you are talking about a NAT rule and not a firewall rule. Adding this NAT rule is not going to mess up the auto generated load balancing rule? Am I supposed to select "Enable advanced outbound NAT" to add my own NAT rules? What exactly does "Enable advanced outbound NAT" mean and do? And if there was an auto generated NAT rule, where is it? Why doesn't it show up in the NAT rule list, it should? When need be, add auto generated NAT rules, forewarn the admin though, and allow the admin to control the NAT rules. Don't control NAT rules, just help generate them.

                                    Being Check Point FW1 NG certified, I'm very familiar with NAT and firewall rules. It's taking a bit of a learning curve to use pfSense, but not much. pfSense reminds me of CheckPoint a LOT! Personally, I think if you got this stable enough it could easily compete with a single instance CheckPoint setup.

                                    Just need to add the capability of application-level packet inspection, so that you can drop packets for certain apps (like IM or P2P). And it would be neck and neck with CheckPoint.

                                      GotzBoost

                                      @hoba:

                                      @GotzBoost:

                                      P.S. How the heck do I get my FTP outbound working now?

                                      http://forum.pfsense.org/index.php/topic,2282.msg13472.html#msg13472

                                      Ok, I've verified that all my interfaces don't have "Disable the userland FTP-Proxy application" checked. And my firewall rules allow from LAN interface all outbound activity to any. Still no work.

                                      P.S. What is the userland FTP-Proxy application? And why is it used? What's different between, let's say, an SMTP connection and an FTP connection that is not allowing FTP?

                                        hoba

                                        Reread the post, you need to add an additional rule at the top of your firewall rules. It's not only the FTP helper setting. For further information on the FTP helper please search the forum. This has been covered in depth already several times.

                                          GotzBoost

                                          What about reply #22?

                                            hoba

                                            Firewall rules determine through which interface the traffic is leaving for policy-based routing (gateway setting). Advanced outbound NAT lets you specify what happens with traffic that is leaving through an interface (if it should be natted or not or if you have multiple Virtual IPs to which of the IPs). If advanced outbound NAT is disabled NAT will happen on all interfaces that have a gateway configured. It then will translate the traffic to the interface IP of the pfSense. If you enable advanced outbound NAT you have to set up your own rules. Everything not specified in the rules will just be routed without NAT. Enabling advanced outbound NAT will generate a NAT-rule for traffic going from LAN to WAN for your reference.
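
Added example (not part of the original thread and not pfSense code): a simplified Python model of the two decisions described by sai and hoba above, with first-match firewall rules choosing the gateway and outbound NAT then choosing the source address. The `FwRule` and `NatRule` classes, the pool name `balance_pool` and all addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class FwRule:                      # simplified firewall rule (hypothetical model)
    proto: str                     # "tcp", "udp" or "any"
    dst_port: Optional[int]        # None matches every port
    gateway: str                   # interface or pool the match is sent through


@dataclass
class NatRule:                     # simplified advanced outbound NAT rule
    interface: str
    source: str                    # source network in CIDR form
    translate_to: str


def pick_gateway(rules, proto, dst_port):
    """Rules are evaluated top-down and the first match decides the gateway."""
    for r in rules:
        if r.proto in ("any", proto) and r.dst_port in (None, dst_port):
            return r.gateway
    return None                    # no rule matched


def outbound_source(out_if, src, advanced, if_addr, nat_rules=()):
    """Source address the packet carries after leaving through out_if."""
    if not advanced:               # automatic: NAT to the interface address
        return if_addr.get(out_if, src)
    for r in nat_rules:            # advanced: only what the rules specify
        in_net = ipaddress.ip_address(src) in ipaddress.ip_network(r.source)
        if r.interface == out_if and in_net:
            return r.translate_to
    return src                     # not specified: routed without NAT


# Constructed sample values (documentation address ranges).
IF_ADDR = {"wan": "198.51.100.2", "opt1": "203.0.113.2"}  # interfaces with a gateway
RULES = [FwRule("tcp", 25, "wan"), FwRule("any", None, "balance_pool")]
AUTO_GENERATED = [NatRule("wan", "192.168.1.0/24", "198.51.100.2")]

if __name__ == "__main__":
    print(pick_gateway(RULES, "tcp", 25))          # SMTP rule on top
    print(pick_gateway(RULES[::-1], "tcp", 25))    # SMTP rule below the catch-all
    print(outbound_source("opt1", "192.168.1.50", True, IF_ADDR, AUTO_GENERATED))
```

In this model, moving the SMTP rule below the catch-all sends port 25 to the pool, and with advanced outbound NAT enabled and only a LAN-to-WAN rule present, traffic leaving through opt1 keeps its private source address.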

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.