Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Outbound load balancing + dedicated VPN

    2.0-RC Snapshot Feedback and Problems - RETIRED
    2
    3
    2.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      Blind
      last edited by

      I have a question about the multi-wan setup in 2.0, and would like to make sure I have my configuration setup optimally.

      I have 2 outbound connections, one our primary 7mb up/down line, and one a backup DSL connection.

      On our primary, we have a range of IP's, and are using 2 of them, 1 for our main outbound internet, and 1 for a dedicated VPN link.

      Our equipment is -

      pfsense w/3 NIC's
      1 x to LAN (172.16.0.1)
      1 x to Switch on Primary ISP (174.xx.xx.x2)
      1 x to DSL (66.xx.xx.xx)

      Linksys 350n wireless router (running dd-wrt)
      1 x to LAN (172.16.1.2)
      1 x to VPN Router (192.168.5.246)

      Linksys rv042 VPN router
      1 x to wireless router WAN port (uplink)(192.168.5.245)
      1 x to Switch on Primary ISP (174.xx.xx.x3)

      I have a gateway group configured with tier1 for Primary ISP, tier2 for DSL

      Under the routing, under each gateway under advanced there is a weight setting, but I can't find it discussed anywhere? What should the weight be set to for these?

      For the VPN link I have the wifi router 172.16.1.2 setup as a gateway under routing, with alternate monitoring set to the VPN router.
      I have the wifi router in the middle because the other side of the VPN link uses the same internal IP addressing scheme as we do, is this the best way to do this? I'm not sure.
      Under the firewall rules, for LAN, I have rules configured to use the VPN gateway if the destination IP is on the other side of the VPN. (172.25.0.0/16, 160.33.0.0/16)

      In my logs, I'm seeing traffic being blocked with 172.25.44.63:443, why is this happening - shouldn't my firewall rules allow that traffic?  When I click on the "pass this traffic/easy rule" a new rule is added to the LAN section under firewall.

      Should I be using stating routes under the routing section instead?

      The configuration now is "working" but I am seeing some weird issues with resources over the VPN link, seemingly random time-outs, etc, but there's no errors or issues with the actual link, just getting traffic from the pfsense2 gateway to the VPN router. Also the DSL line seems to hardly ever be used - I'm seeing peaks up around 7mbps on the primary link, but during the same period on the DSL link it peaks at 75kbps. We have 60 users and have google apps for email/IM/etc, looking to replacing our internet connections with 2 x 35mbps FIOS links but still waiting on red tape to get the line into the building, when we do get it I want to be positive that we're able to load balance on the 2 lines properly.

      thanks for any help!

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        The weight setting is for load balancing, not failover. It lets you set the approximate bandwidth ratio of the links, relative to each other. For example, I have 3Mbit DSL and 10Mbit cable, so I use a weight of 1 for DSL, and 3 for Cable, so for every 4 connections, 3 will use cable.

        The traffic that is being blocked is likely due to it being out of state traffic, which is probably happening due to the asymmetric routing you have going on. Under advanced options, you may want to try checking the option to "bypass firewall rules for traffic on the same interface" which can improve the situation in your case.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • B
          Blind
          last edited by

          @jimp:

          The weight setting is for load balancing, not failover. It lets you set the approximate bandwidth ratio of the links, relative to each other. For example, I have 3Mbit DSL and 10Mbit cable, so I use a weight of 1 for DSL, and 3 for Cable, so for every 4 connections, 3 will use cable.

          The traffic that is being blocked is likely due to it being out of state traffic, which is probably happening due to the asymmetric routing you have going on. Under advanced options, you may want to try checking the option to "bypass firewall rules for traffic on the same interface" which can improve the situation in your case.

          interesting, I've enabled the bypasss fw rules for traffic on same iface, and it seems to have improved the vpn traffic, although I did enable and start playing with the traffic shaping at the same time.

          thank you.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.