Monitor IP for multi-wan config in pfsense 2.0

Nachtfalke · Dec 24, 2011, 3:57 PM

As far as I understand the problematic is only, that if you are using LoadBalancing known as Multi-WAN.

So if WAN1 hast monitor IP 8.8.8.8
and
WAN2 has monitor IP 8.8.4.4

Than als traffic from clients to 8.8.8.8 will go through WAN1 and will not be load balanced.

But I am using Multi-WAN and I am using googles DNS server 8.8.8.8 als monitor IP and my clients do not have any connection problems.
So you can choose any IP you want as long as this IP responses to ICMP packets.

kevindd992002 · Dec 24, 2011, 4:09 PM

Ok. Well I also use multi-wan, two modems with the same ISP. One is behind a NAT (router) to not conflict with the other one that is directly connected to the pfsense box. WAN1 (the one directly connected) has monitor IP = gateway IP and WAN2 has monitor IP of ISP primary DNS server. In this way, WAN1 will never receive packets from the ISP primart DNS server?

kevindd992002 · Dec 26, 2011, 8:25 AM

Bump!

Nachtfalke · Dec 26, 2011, 11:33 AM

http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing

Selecting a Monitor IP address

pfSense monitor's each WAN connection by pinging the monitor address you specify. If the ping fails, the link is marked down and the appropriate filover configuration is used (actually if the ping fails it retries a few times to be sure, this avoids false indications of the connection going down).

Note that pfSense automatically sets up to route traffic to your monitor IP only down the link it is monitoring, so don't use a popular web site as this will force all its traffic down 1 link. Better to use a router or server in your ISP's network.

Good addresses to use are the default gateway your modem has assigned (if it responds to ping!), your ISP's DNS server, webmail server, or a router within your ISP's network - you can find one of these by using traceroute to a public service, be careful though, larger ISPs will have networks that dynamically adapt so a router you see now may not be there an hour later!

kevindd992002 · Dec 26, 2011, 1:18 PM

Well, that is the manual for the older version of pfsense. That's exactly the one I was referring to. But does it apply to pfsense 2.0.1 as well?

Nachtfalke · Dec 26, 2011, 2:46 PM

I don't know is this is still present in 2.x but it just says that if an IP is the monitor IP of WAN1 all clients which want to reach the same IP as the monitor IP will always use WAN1.
For this destination IP there will NOT be any LoadBalancing. Thats all.

Perhaps I just do not understand what you want to know ;-)

cmb · Jan 3, 2012, 2:50 AM

@Nachtfalke:

I don't know is this is still present in 2.x but it just says that if an IP is the monitor IP of WAN1 all clients which want to reach the same IP as the monitor IP will always use WAN1.
For this destination IP there will NOT be any LoadBalancing. Thats all.

That's not true as long as you're policy routing traffic from those hosts, which is what you're doing in the case of load balancing.

kevindd992002 · Jan 3, 2012, 9:47 AM

@cmb:

@Nachtfalke:

I don't know is this is still present in 2.x but it just says that if an IP is the monitor IP of WAN1 all clients which want to reach the same IP as the monitor IP will always use WAN1.
For this destination IP there will NOT be any LoadBalancing. Thats all.

That's not true as long as you're policy routing traffic from those hosts, which is what you're doing in the case of load balancing.

Do you mean that it doesn't matter what monitor IP I use since all of them will be load balanced between my two modems anyway?

cmb · Jan 3, 2012, 11:46 PM

@kevindd992002:

Do you mean that it doesn't matter what monitor IP I use since all of them will be load balanced between my two modems anyway?

No, I'm talking about traffic that gets policy routed, which won't be the case for traffic initiated by the firewall (unless you're getting deep into floating rules, which does give you the flexibility to break your monitor IPs).

kevindd992002 · Jan 4, 2012, 7:08 AM

@cmb:

@kevindd992002:

Do you mean that it doesn't matter what monitor IP I use since all of them will be load balanced between my two modems anyway?

No, I'm talking about traffic that gets policy routed, which won't be the case for traffic initiated by the firewall (unless you're getting deep into floating rules, which does give you the flexibility to break your monitor IPs).

Ok. And a pinging a monitor IP is traffic initiated by the firewall? So any IP I use, it doesn't matter because it will come back still load balanced?