Netgate Discussion Forum

    Multi WAN v2 how to use with Local Services, DNS, NTP, SYSLOG, Squid etc?

      jikjik101

      I am using 2.0.3 PreRelease and I think you can load balance directly with transparent squid even without adding the first 6 LAN rules.
      All you have to do is add the floating rule and the last LAN rule in your HowTo.
      Of course you need to set up squid as stated by your procedures.

      But my network requirement is that I need to use three gateway groups. LoadBalance, FailOver1 and FailOver2. LoadBalance is a fail over already but there are some LAN clients that I want to use FailOver ONLY and use ISP1 as their primary WAN and same with FailOver2.

      LoadBalance = ISP1 (tier1) and ISP2 (tier1)
      FailOver1 = ISP1 (tier1) and ISP2 (tier2)
      FailOver2 = ISP1 (tier2) and ISP2 (tier1)

      Inside my LAN, I have three groups like LAN1, LAN2 and LAN3. LAN1 will use LoadBalance as GW, LAN2 for FailOver1 and LAN3 for FailOver2.

      I created three floating rules for each gateway group.
      Under LAN tab, I assigned the specific gateway group.

      The problem is, whatever the last rule in the Floating tab, it will be followed by the other gateway groups. For example, if the last rule is the LoadBalance, all my LAN groups will use LoadBalance even if I specify them to use FailOver1 or FailOver2.

        communig8

        @jikjik101:

        I am using 2.0.3 PreRelease and I think you can load balance directly with transparent squid even without adding the first 6 LAN rules.
        All you have to do is add the floating rule and the last LAN rule in your HowTo.
        Of course you need to set up squid as stated by your procedures.

        But my network requirement is that I need to use three gateway groups. LoadBalance, FailOver1 and FailOver2. LoadBalance is a fail over already but there are some LAN clients that I want to use FailOver ONLY and use ISP1 as their primary WAN and same with FailOver2.

        LoadBalance = ISP1 (tier1) and ISP2 (tier1)
        FailOver1 = ISP1 (tier1) and ISP2 (tier2)
        FailOver2 = ISP1 (tier2) and ISP2 (tier1)

        Inside my LAN, I have three groups like LAN1, LAN2 and LAN3. LAN1 will use LoadBalance as GW, LAN2 for FailOver1 and LAN3 for FailOver2.

        I created three floating rules for each gateway group.
        Under LAN tab, I assigned the specific gateway group.

        The problem is, whatever the last rule in the Floating tab, it will be followed by the other gateway groups. For example, if the last rule is the LoadBalance, all my LAN groups will use LoadBalance even if I specify them to use FailOver1 or FailOver2.

        jikjik101

        The rules I used in the article were required to support the environment that I described, which was more than just outboard WAN Load Balancing.
        The first 6 rules provide the environment for PINGs for testing, DNS forwarder, NTP, direct (not transparent) squid usage and access to the pfSense GUI.
        All the sort of stuff you need to do in a real implementation.

        It's important to understand that the floating rule is there to balance requests that go via squid.
        The source IP of HTTP requests, when using the configuration I documented, will be 127.0.0.1
        regardless of the LAN interface they originated from. Because of this you cannot build rules that handle
        traffic from different LAN interfaces in different ways with squid intercepting the requests.

        If, however, you do not use squid and allow the LAN requests to flow directly through pfSense, you can
        add rules for each LAN interface that balance or failover as required.

        Richard

        Signatures are a sign of having signatures.
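
Added example, not part of the original post or the linked article: a small Python model of the point made above, that once squid intercepts HTTP the routing decision is made on squid's source address rather than the client's. The subnets, the `Rule` class and the function names are assumptions made for illustration, as is treating the three floating rules as non-quick (last match wins), which matches the behaviour jikjik101 reports.

```python
"""Added example: toy model of gateway selection with and without squid interception."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed subnets: the thread names LAN1..LAN3 but gives no addressing.
LAN_RULES_SPEC = {
    "192.168.1.0/24": "LoadBalance",  # LAN1
    "192.168.2.0/24": "FailOver1",    # LAN2
    "192.168.3.0/24": "FailOver2",    # LAN3
}
SQUID_SRC = "127.0.0.1"  # source of squid's outbound requests, per the post above


@dataclass(frozen=True)
class Rule:
    src: str        # source network the rule matches
    gateway: str    # gateway group applied on match
    quick: bool     # True: first match wins; False: a later match overrides


def select_gateway(src_ip, rules):
    """pf-style evaluation: a quick match ends the search, otherwise last match wins."""
    chosen = None
    for rule in rules:
        if ip_address(src_ip) in ip_network(rule.src):
            if rule.quick:
                return rule.gateway
            chosen = rule.gateway
    return chosen


def outbound_gateway(client_ip, intercepted, floating_order):
    """Gateway group used for an HTTP request from client_ip."""
    if intercepted:
        # Squid terminates the client connection and opens its own; the policy
        # routing decision is made on squid's source address, not the client's.
        floating = [Rule(SQUID_SRC + "/32", gw, quick=False) for gw in floating_order]
        return select_gateway(SQUID_SRC, floating)
    lan_rules = [Rule(net, gw, quick=True) for net, gw in LAN_RULES_SPEC.items()]
    return select_gateway(client_ip, lan_rules)


if __name__ == "__main__":
    order = ["FailOver1", "FailOver2", "LoadBalance"]  # LoadBalance listed last
    for ip in ("192.168.1.10", "192.168.2.10", "192.168.3.10"):
        print(ip, outbound_gateway(ip, False, order), outbound_gateway(ip, True, order))
```

With interception off, each constructed client address gets its own gateway group; with interception on, all three get whichever floating rule is listed last.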

          jikjik101

          Hi Richard,

          I understand you put the 6 rules because that is the requirement of your network, but unlike mine, I am more "flexible": http://forum.pfsense.org/index.php/topic,57606.msg316361.html#msg316361

          Can we skip the first 6 rules, because I am more interested in the Multiwan Squid?

          If you can see in my floating rule, HTTP for LoadBalance is at the bottom. No matter what gateway group I assign in my LAN, they will still use the LoadBalance gateway and this puzzles me.

          If you want more details, I can give it to you. You don't know how desperate I am to run MultiWan Squid. ;D

            communig8

            It looks like you may not have fully read my last post.

              jikjik101

              @communig8:

              It looks like you may not have fully read my last post.

              I read but I don't quite understand ;D

              @communig8:

              It's important to understand that the floating rule is there to balance requests that go via squid.
              The source IP of HTTP requests, when using the configuration I documented, will be 127.0.0.1
              regardless of the LAN interface they originated from. Because of this you cannot build rules that handle
              traffic from different LAN interfaces in different ways with squid intercepting the requests.

              As I said, I need three different gateway groups for my network, not just LoadBalance or FailOver but LoadBalance, FailOver1 and FailOver2.
              I tried your HowTo and it works for one gateway group only. Have you tried adding only the floating rule and the tcp_outgoing_address on squid? I believe it will yield the same results as your HowTo.

              @jikjik101:

              it didn't work for me.  ???

              I will change this to: even if there is no special setup, all you have to do is add a floating rule, assign it to a gateway group, add the tcp_outgoing_address on squid, then squid will use that floating rule. This is for HTTP traffic only.

                communig8

                As I said "You cannot build rules that handle traffic from different LAN interfaces in different ways with squid intercepting the requests."

                  jikjik101

                  How about from a single LAN interface? Still cannot?

                    communig8

                    Any traffic handled by squid is handled by squid wherever it comes from.
                    So you cannot build rules that handle different parts of the address range on the LAN
                    for the same reason as you cannot do it for different interfaces.

                      jikjik101

                      That quite explains it. Thanks and cheers ;)

                      I wish I had a simple setup like yours.

                      How about this sir?
                      @jikjik101:

                      Have you tried adding only the floating rule and the tcp_outgoing_address 127.0.0.1 on squid? I believe it will yield the same results as your HowTo.

                      If on your LAN it is allow all with multiwan gateway, I think the result is the same, right?

                        communig8

                        @jikjik101:

                        If on your LAN it is allow all with multiwan gateway, I think the result is the same, right?

                        I'm sorry I don't understand what you mean??

                          jikjik101

                          I mean in your LAN rules, instead of having 7 rules, you can just add a single rule allowing from any to any using the multiwan gateway.
                          Or do you specifically assign DNS, ping, etc. to use your default gateway?

                            communig8

                            I suggest you read the article.

                              jikjik101

                              I read your article and it is quite amusing to read, and congratulations on that.
                              But no offense sir, I can't understand why you need the first 6 rules in your LAN?

                              I am not here to argue, I just want to learn from you. ;D
                              You are familiar with this stuff, and I am just starting to learn.
                              So I just want to know why you did this, why you didn't do that?
                              Moving forward, thanks for your time and patience sir. ;)
                              I will ask no more.

                                communig8

                                I really can't explain it better than I already have done in the article.
                                Unless you have any specific questions.

                                  cpy61

                                  Congratulations on the documentation, I'll try it myself, will see if it works :)

                                  "If the facts don't fit the theory, change the facts" - Albert Einstein

                                    Nachtfalke

                                    @communig8

                                    I read your article just because I was interested in it and you faced some problems with NTP and RADIUS.

                                    Perhaps this is something which could help you in your situation:
                                    http://forum.pfsense.org/index.php/topic,60925.0.html

                                      communig8

                                      @Nachtfalke:

                                      @communig8

                                      I read your article just because I was interested in it and you faced some problems with NTP and RADIUS.

                                      Perhaps this is something which could help you in your situation:
                                      http://forum.pfsense.org/index.php/topic,60925.0.html

                                      @Nachtfalke what was it about that thread that you thought would help?
                                      Richard

                                        Nachtfalke

                                        @communig8:

                                        @Nachtfalke:

                                        @communig8

                                        I read your article just because I was interested in it and you faced some problems with NTP and RADIUS.

                                        Perhaps this is something which could help you in your situation:
                                        http://forum.pfsense.org/index.php/topic,60925.0.html

                                        @Nachtfalke what was it about that thread that you thought would help?
                                        Richard

                                        You wrote something about RADIUS accounting only going through the default gateway.
                                        When you intercept the RADIUS accounting port with NAT rules and then define an Outbound NAT rule which uses different outgoing addresses, could this solve your issue?

                                          communig8

                                          No, they are different things really.

                                            communig8

                                            I've added a small update to my original article concerning squid/squidguard.

                                            http://www.communig8.com/articles/64-open-source/146-pfsense-multi-wan-update
