Netgate Discussion Forum

    Carp plus multi wan load balance plus outbound nat

    Routing and Multi WAN
    • dougsk

      Currently running on 2.0.2 with a CARP array with a single 10x10Mbps WAN. Adding a 15x2Mbps 2nd WAN link specifically for bulk http(s) download traffic. In the CARP array I have manual outbound NAT; do I just add more manual outbound NAT entries to correspond to the WAN2 VIP? How does the traffic ever match the WAN2 VIP with the WAN1 NAT rule preceding the WAN2 NAT rule? ... or I'm just missing it, which could be true :D

      In the book (Section 11.10.4) Unequal Cost Load Balancing, since I'm 10x10 on WAN1 gateway and 15x2 on WAN2 gateway to load balance appropriately I'd add 2 WAN1 entries and 3 WAN2 entries on the load balance pool and that would get me the expected 40/60 split.

      Is that pretty much it?

      I want to favor WAN1 for the IPsec VPN. Do I need to do something special there, or since phase 1 is on a WAN1 VIP, do I just leave it at that and I'm good to go?

      Although it doesn't look like it, from my image this is all just router on a stick 802.1q vlans for all the different interfaces.

      • jimp (Rebel Alliance Developer, Netgate)

        @dougsk:

        Currently running on 2.0.2 with a CARP array with a single 10x10Mbps WAN. Adding a 15x2Mbps 2nd WAN link specifically for bulk http(s) download traffic. In the CARP array I have manual outbound NAT; do I just add more manual outbound NAT entries to correspond to the WAN2 VIP? How does the traffic ever match the WAN2 VIP with the WAN1 NAT rule preceding the WAN2 NAT rule? ... or I'm just missing it, which could be true :D

        Yes, just add more manual outbound NAT rules that refer to the WAN2 CARP VIP.

        They match because they're on different interfaces. The rules only apply as traffic exits the interface specified on the rule. So they match interface then source, then destination, etc, etc.

        @dougsk:

        In the book (Section 11.10.4) Unequal Cost Load Balancing, since I'm 10x10 on WAN1 gateway and 15x2 on WAN2 gateway to load balance appropriately I'd add 2 WAN1 entries and 3 WAN2 entries on the load balance pool and that would get me the expected 40/60 split.

        That's a bit outdated. On 2.x you use the 'weight' parameter on the gateway to select how they're weighted. You can set one at 2, and one at 3.

        @dougsk:

        I want to favor WAN1 for the IPsec VPN. Do I need to do something special there, or since phase 1 is on a WAN1 VIP, do I just leave it at that and I'm good to go?

        IPsec won't fail over on 2.0.x, it will use whatever interface you have selected. On 2.1 you can specify a failover gateway group for IPsec and it will use whichever WAN you set to prefer in the group.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • dougsk
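The two mechanisms jimp describes above can be seen in a small model: outbound NAT rules are evaluated only against traffic leaving the interface named on the rule (interface first, then source, first match wins), and the 2.x gateway `weight` stands in for repeating pool entries, so weights of 2 and 3 yield a 40/60 split. This is an added illustration written for this edit, not pfSense's own code and not anything posted in the thread; the interface names, the CARP VIP addresses (documentation ranges) and the weighted round-robin pool are constructed assumptions that mirror how the text explains the behaviour.

```python
"""Constructed model of weighted gateway-group selection followed by
per-interface manual outbound NAT, as discussed in the thread above.
Not pfSense code: a teaching model of the described behaviour."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import cycle


@dataclass(frozen=True)
class Gateway:
    name: str        # gateway name (assumed)
    interface: str   # interface the gateway sits on, e.g. "WAN1"
    weight: int      # pfSense 2.x gateway weight (2 and 3 in the thread)


@dataclass(frozen=True)
class NatRule:
    interface: str     # the rule only applies to traffic exiting this interface
    source: str        # source network the rule matches
    translate_to: str  # CARP VIP to translate the source address to


def build_pool(gateways):
    """Expand gateway weights into round-robin slots: weight 2 -> two slots,
    weight 3 -> three slots (the "2 entries and 3 entries" of the old book)."""
    pool = []
    for gw in gateways:
        pool.extend([gw] * gw.weight)
    return pool


def pick_exit_interfaces(gateways, n_flows):
    """Round-robin n_flows over the weighted pool; return the exit interface
    chosen for each flow."""
    rr = cycle(build_pool(gateways))
    return [next(rr).interface for _ in range(n_flows)]


def traffic_share(gateways, n_flows):
    """Fraction of flows each interface receives."""
    counts = Counter(pick_exit_interfaces(gateways, n_flows))
    return {iface: counts[iface] / n_flows for iface in sorted(counts)}


def outbound_nat(rules, exit_interface, src_ip):
    """First-match evaluation: skip every rule whose interface is not the one
    the packet is leaving on, then compare the source network. This is why a
    WAN1 rule listed first never captures traffic that exits via WAN2."""
    for rule in rules:
        if rule.interface != exit_interface:
            continue
        if ip_address(src_ip) in ip_network(rule.source):
            return rule.translate_to
    return None  # no manual rule matched: no translation


# Constructed sample configuration (addresses from RFC 5737 documentation ranges).
GATEWAYS = [Gateway("WAN1_GW", "WAN1", 2), Gateway("WAN2_GW", "WAN2", 3)]
NAT_RULES = [
    NatRule("WAN1", "10.0.0.0/8", "198.51.100.10"),  # WAN1 CARP VIP (constructed)
    NatRule("WAN2", "10.0.0.0/8", "203.0.113.10"),   # WAN2 CARP VIP (constructed)
]

if __name__ == "__main__":
    print(traffic_share(GATEWAYS, 1000))
    for iface in ("WAN1", "WAN2"):
        print(iface, "->", outbound_nat(NAT_RULES, iface, "10.1.2.3"))
```

Running it shows the 0.4/0.6 split for 1000 flows and that the same LAN source is translated to a different CARP VIP depending purely on which interface the policy-routing decision sent it out of.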

          @jimp:

          Yes, just add more manual outbound NAT rules that refer to the WAN2 CARP VIP.

          They match because they're on different interfaces. The rules only apply as traffic exits the interface specified on the rule. So they match interface then source, then destination, etc, etc.

          Light bulb moment!  Thank you!

          • dougsk

            I have a followup.  I've got this setup and it seems to work, hurrah, thanks jimp!

            However, when I change the 0.0.0.0/0 rule to use the gateway group, my VPN tunnels crash and burn. Is this still good advice? I note it's for 1.2. Basically, add the remote networks using the WAN1 gateway explicitly and then use the 0.0.0.0/0 via gateway group after the remote network rules. Does that sound right, or am I going down the wrong path?
