Netgate Discussion Forum
    PfSense 2.1 Floating rules for Multi Wan doesn't work.

    Routing and Multi WAN
    86 Posts 35 Posters 50.0k Views
      miami71it

      Sorry, I don't understand. I'll try posting what I've done:

      alias: host(s), and then below it I added www.speedtest.net
      rules: Pass - LAN - ICMP - any - 192.168.0.15 - speedtest.net - GTWOPT1

      I've also put the rule in various positions, but it doesn't work: if I go to speedtest it shows me the WAN IP and not OPT1's. It works if I turn off the WAN: then it fails over, and only in that case does it go out via OPT1.

      But my question was: besides creating the rule under Rules, do I have to do something under Outbound NAT etc.?

        doktornotor

        Uh, English please!

          hyrol

          I have been using another method, "Use sticky connections", but it is not the load balancing I want; it is just for temporary use.

          ![Use sticky connections.png](/public/imported_attachments/1/Use sticky connections.png)

            technical

            I'm stuck on that problem in 2.1.

            squid (WPAD configured): load balancing not working.

            Necati Selim GÜNER
            IT Technician

              gautham1435

              Hi..

              I've done extensive tests on pfSense 2.1 with multiwan load balancing, squid and squidguard. I've followed the same configuration which was working on pfSense 2.0.3 (with floating rules, manual NAT, tcp_outgoing_traffic 127.0.0.1 custom option, etc.,).

              But now in 2.1 load balancing is not working with squid, it only uses the default gateway.
              Failover is working with squid.

              Load balancing and failover mutiwan works perfectly fine without squid.

              Is there any specific configuration required to make squid use the load balancing feature in version 2.1?

              Please help!!

                fisi91

                I've got the same problem with squid and multi-WAN since upgrading to 2.1…
                Only WAN (1), the default WAN, is used by squid, not WAN2 + WAN3 in the gateway group on the same Tier 1.

                  klazoid

                  I didn't have a two-WAN setup prior to 2.1.
                  Now I have two WAN and I tried to setup one using the pdf from Dimitri S.
                  Like others already mentioned, only the default gateway is used.
                  From the moment I define floating rules (the solution in 2.x), all hell breaks loose and connections time out.
                  Without floating rules, default gateway is used.

                  WAN 1 = DHCP
                  WAN 2 = local ip of ISP router as gateway with FULL NAT to pfSense

                  Squid isn't transparent and listens on port 8080.

                  I'm now even in a situation where my https filter got broken :(
                  Blame me for not taking a snapshot prior to this change.

                  This guy is having the same problems: http://forum.pfsense.org/index.php/topic,67215.0.html

                  On top of this, I noticed that when running squid (2.7 and 3), the multi-wan environment seems to not work. Even after trying the well written guides on the forum. As an example, without squid, I can get speedtest results that reflect wan1 + wan2 + wan3. With squid enabled, I just get a speedtest result of wan1 (the default gateway). And if wan1 is switched off, internet access dies with it.

                  Is there someone with a working loadbalance setup on 2.1?

                    klazoid

                    I did a totally clean setup last Saturday when I left the office. When I came back on Monday, I saw +5GB traffic on the traffic summary of both interfaces. I opened the traffic graphs and saw traffic on both interfaces. Not sure why it suddenly worked. No floating rules, no custom options on squid, default allow -> gateway, sticky connections and switch gateway is on.

                      gautham1435

                      Hi klazoid,

                      I think some other service/application/browser must have used the bandwidth without proxy..

                        ruggero

                        I think I have a solution:
                        instead of squid, use squid3-dev.

                        In custom options:
                        "
                        acl venticinque random 1/4
                        acl settantacinquediv2 random 0.5

                        tcp_outgoing_address 192.168.4.1 venticinque
                        tcp_outgoing_address 192.168.3.1 settantacinquediv2
                        tcp_outgoing_address 192.168.2.1
                        "

                        I have three WANs with different speeds, so I try to balance the throughput with different weights.

                          gautham1435

                          Hi Ruggero,

                          Can you write this in clear steps..

                          Thanks in advance..

                            ruggero

                            First install squid3-dev from the available packages.

                            This way you can use the configuration directive acl random.
                            From the squid docs, changes in 3.2, acl: random

                            New type random. Pseudo-randomly match requests based on a configured probability.

                            Now you can do all the configuration you need for multi-WAN in Custom options - Custom settings of the proxy server.

                            In my situation (3 WANs):

                            "
                            acl venticinque random 1/4
                            acl settantacinquediv2 random 0.5

                            tcp_outgoing_address 192.168.4.254 venticinque
                            tcp_outgoing_address 192.168.3.254 settantacinquediv2
                            tcp_outgoing_address 192.168.2.254
                            "

                            192.168.4.254 = IPv4 address of WAN 1
                            192.168.3.254 = IPv4 address of WAN 2
                            192.168.2.254 = IPv4 address of WAN 3

                            random 1/4 = 25 % = WAN1 gets 25 % of traffic
                            random 0.5 = (100-25)/2 = WAN2 gets 37.5 % of traffic
                            else = WAN3 gets 37.5 % of traffic

                            I do this because my 3 WANs are not equal.

                            In case of 2 WANs:

                            "
                            acl cinquanta random 0.5

                            tcp_outgoing_address 192.168.4.254 cinquanta
                            tcp_outgoing_address 192.168.2.254
                            "

                            You do not need an extra firewall rule (floating rule).
                            It also bypasses gateway groups.

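ruggero's weighted scheme works because Squid evaluates tcp_outgoing_address lines top to bottom and stops at the first whose ACL matches, so the probability on each `random` ACL is conditional on the lines above it not having matched. The following is an added example (not from this thread, pfSense or Squid) that computes the effective per-WAN split for a chain of random ACLs, derives the probabilities needed for a desired split, and emits the Custom Options block; the WAN addresses are the placeholders from the post. One caveat a random ACL cannot address: it has no gateway health information, so a WAN that is down keeps receiving its share of requests.

```python
"""Per-WAN split produced by a chain of Squid `random` ACLs, and the inverse.

Added example, not from the forum thread or from pfSense/Squid. Squid takes
the first tcp_outgoing_address line whose ACL matches; a `random p` ACL
matches each request independently with probability p, so line i only sees
the requests that lines 1..i-1 did not take. The last line carries no ACL
and receives the remainder.
"""
from fractions import Fraction
from typing import List, Sequence, Union

Number = Union[int, float, str, Fraction]


def _frac(x: Number) -> Fraction:
    """Exact rational from 0.25, "1/4", Fraction(1, 4), etc. Floats are
    snapped to a small denominator so 0.3 becomes 3/10, not a binary approx."""
    return Fraction(x).limit_denominator(10000) if isinstance(x, float) else Fraction(x)


def effective_split(probs: Sequence[Number]) -> List[Fraction]:
    """Share of requests each tcp_outgoing_address line receives, given the
    random-ACL probability of every line except the last (unconditional) one."""
    remaining = Fraction(1)
    shares: List[Fraction] = []
    for p in map(_frac, probs):
        if not 0 <= p <= 1:
            raise ValueError(f"probability out of range: {p}")
        taken = remaining * p          # only the not-yet-matched requests see this line
        shares.append(taken)
        remaining -= taken
    shares.append(remaining)           # last line: no ACL, takes whatever is left
    return shares


def acl_probabilities(weights: Sequence[Number]) -> List[Fraction]:
    """Inverse of effective_split: desired relative weights per WAN (in line
    order) -> the random probability to configure on each ACL'd line.
    Line i must match weight_i / (weight not yet assigned when line i runs)."""
    ws = [_frac(w) for w in weights]
    if len(ws) < 2 or any(w < 0 for w in ws) or sum(ws) == 0:
        raise ValueError("need at least two non-negative weights, not all zero")
    probs: List[Fraction] = []
    remaining = sum(ws)
    for w in ws[:-1]:
        probs.append(w / remaining if remaining else Fraction(0))
        remaining -= w
    return probs


def squid_custom_options(wan_ips: Sequence[str], weights: Sequence[Number]) -> str:
    """Emit the Custom Options block: one `acl ... random n/d` per ACL'd line,
    then the tcp_outgoing_address lines in evaluation order. ACL names are
    generated here (wan1_share, ...) and are not from the post."""
    if len(wan_ips) != len(weights):
        raise ValueError("one weight per WAN address")
    probs = acl_probabilities(weights)
    acl_lines = [f"acl wan{i}_share random {p.numerator}/{p.denominator}"
                 for i, p in enumerate(probs, start=1)]
    out_lines = [f"tcp_outgoing_address {ip} wan{i}_share"
                 for i, ip in enumerate(wan_ips[:-1], start=1)]
    out_lines.append(f"tcp_outgoing_address {wan_ips[-1]}")
    return "\n".join(acl_lines + [""] + out_lines)


if __name__ == "__main__":
    # ruggero's 3-WAN chain: 1/4 then 0.5 -> 25 % / 37.5 % / 37.5 %
    print([f"{float(s) * 100:.1f} %" for s in effective_split(["1/4", 0.5])])
    # a 50/30/20 split across the three addresses from the post
    print(squid_custom_options(["192.168.4.254", "192.168.3.254", "192.168.2.254"], [5, 3, 2]))
```

Weights are relative, so `[5, 3, 2]` and `[50, 30, 20]` yield the same ACL probabilities (1/2 on the first line, 3/5 on the second). The emitted block is meant to be pasted into the squid3-dev Custom Options field exactly as ruggero describes, with the pfSense WAN interface addresses (not the ISP gateway addresses) on the tcp_outgoing_address lines.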
                              hyrol

                              Squid3 is not stable; I tried installing it and checked in Services, but the service always stops. What about when I have PPPoE multi-WAN with dynamic IPs? Can you post a screen capture of Custom options?

                                ruggero

                                squid3 needs a lib update.
                                Check the squid 3.3.4 package for pfSense with SSL filtering.

                                  technical

                                  So I understand, but some people use the WAN interface in bridge mode (PPPoE).
                                  What can bridge (PPPoE) users do?
                                  And some people have dynamic WAN IP addresses.

                                  @ruggero: (quoted the squid3-dev / acl random instructions from the post above)

                                    ataru75

                                    Hi, here it doesn't work: with "acl random" it always goes out via WAN1.
                                    I have version 2.1 and the pfSense squid 3.3.8-dev package 2.2.

                                    Here are my custom options:

                                    acl fifty random 0.5 (I also tried 1/2 instead of 0.5)
                                    tcp_outgoing_address 192.168.100.2 fifty (not the gateway IP, the pfSense WAN1 IP)
                                    tcp_outgoing_address 192.168.2.3 (not the gateway IP, the pfSense WAN2 IP)

                                    Here browsing continues to go out only via WAN1, while if I disable the transparent proxy, balancing works well.
                                    Does it work for you?
                                    How did you set the "outbound NAT", automatic or manual?
                                    Thanks
                                    Bye

                                    --------------------------------------------------------------------------------------
                                    Correction: with "Automatic outbound NAT rule generation" everything works.

                                    Thank you, Regards

                                      Reiner030

                                      Hi,

                                      Nice idea with the different tcp_outgoing_address entries…
                                      I also found a site yesterday which shows this option (before I found this thread ^^):
                                      http://linuxaria.com/pills/setup-squid-to-use-multiple-outgoing-ip-addresses

                                      This thread seems to be the only one (with "content") that mentions that there is a bug in pfSense 2.1 with floating rules.
                                      Because it is the right topic, I add my information here, too.

                                      Since the update from 2.0.1 to 2.1.0 we also have the problem in a remote office that only our default WAN interface is reachable from outside... :( Here is my test from last night; there we are using the 1st WAN with PPPoE and the 2nd WAN with a local modem-router.

                                      Here is one test each to http://ident.me :

                                      21:48:14.600710 IP 177.103.xxx.xxx.51527 > 176.58.123.25.32362: Flags [S], seq 1591963423, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1064842937 ecr 0], length 0
                                      21:48:17.599925 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [S], seq 1591963423, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1064845937 ecr 0], length 0
                                      21:48:20.799857 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [S], seq 1591963423, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1064849137 ecr 0], length 0
                                      21:48:23.999792 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [S], seq 1591963423, win 65228, options [mss 1452,sackOK,eol], length 0
                                      21:48:27.199723 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [S], seq 1591963423, win 65228, options [mss 1452,sackOK,eol], length 0
                                      21:48:30.399660 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [S], seq 1591963423, win 65228, options [mss 1452,sackOK,eol], length 0

                                      21:51:46.841211 IP 192.168.0.2.1286 > 176.58.123.25.24577: Flags [S], seq 187921402, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1065055182 ecr 0], length 0
                                      21:51:49.840521 IP 177.103.xxx.xxx.23922 > 176.58.123.25.80: Flags [S], seq 187921402, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1065058182 ecr 0], length 0
                                      21:51:53.040452 IP 177.103.xxx.xxx.23922 > 176.58.123.25.80: Flags [S], seq 187921402, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1065061382 ecr 0], length 0
                                      21:51:56.240386 IP 177.103.xxx.xxx.23922 > 176.58.123.25.80: Flags [S], seq 187921402, win 65228, options [mss 1452,sackOK,eol], length 0
                                      21:51:59.440321 IP 177.103.xxx.xxx.23922 > 176.58.123.25.80: Flags [S], seq 187921402, win 65228, options [mss 1452,sackOK,eol], length 0

                                      Interesting part: the 1st line connects over the backup WAN interface with the right IP but to the wrong destination port... and every retransmitted SYN goes to the right destination port but over the wrong, main WAN interface?

                                      I was thinking about testing today whether there is a difference between localhost and the LAN interface by accessing the remote PBX, but I forgot to deactivate the floating rules, so the employees had tested it before I had time for it ^^.

                                      Using normal rules works nicely, so it must be a floating rule bug...
                                      => Is it perhaps possible to fix it easily with a "remote github" patch?

                                      At first I was not sure whether it's really a floating rule bug because
                                      - incoming connections to the firewall on the slave WAN interface are unusable since the update, too.
                                        If you have the same problems, here is the solution:
                                        => I fixed it with NATting:
                                        - WAN1:22  => localhost:22,
                                        - WAN1:443 => localhost:443,
                                        - WAN2:22  => localhost:22 and
                                        - WAN2:443 => localhost:443.
                                      - The DynDNS service can't be updated anymore, either...
                                        But the service should be bound to the 2nd WAN interface directly?

                                      Bests
                                      
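The capture above can be checked mechanically rather than by eye: a SYN that is retried with the same initial sequence number is one connection attempt, so if the source address changes between retries, the route-to decision for that flow is not sticking to one gateway. The following is an added example (not from the post or from pfSense) that parses tcpdump text lines, groups SYNs by destination and sequence number, and reports groups whose source address or destination port changes across retries. The sample lines are copied from the post above with the poster's xxx redaction kept; pass the output of `tcpdump -nn` on the firewall to run it on your own capture.

```python
"""Find TCP SYN retries whose source address or destination port flips.

Added example, not from the post or from pfSense. Works on tcpdump's text
output (`tcpdump -nn -i <if> 'tcp[tcpflags] & tcp-syn != 0'`); only SYN lines
are considered, everything else is ignored.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# tcpdump prints `Flags [S]` for a bare SYN; IGNORECASE also accepts the
# lowercased `[s]` that the forum copy of the capture shows.
SYN_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[S\], seq (?P<seq>\d+)",
    re.IGNORECASE,
)

# Lines from the post above (first three of each test), xxx redaction kept.
SAMPLE_CAPTURE = """\
21:48:14.600710 IP 177.103.xxx.xxx.51527 > 176.58.123.25.32362: Flags [S], seq 1591963423, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1064842937 ecr 0], length 0
21:48:17.599925 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [S], seq 1591963423, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1064845937 ecr 0], length 0
21:48:20.799857 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [S], seq 1591963423, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1064849137 ecr 0], length 0
21:51:46.841211 IP 192.168.0.2.1286 > 176.58.123.25.24577: Flags [S], seq 187921402, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1065055182 ecr 0], length 0
21:51:49.840521 IP 177.103.xxx.xxx.23922 > 176.58.123.25.80: Flags [S], seq 187921402, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1065058182 ecr 0], length 0
"""


def parse_syns(text: str) -> List[dict]:
    """Extract timestamp, endpoints and ISN from every SYN line in the text."""
    syns = []
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"], d["seq"] = int(d["sport"]), int(d["dport"]), int(d["seq"])
            syns.append(d)
    return syns


def find_flapping_syns(text: str) -> List[dict]:
    """Group SYNs by (destination host, ISN); a group with more than one
    packet is a retried connection attempt. Report it when the source address
    or the destination port differs between the retries."""
    groups: Dict[Tuple[str, int], List[dict]] = defaultdict(list)
    for s in parse_syns(text):
        groups[(s["dst"], s["seq"])].append(s)
    findings = []
    for (dst, seq), pkts in groups.items():
        if len(pkts) < 2:
            continue
        sources = [p["src"] for p in pkts]      # in capture order
        dports = [p["dport"] for p in pkts]
        if len(set(sources)) > 1 or len(set(dports)) > 1:
            findings.append({
                "dst": dst, "seq": seq, "retries": len(pkts),
                "source_path": sources, "dport_path": dports,
                "first_ts": pkts[0]["ts"], "last_ts": pkts[-1]["ts"],
            })
    return sorted(findings, key=lambda f: f["first_ts"])


if __name__ == "__main__":
    for f in find_flapping_syns(SAMPLE_CAPTURE):
        print(f"seq {f['seq']} -> {f['dst']}: {f['retries']} SYNs, "
              f"src {' -> '.join(f['source_path'])}, dport {f['dport_path']}")
```

On the sample both attempts are reported: the first SYN of each leaves with one source address and an odd destination port, every retry leaves with the other source address toward port 80. Seeing the same ISN with two different source addresses is the signature to look for when deciding whether it is the policy-routing rule or the outbound NAT that is not applied consistently.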
                                        Reiner030

                                        Hmm… additional strange behavior... I ran it manually and later re-checked in the web GUI.
                                        The dynamic DNS entry is registered to use WAN2... but got the IP from WAN1 and switched to the wrong IP here:

                                        Dec 3 14:55:58	php: rc.dyndns.update: phpDynDNS (xxx.no-ip.org): (Success) DNS hostname update successful.
                                        Dec 3 14:55:58	php: rc.dyndns.update: phpDynDNS: updating cache file /conf/dyndns_wannoip'xxx.no-ip.org'0.cache: 177.103.xxx.xxx
                                        Dec 3 14:55:57	php: rc.dyndns.update: DynDns (xxx.no-ip.org): 177.103.xxx.xxx extracted from checkip.dyndns.org
                                        Dec 3 14:55:57	php: rc.dyndns.update: DynDNS (xxx.no-ip.org): Current Service: noip
                                        Dec 3 14:55:57	php: rc.dyndns.update: DynDNS (xxx.no-ip.org): DynDns _checkStatus() starting.
                                        Dec 3 14:55:56	php: rc.dyndns.update: DynDNS (xxx.no-ip.org): DynDns _update() starting.
                                        Dec 3 14:55:56	php: rc.dyndns.update: DynDns (xxx.no-ip.org): DynDns: cacheIP != wan_ip. Updating. Cached IP: 201.83.xxx.xxx WAN IP: 177.103.xxx.xxx
                                        Dec 3 14:55:56	php: rc.dyndns.update: DynDns (xxx.no-ip.org): Current WAN IP: 177.103.xxx.xxx Cached IP: 201.83.xxx.xxx
                                        Dec 3 14:55:56	php: rc.dyndns.update: DynDns (xxx.no-ip.org): 177.103.xxx.xxx extracted from checkip.dyndns.org
                                        Dec 3 14:55:53	php: rc.dyndns.update: DynDNS (xxx.no-ip.org): running get_failover_interface for wan. found re0
                                        Dec 3 14:55:53	php: rc.dyndns.update: DynDns (xxx.no-ip.org): 177.103.xxx.xxx extracted from checkip.dyndns.org
                                        Dec 3 14:55:53	php: rc.dyndns.update: DynDns: updatedns() starting
                                        

                                        Perhaps better for a new thread:
                                        Why is checkip.dyndns.org used for other dyndns services?
                                        It would be nice if the checking service could be made selectable.

                                        I knew it is / was a nice service. But since yesterday I don't think so anymore…
                                        I used them for my SQuiD load balancing tests... and got 127.0.0.1 back :D

                                        Also DynDNS won't check IPv6 addresses because they say in their support forum it would always stay the same IP.
                                        OK, this should normally be the case (especially for firewalls), but it would be a nice service to get them in the response as well, for re-checking settings.

                                        http://ident.me offers the IPv6/IPv4 address and showed me yesterday 127.0.0.1 and the right local IP address in the answer page.
                                        http://v4.ident.me only IPv4
                                        http://v6.ident.me only IPv6

                                          Reiner030

                                          Hi,

                                          on normal usage a very nice option ;)

                                          @ruggero: (quoted the acl random / tcp_outgoing_address configuration from the post above)

                                          I just tested it with this additional ACL regex (perhaps needs some improvements), so we can let YouTube videos through on the good line and block them on the not-so-good backup line:

                                          acl youtube urlpath_regex http://www.youtube.com/watch\?v=.*
                                          acl wan2 random 1/2

                                          tcp_outgoing_address <WAN1 IP> youtube
                                          tcp_outgoing_address <WAN2 IP> wan2
                                          tcp_outgoing_address <WAN1 IP>

                                          Pity there is a problem if one of the lines is down… then every x-th request times out... :(

                                          Is it perhaps possible to let SQuiD know, via local files/checks, which lines are up?

                                          Not very RAM-friendly, but a solution would be to run one SQuiD instance per WAN interface and, in front of them, a main SQuiD with these SQuiDs as parents... then it can auto-select/fall back, as it is allowed to ask them by rule.

                                            Reiner030

                                            @Reiner030: (quoted the YouTube ACL configuration from the post above)

                                            Ah, squid3-dev matches urlpath_regex irregularly in transparent mode; the correct one is url_regex.
                                            And I added further sniffed URLs, also for HTML5 blocking (perhaps too many, but better than too few ;)):

                                            acl Youtube_Streams url_regex (youtube.com|youtube.be|m.ytimg.com|s.ytimg.com|s2.ytimg.com|s3.ytimg.com|googlevideo.com)/(.*\.(flv|swf)|player204|stream_204|watchtime|generate_204|videoplayback)

                                            tcp_outgoing_address <WAN2 IP> Youtube_Streams

                                            Currently my "live" test pfSense goes out only on WAN1 even though I set tcp_outgoing_address to the WAN2 IP ???
                                            So I can't test it correctly, but I guess it can be made shorter like this with a regex:

                                            acl Youtube_Streams url_regex (youtube.com|youtube.be|m.ytimg.com|s\d*.ytimg.com|i\d*.ytimg.com|googlevideo.com)/(.*\.(flv|swf)|(player|stream_|generate_)204|watchtime|videoplayback)
                                            
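The urlpath_regex versus url_regex difference Reiner030 ran into can be checked offline before touching the proxy. The following is an added example (not from the posts or from Squid) that applies the two patterns from the posts to constructed URLs the way Squid's two ACL types do: url_regex is searched over the whole request URL, urlpath_regex only over the path and query, which never contains the scheme or host. It also shows a caveat of the unanchored, dot-unescaped pattern: any URL whose path merely contains `googlevideo.com/videoplayback` matches, so a page on an attacker-controlled host can steer its requests out of the WAN chosen for video streams. The sample URLs are constructed for the example.

```python
"""Which string does a Squid regex ACL actually test?

Added example, not from the posts or from Squid. url_regex runs an
unanchored search over the full URL; urlpath_regex runs it over the path
(and query) only, so a pattern that starts with "http://www.youtube.com/"
can never match as urlpath_regex.
"""
import re
from typing import Dict, Iterable
from urllib.parse import urlsplit

# Patterns exactly as written in the posts above
WATCH_PATTERN = r"http://www.youtube.com/watch\?v=.*"
STREAMS_PATTERN = (
    r"(youtube.com|youtube.be|m.ytimg.com|s\d*.ytimg.com|i\d*.ytimg.com|googlevideo.com)"
    r"/(.*\.(flv|swf)|(player|stream_|generate_)204|watchtime|videoplayback)"
)

# Constructed sample requests, not real traffic
SAMPLE_URLS = [
    "http://www.youtube.com/watch?v=abc123",
    "http://www.youtube.com/feed/subscriptions",
    "http://s.ytimg.com/yts/swfbin/player.swf",
    "http://r3---sn-example.googlevideo.com/videoplayback?id=1",
    "http://attacker.example/googlevideo.com/videoplayback",   # path spoof
]


def url_regex_match(pattern: str, url: str) -> bool:
    """Squid url_regex: unanchored, case-sensitive search over the whole URL."""
    return re.search(pattern, url) is not None


def urlpath_regex_match(pattern: str, url: str) -> bool:
    """Squid urlpath_regex: the same search, but over the path plus query
    only; scheme and host are not part of the tested string."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return re.search(pattern, path) is not None


def classify(pattern: str, urls: Iterable[str]) -> Dict[str, Dict[str, bool]]:
    """Map each URL to the verdict of both ACL types for one pattern."""
    return {
        u: {"url_regex": url_regex_match(pattern, u),
            "urlpath_regex": urlpath_regex_match(pattern, u)}
        for u in urls
    }


if __name__ == "__main__":
    for name, pat in (("watch", WATCH_PATTERN), ("streams", STREAMS_PATTERN)):
        print(f"== {name} pattern")
        for u, v in classify(pat, SAMPLE_URLS).items():
            print(f"  url_regex={v['url_regex']!s:5} urlpath_regex={v['urlpath_regex']!s:5} {u}")
```

Running it shows the watch pattern matching the watch URL only as url_regex, the streams pattern matching the swf and videoplayback URLs only as url_regex, and the attacker.example URL matching as well. Tightening the pattern to anchor on the host and escape the dots (for instance `^https?://([^/]+\.)?googlevideo\.com/videoplayback`) removes that last match; the regex helper here is the same `re.search`, so the hardened pattern can be tested the same way before it goes into Custom Options.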
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.