How to Multi-WAN setup as Loadbalancing and route all traffic over VPN-Provider like mullvad?
-
@DaddyGo
Hi
Thank you very much! I did as you told me and managed to get everything running as desired. But:
I had already set my gateway group (multi-WAN load balanced) as the gateway for all my configured VPN client(s) before.
So I first updated pfSense (I am at 2.50 dev) to the latest as of yesterday. But no changes.
-
After that I saved all the VPN client settings again, choosing my specific gateway group (load balanced) again. Saved all and applied the changes.
After that I had the bandwidth of both ISPs and still had the outgoing LAN traffic load-balanced between the VPN servers.
What I did not understand was what you suggested with the printscreen of the firewall rules:
I guess that you suggested with that printscreen that I should add a rule for each VPN interface to route the traffic explicitly through my load-balanced WAN gateway group, or what was your suggestion?
Best Regards
Santo
-
@ihrewerbung said in How to Multi-WAN setup as Loadbalancing and route all traffic over VPN-Provider like mullvad?:
I am at 2.50 dev
Hi,
for now, I don't recommend 2.5 -dev in the production environment... https://redmine.pfsense.org/projects/pfsense/roadmap
stay with 2.4.5-p1 if you want more serious stability...
@ihrewerbung "What I did not understand was what you suggested with the printscreen of the firewall rules:
I guess that you suggested with that printscreen that I should add a rule for each VPN interface to route the traffic explicitly through my load-balanced WAN gateway group, or what was your suggestion?"
YES
I use multi-port NICs (I350-T4 and I350-F4) so I can have VPNs on a separate interface and handle them separately according to firewall rules
++++edit:
this is good for deep network segmentation
Hi
Thank you for your fast reply. Now I perfectly understand your suggestion (I use multi-port NICs (I350-T4 and I350-F4) so I can have VPNs on a separate interface and handle them separately according to firewall rules). I must admit that I never thought about that, but now I see some potential for optimizing!
Of course you are right about 2.5 -dev and 2.4.5-p1. At the time I switched I did not have much of a choice, as the issue with the slow web GUI forced me to do something. But you are right, I should have switched back by now, but as this is not done as fast as an update I hesitated :-) but it is no excuse.
Once again thank you! You helped me a lot.
Best regards
santo
@DaddyGo Hi,
Update:
I will retry it on version 2.4.5-p1, as on 2.5 -dev it's not working consistently. I would even say it's "random" whether it load-balances my two WAN gateways or not.
Always after I change settings in the gateway group (even though I don't make any changes), save it and apply it, it will balance and sum up the bandwidth and balance it through my VPN clients. Same if I save the OpenVPN client settings again (without changing them and leaving my grouped WAN in the interface settings): it works for a short while as desired and then falls back to my "primary" WAN interface.
I could not figure out why this happens. It might be a bug in version 2.50 -dev or just something I messed up in my settings. For now I don't find the problem on my side.
Best regards
santo
@ihrewerbung said in How to Multi-WAN setup as Loadbalancing and route all traffic over VPN-Provider like mullvad?:
on 2.5 -dev it's not working consistently.
2.5 is a development snapshot. YES
there is still work to be done on it, as the "road map" shows, so I recommended 2.4.5-p1. If you still insist on 2.5, many have experience with this version here in the forum and can help
but I do not recommend it for production environments yet, although the date is approaching.....
-
No, no, I don't insist on the development version.
I am now on a fresh 2.4.5-p1 and tested all the settings again. No change. That means load-balanced WAN and balanced VPN does not work.
My settings:
Here some traffic is routed through WAN (ISP DSL-Cable and some over 4G-LTE):
...
Here all traffic goes over WAN (ISP DSL-Cable), nothing over the 4G-LTE modem (it's not balanced or the sum of both).
...
LAN-Firewall rules:
..
Example of one of the VPN client interfaces. It does not change anything whether the protocol is UDP or any, or IPv4/IPv6.
...
Here you can see that I route my LTE/4G modem with a VLAN tag on igb0
...
VPN-Interfaces:
...
Gateways in general:
...
Gateway group for DSL modem and LTE/4G modem (trigger is "member down"):
...
Gateway group for balancing VPN interfaces (trigger is "member down"):
...
Any suggestions? Do you see where I messed up, if at all? I appreciate any idea.
Best regards
santo
-
hi all
the official description says clearly that there is no load balancing in Gateway Groups on OpenVPN clients:
OpenVPN assigned to a Gateway Group
A Gateway Group (Gateway Groups) may be selected as the Interface for an OpenVPN instance. Such a gateway group must be configured for failover only, not load balancing. Failover groups only have one gateway per tier. When creating the gateway group, a VIP may also be chosen for use with a specific gateway. When selected for a VPN server, the interface or VIP of the Tier 1 gateway in the group will be used first. If that gateway goes down, it will move to tier 2, and so on. If the tier 1 gateway comes back up, the VPN will resume operating on that WAN immediately. When used for a VPN server, this means that the server is only active on one WAN at a time. Some of the other methods described below may be better for most common circumstances, such as needing both WANs usable concurrently with the VPN. When used with OpenVPN clients, the outbound interface will be switched according to the gateway group tiers.
best regards
santo
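The rule quoted in the post above (a gateway group used as an OpenVPN interface must have one gateway per tier) can be checked against an exported configuration. The following is an added example, not part of the thread or of pfSense itself; it assumes the backup `config.xml` stores group members as `<item>GATEWAY|TIER|VIP</item>` and the client's outbound interface in `<interface>`, and all names in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample, not taken from the thread. Assumed layout: each
# <gateway_group> lists members as <item>GATEWAY|TIER|VIP</item>, and each
# <openvpn-client> names its outbound interface or group in <interface>.
SAMPLE_CONFIG = """
<pfsense>
  <gateways>
    <gateway_group>
      <name>WAN_BALANCED</name>
      <item>DSL_GW|1|address</item>
      <item>LTE_GW|1|address</item>
    </gateway_group>
    <gateway_group>
      <name>WAN_FAILOVER</name>
      <item>DSL_GW|1|address</item>
      <item>LTE_GW|2|address</item>
    </gateway_group>
  </gateways>
  <openvpn>
    <openvpn-client><vpnid>1</vpnid><interface>WAN_BALANCED</interface></openvpn-client>
    <openvpn-client><vpnid>2</vpnid><interface>WAN_FAILOVER</interface></openvpn-client>
    <openvpn-client><vpnid>3</vpnid><interface>wan</interface></openvpn-client>
  </openvpn>
</pfsense>
"""

def shared_tiers(group):
    """Return the tiers of a gateway group that hold more than one gateway."""
    tiers = Counter(item.text.split("|")[1] for item in group.findall("item"))
    return sorted(t for t, n in tiers.items() if n > 1)

def audit_openvpn_clients(config_xml):
    """Return (vpnid, group, tiers) for clients bound to a load-balancing group."""
    root = ET.fromstring(config_xml)
    groups = {g.findtext("name"): g for g in root.iter("gateway_group")}
    findings = []
    for client in root.iter("openvpn-client"):
        name = client.findtext("interface")
        group = groups.get(name)
        tiers = shared_tiers(group) if group is not None else []
        if tiers:
            findings.append((client.findtext("vpnid"), name, tiers))
    return findings

if __name__ == "__main__":
    for vpnid, group, tiers in audit_openvpn_clients(SAMPLE_CONFIG):
        print(f"client {vpnid}: {group} shares tier(s) {tiers}; use one gateway per tier")
```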
Can you make a purposeful plan, your scribbled PRTSC is very opaque?
I look forward to........ and may be able to help, I don't understand the complicated VPN either
what is the goal? exactly?
-
@DaddyGo said in How to Multi-WAN setup as Loadbalancing and route all traffic over VPN-Provider like mullvad?:
Can you make a purposeful plan, your scribbled PRTSC is very opaque?
Hi
It's a pity my printscreens did not help but confused. You describe my settings as too complex / complicated, which might be true.
However, now everything is fine for me. I now know what a gateway group in the interface setting of a VPN client is meant for. So far all good.
My goal was to have the VPN balanced (to more than one server), which functions great, and to get the bandwidth of two ISPs (multi-WAN balanced), which also works fine with a workaround I made by adding another "(ISP)-Interface" to each VPN client.
Maybe a Floating rule would be another workaround?
Best regards
Santo
@ihrewerbung said in How to Multi-WAN setup as Loadbalancing and route all traffic over VPN-Provider like mullvad?:
Maybe a Floating rule would be another workaround?
worth a try