IPsec over multi-WAN

  • Hey guys,
    I was looking for some info on the forums but was unable to find an answer.

    I have a multi-WAN setup + IPsec tunnel through one of them.
    I have also configured GW groups for outgoing load balancing (load sharing). Everything works like a charm ;)

    Since our upload speeds are pretty shameful, I was wondering if it's possible to use the gateways for said IPsec tunnel (some sort of load sharing).

    Is that possible?



  • Rebel Alliance Developer Netgate

    No, you can't load balance IPsec in that way.

    You can pull that off with OpenVPN (one tunnel always up on each WAN, interfaces assigned, using a gateway group of VPN gateways, etc.).

  • Hi @Jimp.
    Thanks for your reply.

    Would you be able to explain the difference?
    If I understand you correctly, one tunnel always up using a gateway group would essentially be a failover rather than a load balance, will it not?

  • Rebel Alliance Developer Netgate

    It depends on the gateway group and how you set it up.

    IPsec and OpenVPN can only use a failover group (one gateway per tier) on their actual VPN settings, but what I mentioned is different.

    In the load balancing setup with OpenVPN, OpenVPN would be always active on both WANs – two clients/two servers, one on each WAN, always connected. When you assign the OpenVPN interfaces, the firewall creates automatic dynamic gateways for the OpenVPN connection itself. Those would be added to a new gateway group that can be set to load balance. So you don't tell OpenVPN to load balance directly.

    You have to be careful with the assignment and placement of the rules, but you can policy route connections into the tunnel and reply-to will send the responses back the correct path. It's still only connection-based load balancing though so a single connection can't max out both VPNs, but with multiple connections/clients it can utilize both.
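To make the two behaviours in the reply above concrete (a failover group with one gateway per tier versus a load-balancing group whose members share one tier, and why per-connection balancing never lets a single connection use both tunnels), here is a small added model. It is illustration code written for this thread, not pfSense code: the gateway names, connection keys and packet counts are constructed, and the round-robin-per-new-state selection is an assumption that stands in for the firewall's real route-to logic.

```python
"""Added model of gateway-group behaviour: failover vs. load balancing.

Not pfSense code. Members of the first tier that still has a live gateway
are used; inside that tier a new connection (state) is assigned round-robin
and then sticks to its gateway, so balancing happens per connection, not
per packet.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    up: bool = True  # monitor status, flipped by hand in the demo


@dataclass
class GatewayGroup:
    tiers: list                                   # tiers[0] is tier 1 (preferred)
    _state: dict = field(default_factory=dict)    # connection key -> chosen gateway
    _rr: dict = field(default_factory=dict)       # per-tier round-robin cursor

    def active_tier(self):
        """Live members of the highest-priority tier that has any live member."""
        for tier in self.tiers:
            alive = [gw for gw in tier if gw.up]
            if alive:
                return alive
        return []

    def select(self, conn_key):
        """Gateway for one connection; an existing state keeps its gateway
        unless that gateway has gone down, in which case it is re-routed."""
        alive = self.active_tier()
        if not alive:
            raise RuntimeError("all gateways in the group are down")
        names = tuple(gw.name for gw in alive)
        chosen = self._state.get(conn_key)
        if chosen in names:
            return chosen
        idx = self._rr.get(names, 0)              # assumed: round-robin per new state
        chosen = names[idx % len(names)]
        self._rr[names] = idx + 1
        self._state[conn_key] = chosen
        return chosen


def packets_per_gateway(group, packets):
    """Count packets per gateway; `packets` holds one connection key per packet."""
    return Counter(group.select(key) for key in packets)


def demo():
    # Load-balancing group: both VPN gateways in tier 1 (constructed names).
    wan1, wan2 = Gateway("VPN_WAN1"), Gateway("VPN_WAN2")
    lb = GatewayGroup(tiers=[[wan1, wan2]])

    # One backup connection pushing 1000 packets: all of them take one tunnel.
    single = packets_per_gateway(lb, ["10.0.0.5:40000->198.51.100.9:873"] * 1000)

    # Ten parallel connections, 100 packets each: both tunnels carry traffic.
    many = packets_per_gateway(
        lb,
        [f"10.0.0.5:{40001 + i}->198.51.100.9:873" for i in range(10) for _ in range(100)],
    )

    # Failover group: one gateway per tier. Traffic uses tier 1 until it fails.
    fo_w1, fo_w2 = Gateway("VPN_WAN1"), Gateway("VPN_WAN2")
    fo = GatewayGroup(tiers=[[fo_w1], [fo_w2]])
    keys = [f"10.0.0.7:{50000 + i}->198.51.100.9:22" for i in range(4) for _ in range(10)]
    failover_before = packets_per_gateway(fo, keys)
    fo_w1.up = False                              # simulate WAN1 monitor failure
    failover_after = packets_per_gateway(fo, keys)

    return {
        "single": single,
        "many": many,
        "failover_before": failover_before,
        "failover_after": failover_after,
    }


if __name__ == "__main__":
    for label, counts in demo().items():
        print(f"{label:16} {dict(counts)}")
```

The `single` result is the point of the reply: one rsync or SSH backup stream lands entirely on one gateway, so it is limited to that WAN's upload speed, while `many` shows that splitting the backup into several concurrent connections is what actually puts both tunnels to work.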

  • Fair point.
    I am trying to find a solution for an offsite backup while utilizing multiple WANs.
    Any thoughts?


  • Rebel Alliance Developer Netgate

    A high speed dedicated fiber circuit? :-)

    Unless you can get MLPPP DSL there won't be a way to bond multiple WANs or VPNs on pfSense into a single larger pipe that will accelerate one connection.

  • Thank you ;)
