Load balance with failover but use default routing between LANs?



  • All of the load balance guides I've seen involve specifying a gateway group for the outbound allow rule of a LAN interface. Not all outbound traffic is destined for the internet though. We have about 4 LANs with varied amounts of communication allowed between them, depending on which LAN it is. My understanding is that hard-specifying the gateway in each LAN's outbound allow rule overrides the router's routing table, affecting my inter-LAN routing.

    My understanding is that I could put a rule on each LAN interface to allow RFC1918 private networks WITHOUT a gateway specified, above the other rule which does specify a gateway, but I'd prefer to keep the number of firewall rules to a bare minimum if there is a way. Is there a way to utilise floating rules here?

    What is the way to implement load balancing of WAN links (obviously with automatic failover), while still maintaining inter-LAN routing as well as static routes with the least amount of interface-specific firewall settings possible?

    Thanks in advance!


  • LAYER 8 Netgate

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

    This requires firewall rules. No other way. That's what they're for.

    If you need the same thing done on multiple interfaces you might consider an interface group. I would suggest that over floating rules.



  • @Derelict:

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

    This requires firewall rules. No other way. That's what they're for.

    If you need the same thing done on multiple interfaces you might consider an interface group. I would suggest that over floating rules.

    I can't use interface groups because every subnet has at least some different rules. I guess I'll do my best to get it done with the minimum rules possible. Instead of a pass all rule at the bottom, I'll just have to have a pass RFC1918 addresses rule without a gateway specified, followed by a pass all with the gateway group specified.

    Another question:

    Can I just have one gateway group with two gateways, both Tier 1 (a.k.a. load balance), and if one gateway goes down, it still works perfectly using the other gateway? That's what the pfSense docs seem to suggest. If that is the case, why do people suggest to also have two more gateway groups with the gateways on different tiers? Why do people say this part is necessary? Surely the router does not continue doing round robin between two gateways on the same tier in a group after one is recognised as down.


  • LAYER 8 Netgate

    @bradsm87:

    @Derelict:

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

    This requires firewall rules. No other way. That's what they're for.

    If you need the same thing done on multiple interfaces you might consider an interface group. I would suggest that over floating rules.

    I can't use interface groups because every subnet has at least some different rules. I guess I'll do my best to get it done with the minimum rules possible. Instead of a pass all rule at the bottom, I'll just have to have a pass RFC1918 addresses rule without a gateway specified, followed by a pass all with the gateway group specified.

    That is generally the case with interface groups, unfortunately. They might be able to be leveraged for the rules that are the same between interfaces. Note that for things like passing DNS to addresses on "this firewall" it can sometimes be done by giving every interface the same DNS server on one interface, LAN for example, instead of telling them to use their specific interface address as the DNS server. That way the same pass rule can be used on all interfaces. Just an example of a method to make common rules across interfaces.

    Another question:

    Can I just have one gateway group with two gateways, both Tier 1 (a.k.a. load balance), and if one gateway goes down, it still works perfectly using the other gateway? That's what the pfSense docs seem to suggest. If that is the case, why do people suggest to also have two more gateway groups with the gateways on different tiers? Why do people say this part is necessary? Surely the router does not continue doing round robin between two gateways on the same tier in a group after one is recognised as down.

    You can make your gateway groups behave in whatever manner is beneficial to you and helps you accomplish your specific task. Make them both tier 1, policy route to it, and call it a day. Set gateway weights on the gateways if you want to skew the load one way or the other.

    Let me add that gateway failures are never "perfect." You always have a down interface full of firewall states that will require whatever started them to stall and reconnect. Unavoidable. You also have to carefully configure your DNS if you are running it on the firewall. You typically need to use forwarding mode and be sure each gateway has at least one good DNS server in System > General Setup.



  • Thanks heaps.

    I have two good DNS servers for each gateway in System > General.

    I decided not to do load-balance due to the issues with change of IP address causing issues with individual sessions, even with sticky connections enabled. I instead set up two gateway groups, one with each gateway as Tier 1 and the other Tier 2. I then use one of the groups in half of my LANs and the other in the remaining LANs.

    The firewall rules ended up still being very tidy. I simply put an allow RFC1918 rule with default routing above the last rule which specifies the gateway group. That way, no matter how many LANs and/or VPN connections I add in the future, they will work properly.
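The rule order the thread settles on (an RFC1918 pass rule with no gateway above the policy-routed pass-all rule), written out in pf syntax as an added example; this is not from the thread or from pfSense's generated ruleset, and the interface names, gateway addresses and table name are constructed placeholders.

```pf
# Constructed example of the LAN rule order discussed in the thread.
# Interface names, gateway addresses and the table are placeholders.
lan_if  = "em0"
wan1_if = "em1"
wan2_if = "em2"
wan1_gw = "203.0.113.1"
wan2_gw = "198.51.100.1"

# RFC1918 space: anything here is another LAN, a VPN peer or a static route.
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Rule 1 (must come first): no route-to, so traffic to private space follows
# the system routing table instead of being pushed out a WAN gateway.
pass in quick on $lan_if from $lan_if:network to <rfc1918> keep state

# Rule 2: everything else is policy-routed over the gateway group.
# Two Tier 1 gateways is round-robin; add sticky-address if a session must
# stay on one WAN. pfSense's gateway monitoring regenerates this rule when
# a gateway is marked down, which is how failover happens.
pass in quick on $lan_if route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin \
    from $lan_if:network to any keep state

# Wrong order for comparison: if rule 2 sat above rule 1, "quick" would stop
# evaluation there and traffic for another LAN would leave via a WAN gateway.
```

Because new LANs and VPN subnets fall inside the RFC1918 table, rule 1 keeps covering them without per-interface changes, which is the property the last post relies on.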

