Load Balancing and Failover - Firewall Rules?



  • Hi there!

    I understand that for load balancing you need to create a gateway group with both WAN interfaces as Tier 1, and if you want additional failover you need to create 2 more gateway groups with WAN 1 Tier 1 / WAN 2 Tier 2 and vice versa.

    So in the end you have 3 Gateway groups.

    Now you need to assign your Load Balancing Gateway Group to a certain firewall Rule to be applied on. Let's assume we talk about the Rule for HTTP traffic.

    Now I assign the Load Balancing Gateway group to the HTTP Rule, if one WAN interface goes down, I have no access to the Internet anymore.

    What do I need to do to get Failover to work in this scenario?

    So far I just had 1 gateway group with both WANs on Tier 1 and didn't assign this gateway group to any firewall rule (so no load balancing), but Failover was working fine that way.

    How do I need to set this up that Failover actually works? Because I can just assign 1 Gateway Group to a Firewall rule anyway, why do I have to have 2 other Gateway Groups for Failover then and how do they work?

    Do I have to have 3 gateway groups if I just have 2 WAN interfaces? Shouldn't the Load Balancing rule be enough for both Failover and Load Balancing? Or does Failover not work as soon as you assign this GW Group to a Firewall rule?

    I didn't fully understand this and would be more than happy if someone can enlighten me :)

    Thanks!


  • Netgate

    No.

    People generally make the different gateway groups so they can OPTIONALLY policy route different traffic in different ways. They do something like this:

    WANLOADBALANCE
    WAN1 Tier 1
    WAN2 Tier 1

    WAN1THENWAN2
    WAN1 Tier 1
    WAN2 Tier 2

    WAN2THENWAN1
    WAN1 Tier 2
    WAN2 Tier 1

    That gives them the OPTION to make rules for specific traffic that is not load balanced, but is purely failover (everything goes out one WAN unless it is down then the other WAN is used). It is a purely optional step. What really matters is the gateway group you set on the policy routing rules.

    A load balance group (all gateways in the same tier) is inherently a failover group in that when a gateway in the group is marked as down, it will get no new states. When it comes back up the load balancing algorithm will start distributing states (traffic) to it again.



  • Ahh I see.

    So if I don't care which Interface is preferred I'm fine with my Load Balance Group with both Interfaces on Tier 1 and just assign this Gateway Group to the Firewall Rules I want it applied on?

    So for example WAN 1 and WAN 2 are both Tier 1 and I assign this GW Group to my HTTP Firewall Rule, WAN 1 goes down, HTTP now uses WAN 2 automatically for HTTP traffic?

    Just to wrap it up :D

    Thanks for the explanation!


  • Netgate

    No.

    That would be the behavior of the WAN1THENWAN2 group noted above.

    If they are both Tier1 then some HTTP states will go out WAN1 and some out WAN2. You know, Load Balanced.



  • @Derelict:

    > No.
    >
    > That would be the behavior of the WAN1THENWAN2 group noted above.
    >
    > If they are both Tier1 then some HTTP states will go out WAN1 and some out WAN2. You know, Load Balanced.

    Ok, I quickly built a test lab to demonstrate the issue I'm running into.

    I set 2 WAN interfaces, 1 Load Balance GW Group and assigned that to all relevant rules.

    Now I run a ping on google.com -> Take WAN1 down -> Ping continues to run, DNS seems to have stopped working, no pages are loading anymore.

    If I do not assign LoadBalance as a gateway on those firewall rules and take WAN1 down, everything still works fine. So Failover is working without having LoadBalance assigned as the Gateway for the Firewall rules.

    I'm probably just missing a step somewhere in the DNS config?

    Default Gateway Switching is enabled by the way.

    Hope that can give you a better understanding of the issue I'm running into.

    Ceo

    ![2017-10-11 09_58_32.png](/public/imported_attachments/1/2017-10-11 09_58_32.png)
    ![2017-10-11 09_59_01.png](/public/imported_attachments/1/2017-10-11 09_59_01.png)
    ![2017-10-11 09_59_15.png](/public/imported_attachments/1/2017-10-11 09_59_15.png)


  • Netgate

    Hmm. Getting the same gateway address on both WANs? What, exactly, are you doing there? That needs to be separate networks.



  • @Derelict:

    > Hmm. Getting the same gateway address on both WANs? What, exactly, are you doing there? That needs to be separate networks.

    It's running in VirtualBox just for testing purposes. I have the exact same behaviour on my live Firewall with separate networks.


  • Netgate

    If the clients are configured to use the firewall as their DNS server, you have to use the DNS forwarder, or the resolver in forwarding mode, when you use Multi-WAN.

    You need to be sure that there are outside DNS servers configured for forwarding that are on each WAN.

    Otherwise the DNS Resolver will try to use the default gateway for DNS, which will be down.

    You cannot policy route traffic sourced from the firewall, such as DNS queries from the resolver process. Policy routing happens when traffic enters an interface. Traffic sourced from the firewall never does that.

    The actual best solution for DNS and Multi-WAN is to use a couple of inside DNS resolvers. If everything on the inside asks them to resolve names, the queries they make to the internet will arrive on LAN and be load balanced/policy routed.
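The two replies above (the gateway group tiers, and the point that resolver-sourced queries are not policy routed, so each WAN needs its own outside DNS server) can be checked with a small model. This is an added example written for this page, not pfSense code: the gateway names, tiers, the plain round-robin balancing and the DNS server addresses are all constructed, and the assumption is that each forwarder is pinned to one WAN gateway and is reachable only while that WAN is up.

```python
"""Model of how a gateway group picks gateways for NEW states, and why
resolver-sourced DNS needs a forwarder reachable on each WAN.
Constructed illustration for this thread, not pfSense code."""
from dataclasses import dataclass
from itertools import cycle, islice


@dataclass
class Gateway:
    name: str
    up: bool = True  # as marked by the gateway monitor


@dataclass
class GatewayGroup:
    name: str
    tiers: dict  # gateway name -> tier number (1 = most preferred)


@dataclass
class Forwarder:
    """Outside DNS server the resolver forwards to, and the WAN gateway it
    is pinned to (assumption: reachable only while that WAN is up)."""
    address: str
    gateway: str


def active_gateways(group: GatewayGroup, gateways: dict) -> list:
    """Gateways eligible for new states: every UP member of the lowest
    tier that still has an UP member. A down gateway is skipped, and gets
    traffic again once the monitor marks it up."""
    by_tier = {}
    for gw_name, tier in group.tiers.items():
        if gateways[gw_name].up:
            by_tier.setdefault(tier, []).append(gw_name)
    if not by_tier:
        return []
    return sorted(by_tier[min(by_tier)])


def assign_states(group: GatewayGroup, gateways: dict, n_states: int) -> dict:
    """Count how n new states land per gateway. Plain round robin is used
    here as a simplification of the real balancing algorithm."""
    active = active_gateways(group, gateways)
    counts = {gw: 0 for gw in active}
    if active:
        for gw in islice(cycle(active), n_states):
            counts[gw] += 1
    return counts


def usable_forwarders(forwarders: list, gateways: dict) -> list:
    """Forwarders whose WAN is up. Queries from the resolver process leave
    the firewall itself and never hit a LAN policy-routing rule, so if
    every forwarder sits behind the one WAN that is down, DNS stops."""
    return [f.address for f in forwarders if gateways[f.gateway].up]


def wans_without_forwarder(forwarders: list, group: GatewayGroup) -> list:
    """Config check: every gateway in the group should have at least one
    forwarder reached through it, or losing the other WAN leaves the
    resolver with nothing reachable to ask."""
    covered = {f.gateway for f in forwarders}
    return sorted(gw for gw in group.tiers if gw not in covered)


# Constructed sample data matching the groups named in the thread.
GATEWAYS = {"WAN1": Gateway("WAN1"), "WAN2": Gateway("WAN2")}
WANLOADBALANCE = GatewayGroup("WANLOADBALANCE", {"WAN1": 1, "WAN2": 1})
WAN1THENWAN2 = GatewayGroup("WAN1THENWAN2", {"WAN1": 1, "WAN2": 2})
WAN2THENWAN1 = GatewayGroup("WAN2THENWAN1", {"WAN1": 2, "WAN2": 1})

# One outside DNS server reachable only via WAN1 (the failing setup) ...
FORWARDERS_ONE_WAN = [Forwarder("203.0.113.53", "WAN1")]
# ... versus an outside server on each WAN (what the reply asks for).
FORWARDERS_BOTH_WANS = FORWARDERS_ONE_WAN + [Forwarder("198.51.100.53", "WAN2")]


def with_wan1_down() -> dict:
    """Copy of GATEWAYS with WAN1 marked down by the monitor."""
    gws = {n: Gateway(n, g.up) for n, g in GATEWAYS.items()}
    gws["WAN1"].up = False
    return gws


if __name__ == "__main__":
    down = with_wan1_down()
    for grp in (WANLOADBALANCE, WAN1THENWAN2, WAN2THENWAN1):
        print(f"{grp.name:15} all up: {assign_states(grp, GATEWAYS, 10)}  "
              f"WAN1 down: {assign_states(grp, down, 10)}")
    print("DNS, forwarder on WAN1 only, WAN1 down:", usable_forwarders(FORWARDERS_ONE_WAN, down))
    print("DNS, forwarder per WAN, WAN1 down:     ", usable_forwarders(FORWARDERS_BOTH_WANS, down))
    print("WANs missing a forwarder:", wans_without_forwarder(FORWARDERS_ONE_WAN, WANLOADBALANCE))
```

Running it shows the three groups agreeing once WAN1 is down (all send new states to WAN2), which is the "a load balance group is inherently a failover group" point, while the one-forwarder DNS list becomes empty in the same condition and the per-WAN list does not.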



  • @Derelict:

    > If the clients are configured to use the firewall as their DNS server, you have to use the DNS forwarder, or the resolver in forwarding mode, when you use Multi-WAN.
    >
    > You need to be sure that there are outside DNS servers configured for forwarding that are on each WAN.
    >
    > Otherwise the DNS Resolver will try to use the default gateway for DNS, which will be down.
    >
    > You cannot policy route traffic sourced from the firewall, such as DNS queries from the resolver process. Policy routing happens when traffic enters an interface. Traffic sourced from the firewall never does that.
    >
    > The actual best solution for DNS and Multi-WAN is to use a couple of inside DNS resolvers. If everything on the inside asks them to resolve names, the queries they make to the internet will arrive on LAN and be load balanced/policy routed.

    Alright, I now entered 2 DNS Servers on System / General and unticked Allow DNS Server list to be overridden...

    Under Services > DNS Resolver I ticked Enable Forwarding Mode.

    Now internet access works even if I disable WAN1.

    That was what I was looking for. Although, having Enable Forwarding Mode ticked now means that all DNS queries are forwarded and the Resolver is not actually being used anymore, or am I wrong?

    Thanks for your patience by the way, but I want to fully understand how this works.


  • Netgate

    Note that if the resolver is in forwarding mode and DNSSEC is enabled, things can appear to break randomly if the forwarding servers do not properly support DNSSEC, so it is generally best to disable that in forwarding mode. Even the popular ones like Google and OpenDNS don't do it right.