Netgate Discussion Forum
    Load Balancing and Failover - Firewall Rules?

    Routing and Multi WAN
    • ceofreak

      Hi there!

      I understand that for load balancing you need to create a gateway group with both WAN interfaces as Tier 1, and if you want additional failover you need to create 2 more gateway groups with WAN 1 Tier 1 / WAN 2 Tier 2 and vice versa.

      So in the end you have 3 Gateway groups.

      Now you need to assign your Load Balancing Gateway Group to a certain firewall Rule to be applied on. Let's assume we talk about the Rule for HTTP traffic.

      Now I assign the Load Balancing Gateway group to the HTTP Rule, if one WAN interface goes down, I have no access to the Internet anymore.

      What do I need to do to get Failover to work in this scenario?

      So far I just had 1 gateway group with both WANs on Tier 1 and didn't assign this gateway group to any firewall rule (so no load balancing), but Failover was working fine that way.

      How do I need to set this up that Failover actually works? Because I can just assign 1 Gateway Group to a Firewall rule anyway, why do I have to have 2 other Gateway Groups for Failover then and how do they work?

      Do I have to have 3 gateway groups if I just have 2 WAN interfaces? Shouldn't the Load Balancing rule be enough for both Failover and Load Balancing? Or does Failover not work as soon as you assign this GW Group to a Firewall rule?

      I didn't fully understand this and would be more than happy if someone can enlighten me :)

      Thanks!

      • Derelict (LAYER 8, Netgate)

        No.

        People generally make the different gateway groups so they can OPTIONALLY policy route different traffic in different ways. They do something like this:

        WANLOADBALANCE
        WAN1 Tier 1
        WAN2 Tier 1

        WAN1THENWAN2
        WAN1 Tier 1
        WAN2 Tier 2

        WAN2THENWAN1
        WAN1 Tier 2
        WAN2 Tier 1

        That gives them the OPTION to make rules for specific traffic that is not load balanced, but is purely failover (everything goes out one WAN unless it is down then the other WAN is used). It is a purely optional step. What really matters is the gateway group you set on the policy routing rules.

        A load balance group (all gateways in the same tier) is inherently a failover group in that when a gateway in the group is marked as down, it will get no new states. When it comes back up the load balancing algorithm will start distributing states (traffic) to it again.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • ceofreak

          Ahh I see.

          So if I don't care which Interface is preferred I'm fine with my Load Balance Group with both Interfaces on Tier 1 and just assign this Gateway Group to the Firewall Rules I want it applied on?

          So for example WAN 1 and WAN 2 are both Tier 1 and I assign this GW Group to my HTTP Firewall Rule, WAN 1 goes down, HTTP now uses WAN 2 automatically for HTTP traffic?

          Just to wrap it up :D

          Thanks for the explanation!

          • Derelict (LAYER 8, Netgate)

            No.

            That would be the behavior of the WAN1THENWAN2 group noted above.

            If they are both Tier1 then some HTTP states will go out WAN1 and some out WAN2. You know, Load Balanced.

            • ceofreak

              > @Derelict:
              >
              > No.
              >
              > That would be the behavior of the WAN1THENWAN2 group noted above.
              >
              > If they are both Tier1 then some HTTP states will go out WAN1 and some out WAN2. You know, Load Balanced.

              Ok, I quickly built a test lab to demonstrate the issue I'm running into.

              I set up 2 WAN interfaces and 1 Load Balance GW Group and assigned that to all relevant rules.

              Now I run a ping on google.com -> Take WAN1 down -> Ping continues to run, DNS seems to have stopped working, no pages are loading anymore.

              If I do not assign LoadBalance as a gateway on those firewall rules and take WAN1 down, everything still works fine. So Failover is working without having LoadBalance assigned as the Gateway for the Firewall rules.

              I'm probably just missing a step somewhere in the DNS config?

              Default Gateway Switching is enabled by the way.

              Hope that can give you a better understanding of the issue I'm running into.

              Ceo

              ![2017-10-11 09_58_32.png](/public/imported_attachments/1/2017-10-11 09_58_32.png)
              ![2017-10-11 09_59_01.png](/public/imported_attachments/1/2017-10-11 09_59_01.png)
              ![2017-10-11 09_59_15.png](/public/imported_attachments/1/2017-10-11 09_59_15.png)

              • Derelict (LAYER 8, Netgate)

                Hmm. Getting the same gateway address on both WANs? What, exactly, are you doing there? That needs to be separate networks.

                • ceofreak

                  > @Derelict:
                  >
                  > Hmm. Getting the same gateway address on both WANs? What, exactly, are you doing there? That needs to be separate networks.

                  It's running in VirtualBox just for testing purposes. I have the exact same behaviour on my live Firewall with separate networks.

                  • Derelict (LAYER 8, Netgate)

                    If the clients are configured to use the firewall as their DNS server, you have to use the DNS forwarder, or the resolver in forwarding mode, when you use Multi-WAN.

                    You need to be sure that there are outside DNS servers configured for forwarding that are on each WAN.

                    Otherwise the DNS Resolver will try to use the default gateway for DNS, which will be down.

                    You cannot policy route traffic sourced from the firewall, such as DNS queries from the resolver process. Policy routing happens when traffic enters an interface. Traffic sourced from the firewall never does that.

                    The actual best solution for DNS and Multi-WAN is to use a couple of inside DNS resolvers. If everything on the inside asks them to resolve names, the queries they make to the internet will arrive on LAN and be load balanced/policy routed.

                    • ceofreak
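                    The two points Derelict makes above, that a same-tier group is already a failover group for new states, and that policy routing only applies to traffic entering an interface so the Resolver's own queries follow the default route, can be shown with a small model. The code below is an added illustration written for this thread, not pfSense code; the class and function names (`GatewayGroup`, `Firewall`, `route_new_state`, `demo`) are invented, the member selection within a tier is simplified to round robin, and Default Gateway Switching is deliberately left out of the model.

```python
# Added illustration (not pfSense code): a toy model of gateway groups with tiers,
# policy routing for traffic entering an interface, and the default route used by
# traffic the firewall itself generates (such as DNS Resolver queries).
# Assumptions: round-robin choice within a tier; Default Gateway Switching ignored.
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    up: bool = True  # "up" means the gateway monitor has not marked it down


class GatewayGroup:
    """Members are (gateway name, tier) pairs. Lower tier number = preferred."""

    def __init__(self, name, members):
        self.name = name
        self.members = dict(members)
        self._next = 0  # round-robin position used for load balancing

    def candidates(self, gateways):
        """Return the 'up' members of the lowest tier that has any member up.

        A group whose members share one tier therefore load balances across
        all of them and falls back to the survivors when one is marked down;
        a Tier 1 / Tier 2 group is pure failover.
        """
        for tier in sorted(set(self.members.values())):
            alive = [g for g, t in self.members.items() if t == tier and gateways[g].up]
            if alive:
                return alive
        return []

    def pick(self, gateways):
        """Choose the gateway for one new state (round robin within the tier)."""
        alive = self.candidates(gateways)
        if not alive:
            return None  # every member is down: no gateway for new states
        choice = alive[self._next % len(alive)]
        self._next += 1
        return choice


class Firewall:
    def __init__(self, gateways, groups, default_gateway):
        self.gateways = {g.name: g for g in gateways}
        self.groups = {grp.name: grp for grp in groups}
        self.default_gateway = default_gateway

    def default_route(self):
        """Plain routing-table lookup: the default gateway, whether up or not."""
        return self.default_gateway if self.gateways[self.default_gateway].up else None

    def route_new_state(self, ingress_iface, rule_gateway=None):
        """ingress_iface is None for traffic the firewall generates itself.

        Policy routing happens only when traffic enters an interface and the
        matching rule names a gateway group; everything else follows the
        routing table, i.e. the default route.
        """
        if ingress_iface is not None and rule_gateway in self.groups:
            return self.groups[rule_gateway].pick(self.gateways)
        return self.default_route()


def build_lab():
    """Constructed lab: two WANs, the three groups from the thread, WAN1 default."""
    groups = [
        GatewayGroup("WANLOADBALANCE", [("WAN1", 1), ("WAN2", 1)]),
        GatewayGroup("WAN1THENWAN2", [("WAN1", 1), ("WAN2", 2)]),
        GatewayGroup("WAN2THENWAN1", [("WAN1", 2), ("WAN2", 1)]),
    ]
    return Firewall([Gateway("WAN1"), Gateway("WAN2")], groups, default_gateway="WAN1")


def demo():
    """Replay the thread's observations; returns a dict of chosen gateways."""
    fw = build_lab()
    results = {}
    # Both WANs up: HTTP states from LAN with the LB group alternate between WANs.
    results["lb_both_up"] = [fw.route_new_state("LAN", "WANLOADBALANCE") for _ in range(4)]
    results["failover_both_up"] = [fw.route_new_state("LAN", "WAN1THENWAN2") for _ in range(2)]
    # WAN1 goes down: the LB group hands new states to WAN2 only (failover built in).
    fw.gateways["WAN1"].up = False
    results["lb_wan1_down"] = [fw.route_new_state("LAN", "WANLOADBALANCE") for _ in range(3)]
    results["failover_wan1_down"] = fw.route_new_state("LAN", "WAN1THENWAN2")
    # A query the Resolver itself sends never enters an interface, so it is not
    # policy routed; it follows the default route through the down gateway.
    results["resolver_query_wan1_down"] = fw.route_new_state(None, "WANLOADBALANCE")
    # A query from an inside resolver enters on LAN, is policy routed, and survives.
    results["inside_resolver_wan1_down"] = fw.route_new_state("LAN", "WANLOADBALANCE")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

                    Running it reproduces the symptom in the test lab: with WAN1 down, LAN traffic on the load-balance group still gets WAN2, while the firewall-sourced query returns no gateway at all, which is why the fix is either forwarders reachable via each WAN or resolvers on the inside whose queries arrive on LAN.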

                      > @Derelict:
                      >
                      > If the clients are configured to use the firewall as their DNS server, you have to use the DNS forwarder, or the resolver in forwarding mode, when you use Multi-WAN.
                      >
                      > You need to be sure that there are outside DNS servers configured for forwarding that are on each WAN.
                      >
                      > Otherwise the DNS Resolver will try to use the default gateway for DNS, which will be down.
                      >
                      > You cannot policy route traffic sourced from the firewall, such as DNS queries from the resolver process. Policy routing happens when traffic enters an interface. Traffic sourced from the firewall never does that.
                      >
                      > The actual best solution for DNS and Multi-WAN is to use a couple of inside DNS resolvers. If everything on the inside asks them to resolve names, the queries they make to the internet will arrive on LAN and be load balanced/policy routed.

                      Alright, I now entered 2 DNS Servers on System / General and unticked "Allow DNS Server list to be overridden".

                      Under Services > DNS Resolver I ticked Enable Forwarding Mode.

                      Now internet access works even if I disable WAN1.

                      That was what I was looking for. Although, having Enable Forwarding Mode ticked now means that all DNS queries are forwarded and the Resolver is not actually being used anymore, or am I wrong?

                      Thanks for your patience by the way, but I want to fully understand how this works.

                      • Derelict (LAYER 8, Netgate)

                        Note that if the resolver is in forwarding mode and DNSSEC is enabled, things can appear to break randomly if the forwarding servers do not properly support DNSSEC, so it is generally best to disable that in forwarding mode. Even the popular ones like google and opendns don't do it right.
