Load balancing cluster with a failover capability for a lan party
-
Hey,
I couldn't find a tutorial that suited my needs so I thought to ask if this is doable with pfSense. I am planning a setup like this:
The thing is that I want the traffic from the partynet to be divided to the three pfsense boxes based on a port that is used. This is because I want the first box to handle all the "uncategorized" (eg. bittorrent, dc++ etc.) traffic, the second box to handle www,ssh,irc, etc. and the third box to handle gaming related traffic.
I can probably make failover work, but how can I make the boxes understand that the traffic on port 6667 belongs to the second pfsense box if all the traffic hits the virtual ip 10.1.0.1 shared between the three firewalls?
-
You can't.
What you want is an active/active setup.
Technically it's possible, but not implemented in the GUI.
Currently you can only have active/passive.
–> When the primary firewall goes down, the secondary takes over.
But why do you need that anyway?
It's not like some decent hardware couldn't route Gbit speed and I hardly believe that you have Gbit internet at your LAN ;)
-
Well actually it's something between 1GB-10GB thanks to our friends at the ISP but it seems that I will have to do with just failover then :)
Thanks for the fast answer
-
Nice :)
Well if you have that much bandwidth at hand I suppose you also have appropriate hardware otherwise.
You could split your LAN in multiple DHCP domains with different gateways but with the users still in the same broadcast domain. I'd do this with VLANs.
Have every client in two VLANs.
Say VLAN 42 for the broadcast domain.
Everyone in this VLAN can talk with each other.
–> Only clients are in this VLAN (defined by PVID) but not the pfSense.
Additionally every pfSense has its own VLAN.
Say VLAN 100, 200 and 300 (again by the PVID).
Now if a client requests an IP all pfSenses will receive the request.
But only the pfSense on the corresponding VLAN can answer.
NOTE:
The VLAN should NOT be configured on the pfSense.
Egress all packets on all ports untagged (well except the trunks to connect all the switches ;) ).
Inbound packets of the clients should have the PVID of the global domain --> 42
Inbound packets of the pfSense should have the local PVID --> 100, 200 or 300
All ports are members of 42
Only the ports of the local domain are member of 100, 200 or 300.
pfSense1: 10.0.0.1/16 - DHCP-range 10.0.0.2/16 to 10.0.0.255/16, gateway 10.0.0.1
pfSense2: 10.0.1.1/16 - DHCP-range 10.0.1.2/16 to 10.0.1.255/16, gateway 10.0.1.1
pfSense3: 10.0.2.1/16 - DHCP-range 10.0.2.2/16 to 10.0.2.255/16, gateway 10.0.2.1
-
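The asymmetric VLAN trick in the post above is easy to get subtly wrong on a real switch, so here is a small forwarding model of it. This is an added example written for this page, not code from the thread or from pfSense; the switch model (ingress frames take the port's PVID, egress floods untagged to every member port of that VLAN, no MAC learning) and the port names (`pfsense1`, `client1-1`, ...) are assumptions made for illustration. It checks the three properties the design relies on: a client's DHCPDISCOVER broadcast reaches all three pfSense boxes, each pfSense's reply reaches only the clients of its own local domain, and every client still sees every other client.

```python
"""Forwarding model of the asymmetric-VLAN LAN-party switch (constructed example).

Rules modelled, as the post describes them:
  * a frame entering a port is tagged with that port's PVID;
  * it is flooded untagged to every other port that is a member of that VLAN;
  * client ports: PVID 42, members of 42 and of one local VLAN (100/200/300);
  * pfSense ports: PVID 100/200/300, members of 42 and of their own VLAN.
MAC learning is deliberately left out: a learned unicast only ever reaches a
subset of the flood set, so reachability conclusions are unchanged.
"""
from dataclasses import dataclass

BROADCAST_VLAN = 42          # the "global" VLAN every client port ingresses on
LOCAL_VLANS = (100, 200, 300)  # one per pfSense, assumed numbering from the post


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int            # VLAN stamped onto untagged ingress frames
    members: frozenset   # VLANs whose frames may egress (untagged) here


class Switch:
    def __init__(self):
        self.ports = {}

    def add_port(self, name, pvid, members):
        self.ports[name] = Port(name, pvid, frozenset(members))

    def deliver(self, ingress):
        """Names of the ports that receive a frame entering on `ingress`."""
        vlan = self.ports[ingress].pvid
        return {p.name for p in self.ports.values()
                if p.name != ingress and vlan in p.members}


def build_lan_party_switch(clients_per_domain=2):
    """Hypothetical layout: three pfSense ports plus a few client ports per local domain."""
    sw = Switch()
    for i, vlan in enumerate(LOCAL_VLANS, start=1):
        sw.add_port(f"pfsense{i}", pvid=vlan, members={BROADCAST_VLAN, vlan})
        for c in range(1, clients_per_domain + 1):
            sw.add_port(f"client{i}-{c}", pvid=BROADCAST_VLAN,
                        members={BROADCAST_VLAN, vlan})
    return sw


def dhcp_discover_reaches(sw, client):
    """Ports that see the client's broadcast DHCPDISCOVER (ingress VLAN 42)."""
    return sw.deliver(client)


def dhcp_offer_reaches(sw, pfsense):
    """Ports that see the pfSense's DHCPOFFER; broadcast or unicast, same bound."""
    return sw.deliver(pfsense)


def offers_seen_by(sw, client):
    """pfSense ports whose replies can reach `client`; the design needs exactly one."""
    return {p for p in sw.ports if p.startswith("pfsense") and client in sw.deliver(p)}


def gateway_reachable(sw, client, pfsense):
    """True only if frames flow both ways, i.e. ARP for the gateway would complete."""
    return pfsense in sw.deliver(client) and client in sw.deliver(pfsense)


if __name__ == "__main__":
    sw = build_lan_party_switch()
    for client in sorted(p for p in sw.ports if p.startswith("client")):
        print(f"{client}: offers from {sorted(offers_seen_by(sw, client))}, "
              f"gateway pfsense1 reachable: {gateway_reachable(sw, client, 'pfsense1')}")
```

The property worth re-checking on the real switch is `offers_seen_by`: if a client port is accidentally made a member of two local VLANs, that client receives two OFFERs and will take whichever arrives first, silently landing on the wrong gateway.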
You could also accomplish this using static-only DHCP entries for the machines on each firewall if you don't have VLAN-capable switches.
Yeah.
We did that at the last LAN party i helped organize.
But if you cannot get your guests to register their MAC before the party it's a pain in the ass…
People check in; someone has to go to their place and get their virus check and their MAC, go back to the check-in, add their MAC to the list at the correct place....
Maybe in the end too much of a hassle.