(SOLVED) OVPN Load Balance Review

  • Hi guys.

    With a pfSense with 2 WANs and a pfSense client with 2 WANs, is it possible to set up a load balance between both systems if I follow my diagram?


    Any comment or suggestion will be appreciated, thanks.

  • Rebel Alliance Developer Netgate

    If you have the OpenVPN interfaces assigned so they have gateways, then yes, you just set up a gateway group using the VPN gateways on the same tier. It is still only connection-based load balancing, though, so don't expect to get the full bandwidth of both WANs for a single transfer/stream.

  • Hi Jimp.

    One of my doubts is related to routes, because I have 2 ovpn servers on the same box, each on a different WAN, and the same on the client side.

    How do I manage my routes on each side?

    IPv4 Remote Network(s)

    Can I add the route on each ovpn created, or how does each box know how to route the traffic?

    Thanks for your help Jimp.

  • Rebel Alliance Developer Netgate

    You don't use routes, you policy route everything. With the interfaces assigned and rules only on the assigned interface tabs to pass, you can policy route from LAN to LAN and reply-to will handle the return traffic.

    You could use FRR and set up BGP or OSPF between the sites as well, but that's not usually necessary.

    I'd keep routes on one of the VPNs so the firewalls can talk to each other over the VPN, but then use policy routing and reply-to to get the rest.

    I tested, but it looks like both systems don't know how to route the traffic.

    I ran tcpdump on clients behind both networks and they receive the packets; the reply is received by the LAN interface and stops there.

    It looks like the GW-Group Tier created is not working.

    Once the LAN interface receives it, I had the policy to use the GW created with both

    Load Balance GW with the ovpn interfaces is working, because I can see traffic in both links.



    Communication between tunnels 10.0.0.x works.
    But the networks behind the pfSense boxes won't.

    Policy Routing is not working.

    What is missing...

    Thanks for your time.

  • Rebel Alliance Developer Netgate

    Make sure the OpenVPN firewall rule tab does not have any rules on it. Only on the assigned interface tabs.

  • Please confirm if I understand your point.


    Thanks Jimp.

  • Rebel Alliance Developer Netgate

    Yes, that should be right.

  • Jimp my hi5 to u, that was the trick.
    Now I will create a Load-Balance, FailOver1, FailOver2 for my connections.
    Thanks Jimp.
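
The fix that resolved this thread, sketched as pf rules for one side of the link. This is an added example, not taken from the thread and not pfSense's generated ruleset; every interface name, tunnel address and subnet in it is constructed. It shows why a pass rule on the OpenVPN group tab breaks return traffic: group rules are evaluated before the assigned-interface tabs and carry no reply-to.

```pf
# Hand-written pf.conf sketch; all names and addresses below are constructed.
lan_if     = "igb1"
lan_net    = "192.168.10.0/24"   # local LAN
remote_net = "192.168.20.0/24"   # LAN behind the other firewall
vpn1_if    = "ovpnc1"            # tunnel over WAN1, assigned as an interface
vpn1_gw    = "10.0.1.1"          # far end of tunnel 1
vpn2_if    = "ovpnc2"            # tunnel over WAN2, assigned as an interface
vpn2_gw    = "10.0.2.1"          # far end of tunnel 2

# --- Broken: pass rule on the OpenVPN group tab --------------------------
# The group rule matches first, so the state it creates has no reply-to.
# Replies from the LAN host then follow the routing table, which has no
# route for $remote_net, and never re-enter the tunnel they arrived on.
#
# pass in quick on openvpn inet from $remote_net to $lan_net keep state

# --- Working: rules only on the assigned interface tabs ------------------
# Each state records the tunnel it arrived on; reply-to sends the return
# traffic back out that same tunnel regardless of the routing table.
pass in quick on $vpn1_if reply-to ($vpn1_if $vpn1_gw) \
    inet from $remote_net to $lan_net keep state
pass in quick on $vpn2_if reply-to ($vpn2_if $vpn2_gw) \
    inet from $remote_net to $lan_net keep state

# --- LAN rule: policy route into the gateway group -----------------------
# Both tunnels on the same tier means round-robin per connection, so one
# stream still uses a single tunnel.
pass in quick on $lan_if \
    route-to { ($vpn1_if $vpn1_gw), ($vpn2_if $vpn2_gw) } round-robin \
    inet from $lan_net to $remote_net keep state
```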
