Is this configuration going to work? (multiple WANs and Captive portal)



  • Hi,
    I'm going to set up a temporary network for a LAN party with a maximum of ~150 users. The problem is that we are a little low on bandwidth to the internet, but I think we can get hold of two connections. That's when I set my eyes on pfSense, because I realized it had multiple WAN support (I use m0n0wall in other cases and was planning to use it in this one too).

    One of the connections is going to be a firm connection from the folks that we borrow the place from; it's 2/2 Mbit.
    The other we are going to get from a WLAN with a 24/1 ADSL connection at the other end, directly from an ISP.

    As you probably understand, I want to use some form of load balancing between them so we could have at least a surf-friendly connection. And from what I understand from the documentation, this will be no problem? We don't need any port forwards or anything like that. Both connections have DHCP assignment of IP addresses, but I think I can get a static one on the 2/2 if it's needed. Is this going to sort itself out, or do I have to point out a stack of rules and stuff before it works? Is it even possible to have two connections when both are going to be used for the same kind of traffic? What happens if one of the lines goes down?

    We would also like to use the Captive Portal function connected to an external RADIUS server. We have gotten this working with m0n0wall, so I think it's going to be the same under pfSense, am I right?

    One problem we have had earlier is that the WLAN adapter we used doesn't work with m0n0wall, so we had to plug it into the Windows server that we used for RADIUS and then make some "bridge", or whatever it's called, and then link it to the m0n0wall via TP cable. What I have understood is that pfSense is better than m0n0 at supporting WLAN cards, right? The adapter is a USB version from Netgear (I don't have the exact model in my head); could it work under pfSense, or is it hopeless for USB adapters?

    The problem is that if we have to run the WLAN through the Windows server, we would have the RADIUS on the WAN side of the pfSense, and I can imagine that could be a problem when using multiple WANs. Maybe if you could make some static route for that IP to take the right WAN connection, it will work?

    Is there something more I should think of before I start setting this up?

    I'm grateful for all the help I can get :)

    Sorry, I'm asking before I have tested it myself first, but I only have a few hours to get it up and running after we get inside the place before the guests arrive. And sorry for my bad English too. I didn't really know where to place the topic because it contained a little of both.

    //tofen



  • As pfSense is based on FreeBSD 6.1, it has support for a lot of wireless cards, though I recommend Atheros-based ones (most features and most tested with). However, I wouldn't use a USB NIC for several reasons (the most important one is that FreeBSD's USB stack has some issues atm, from my experience with several wired USB NICs). Get a PCI card based on an Atheros chipset and you should be fine.

    For load balancing to work you need static IPs or at least static gateways (DHCP might work with that then, at least I have some reports). You can set up a pool with both gateway IPs and can specify monitor IPs for link failure detection that will be polled every 5 seconds. If a monitor IP is unreachable, the gateway will be excluded from the pool until it becomes available again (see http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing for details).

    Load balancing can be used in combination with policy-based routing if needed (some web services, like https for example, don't like your client coming from different public IPs).

    The captive portal is a 100% copy from m0n0, so it should just work the same way as with m0n0.



  • Hi, thank you for your reply!

    Could be a little problem for me to get a new WLAN NIC, but I will try. Do you have any examples of Atheros-based cards? I know I have seen a list of them somewhere but I can't find it now :-\

    I have read the wiki link, and I think I understand most of it. I have a little problem understanding what the Monitor IP thing does. I understand that it has something to do with checking if the connection is up, but which IP I am going to put in there I do not understand.

    The thing with connections from different IPs I hadn't thought of earlier. This must be a huge problem for online games as well? Maybe I should skip the load balancing part and just set it up so all games go on one connection and http/https, ftp, IM, and so on go on the other? The problem is that it will take a lot of time and I don't really know how to do it.

    Is the Captive Portal part copied from the latest version of m0n0? I know that they have made a lot of changes to it recently.

    //tofen



  • http://madwifi.org/wiki/Compatibility has a list of supported cards.

    The captive portal is not the most recent version of m0n0. I think it should be from m0n0 1.21 (not 100% sure right now).

    The monitor IP should be from a hop near you. It could be the gateway IP itself but that might not make sense for your sdsl router as the provider probably gave you a router to use at your local end. In that case use the next hop (the gateway of this router, a tracert will tell you).

    Load balancing games will only be a problem for games that use a bunch of ports. In case the game only needs one port this will not be a problem, as the state will be kept on the WAN it was initiated on. However, there is some kind of hack (that I don't recall right now) to balance not connection-wise but IP-wise. This way the client will always stay on the same WAN, but the clients will be assigned to the WANs round-robin. Might not make too much sense with one WAN being 24 Mbit and the other 2 Mbit though.

    However, if you want to set it up with policy-based routing I would send dedicated ports to one WAN and all the rest to another one (like http, https, pop3, smtp, …) to wan1 and the rest (which then most likely will be games and all other apps) to wan2. This can be done with 2 single rules if using a ports alias.
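
The two-rule policy routing described in the post above, written out as a raw pf ruleset. This is an added example, not part of the thread and not the rules pfSense itself generates; interface names, gateway addresses, the LAN subnet and the exact port list are assumptions.

```pf
# Constructed example; every name and address is a placeholder.
lan_if    = "em0"
lan_net   = "10.0.0.0/24"
wan1_if   = "em1"
wan1_gw   = "192.0.2.1"        # first hop behind WAN1
wan2_if   = "em2"
wan2_gw   = "198.51.100.1"     # first hop behind WAN2

# The "ports alias": services pinned to WAN1 (http, https, pop3, smtp)
wan1_ports = "{ 80, 443, 110, 25 }"

# Each WAN translates to its own address; an established state stays on
# the WAN it started on, so a session keeps one public IP
nat on $wan1_if from $lan_net to any -> ($wan1_if)
nat on $wan2_if from $lan_net to any -> ($wan2_if)

# Default deny inbound on every interface; replies are admitted by state only
block in all
pass out on { $wan1_if, $wan2_if } keep state

# Traffic addressed to the firewall itself (DNS, portal page) is not policy-routed
pass in quick on $lan_if from $lan_net to $lan_if keep state

# Rule 1: aliased TCP ports leave via WAN1
pass in quick on $lan_if route-to ($wan1_if $wan1_gw) \
    proto tcp from $lan_net to any port $wan1_ports keep state

# Rule 2: everything else (games, other apps) leaves via WAN2
pass in quick on $lan_if route-to ($wan2_if $wan2_gw) \
    from $lan_net to any keep state
```

A file like this can be syntax-checked with `pfctl -nf <file>`, which parses the rules without loading them.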



  • Thanks for the list, I will look at it.

    Hmm, it's not so good that it's not the latest version. But I hope there will still be enough configuration opportunities.

    The games that will be played are mostly World of Warcraft and Counter-Strike (that's what the kids play most, I think ;)). Is there any way to see if these games take more than one port?

    "However, if you want to set it up with policy-based routing I would send dedicated ports to one WAN and all the rest to another one (like http, https, pop3, smtp, …) to wan1 and the rest (which then most likely will be games and all other apps) to wan2. This can be done with 2 single rules if using a ports alias."

    That's exactly what I was thinking of. Sounds quite easy to set up as well.

    The "monitor IP" thing I have to say I still don't understand (my bad English lets me down, I think). But say you have this order:

    "internet server" --> ISP --> modem/fiberconvertor (has no own IP) --> pfsense router --> Computers.

    If you could point it out on that scale, it will make things easier :)

    Thanks for your help //tofen



  • @tofen:

    The games that will be played are mostly World of Warcraft and Counter-Strike (that's what the kids play most, I think ;)). Is there any way to see if these games take more than one port?

    Check the game forums for these games, or run the traffic shaper and check the games you would like to see the ports for (if listed there). After the rules have been created, look at the traffic shaper rules for these games.

    @tofen:

    The "monitor IP" thing I have to say I still don't understand (my bad English lets me down, I think). But say you have this order:

    "internet server" --> ISP --> modem/fiberconvertor (has no own IP) --> pfsense router --> Computers.

    If you could point it out on that scale, it will make things easier :)

    Thanks for your help //tofen

    The monitor IP should be the first hop outside your location. In your example it's the first IP that is behind the modem/fiberconverter (the gateway of your pfSense which you entered at WAN).



  • I think I understand most of it now :). Thanks for the help.

