• Can pfSense do multi-WAN bonding via VPN?

    So for instance, say I had 2x 5 Mbit/s pipes at home but I wanted it to appear to the internet as a single 10 Mbit/s pipe (because although load balancing works in some situations, in others having multiple WAN IPs becomes problematic). Now obviously it would require something at the other end with sufficient bandwidth to send at the 2x 5 Mbit/s.

    Not sure I'm explaining it very well.

    Site 1 has 2x 5 Mbit/s connections.
    Site 2 has 1x 100 Mbit/s connection.

    VPN from site 1 > site 2, then site 2 > internet. The internet just sees the one WAN IP connected to the large 100 Mbit/s pipe, but in reality it gets load balanced across the 2x 5 Mbit/s pipes by the VPN concentrators, thus allowing a single-threaded transfer to the internet at site 1 to hit ~10 Mbit/s (the combined speed of the two smaller pipes; obviously some would be lost in overheads).

    I'm actually using load balancing at home (my connections are 20 Mbit/s down, 2.5 up), but it's my friend who's more interested than me, as he gets a lot lower speeds on his DSL lines (he lives a lot further from the exchange). I have a possible VPN end-point (my box in co-lo is on a 100 Mbit/s pipe; I'll have to double-check the provider's T&Cs, but I don't recall anything saying I can't use it as a VPN gateway).

  • You can do this with Zeroshell, or starting from scratch with a Linux box. I suppose it is doable with BSD as well. What needs to be done is not really complex.

    First you need two or more level-2 tunnels; you can use OpenVPN in tap mode, but the simpler Vtun is enough.

    Then you need to use the bonding driver to make the tunnel aggregation. If you are using the failover mode, then you can use bonding at one side and bridging at the other side.

    The bonding driver is not a simple thing: there are about 5 different modes, and documentation is a bit light. But it does work OK.

    You have the option to use ICMP or ARP monitoring for failover switching. This is selected in the bonding driver options. ARP monitoring can be very fast (settable). In my tests, I was able to switch from a failed link to a working link in about 40 ms. This is more than fast enough to keep telephony trunks up, with very little audio cut.

    This setup is the only one really working and fast enough for telephony failover without losing calls. Level-3 failover does not work because of the changing IP. BGP routing is even slower.

    The only drawback is that you need serious network knowledge and two boxes to do this. You can't directly use WAN interfaces; you need a bonding server somewhere on the Internet to make the aggregation.

    But if you are connecting two sites together, each one with a router box, this is the setup to use.

    You can also use level-2 hardware aggregation multi-WAN boxes, but the cost will be in the $10,000 range…
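    The procedure in the answer above (two layer-2 tunnels, then the bonding driver on top, with a plain bridge at the far end when only failover is wanted) as a worked script. This is an added example, not code from the thread or from Zeroshell/pfSense. The interface names (tap0, tap1, eth0), the 10.9.0.0/30 addressing, the 100 ms ARP interval and the 1400-byte MTU are assumptions for illustration; tap0 and tap1 are assumed to already exist, one per WAN, created by vtund or `openvpn --dev tap` on each side. `DRY_RUN=1` prints the ip(8)/iptables commands instead of executing them, so the script can be read and checked without root.

```shell
#!/bin/sh
# Added example (not from the forum thread): bond two layer-2 tunnels on Linux.
#
# Two bonding-driver modes matter for this thread:
#   balance-rr     round-robin: frames spread over both tunnels -> aggregated
#                  throughput (the 2x5 -> ~10 Mbit/s case); bond on BOTH ends
#   active-backup  one tunnel active, ARP-monitored failover in tens of ms;
#                  the far end can simply bridge the two taps instead of bonding
#
# Assumptions (illustrative): tap0/tap1 exist, bond subnet 10.9.0.0/30,
# site 2 reaches the internet through eth0. DRY_RUN=1 prints instead of runs.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# bond_setup BOND MODE ARP_TARGET SLAVE...
# ARP_TARGET is the far end's address inside the bond. The driver ARPs it
# every arp_interval ms and fails a slave that misses replies; this is the
# link-level monitoring the answer describes (no IP change, unlike L3 failover).
# arp_interval and miimon are mutually exclusive, so miimon is not set.
bond_setup() {
    bond=$1; mode=$2; target=$3; shift 3
    case "$mode" in
        balance-rr|active-backup) ;;
        *) echo "unsupported mode for tunnel bonding: $mode" >&2; return 1 ;;
    esac
    run ip link add "$bond" type bond mode "$mode" \
        arp_interval 100 arp_ip_target "$target"
    for s in "$@"; do
        run ip link set "$s" down            # a slave must be down to enslave
        run ip link set "$s" master "$bond"  # equivalent to: ifenslave $bond $s
        run ip link set "$s" up
    done
    run ip link set "$bond" mtu 1400         # leave room for the tunnel's UDP/PPPoE overhead
    run ip link set "$bond" up
}

# bridge_setup BR SLAVE...
# Far end for active-backup only: whichever tap is currently active carries
# the frames, and the bridge re-learns the MAC as soon as the monitor ARPs move.
bridge_setup() {
    br=$1; shift
    run ip link add "$br" type bridge
    for s in "$@"; do
        run ip link set "$s" master "$br"
        run ip link set "$s" up
    done
    run ip link set "$br" up
}

# Site 1 (two slow WANs): aggregate and push all traffic through site 2.
# Before switching the default route, the outer UDP of each tunnel must still
# leave via its own WAN (host routes / policy routing for the peer address).
site1() {
    bond_setup bond0 balance-rr 10.9.0.2 tap0 tap1 || return 1
    run ip addr add 10.9.0.1/30 dev bond0
    run ip route replace default via 10.9.0.2 dev bond0
}

# Site 2 (the 100 Mbit/s colo box): matching bond, then NAT to the internet so
# the outside world sees a single WAN IP.
site2() {
    bond_setup bond0 balance-rr 10.9.0.1 tap0 tap1 || return 1
    run ip addr add 10.9.0.2/30 dev bond0
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o eth0 -s 10.9.0.0/30 -j MASQUERADE
}

case "${1:-}" in
    site1) site1 ;;
    site2) site2 ;;
esac
```

    Two caveats worth knowing before expecting the full 10 Mbit/s: balance-rr delivers frames out of order when the two lines differ in latency, and TCP reacts to that reordering as if it were loss, so a single stream usually lands somewhat below the sum of the two links even after the tunnel overhead; and because both tunnels terminate on the same peer, each tunnel's outer UDP socket must be pinned to its own WAN (bind to that WAN's address and add a source-based `ip rule`), otherwise both tunnels ride the same DSL line and nothing is aggregated.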

  • My friend actually did manage it with Zeroshell, although I was just wondering about pfSense as I'm already running it. ;)

  • pfSense 2.0 should be able to do this, but it is in alpha state. So you'll need two or three years, perhaps more, to get those advanced functions fully tested inside pfSense 2.0, as very few users are testing them.

    It is not only a pfSense debugging problem, because the OS supporting those functions needs to be clean as well.

    When we see that NAT masquerading is still not working correctly inside Linux in some situations, it is important not to trust a system directly before having good knowledge of its capabilities.

    When using high-availability tools, they need to be fully reliable, or the result will be less reliable than using standard tools. This is the main problem with advanced tools.

  • Do any of you know how to actually do it in Zeroshell? All the guides are only written for the case where you have Zeroshell on both ends. I just have it on one end, and I'm trying to get it to work with OpenVPN/Vtun and ifenslave... If you know how to do it, please help me!