Netgate Discussion Forum

    WAN Load balancing - Firewall Disabled

    Routing and Multi WAN
    6 Posts 3 Posters 501 Views
    • Zeds

      I am running pfSense as a routing-only platform. To clarify, I have enabled "Disable all packet filtering" under the System->Advanced->Firewall & NAT section of the config.

      I created a gateway group with multiple gateways, all on the same tier, but load balancing does not seem to occur. Failover seems to work fine.

      I read through the documentation and I think it's saying that load balancing is a function of the firewall engine.

      I'm looking for verification of that and to understand, if that is the case, whether there is any way to do gateway load balancing with the firewall disabled.

      • jimp Rebel Alliance Developer Netgate

        Policy routing, load balancing, etc. all require pf. You can't do those with pf disabled.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • Zeds

          I did some testing and can get a little over 9gbps through it with pf disabled (on 10gbps links).

          If I enable pf and add bidirectional any/any allow rules, what kind of overhead should I expect to see?

          Also, with enabling pf, which settings and features would I want to disable to make it the least firewally?

          I like the idea of some of these features, but want it to feel more like a router than a firewall.

          • johnpoz LAYER 8 Global Moderator

            @Zeds said in WAN Load balancing - Firewall Disabled:

            but want it to feel more like a router than a firewall.

            Kind of what TNSR is for - high speed routing..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • jimp Rebel Alliance Developer Netgate

              The overhead could be significant but it entirely depends on your hardware so there isn't any hard and fast set of rules/percentages to estimate it.

              As for what you would need to add or disable, just add rules to pass anything you need in and out, and make sure you disable outbound NAT. Otherwise things should be just about the same whether or not pf is enabled or disabled.

              • Zeds

                Just to close the loop on this - I re-enabled pf with any/any inbound and outbound with NAT disabled and have not found any resulting issues.

                From a performance perspective, I saw about a 50% performance hit in throughput. Luckily, I'm running this instance as a VM so by adding a second core to this instance, I'm back to near wire speed with pf running.

                ESXi 7 on AMD Ryzen 5 3600 CPU if anyone is interested.

                Thanks for the replies on this.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
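
A sketch of the setup the thread settles on, in classic FreeBSD pf syntax: a gateway group amounts to a `route-to` pool attached to a pass rule, which is why load balancing cannot happen with pf disabled. This is an added example, not taken from the thread or from pfSense's generated ruleset; the interface names and addresses are placeholders.

```pf
# Illustrative pf.conf fragment (constructed for this example).
# Interface names are hypothetical; addresses are documentation ranges.
lan_if  = "ix0"
wan1_if = "ix1"
wan2_if = "ix2"
wan1_gw = "192.0.2.1"
wan2_gw = "198.51.100.1"

# No nat or rdr rules are defined, which corresponds to disabling
# outbound NAT: packets are forwarded with their addresses unchanged.

# Load balancing: new connections arriving on the LAN interface are
# assigned to the two gateways in turn. route-to is an option on a pf
# rule, so it only takes effect while pf is evaluating rules. "quick"
# stops evaluation here; without it the later "pass in all" rule would
# be the last match and the route-to pool would be ignored.
pass in quick on $lan_if \
    route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin \
    from any to any keep state

# The any/any rules from the thread: everything else passes in both
# directions. State is still tracked, which is part of the overhead
# compared with running with pf disabled.
pass in  all keep state
pass out all keep state
```

With only pass rules loaded the box filters nothing, so anything reachable through it, including its own management interface, has to be protected elsewhere.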