Multi-WAN Question

  • Greetings,

    I have noticed a lot of people have been asking questions about how to set up load-balancing.

    Now, im looking at doing it slightly differently.
    I have 2 modems (Diff ISP, Diff Gateway etc etc)
    Both are set at 20mbit

    Is there a way I can Bridge the 2 together, so essnetially i get a 40mbit connection.
    Even if this requires me to setup something on the internet side (Past my ISP's, like a 3rd party VPN, etc etc)
    I would like to know how, because this is something I would really like to do, the cost of doing it, isnt so much of a problem, but I would like done.

    Is there any possible way someone could go through this with me, on how to setup pfsence, to do it this way, and if i would require a 3rd party device outside of my ISP's

    Thanks in advance

  • To the best of knowledge i don't think you can achieve that.

  • What are your goals here? Load balancing isn't all that hard to set up, but it does have some limitations and I can't tell if you're asking if there is a way to overcome them or not.

    Built-in to pfSense is the functionality to send each independent TCP connection through a different WAN. That means that each individual connection will be limited to the single-link speed, but if you have a large number of connections, overall utilization will be decent. For most applications though, this is fine as it offers failover and increased performance for common workloads (lots of users accessing the internet).

    If you're going for a single connection with 40mbit though, this isn't achievable using pfSense, or any other router for that matter (at least with different ISPs, anyway). There is a potential hacky solution, but I think it would be easier to implement using Linux or a bare FreeBSD install:

    a) Run an external server with at least 3 static IPs and 40mbit of bandwidth
    b) Set up OpenVPN in bridging mode on 2 of the IPs
    c) Set up static routes to send traffic to each of the IPs out a separate WAN
    d) Use link aggregation to trunk the two links into a single 40mbit link

    Potentially simpler would be to use EoIP instead of an OpenVPN bridge, but the topology would be similar.

    This has limitations of its own (the two separate routes with different latency etc. could cause strange behaviour and possibly reduced performance, among other issues), is costly and easy to screw up, but in theory it should work.

  • I've Looked into Link aggregation, and this seams to be the more appropriate choice for me, (other then the VPN solution and bridging the 2 connections together, which im still kinda stuck on in getting working)

    Would pfSence 2.0 support link aggregation yet, or is it still a planned feature thats not yet implimented (if its planned at all) ?

    I ask because, I dont particually care too much about failover, its for my home connection, and both connections have been on for a year with 0 downtime, im more interested in the speed I could be getting from utilising both connections

  • Link aggregation only works if the two connections are on the same layer-2 network segment. It can't be used to span providers, and even on a single provider, most DSL/Cable ISPs won't support this configuration. About the only exception is that some PPPoE-based DSL ISPs can do ML-PPP aggregation (I know of at least one in eastern Canada). Either way, both connections would have to be on the same ISP and probably terminated at the same CO.

  • So my only other real option is OpenVPN… I figured this would prolly be my only option, but I laid in hope.

    Essentially could i do this in pfsence, and what sort of NAT problems could I run into, me and the mrs play XBox Live a lot, and well without full control over an IP, its pretty pointless.

    Could I run something on the OpenVPN host, to allow me full control over the IP I want to use, etc etc.

    Do you have any example config files I could use for OpenVPN in order to make this as (lets say) simple as possible, im a complete noob with OpenVPN, ive only ever toyed with it, and well, im not sure on what im doing

    Another question, would the tap/tun connections have to be bridged at both ends of the tunnel, or just at mine/hosts end?

  • In the proposed configuration youd probably want to bridge the endpoint onto an actual NIC, and then assign a public IP from that network to your home gateway. Or do some kind of 1:1 NAT or something similar instead, but that would be easiest.

    I dont think youd have to actually bridge the tunnel onto a physical network, but you would have to run OpenVPN in bridge mode so that the two links could be aggregated. In fact, since you want to aggregate them, youd specifically *not* want to bridge them onto a physical network because youd want to aggregate them.

    There are a lot of complications in getting this working though, and I haven`t done it (nor do I have a setup where I can try it out), but it should work in theory. You may look to the Mikrotik bulletin boards as apparently some users there have done it using EoIP layer-2 tunnels instead of OpenVPN, but the basic idea is very similar.

  • The problem i have with the EoIP function, is the servers I have access to are all linux based with other stuff running on them, by the looks of things, I would have to have there OS installed on both sides of the network in order for it to function properly.

  • It was just a suggestion so you can get a better idea of how such a setup would work. OpenVPN layer-2 tunnels server the same basic purpose and work similarly to the EoIP tunnels used there. AFAIK the Mikrotik OS is Linux-based anyway.

    It's not in the Linux trunk, but there is a module available for RFC 3378 (EoIP) support here

Log in to reply