Multi WAN with wireguard confused

gwaitsi

I have two access providers;

1. Local Provider 120/60Mbit/s - Fibre RTT 4.8ms RTTsd 0.6ms

• speedtest results = 121/61Mbit/s
• speedtest via ExpressVPN = 101/51Mbit/s RTT 14.9ms RTTsd 2.5ms
• ProtonVPN Wireguard = 115/59Mbit/s RTT 4.6ms RTTsd 0.7ms

2. Vodafone 250/50Mbit/s - Cable RTT 13.1ms RTTsd 1.6ms

• speedtest results = 262/53Mbit/s
• speedtest via ExpressVPN = 232/43Mbit/s RTT 25.8ms RTTsd 1.9ms
• ProtonVPN Wireguard = 115/59Mbit/s

I don't see how to tell wireguard which access to use.
I guess it is the default gateway no?
If that is correct, then in scenario 1) there would appear
to be a slight performance benefit from wireguard right?

I have two WAN gateway groups and two VPN gateway groups configured as Tier 1 + 2 based on Member Down

Primary: WAN1 + WAN2 (VPN1 + VPN2)
Secondary: WAN2 + WAN1 (VPN2 + VPN1)

I am trying to figure out which is the most optimal configuration, when I set the gateways as follows;

• PCs, Internal WiFi and Work PCs -> Primary
• Multi-Media i.e. TVs, etc -> Secondary

Dobby_

• Built a Gateway group with Tier1 and Tier2.
• Set the Ratio 1 for 120/60 and Ratio 2 for 250/50
• Setup load balancing with failover rules
• Choose load balancing method;
• Session based load balancing
• Service based load balancing
• Policy based load balancing

WAN - is WAN
DMZ - for all the multimedia things such as smart TV,
gaming console, internet radio, web server, mail server,...
LAN - VLAN for servers VLAN for PCs
WiFi - WiFi network, can be a LAN port from pfSense or
a WiFi card internal depending on what you run
WiFi VLAN for privat (family) - radius certificates
WiFi VLAN for friends - radius certificates or vouchers
WiFi VLAN for other guests - vouchers over sms

Inside of the VLANs you may tray out traffic shaping
and over the VLANs together you may work with QoS
rules. But all depends on the other network equipment
in the LAN.

gwaitsi

@dobby_ I had load balancing previously, but was having issues with different services. from memory i.e. was related to split paths causing issues with apps. I think from memory, it was because openvpn didn't like the balancing and i put everything over the vpn with only some exceptions

That is why I adopted a dual failover type setup and just directed traffic to either primary or secondary based on importance.

I switched the default route to the secondary (vodafone) and protonwireguard still gives me only 115Mbit/s, so it seems the limitation is for proton.

Dobby_

@gwaitsi

It can be that proton is doing traffic shaping on their side for all customers.

having issues with different services

service based load balancing could be then do the trick
for you.

gwaitsi

protonvpn say they don't have any bandwidth limitation, how can i be sure which wan access the tunnel is going over?

gwaitsi

@dobby_ tried putting load balancing back. Before doing it;

• i confirmed in the docs, that the wireguard tunnel goes through the default gateway
• i speed tested the local provider net at 115Mbit/s
• i speed tested the vodafone at 232Mbit/s
• i then set the priority to 1 on the 100Mbit local provider and 2 on the 250Mbit vodafone connection.
• i set the default gateway as the load balance gateway group (with both wan having tier 1 )

with the load balancing, i get a significant drop in the speed.
65Mbit using speedtest.net
47Mbit using speedtest.vodafone

gwaitsi

@dobby_ did as you suggest.

• setup load balancing on the wans again with the ratio you suggested.
• setup wireguard as primary vpn with failure over to openvpn.

So far, so good.

Next challenge.
How to setup multiple wireguard tunnels to different access points with protonvpn.
I want to phase out expressvpn, and also run an independant vpn for my TVs to get the country programming of choice, as opposed to the general access to have the best performance.

Bob.Dig

@gwaitsi said in Multi WAN with wireguard confused:

How to setup multiple wireguard tunnels with protonvpn.

Isn't proton using the same ip configuration for every tunnel? With that you can not have more than one tunnel reliably with pfSense, at least to my knowledge.

gwaitsi

@bob-dig i think so.
The end point address is different, but the interface is 10.2.0.2 i believe.
so i probably have to migrate the expressvpn to nordvpn if i want to use wireguard and phase out openvpn

Bob.Dig

@gwaitsi They might have the same problem and also I am not sure if they made Wireguard outside of their app accessible.

gwaitsi

@bob-dig I will use wireguard as the primary with failover to openvpn and setup a setup openvpn to deal with the country exception. shame, seems wireguard does perform better on the same h/w are access