Netgate Discussion Forum

    Bandwidth segregation needed (and not load balance or fail over)

    Category: Routing and Multi WAN
    9 Posts 2 Posters 784 Views
    • richardsago

      We successfully tested load balancing and failover for the new WAN2. But for some devices under VLAN30 and all devices under VLAN40 we configured them for bandwidth segregation only, with no load balancing and no failover. But load balancing (or failover) is still being done on those devices. Can you please help me see where I'm doing things wrong? These are the settings:

      The groups under the different VLANs are allocated bandwidth based on their "IN / OUT PIPE" values in the firewall rules, using the traffic limiter.

      WAN1 has a static IP through fiber, with Block private networks and bogon networks checked.

      • is used for Online Classes, Faculty, and Staff
      • lower bandwidth than WAN2 but has better latency

      WAN2 has a static IP through Starlink, with Block private networks and bogon networks checked.

      • is used for Students, Family Members, and Guests
      • these devices should not load balance or fail over to WAN1 because the bandwidth allocated to WAN1 (for things like the Online Classrooms) is needed in the business
      • the problem is that these devices (Students, Family Members, Guests) load balance (or fail over) to WAN1

      System > Routing > Gateways

      • NAME | GATEWAY | MONITOR IP
      • WAN1 | <WAN1's gateway IP> | 8.8.8.8
      • WAN2 | <WAN2's gateway IP> | 8.8.4.4

      System > Routing > Gateway Groups
      Trigger Level: "Packet Loss or High Latency" for all three gateway groups below:

      • GROUP NAME | GATEWAYS | PRIORITY
      • loadbalance | WAN1 | Tier 1
      • loadbalance | WAN2 | Tier 1
      • failover1 | WAN1 | Tier 1
      • failover1 | WAN2 | Tier 2
      • failover2 | WAN1 | Tier 2
      • failover2 | WAN2 | Tier 1

      System > General Setup > DNS Server Settings
      I used 8.8.8.8 under WAN1 and 8.8.4.4 under WAN2 (same as System > Routing > Gateways) because I saw on YouTube that the DNS servers should be consistent with the Monitor IP under Gateways.

      • DNS SERVERS | GATEWAY
      • 8.8.8.8 | WAN1
      • 8.8.4.4 | WAN2
      • <DNS IP 1 FROM ISP 1> | WAN1
      • <DNS IP 2 FROM ISP 1> | WAN1

      System > Advanced > Miscellaneous
      check mark on 'Use sticky connections' <--did not uncheck after load balancing tests

      Firewall Rules > Floating (no entries)

      Firewall Rules > WAN1 (nothing except system's block private networks and bogon networks)

      Firewall Rules > WAN2 (nothing except system's block private networks and bogon networks)

      Firewall Rules > LAN (nothing except system's Anti-Lockout Rule for Destination LAN Address of Ports 443 and 80) <-- has zero bytes and packets

      The "IN / OUT PIPE" values in the VLAN rules below are for use in traffic limiter

      Firewall Rules > VLAN10 (Faculty)

      • ADDRESS FAMILY : IPv4
      • PROTOCOL : Any
      • SOURCE : <alias of Faculty IP Addresses>
      • DESTINATION : any
      • GATEWAY : failover1
      • IN / OUT PIPE : QVLAN10_FUpload / QVLAN10_FDownload

      Firewall Rules > VLAN10 (Staff)

      • ADDRESS FAMILY : IPv4
      • PROTOCOL : Any
      • SOURCE : <alias of Staff IP Addresses>
      • DESTINATION : any
      • GATEWAY : failover1
      • IN / OUT PIPE : QVLAN10_SUpload / QVLAN10_SDownload

      Firewall Rules > VLAN30 (Untrusted Device)

      • ADDRESS FAMILY : IPv4
      • PROTOCOL : Any
      • SOURCE : <alias of Untrusted Device IP Addresses>
      • DESTINATION : any
      • GATEWAY : failover2
      • IN / OUT PIPE : QVLAN30_UDUpload / QVLAN30_UDDownload

      Firewall Rules > VLAN30 (Family Members and Guests) <--this has problem

      • ADDRESS FAMILY : IPv4
      • PROTOCOL : Any
      • SOURCE : <alias of Family Members and Guests IP Addresses>
      • DESTINATION : any
      • GATEWAY : WAN2
      • IN / OUT PIPE : QVLAN30_GuestUpload / QVLAN30_GuestDownload

      Firewall Rules > VLAN40 (Students) <--this has problem

      • ADDRESS FAMILY : IPv4
      • PROTOCOL : Any
      • SOURCE : <alias of Student IP Addresses>
      • DESTINATION : any
      • GATEWAY : WAN2
      • IN / OUT PIPE : QVLAN40_Upload / QVLAN40_Download

      We encounter a problem with the last two entries above (VLAN30 Guests and VLAN40 Students) because they still get internet access even when WAN2 is turned off and the VLAN30 Guest or VLAN40 Student computer is restarted. Thank you in advance for the help.

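As an added example (not from the thread, the poster, or Netgate), here is the check that shows directly whether a rule is still policy-routed. On pfSense, `pfctl -sr` prints the ruleset as actually loaded into pf: a policy-routed firewall rule appears with a `route-to (interface gateway)` clause (or a `{ ... } round-robin` pool for a gateway group), and a rule loaded without `route-to` hands its traffic to the default route, which with "Default gateway IPv4" set to Automatic can be WAN1. A caveat worth knowing alongside the thread's fix: unless "Skip rules when gateway is down" is enabled under System > Advanced > Miscellaneous, pfSense loads a rule whose gateway is down without that gateway, which would produce exactly the symptom described in the first post. The script below parses constructed lines that imitate `pfctl -sr` output and flags, for sources that must only use WAN2, any loaded rule that has no `route-to` or whose `route-to` points at another gateway. The interface names (igb0.30, igb0.40, igb0.10, igb1, igb2), the `<Guests>`/`<Students>`/`<Faculty>` alias names and the 198.51.100.1 (WAN2) and 203.0.113.1 (WAN1) gateway addresses are assumptions.

```python
"""Audit a loaded pf ruleset (the text printed by `pfctl -sr` on pfSense)
for policy-routing leaks: rules for sources that must only use WAN2 but are
loaded without a route-to clause (they then follow the default route) or
with a route-to pointing at another gateway."""
import re

# Constructed sample imitating `pfctl -sr` output; not captured from the
# poster's firewall. Interfaces, aliases and gateway IPs are assumptions:
# igb1 203.0.113.1 = WAN1 gateway, igb2 198.51.100.1 = WAN2 gateway.
SAMPLE_RULESET = """\
pass in quick on igb0.30 route-to (igb2 198.51.100.1) inet from <Guests> to any flags S/SA keep state label "USER_RULE: Family Members and Guests" dnpipe(3, 4)
pass in quick on igb0.40 inet from <Students> to any flags S/SA keep state label "USER_RULE: Students" dnpipe(5, 6)
pass in quick on igb0.10 route-to { (igb1 203.0.113.1), (igb2 198.51.100.1) } round-robin inet from <Faculty> to any flags S/SA keep state label "USER_RULE: Faculty"
pass in quick on igb0.40 route-to (igb1 203.0.113.1) inet from <Students> to any flags S/SA keep state label "USER_RULE: Students via WAN1" dnpipe(5, 6)
"""

# Sources that must leave only via the WAN2 gateway (assumed address).
WAN2_GW = "198.51.100.1"
PINNED = {"<Guests>": {WAN2_GW}, "<Students>": {WAN2_GW}}

RULE_RE = re.compile(
    r"^pass\s+in\s+quick\s+on\s+(?P<iface>\S+)\s+"
    r"(?:route-to\s+(?P<rt>\([^)]*\)|\{[^}]*\})(?:\s+round-robin)?\s+)?"
    r"inet\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
)
GW_RE = re.compile(r"\(\s*(\S+)\s+([0-9a-fA-F.:]+)\s*\)")
LABEL_RE = re.compile(r'label "([^"]*)"')


def parse_rule(line):
    """Return iface/src/dst/gateways/label for a pass-in rule, else None."""
    m = RULE_RE.match(line)
    if m is None:
        return None
    label = LABEL_RE.search(line)
    return {
        "iface": m.group("iface"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        # route-to holds one (if gw) pair, or a { ... } pool for a group
        "gateways": [ip for _, ip in GW_RE.findall(m.group("rt") or "")],
        "label": label.group(1) if label else "",
    }


def audit(ruleset_text, pinned):
    """Return (source, issue, label) for every pinned source whose loaded
    rule can reach a gateway outside its allowed set."""
    findings = []
    for line in ruleset_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["src"] not in pinned:
            continue
        allowed = pinned[rule["src"]]
        if not rule["gateways"]:
            # No route-to: pf hands the packet to the default route.
            findings.append((rule["src"], "NO_ROUTE_TO", rule["label"]))
        else:
            leaked = sorted(set(rule["gateways"]) - allowed)
            if leaked:
                findings.append(
                    (rule["src"], "LEAKS_TO:" + ",".join(leaked), rule["label"])
                )
    return findings


if __name__ == "__main__":
    for src, issue, label in audit(SAMPLE_RULESET, PINNED):
        print(f"{src:12} {issue:28} {label}")
```

To use it on a real box, run `pfctl -sr > ruleset.txt` from Diagnostics > Command Prompt or an SSH shell, feed the file to `audit()` with the real alias names and WAN2 gateway address, then disconnect WAN2 and repeat: if the students or guests rule comes back without its `route-to`, that rule, not the VLAN layout, is what is letting the traffic reach the default gateway.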
      • greenlight @richardsago

        @richardsago hi

        what is your default gateway group?

        • richardsago @greenlight

          hi @greenlight

          The gateway group does not have a checkbox to let me choose which of the three gateway groups will be the default. But at the bottom of the Gateways tab there's "Default gateway IPv4" with a value of "Automatic". At the top of the Gateways tab there's a listing of gateways and WAN1 has the icon of the default gateway, but I think that this can switch to WAN2 if WAN1 becomes disconnected. My pfSense version is 2.5.0-RELEASE.

          • richardsago @richardsago

            hi @greenlight

            The "Default gateway IPv4" was changed to "Automatic" yesterday. I think it used to be "WAN1", but I did not keep track, so it could have had the value "loadbalance" or "failover1". There's a "None" value as a choice in the "Default gateway IPv4" dropdown list. Should I choose "None"?

            • greenlight @richardsago

              @richardsago As far as I understand, you want to stop some VLANs from accessing the Internet at certain times. So, will they access the network and go online during these times? Or will they not be able to access the network and the internet at the same time?

              • greenlight @richardsago

                @richardsago I also want to ask this. Do you want the internet to be cut off when WAN2 goes down, or do you want to manually turn off WAN2 and prevent the devices from accessing the internet?

                • richardsago @greenlight

                  hi @greenlight

                  The "VLAN30 Guests" and "VLAN40 Students" will have internet access at all times but will only get internet access through WAN2. If WAN2 access goes down they should not get internet access from WAN1. This is because WAN1 bandwidth is not that high and it will be used in online classes.

                  • greenlight @richardsago

                    @richardsago I'm not sure, but it may be using the settings of the parent interface used by the VLAN to connect to the internet. You can also try creating a rule on the parent interface.

                    • richardsago @greenlight

                      hi @greenlight

                      I tried setting 'Default gateway IPv4' from 'Automatic' to 'None' and it seemed to fix the issue. I will observe more and update this post if it does not really fix the issue. Thank you, I got the idea from your question earlier.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.