Dual pfSense setup.



  • Hi,

    Perhaps I am too ambitious, but here goes.

    My goal is to load balance across 4 ADSL lines, use a captive portal (to a free FreeRadius box) and use traffic shaping to restrict p2p.

    As traffic shaping only works on one WAN, I decided to use one box (let's call that gateway) to do the load balancing and captive portal. This works perfectly. Its LAN IP is 192.168.1.10. This is running as a DHCP server starting and ending on 192.168.1.20. This seemed to be necessary as the DHCP added a required route.

    Next I added another pfSense box (let's call that shaper) on my new LAN, with a view to this box performing the traffic shaping. To make life easier I am trying to keep to one LAN range, so shaper's WAN IP address is 192.168.1.20 and its LAN is 192.168.1.30. This also runs as a DHCP server starting with 192.168.1.21. At this point there are no shaping rules set up on the shaper. The firewall, with and without NAT, has been turned on and off.

    Shaper can resolve DNS and successfully ping public URLs (as of course can the Gateway).

    My next goal is to get a client of shaper to reach the outside world. The client can ping the LAN IP of gateway but can't ping a WAN IP of the Gateway.

    Now, am I being too ambitious and asking pfSense to do the impossible or can anyone give me some pointers?

    Stuart



  • @stfi:

    As traffic shaping only works on one WAN, I decided to use one box (let's call that gateway) to do the load balancing and captive portal. This works perfectly. Its LAN IP is 192.168.1.10. This is running as a DHCP server starting and ending on 192.168.1.20. This seemed to be necessary as the DHCP added a required route.

    Next I added another pfSense box (let's call that shaper) on my new LAN, with a view to this box performing the traffic shaping. To make life easier I am trying to keep to one LAN range, so shaper's WAN IP address is 192.168.1.20 and its LAN is 192.168.1.30. This also runs as a DHCP server starting with 192.168.1.21. At this point there are no shaping rules set up on the shaper. The firewall, with and without NAT, has been turned on and off.

    It somehow looks like the gateway box as well as the shaper box has the same subnet at all interfaces (192.168.1.0/24?). This won't work. You need to set up non-conflicting routing. Btw, where are the additional WANs? As far as I understand your setup you can handle everything with one pfSense.
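A check of the subnet layout hoba describes, as an added example that is not part of the thread: it flags any router whose interfaces share a network, using a constructed copy of Stuart's addressing (the /24 masks, the gateway's WAN addresses and the 192.168.2.0/24 fix are assumptions), and shows the return route the gateway needs when the shaper does not NAT.

```python
from ipaddress import ip_interface
from itertools import combinations

# Constructed from the thread: the gateway's LAN and both shaper interfaces
# were all placed in 192.168.1.0/24. A /24 mask is an assumption (the posts
# give only addresses) and the gateway's ADSL WAN addresses are placeholders.
BROKEN_SETUP = {
    "gateway": {"WAN1": "192.0.2.10/24",      # placeholder ADSL address
                "WAN2": "198.51.100.10/24",   # placeholder ADSL address
                "LAN": "192.168.1.10/24"},
    "shaper": {"WAN": "192.168.1.20/24",      # handed out by gateway's DHCP
               "LAN": "192.168.1.30/24"},     # same subnet as its own WAN
}

# Same layout with the shaper's LAN moved to its own subnet, so each router
# has one distinct network per interface (chosen here, not in the thread).
FIXED_SETUP = {
    "gateway": dict(BROKEN_SETUP["gateway"]),
    "shaper": {"WAN": "192.168.1.20/24", "LAN": "192.168.2.1/24"},
}


def find_subnet_conflicts(boxes):
    """Return [(box, iface_a, iface_b), ...] for interface pairs on the same
    router whose networks overlap. A router cannot route between two
    interfaces that share a subnet, which is what broke the shaper."""
    conflicts = []
    for box, table in boxes.items():
        ifaces = [(name, ip_interface(addr).network)
                  for name, addr in table.items()]
        for (name_a, net_a), (name_b, net_b) in combinations(ifaces, 2):
            if net_a.overlaps(net_b):
                conflicts.append((box, name_a, name_b))
    return conflicts


def return_route_needed(boxes, downstream, lan_if="LAN", wan_if="WAN"):
    """Without NAT on the downstream box, the upstream box needs a static
    route for the downstream LAN via the downstream box's WAN address.
    Returns (destination network, next hop) as strings."""
    next_hop = ip_interface(boxes[downstream][wan_if]).ip
    dest = ip_interface(boxes[downstream][lan_if]).network
    return str(dest), str(next_hop)


if __name__ == "__main__":
    print("broken:", find_subnet_conflicts(BROKEN_SETUP))
    print("fixed:", find_subnet_conflicts(FIXED_SETUP))
    print("gateway static route:", return_route_needed(FIXED_SETUP, "shaper"))
```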



  • @hoba:

    It somehow looks like the gateway box as well as the shaper box has the same subnet at all interfaces (192.168.1.0/24?). This won't work. You need to set up non-conflicting routing. Btw, where are the additional WANs? As far as I understand your setup you can handle everything with one pfSense.

    Thanks for the fast reply.

    You are right, all interfaces (except the gateway's WAN) have the same subnet. This was a desperate attempt late last night.

    The gateway box has a 4 port NIC for the 4 ADSL WANs (OPT1,2,3 if you prefer) and a single port NIC for the LAN. The shaper has two single port NICs.

    As a one-box solution it all worked fantastically well until I tried traffic shaping. This, as I currently understand, only works between the LAN and one WAN, hence the introduction of box two. Am I mistaken? Hopefully I am, as a one-box solution would be easier to maintain.



  • Yes, you can only shape between 2 interfaces. However the problem with your setup is the following:
    If you shape at the LAN side of the gateway box you can only shape the overall bandwidth of all WANs of the gateway box. So let's say each WAN has 1 mbit/s up and down to keep it simple for calculation. This means your overall upstream is 4 mbit/s. Now your shaper lets a single connection go out with 4 mbit/s. Now that single connection can only use 1 WAN at the same time, so it will max out the line at 1 mbit/s though it is allowed to use 4 mbit/s at the shaper box. This will overload 1 line whereas the other 3 lines are still idle. It won't work efficiently in that scenario. To make this work with multiple boxes you would need one gateway and 4 shapers at each WAN of the gateway. This is an ugly setup and I agree to that, however it's the only way to do this right with multiple boxes. I have played around with custom shaper rules and a 2 WAN, 1 LAN setup but haven't managed to get it working the way I wanted it to work. However there are people reporting some kind of success with custom rules and multiple WANs. We'll hopefully have a multi interface shaper after 1.0 is out but traffic shaping gets pretty complex when using multiple interfaces so there is no timeframe for that feature yet.

