Dual wan and failover with dynamic ip address



  • Hello, I have two ADSL connections with dynamic IP addresses. They use PPPoE and my pfSense has 3 NICs, WAN (ADSL 1) and OPT1 (ADSL 2). Can anyone tell me if it is possible to set up a dual WAN failover with dynamic public IPs? My ISP gives me a different public IP every time I connect.
    I can make my ADSL modem make the connection and give me a private IP on each WAN and redirect all the WAN traffic from each modem to that private IP (NAT).
    Thanks in advance.



  • You can load balance the lines if you use the modems as routers (you need static gateways for the IPs) and it will detect if a link is down and exclude it from the pool. However a failover from one interface to the other (use WAN1 and only if it's not working move to WAN2) is not yet possible, though it's already being worked on in our development tree.



  • I've been reading on in the forum. The two ADSL lines are from the same provider, and each WAN will have private IPs, say
    lan: 192.168.1.1 / 24

    wan: 10.0.0.2 / 30
    gw: 10.0.0.1 / 30 (adsl router)

    opt1: 10.0.1.2 / 30
    gw: 10.0.1.1 / 30 (adsl router)

    When I make the load balancer, what should I put as the listen IP (can it be the DNS server?) or should it be the private IP address of each connection?

    The other question is, what will happen with all the traffic that is going through the failed connection? Will it start going out the other one that is still active?



  • You should use a gateway behind your modemrouters. If a ping to that IP fails the link is considered down. Monitoring IPs have to be unique btw. Links will be polled every 5 seconds. Already established connections through that link will stall but the reconnection will go out the next wan that is up.



  • Thanks hoba. I'll try it out and tell you how it goes.
    I have a last question: when one of the links that went down comes up again, will it automatically start load balancing again with every new connection? The established connections will remain on the link that did not fail, is this correct?
    Thanks for everything



  • Yes, links are dynamically included and excluded when they become available/unavailable within the next 5 seconds.



  • Newbie here, please be gentle on me!  :D
    I've installed PFSENSE 1.0 release, and your software is the answer to all my needs in a firewall!

    I'm trying to set up a dual WAN, one ISP is static ADSL and one is ADSL via PPPoE.
    Both WANs are functional now in my PFSENSE, routing some ports to WAN1 and others to WAN2.
    I wanted to do load balancing with failover, so here it goes.
    I've read that static IPs are needed to do load balancing, so my problem is my PPPoE ADSL account.
    I'm using a modemrouter for that PPPoE account, set to bridge mode.
    As I had read from previous posts, I set the modemrouter to routing mode so that PFSENSE can get a static IP for WAN.
    Here are my configs:

    ISP--- (203.172.x.x via PPPoE)modem router(192.168.1.2)
                                                                    |
                                                                    |
                                                          (192.168.1.3)WAN1(192.168.1.1)------------PFSENSE

    What rules do I have to set in PFSENSE (or maybe in my modemrouter) so that I can access the web via WAN1? I can't do web browsing if I set WAN1 as static IP, unlike when it is set to PPPoE.

    Thanks in advance.



  • Do you always get the same IP from the PPPoE dialin? If yes you don't need the "use modem as default static gateway" trick.

    If no, it should work. However I don't understand your ASCII diagram. Looks like you used 192.168.1.x addresses at your WAN. Make sure this doesn't conflict with your LAN subnet (192.168.1.1/24 is the default LAN subnet after installation).

    Your setup should look something like this:

    ISP1--------ModemRouter(192.168.254.1/24)------(192.168.254.2/24)WAN
                                                                      pfSense LAN (192.168.1.1/24)------------LAN Clients
    ISP2----------------Modem(bridge)--------------(some public IP)OPT-WAN


    In this scenario you might need to uncheck "block private IPs" at interfaces>wan. Also if your ModemRouter provides a setting "DMZ IP" you should enter the pfSense WAN IP there. This way it will forward everything to the pfSense WAN and you only have to configure port forwards, firewall rules, … there.



  • In my experience you need to uncheck block private IPs on any interface that has a private IP range

    10.0.0.0 - 10.255.255.255
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255

    @hoba:

    In this scenario you might need to uncheck "block private IPs" at interfaces>wan. Also if your ModemRouter provides a setting "DMZ IP" you should enter the pfSense WAN IP there. This way it will forward everything to the pfSense WAN and you only have to configure port forwards, firewall rules, … there.



  • I'm working on the dual WAN load balancing and failover with dynamic gateways. For the gateway, I use "wan" and "opt1" instead of the real gateway's IP address. And now it works well. Pls see the attached images.

    But I'd like to restart slbd when the WAN's or OPT1's IP address is changed. The problem is that I cannot figure out the process for it on pfSense. Is there anyone who can give me a hint how to do it? If it is possible I will provide the diffs.

    Thanks.



  • i think you need to add some code to
    /etc/rc.newwanip



  • Nice addition! While you are at it can you add wan-gateway and optx-gateway as variables to be optionally used for monitor IPs too?  ;)



  • @sbyoon:

    I'm working on the dual WAN load balancing and failover with dynamic gateways. For the gateway, I use "wan" and "opt1" instead of the real gateway's IP address. And now it works well. Pls see the attached images.

    But I'd like to restart slbd when the WAN's or OPT1's IP address is changed. The problem is that I cannot figure out the process for it on pfSense. Is there anyone who can give me a hint how to do it? If it is possible I will provide the diffs.

    Thanks.

    slbd config (and restart) is done in /etc/inc/vslb.inc.  However, you likely want /etc/rc.newwanip (I'm not sure that runs for optx interfaces though).

    –Bill



  • I think I succeeded in it. I added "slbd_configure();" into rc.newwanip to reload slbd. I found rc.newwanip is executed when ip change occurs at optx as well.

    I tested it for several days and it works well for me. But I want it to be tested by other people who are in other various environment.

    If you want to test it, you can download the loadbalance.zip file from the link below.

    http://www.monetcom.co.kr/download/loadbalance.zip

    Decompress the file and upload each decompressed file to pfSense (command prompt -> upload).
    Then copy each file to the location below.

    /etc/inc/vslb.inc
    /usr/local/www/load_balancer_pool_edit.php
    /etc/inc/filter.inc
    /etc/rc.newwanip

    • If you are using the embedded version, make sure you execute /etc/rc.conf_mount_rw before copying.

    Any feedback will be appreciated.

    And I'd like to make rc.newwanip check whether outgoing load balancing is enabled or not before it executes "slbd_configure()". I tested it by adding "if ($config['load_balancer']['lbpool']['type'] == "gateway")" above "slbd_configure();" but it didn't work. Could anyone give me some advice on this?

    Thanks.



  • Just a question: Do you have to enter the OPTx-name or the substitute of it like WAN2 (in case you called OPT1 WAN2)?



  • You should use the interface name in interfaces -> assign. Pls see the attached image. In this case the interface name should be wan, opt1 or opt4.



  • The substitutes of the interface names would be nicer but this is cool too  :)



  • @hoba:

    The substitutes of the interface names would be nicer but this is cool too  :)

    We can work around this of course if the code works :)

    –Bill



  • I found my mistake in load_balancer_pool_edit.php. When clicking add pool, the interface name was undefined. Now I have corrected it. Pls download the correct one again if you already downloaded it.

    http://www.monetcom.co.kr/download/loadbalance.zip

    And I found that rc.newwanip is not correctly copied to pfSense. If you have this problem as well, you can fix it by adding the code below at the bottom of rc.newwanip.

    /* reload slbd */
    slbd_configure();
    log_error("Configuring slbd");
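The snippet above reloads slbd on every WAN IP change, and an earlier post in this thread asks how to skip the reload when no outbound (gateway-type) pool is configured. The following is an added example, not code from the thread or from pfSense itself, of a guarded rc.newwanip tail that does that check. It assumes the pfSense 1.x config layout in which `$config['load_balancer']['lbpool']` is a list of pools, each carrying a `type` of "gateway" or "server" (an assumption; inspect /cf/conf/config.xml on your box to confirm), and that `slbd_configure()` and `log_error()` are available once `config.inc` and `vslb.inc` are required, as the thread says.

```php
#!/usr/local/bin/php -f
<?php
/*
 * Added example (not from the thread or pfSense): tail of /etc/rc.newwanip
 * that reloads slbd only when an outbound load-balancer pool exists.
 *
 * Assumption: $config['load_balancer']['lbpool'] is a list of pools and each
 * pool has a 'type' key of "gateway" (outbound) or "server" (inbound).
 */
require_once("config.inc");   /* loads the global $config from config.xml */
require_once("vslb.inc");     /* provides slbd_configure() per this thread */

/* Return true if at least one gateway-type pool is configured.
   Accepts the config array so it can be checked outside rc.newwanip. */
function outbound_lb_enabled($cfg) {
    if (!isset($cfg['load_balancer']['lbpool']) ||
        !is_array($cfg['load_balancer']['lbpool'])) {
        return false;
    }
    /* A single pool may be stored as one associative array rather than a
       list of one; normalise so the loop below handles both shapes. */
    $pools = $cfg['load_balancer']['lbpool'];
    if (isset($pools['type'])) {
        $pools = array($pools);
    }
    foreach ($pools as $pool) {
        if (isset($pool['type']) && $pool['type'] == "gateway") {
            return true;
        }
    }
    return false;
}

/* reload slbd only when an outbound pool would actually use the new IP */
if (outbound_lb_enabled($config)) {
    log_error("Configuring slbd: gateway-type pool found, reloading after WAN IP change");
    slbd_configure();
} else {
    log_error("Not reloading slbd: no gateway-type pool configured");
}
?>
```

Keeping the check in a function makes it easy to test from a PHP shell against a saved copy of `$config` before dropping it into the boot-time script, and the normalisation step is what turns a one-pool config into something the loop can iterate.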



  • Well I'd have to say this guy fixed all my issues with this little update, OMG this is awesome. Been working on getting load balancing to work with my cable modem and my DSL all day. Ran across this, implemented it, and wham, it's all working… Thank you sooooo much for this addition.

    Well since he helped me so much, I thought I would add to it also. I modified the config interface to allow picking what interface you want to add to the pool from a list. And added the ability to pick the Gateway's address from a list also, among other options too. (See attached image)

    A quick note though, one reason, on top of being dynamic, why I couldn't get the dang balancing to work all day was because my cable provider disabled ping to its gateway.... As soon as I set it to my web hosting company's IP, it all came "online."

    Just update the files appropriately in /usr/local/www
    http://www.webhostingspot.com/pfSense.rar

    Question, before I start messing around I thought I'd ask first.
    With all this load balancing working and all, how do I configure pfSense so that all SMTP traffic on my network goes out through the WAN interface only?

    P.S. How the heck do I get my FTP outbound working now?

    ![Load Balance Setup.JPG](/public/imported_attachments/1/Load Balance Setup.JPG)



  • @GotzBoost:

    Question, before I start messing around I thought I'd ask first.
    With all this load balancing working and all, how do I configure pfSense so that all SMTP traffic on my network goes out through the WAN interface only?

    That's policy based routing.
    Set up a rule allowing SMTP and in that rule specify the WAN interface as gateway. Make sure that this rule is above the others.



  • @GotzBoost:

    P.S. How the heck do I get my FTP outbound working now?

    http://forum.pfsense.org/index.php/topic,2282.msg13472.html#msg13472



  • @sai:

    That's policy based routing.
    Set up a rule allowing SMTP and in that rule specify the WAN interface as gateway. Make sure that this rule is above the others.

    I'm assuming you are talking about a NAT rule and not a firewall rule. Adding this NAT rule is not going to mess up the auto generated load balancing rule? Am I supposed to select "Enable advanced outbound NAT" to add my own NAT rules? What exactly does "Enable advanced outbound NAT" mean and do? And if there was an auto generated NAT rule, where is it? Why doesn't it show up in the NAT rule list? It should. When need be, add auto generated NAT rules, but forewarn the admin, and allow the admin to control the NAT rules. Don't control NAT rules, just help generate them.

    Being Check Point FW1 NG certified, I'm very familiar with NAT and firewall rules. It's taking a bit of a learning curve to use pfSense, but not much. pfSense reminds me of CheckPoint a LOT! Personally, I think if you got this stable enough it could easily compete with a single instance CheckPoint setup.

    Just need to add the capability of application-level packet inspection, so that you can drop packets for certain apps (like IM or P2P), and it would be neck and neck with CheckPoint.



  • @hoba:

    @GotzBoost:

    P.S. How the heck do I get my FTP outbound working now?

    http://forum.pfsense.org/index.php/topic,2282.msg13472.html#msg13472

    Ok, I've verified that none of my interfaces have "Disable the userland FTP-Proxy application" checked. And my firewall rules allow all outbound activity from the LAN interface to any. Still doesn't work.

    P.S. What is the userland FTP-Proxy application? And why is it used? What's different between, let's say, an SMTP connection and an FTP connection that is not allowing FTP?



  • Reread the post, you need to add an additional rule at the top of your firewall rules. It's not only the FTP helper setting. For further information on the FTP helper please search the forum. This has been covered in depth already several times.



  • What about reply #22?



  • Firewall rules determine through which interface the traffic is leaving for policy-based routing (gateway setting). Advanced outbound NAT lets you specify what happens with traffic that is leaving through an interface (if it should be NATted or not, or if you have multiple Virtual IPs, to which of the IPs). If advanced outbound NAT is disabled, NAT will happen on all interfaces that have a gateway configured. It then will translate the traffic to the interface IP of the pfSense. If you enable advanced outbound NAT you have to set up your own rules. Everything not specified in the rules will just be routed without NAT. Enabling advanced outbound NAT will generate a NAT rule for traffic going from LAN to WAN for your reference.



  • We may want the interface dialog to be a drop down of interfaces. Not sure if that works with the current javascript though.

    Looks like we want this in.



  • Hold on, didn't read the second page. Looks like we want to split the server side load balancing and outbound load balancing.

    I'll have a look at this tomorrow.



  • GotzBoost. I tried your page but it doesn't work yet. It does not appear to set the correct interface name via javascript into the poolbox.

    Are those 2 files in the pfsense.rar really the only edited files?



  • No, my files are an addition to sbyoon's modification. So apply his mod first, and then mine.



  • Well, it worked fine after refreshing everything. I think the javascript got cached. Because it worked for others the first time.

    I have up-to-date patches available on my site. http://iserv.nl/files/pfsense/slbd/

    The code is already committed into CVS. Releng_1 is under discussion.



  • What is Releng_1? At the moment the drop down for ping/gateway IP gets set to whatever the IP is at that point in time. It doesn't get updated whenever the WAN/OPTx gets a new IP. I was going to look at how sbyoon modified the code to update the IP upon a DHCP renew and make it do the same for the ping/gateway IP.

    Even though it's preferable to find a hard coded IP out in the space to ping, as some gateways don't allow you to ping them. As it was in my case.

    Or here's another better idea, don't ping something to see if the net is up or down. Rather do a trace route with a max hop of ~3 (let this be configurable); if it comes back with ~3 hops at least, then the interface is up. That will do one of two things, make sure that you can actually get to the net and not just your ISP, and also cut down on unwanted/unneeded ping traffic.

    Case in point, Time Warner had a router go out >:( (for about 48 hours :o), I could get to any of TW's sites, but not the net. So, half of my traffic that was going out my cable modem was failing and the other half that was going out my DSL was OK. If the trace route was in use, then my cable modem would have been automatically set to down, and failed over to my DSL.



  • That's a slbd issue and currently not feasible to implement. The slbd checks need to be fast and light, and traceroute is neither. Furthermore I have seen far more routers block traceroute than I have seen them block ping.

    I'll have to look at the gateway ping implementation. Although I think that is handled by the rc.newwanip code and the filter.inc fixes syboon already applied.

    For all intents and purposes, a router should never block ICMP traffic, as that is integral to the operation of the TCP/IP protocol.

    We are currently testing multi interface dhcp with the new dhcp clients but at this point in time it is not working just yet.



  • Ok, let me rephrase that. The router blocked ICMP traffic to itself, not all ICMP traffic going through it. And yes they do this quite often as a security precaution. In some of the CCNA classes I've been in they've even taught that as a rule of thumb. "The only thing a public router needs to do is route, don't let it waste its time on anything else. And the last thing you want is a router that crashed from a flaw overlooked in some TCP stack from a ping."

    Security: Rule of thumb, block everything, then only open what's needed.

    What are you testing with multi interface dhcp? I have it now, with this fix, and it's working perfectly.



  • multi dhcp specifically in the later snapshots > 20-12-2006.

    1.0.1 should work fine in that respect.



  • I have put the modified version of the files on my site so other people can easily test them.
    http://iserv.nl/files/pfsense/slbd/

    those correspond to the files.
    /etc/rc.newwanip
    /etc/inc/filter.inc
    /etc/inc/vslb.inc
    /usr/local/www/pool.js
    /usr/local/www/load_balancer_pool_edit.php (use load_balancer_pool_edit2.txt )

    Cheers



  • Is there anything different about them than what is already up? Or just a combination of all the patches stuck together?



  • A combination thereof, but up to date with current snapshots.



  • It's been merged into RELENG_1 and should show up in a snapshot soon. Whenever soon is.

