Distributed multiwan with multiple pfSenses



  • A few evenings ago some friends and I were discussing networking our homes together with directional WLAN antennas. The idea is to combine our internet bandwidth, but everyone still has his own network.
    Since then I've thought about it a lot and came up with some questions I hope someone can answer for me.

    1: Every one of us has a WRAP at home.
    Let's assume the network will look like this.

    pf1:
    WAN: dynamic Internet
    LAN: 192.168.1.1
    1to2: 10.10.10.1/30
    1to3: 10.10.10.5/30

    pf2:
    WAN: dynamic Internet
    LAN: 192.168.2.1
    2to1: 10.10.10.2/30
    2to3: 10.10.10.9/30
    2to4: 10.10.10.13/30

    pf3:
    WAN: dynamic Internet
    LAN: 192.168.3.1
    3to2: 10.10.10.10/30
    3to1: 10.10.10.6/30

    pf4:
    WAN: dynamic Internet
    LAN: 192.168.4.1
    4to2: 10.10.10.14/30

        pf1
         |
         |
        pf2 ---- pf3
         |
         |
        pf4

    Since we have static link IPs on every pf, we can set up multiwan.
    Now here comes the problem I see:
    when pf1 sends 1/3 of its data directly out its own WAN, 1/3 to pf2 and 1/3 to pf3, won't they do the same thing with the incoming data?
    So pf2 will send:
    1/4 to pf3,
    1/4 to pf4,
    1/4 out its own WAN,
    1/4 back to pf1,
    and pf3 will do the same thing again, sending 1/3 of the traffic from pf2 to pf1, thus creating a loop.
    Also, 1/3 of the incoming traffic will be sent back to the origin.

    Will that happen like I think it will, and if yes, can someone think of a way to avoid it?

    Thanks in advance :)



  • This will work if you set it up correctly. You just have to set up correct firewall rules for load balancing. The trick is to only use the gateway pool in rules at the LAN interfaces and not at any of the connections coming in from one of the other pfSenses.

    The main problem that I see is that you have dynamic WANs at all the involved boxes, which won't work as you manually have to enter a static gateway for the pool. You can fake this by simply using modem routers.

    *** Typo corrected, Thanks Bill! ***



  • @hoba:

    This will work if you set it up correctly. You just have to set up correct firewall rules for load balancing. The trick is to only use the gateway pool in rules at interfaces wan and not at any of the connections coming in from one of the other pfSenses.

    Hoba meant LAN here naturally, not WAN :)  And yes, this could work; good luck debugging it! :)

    -- Bill



  • OK, I did some testing today with a few old computers I've set pfSense up on.
    Right now I'm able to get to the internet with load balancing from every "private" LAN.

    I've set up firewall rules:

    pub. == "not private address range"
    pri. == "private address range"
    1to2 == link interface name for the connection between pfSense1 and pfSense2

    LAN interface
    destination: pub. --> gateway pool WAN & 1to2
    destination: pri. --> gateway pool 1to2


    If I find the time I'll set up a test system in the network lab at school which will look about like this:

            6
           /|
          / |
         5--1-----2
          \ |\   /
           \| \ /
            4--3

    If I'm not mistaken I will have to make a lot of different pools.
    I'll post them here to have them written down when I do them ^^"

    pfSense1:
    from LAN
    dest. = pub. --> pool WAN, 2, 3, 4, 5, 6
    dest. = priv. --> pool 2, 3, 4, 5, 6

    from 1to2
    source = 2, dest. = pub. --> pool WAN, 3, 4, 5, 6
    source = 3, dest. = pub. --> pool WAN, 4, 5, 6
    source = 4, dest. = pub. --> pool WAN, 3, 5, 6
    source = 5, dest. = pub. --> pool WAN, 3, 4, 6
    source = 6, dest. = pub. --> pool WAN, 3, 4, 5

    source = 2, dest. = priv. --> pool 3, 4, 5, 6
    source = 3, dest. = priv. --> pool 4, 5, 6
    source = 4, dest. = priv. --> pool 3, 5, 6
    source = 5, dest. = priv. --> pool 3, 4, 6
    source = 6, dest. = priv. --> pool 3, 4, 5

    and so on for every interface on every pfSense.

    This would be a lot of work whenever a new pfSense gets added to the system, and I think it's still not quite good, as the traffic can take long ways.

    edit: moving questions regarding OLSR/RIP
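To compare the three rule layouts discussed in this thread (the full pool on every interface that the first post worries about, hoba's LAN-only pool, and the per-source pools listed in the last post), here is a small added model that is not part of the thread and is not pfSense configuration: it takes the school lab topology drawn above as constructed input and enumerates every path a public-destination flow can take before it reaches some box's WAN.

```python
# Lab topology from the ASCII diagram in the last post (constructed input, one /30 link per pair).
LINKS = {("pf6", "pf5"), ("pf6", "pf1"), ("pf5", "pf1"), ("pf1", "pf2"),
         ("pf5", "pf4"), ("pf1", "pf4"), ("pf1", "pf3"), ("pf2", "pf3"),
         ("pf4", "pf3")}

def peers(node):
    """Routers directly linked to node, i.e. the link interfaces it could balance over."""
    return sorted(b if a == node else a for a, b in LINKS if node in (a, b))

# A policy returns the gateway pool a box uses for a flow, given the peer the flow
# arrived from (None = it came in on the local LAN) and the box whose LAN originated it.
def naive_pool(node, came_from, origin):
    """Full pool on every interface: the behaviour the first post is worried about."""
    return ["WAN"] + peers(node)

def lan_only_pool(node, came_from, origin):
    """hoba's rule: pool only on LAN; anything arriving over a peer link exits the local WAN."""
    return ["WAN"] + peers(node) if came_from is None else ["WAN"]

def source_aware_pool(node, came_from, origin):
    """Per-source rules of the last post: drop the incoming link and the source's own
    box from the pool, keep every other peer."""
    return ["WAN"] + [p for p in peers(node) if p not in (came_from, origin)]

def explore(policy, origin, max_depth=8):
    """Walk every branch a flow from origin's LAN can take (depth-first).
    Returns (branches that re-enter a box already on their path,
             most boxes any branch crosses before reaching a WAN)."""
    revisits, longest = 0, 0
    stack = [(origin, None, [origin])]
    while stack:
        node, came_from, path = stack.pop()
        for nxt in policy(node, came_from, origin):
            if nxt == "WAN":
                longest = max(longest, len(path))
            elif nxt in path:
                revisits += 1          # traffic comes back to a box it already left
            elif len(path) < max_depth:
                stack.append((nxt, node, path + [nxt]))
    return revisits, longest

def summarise(policy):
    """Worst case over every box in the lab acting as the originating LAN."""
    boxes = sorted({n for link in LINKS for n in link})
    results = [explore(policy, b) for b in boxes]
    return max(r for r, _ in results), max(l for _, l in results)

if __name__ == "__main__":
    for pol in (naive_pool, lan_only_pool, source_aware_pool):
        revisits, longest = summarise(pol)
        print(f"{pol.__name__:18} revisits={revisits:3}  longest path={longest} boxes")
```

With the LAN-only pool no branch ever re-enters a box and a flow crosses at most two boxes; the per-source rules stop the immediate bounce back but, in this topology, still allow a flow to come back around to a box it already passed, which is the "long ways" the last post mentions.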

