NEED >> Basic Load Balance Howto for V.2



  • Can someone write a simple Load Balance + Failover howto for version 2?

    I have a basic setup: both WAN & OPT3 are connected to NAT routers just like any PC would be, each to a different ISP.
    I want all interfaces, LAN, OPT1 & 2, to have the benefit of double speed and failover.

    In the Wiki there is only a howto for V 1.x.x



  • Maybe you can find some help here:
    http://forum.pfsense.org/index.php/topic,28121.0.html


  • Rebel Alliance Developer Netgate

    This is something that does need to be documented, but it's a lot easier now.

    • Under System > Routing, create a gateway group
      ◦ For load balancing, select more than one gateway on the same tier (e.g. tier 1)
      ◦ For failover, select gateways on different tiers (e.g. WAN on tier 1; when it is down, traffic will fail over to WAN2 on tier 2)
    • For trigger level, pick the mode you want to use to trigger a failure that removes a gateway from the group (I always use "packet loss or high latency")
    • Fill in a description

    Then use the gateway group in firewall rules on the LAN or other internal interfaces to direct outbound traffic to the gateway group, which will make it load balance (or failover).

    I have three gateway groups: one to balance, one to prefer WAN, and one to prefer WAN2. That way I can direct certain traffic out one path or another.

    If you want to tweak gateway options like the monitor IP and loss/latency thresholds, they can be edited under the Gateways tab under System > Routing as well.
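    As an added illustration (not from the thread and not pfSense's own code), a small Python model of the tier and trigger-level rules described above: the trigger-level names match the GUI, but the thresholds, gateway names and monitor results are constructed assumptions.

```python
"""Model of the pfSense 2.0 gateway-group rules described above (added example,
not pfSense code; trigger-level names match the GUI, thresholds, gateways and
monitor results are constructed)."""
from dataclasses import dataclass

LOSS_THRESHOLD_PCT = 20.0     # constructed: "packet loss" fires at/above this
LATENCY_THRESHOLD_MS = 500.0  # constructed: "high latency" fires at/above this

@dataclass
class Gateway:
    name: str
    tier: int
    monitor_ip: str    # probe target; a NAT router's LAN side still answers with a dead uplink
    loss_pct: float    # observed loss to monitor_ip
    latency_ms: float  # observed RTT to monitor_ip

def is_down(gw: Gateway, trigger: str) -> bool:
    """Apply the group's trigger level to one gateway's monitor results."""
    lossy = gw.loss_pct >= LOSS_THRESHOLD_PCT
    slow = gw.latency_ms >= LATENCY_THRESHOLD_MS
    if trigger == "member down":
        return gw.loss_pct >= 100.0
    if trigger == "packet loss":
        return lossy
    if trigger == "high latency":
        return slow
    if trigger == "packet loss or high latency":
        return lossy or slow
    raise ValueError(f"unknown trigger level: {trigger}")

def active_gateways(group: list, trigger: str) -> list:
    """Gateways traffic is spread over: every usable member of the lowest tier
    that still has one. Two on one tier = load balance, a failed member is just
    dropped; a higher tier is used only when every lower tier is down."""
    for tier in sorted({gw.tier for gw in group}):
        up = [gw.name for gw in group if gw.tier == tier and not is_down(gw, trigger)]
        if up:
            return up
    return []

# Constructed samples: jimp's "prefer WAN" group (WAN2 on tier 2) and a plain
# balance group in which WAN has lost its monitor entirely.
PREFER_WAN = [Gateway("WAN", 1, "8.8.8.8", 0.0, 20.0),
              Gateway("WAN2", 2, "8.8.4.4", 0.0, 35.0)]
BALANCE = [Gateway("WAN", 1, "8.8.8.8", 100.0, 0.0),
           Gateway("WAN2", 1, "8.8.4.4", 0.0, 35.0)]
```

    Swapping the trigger level on the same sample data shows which monitor results actually pull a member out of the group.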



  • When I have a little time I'll make a visual howto for this.


  • Rebel Alliance Developer Netgate

    Might not be worth the effort yet, at least until 2.0 hits the RC stage. There is still a chance that some parts of the UI could change slightly (not likely, but possible) so I wouldn't spend too much time on it just yet.



  • jimp, I've fully rewritten the mini-howto following your indications at the original page at http://forum.pfsense.org/index.php/topic,28121.0.html
    The first version was terribly wrong! :)
    I hope this one will be better. If someone sees any mistake or has suggestions, feel free to tell.
    I'll be glad to update it. I perform the setup in a virtual environment, so it is easy for me to test any change.
    I wrote the guide because I needed this feature for version 2.0 and I didn't find it in the documentation.
    Thanks!



  • BTW, does anyone know how to change the ping frequency sent by pfSense to monitor IP addresses in Load Balancing?
    It sends 1 ping/second by default!



  • @jimp:

    Might not be worth the effort yet, at least until 2.0 hits the RC stage. There is still a chance that some parts of the UI could change slightly (not likely, but possible) so I wouldn't spend too much time on it just yet.

    Several screenshots and some text are not a problem.
    I just need to put Photoshop on my new graphics computer.


  • Rebel Alliance Developer Netgate

    No need for Photoshop, that's like using a cannon to swat a fly. Grab Jing or something similar for simple captures. (I use SnagIt but it's not free)



  • I use PrtScr  ;D

    I already know Photoshop and in the army I was in heavy artillery…
    And there is this…



  • I used HoverSnap, free and effective. No time to play with Photoshop for a couple of captures. ;D


  • Rebel Alliance Developer Netgate

    Snagit is awesome, it's what we use to make screencaps for the book, and it has lots of nifty features like "scrolling web page" captures where it will take a screencap of an entire website no matter how long it is. :-)

    http://pingle.org/files/loooongcat.png



  • I was under the impression that by simply putting both gateways on the same tier, load balancing and failover were handled automatically. Is there a need for the extra failover groups and the added ruleset in LAN?
    I understand how the described failover groups and rule entries would work, but is it needed for anything but specific requirements and situations?

    If that's the case I don't see how this is considered an easier setup than v 1.2.3.
    Either way I suppose I need to test my current configuration to see if Failover is working properly.


  • Rebel Alliance Developer Netgate

    You do not need the extra groups if you just want to load balance.

    I have some things I want to prefer WAN1 for, and others I want to prefer WAN2 for; that's why I have the extra failover groups.

    With a load balance group where they are all on the same tier, there really isn't a concept of failover, they both work all the time and if a gateway fails, it is marked down and disabled so only the remaining WAN(s) in the group are used. It's not really "failover" since both were already in use. But I suppose that would be getting a tad pedantic on my part. :)



  • I think it is failover, as if one of the interfaces dies, it automatically moves all data to the working interfaces.

    What I am missing is a way to bypass the checkup ip address.
    In my case both interfaces, WAN & OPT1, are connected to NAT routers. Sometimes the routers drop the connection to the internet, but toward the LAN, where pfSense is connected, they still ping happily.
    If I had a way to change the IP then I could use something actually on the internet and get a true response.


  • Rebel Alliance Developer Netgate

    Just change the monitor IPs to something external. I use 8.8.8.8 for wan, and 8.8.4.4 for wan2.



  • @townsenk:

    I was under the impression that by simply putting both gateways on the same tier, load balancing and failover were handled automatically. Is there a need for the extra failover groups and the added ruleset in LAN?
    I understand how the described failover groups and rule entries would work, but is it needed for anything but specific requirements and situations?

    If that's the case I don't see how this is considered an easier setup than v 1.2.3.
    Either way I suppose I need to test my current configuration to see if Failover is working properly.

    The first time I thought like you. In fact, that configuration works as described in my original howto. :)

    But then, thanks to jimp, I realized that creating different groups for Load Balancing and Failover is a more accurate solution. In addition, it gives you more control over both features.

    Although it's a bit more complex, it's worth the effort.



  • @jimp:

    Just change the monitor IPs to something external. I use 8.8.8.8 for wan, and 8.8.4.4 for wan2.

    Poor Google DNS, hehehe!!   :P

    Another option could be to make a traceroute to an external IP from each ISP and start pinging some closer IP addresses.

    Why? On one hand, those IP addresses are closer to you (less latency), and on the other hand, if Google is down (ok, maybe in a parallel universe…) your router doesn't think that the whole Internet is down.

    BTW, what an awesome feature from Snagit! It's a pity that there isn't a free version.  8)


  • Rebel Alliance Developer Netgate

    Well with my Cable ISP, they have a habit of losing connectivity to their upstream, so I have to ping something off their network, or I wouldn't detect many of their failures. Past their network, it could be any of a number of unpredictable routers at their peering, so I use something on the Internet in general.



  • @jimp:

    Well with my Cable ISP, they have a habit of losing connectivity to their upstream, so I have to ping something off their network, or I wouldn't detect many of their failures. Past their network, it could be any of a number of unpredictable routers at their peering, so I use something on the Internet in general.

    It makes sense. It was just an option. And Google has demonstrated the ability to handle awesome amounts of traffic, better than any existing ISP (until they themselves become an ISP).



  • @jimp:

    Just change the monitor IPs to something external. I use 8.8.8.8 for wan, and 8.8.4.4 for wan2.

    OK, found it under "System: Gateways: Edit gateway".
    I knew there was an option when set to static IP but not for DHCP…

