NEED >> Basic Load Balance Howto for V.2

daedalous

Maybe you can find some help here:
http://forum.pfsense.org/index.php/topic,28121.0.html

jimp

This is something that does need documented, but it's a lot easier now.

• Under System > Routing, create a gateway group
  ** For load balancing, select more than one gateway on the same tier (e.g. tier 1)
  ** For failover, select gateways on different tiers (e.g. wan on tier 1, when down will fail to wan2 on tier 2)
• For trigger level, pick the mode you want to trigger a failure to remove a gateway from a group, (I always use "packet loss or high latency")
• Fill in a description

Then use the gateway group in firewall rules on the LAN or other internal interfaces to direct outbound traffic to the gateway group, which will make it load balance (or failover).

I have three gateway groups, one to balance, and one to prefer WAN, and one to prefer WAN2. That way I can direct certain traffic out one path or another.

If you want to tweak gateway options like the monitor IP and loss/latency thresholds, they can be edited under the Gateways tab under System > Routing as well.

roi

When I'll have little time I'll make a visual howto for this.

jimp

Might not be worth the effort yet, at least until 2.0 hits the RC stage. There is still a chance that some parts of the UI could change slightly (not likely, but possible) so I wouldn't spend too much time on it just yet.

daedalous

jimp, I've fully rewritten the mini-howto following your indications at the original page at http://forum.pfsense.org/index.php/topic,28121.0.html
The first version was terribly wrong! :)
I hope this one will be better. If someone see any mistake or have suggestions, feel free to tell.
I'll be glad to update it. I perform the setup in a virtual environment, so it is easy for me to test any change.
I wrote the guide because I needed this feature for version 2.0 and I didn't find it in the documentation.
Thanks!

daedalous

BTW, does anyone knows how to change the ping frequency sent by pfsense to monitor IP addresses in Load Balancing?
It sends 1 ping/second by default!

roi

@jimp:

Might not be worth the effort yet, at least until 2.0 hits the RC stage. There is still a chance that some parts of the UI could change slightly (not likely, but possible) so I wouldn't spend too much time on it just yet.

several screen shot's and some text is not a problem.
I just need to put Photoshop on my new graphic's computer.

jimp

No need for Photoshop, that's like using a cannon to swat a fly. Grab Jing or something similar for simple captures. (I use SnagIt but it's not free)

roi

I use PrtScr  ;D

I already know Photoshop and in the army I was in heavy artillery…
And there is this…....

daedalous

I used HoverSnap, free and effective. No time to play with Photoshop for a couple of captures. ;D

jimp

Snagit is awesome, it's what we use to make screencaps for the book, and it has lots of nifty features like "scrolling web page" captures where it will take a screencap of an entire website no matter how long it is. :-)

http://pingle.org/files/loooongcat.png

townsenk

I was under the impression that by simply putting both Gateways on the same tier that loadbalancing and failover was handled automatically. Is there a need for the extra Failover groups and the added ruleset in LAN?
I understand how the described failover groups and rule entrys would work but is it needed for anything but specific requirements and situations

if that's the case I don't see how this is considered an easier setup than v 1.2.3
Either way I suppose I need to test my current configuration to see if Failover is working properly.

jimp

You do not need the extra groups if you just want to load balance.

I have some thing I want to prefer my WAN1, and others I want to prefer WAN2, that's why I have the extra failover groups.

With a load balance group where they are all on the same tier, there really isn't a concept of failover, they both work all the time and if a gateway fails, it is marked down and disabled so only the remaining WAN(s) in the group are used. It's not really "failover" since both were already in use. But I suppose that would be getting a tad pedantic on my part. :)

roi

I think it is failover as if one of the interfaces dies, it automatically move all data using the working interfaces.

What I am missing is a way to bypass the checkup ip address.
In my case both interfaces, WAN & OPT1 are connected to NAT routers. some times the routers drop the connection to the internet, but toward the LAN, where pfSence is connected, they still ping happily.
If I had a way to chenge the IP then I can use something actually on the internet and get a true response.

jimp

Just change the monitor IPs to something external. I use 8.8.8.8 for wan, and 8.8.4.4 for wan2.

daedalous

@townsenk:

I was under the impression that by simply putting both Gateways on the same tier that loadbalancing and failover was handled automatically. Is there a need for the extra Failover groups and the added ruleset in LAN?
I understand how the described failover groups and rule entrys would work but is it needed for anything but specific requirements and situations

if that's the case I don't see how this is considered an easier setup than v 1.2.3
Either way I suppose I need to test my current configuration to see if Failover is working properly.

The first time I thought like you. In fact, that configuration works as described in my original howto. :)

But then, thank to jimp I realized that creating different groups for Load Balancing and Failover is a more acurate solution. In addition, it gives you more control over both features.

Although it's a bit more complex, it worth the effort.

daedalous

@jimp:

Just change the monitor IPs to something external. I use 8.8.8.8 for wan, and 8.8.4.4 for wan2.

Poor Google DNS, hehehe!!   :P

Another option could be to make a traceroute to an external IP from each ISP and start pinging some closer IP addresses.

Why? On one hand, those IP addresses are closer to you (less latency), and on the other hand, if Google is down (ok, maybe in parallel universe…) your router doesn't think that the whole Internet is down.

BTW, what an awesome feature from Snagit! It's a pity that there isn't a free version.  8)

jimp

Well with my Cable ISP, they have a habit of losing connectivity to their upstream, so I have to ping something off their network, or I wouldn't detect many of their failures. Past their network, it could be any of a number of unpredictable routers at their peering, so I use something on the Internet in general.

daedalous

@jimp:

Well with my Cable ISP, they have a habit of losing connectivity to their upstream, so I have to ping something off their network, or I wouldn't detect many of their failures. Past their network, it could be any of a number of unpredictable routers at their peering, so I use something on the Internet in general.

It makes sense. It was just an option. And Google has demonstrated ability to handle awesome amounts traffic, better than any existing ISP (until theyselves become an ISP).

roi

@jimp:

Just change the monitor IPs to something external. I use 8.8.8.8 for wan, and 8.8.4.4 for wan2.

OK
found it under "System: Gateways: Edit gateway"
I knew there was an option when set to static IP but not for DHCP…