Netgate Discussion Forum

    PFsense 2.0 - load balancing between 2 ISP's

    2.0-RC Snapshot Feedback and Problems - RETIRED
    19 Posts 4 Posters 22.1k Views
    • krisken

      I've tried everything, but can't get it done…

      I have 2 VDSL connections:
      ISP 1 (Scarlet) : 25mbit down - 3.5mbit up - WAN IP of VDSL = variable - 2 PPPOE sessions possible
      ISP 2 (Dommel) : 30mbit down - 4.5mbit up - WAN IP of VDSL = fixed IP - 2PPPOE sessions possible (1 fixed IP - 1 variable IP)

      I use the internal NIC of my motherboard as LAN (IP range: 10.0.0.x) and a 4-in-1 PCI NIC for the 2 ISPs: 2 UTP cables for Scarlet, 2 UTP cables for Dommel.  That way, I can use the 2 PPPoE sessions that my ISP provides, and bundle them together.

      I want to make a load-balanced network using those 2 ISPs with pfSense 2.0.  Can anyone please help me?

      IP Range that i want to use:
      10.0.0.1 = pfsense
      10.0.0.2 = dd-wrt wireless router (192.168.100.x range = private - 192.168.200.x range = public)
      10.0.0.3 = linksys ATA PAP2T 01 (voip ATA)
      10.0.0.4 = linksys ATA PAP2T 02 (voip ATA)
      10.0.0.5 = networkdrive 1
      10.0.0.6 = networkdrive 2
      10.0.0.7 = networkdrive 3
      10.0.0.8 = networkdrive 4
      10.0.0.9 = printer
      10.0.0.10 = SMS gateway server
      10.0.0.100 = begin DHCP range
      10.0.0.254 = end DHCP range

      10.100.0.1 = IP homeserver (using openVZ)
      10.100.0.2 = IP VPS 01 (webserver) => using fixed IP of ISP Dommel
      10.100.0.3 = IP VPS 02 (testserver)
      10.100.0.4 = IP Asterisk server (VOIP)

      Can anyone please help me out with this, if possible with screenshots so I can do it right this time?

      Thanks!!!

      • jimp Rebel Alliance Developer Netgate

        Just follow the existing how-tos, once you have your WANs setup the instructions shouldn't be any different than they are for others:

        http://forum.pfsense.org/index.php/topic,28121.0.html

        Though if you want multi-wan to work you should be on a snapshot from last Monday. There were various problems through last week and by the end of the week load balancing didn't work at all. It's being worked on now, but isn't ready yet.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • krisken

          Hi Jimp!

          I do have 2 ISP's right now (Dommel and Scarlet) and did follow that how-to.  Either way when my Scarlet line is downloading at full speed, the load-balancing doesn't switch to the Dommel line.  I've checked that on http://www.whatismyip.com/ and it's always a Scarlet IP that's listed…

          Screenshots
          http://krisken.dommel.be/pfsense/firewallrules.jpg
          http://krisken.dommel.be/pfsense/gatewaygroups.jpg
          http://krisken.dommel.be/pfsense/gatewaygroups2.jpg
          http://krisken.dommel.be/pfsense/gateways.jpg
          http://krisken.dommel.be/pfsense/generalsetup.jpg

          • jimp Rebel Alliance Developer Netgate

            First, the only one of those rules that would match is the first one.

            Second, the Unknown status on the gateway groups isn't right. It should show online.

            Are there any entries in the system log saying that the gateway groups are unknown/skipped?

            My guess is (as I said before) you're on a snapshot with non-functioning load balancing and you need to back up to an earlier one that I mentioned before, or wait for a new one.

            • krisken

              @jimp:

              First, the only one of those rules that would match is the first one.

              Second, the Unknown status on the gateway groups isn't right. It should show online.

              Are there any entries in the system log saying that the gateway groups are unknown/skipped?

              My guess is (as I said before) you're on a snapshot with non-functioning load balancing and you need to back up to an earlier one that I mentioned before, or wait for a new one.

              I know that two of the gateways are offline, but I only use the first two (the other two are disabled): Scarlet fixed and Dommel fixed.  So that's normal (the two PPPoE gateways were tests).  I use the snapshot of today, 16th of September.  How can I downgrade to an earlier version?

              Do I have to delete every rule except the first one?
              Because in the tutorial you gave me, they say to make those rules (http://forum.pfsense.org/index.php?action=dlattach;topic=28121.0;attach=10320;image)

              • jimp Rebel Alliance Developer Netgate

                You don't have to delete the other rules, but perhaps you don't understand their purpose, and some other rule basics.

                First, rules are processed top-down, so the most specific rules need to go first. Anything that is the equivalent of a "pass all" rule should be at the very end, under any other specific rules.

                Second, you need to match specific traffic to direct them into those groups. Such as: pass * from <ip of a game console> to * gateway: FO_WAN2_WAN1 - That would make traffic from that IP use WAN2 primarily, and fail to WAN1. Similar rules can be made for other traffic to prefer either WAN1 or WAN2.

                You didn't answer my question about the system logs. Are there any entries there that reference gateways?

                And are you using i386 or amd64? There isn't an i386 snapshot from today.

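The rule-ordering point in the post above (rules are processed top-down, so specific rules go before any pass-all) can be checked mechanically. This is an added example, not code from the thread or from pfSense: it models rules by source network only, and the rule names and the choice of 10.0.0.3 as the policy-routed host are constructed for illustration; the gateway group names are the ones that appear in this thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str      # constructed label, not a pfSense field
    src: str       # source network in CIDR form
    gateway: str   # gateway or gateway group; "default" = no policy routing


def first_match(rules, src_ip):
    """Return the first rule (top-down) whose source covers src_ip, else None."""
    addr = ip_address(src_ip)
    for rule in rules:
        if addr in ip_network(rule.src):
            return rule
    return None


def shadowed(rules):
    """List (rule, earlier_rule) name pairs where the earlier rule's source
    network contains the later one's, so the later rule can never match."""
    pairs = []
    for i, rule in enumerate(rules):
        net = ip_network(rule.src)
        for earlier in rules[:i]:
            if net.subnet_of(ip_network(earlier.src)):
                pairs.append((rule.name, earlier.name))
                break
    return pairs


# Constructed rule sets for the 10.0.0.x LAN described in the first post.
PASS_ALL_FIRST = [
    Rule("lan-pass-all", "10.0.0.0/24", "default"),
    Rule("ata-prefers-wan2", "10.0.0.3/32", "FO_WAN2_WAN1"),
    Rule("lan-balanced", "10.0.0.0/24", "LB_WAN1andWAN2"),
]
SPECIFIC_FIRST = [
    Rule("ata-prefers-wan2", "10.0.0.3/32", "FO_WAN2_WAN1"),
    Rule("lan-balanced", "10.0.0.0/24", "LB_WAN1andWAN2"),
]

if __name__ == "__main__":
    for label, rules in (("pass-all first", PASS_ALL_FIRST),
                         ("specific first", SPECIFIC_FIRST)):
        print(label)
        for src in ("10.0.0.3", "10.0.0.120"):
            print(f"  {src} -> {first_match(rules, src).gateway}")
        for late, early in shadowed(rules):
            print(f"  never matches: {late} (covered by {early})")
```
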
                • krisken

                  @jimp:

                  You don't have to delete the other rules, but perhaps you don't understand their purpose, and some other rule basics.

                  First, rules are processed top-down, so the most specific rules need to go first. Anything that is the equivalent of a "pass all" rule should be at the very end, under any other specific rules.

                  Second, you need to match specific traffic to direct them into those groups. Such as: pass * from <ip of a game console> to * gateway: FO_WAN2_WAN1 - That would make traffic from that IP use WAN2 primarily, and fail to WAN1. Similar rules can be made for other traffic to prefer either WAN1 or WAN2.

                  You didn't answer my question about the system logs. Are there any entries there that reference gateways?

                  And are you using i386 or amd64? There isn't an i386 snapshot from today.

                  Sorry, the version I use seems to be from yesterday:
                  2.0-BETA4  (i386)
                  built on Wed Sep 15 09:52:13 EDT 2010 FreeBSD 8.1-RELEASE

                  The meaning of the thing I want to do is auto-loadbalancing.  So that the system uses the LB_WAN1andWAN2 gateway every time (so all traffic will be spread between WAN1 and WAN2).  When there is too much traffic using WAN1 (e.g. HTTP download, FTP, news servers, …), all the other traffic goes to WAN2.  In that case I can download and e.g. play some games at the same time without high latency.  Or I can download big files (several GBs) without slowing down the other users on the network.  Only in case WAN1 or WAN2 is down (broken modem, link problems, ...), everything (all traffic) has to take the other gateway as default gateway.

                  How can I see the logs of pfSense?

                  And indeed, I'm just learning about some network stuff, and that little thing above is something I really want to use :-)

                  WAN1 = Scarlet = 25mbit down, 3.5 mbit up (unmetered)
                  WAN2 = Dommel = 30mbit down, 4.5mbit up (unmetered)

                  • jimp Rebel Alliance Developer Netgate

                    That snapshot will have broken load balancing. Wait for a new snapshot.

                    Logs are under Status > System Logs

                    • krisken

                      Do I understand you correctly that when there is a new snapshot available (without the bug), everything should work like I want it to (see above)?

                      And that the logs will be at Status => Logs… sorry, so logical that I didn't see it :)

                      Sep 16 17:20:31 dhcpd: Copyright 2004-2008 Internet Systems Consortium.
                      Sep 16 17:20:31 dhcpd: All rights reserved.
                      Sep 16 17:20:31 dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
                      Sep 16 17:20:31 dnsmasq[8859]: read /etc/hosts - 1 addresses
                      Sep 16 17:20:31 last message repeated 2 times
                      Sep 16 17:20:31 check_reload_status: reloading filter
                      Sep 16 17:20:31 php: : Gateways status could not be determined, considering all as up/active.
                      Sep 16 17:20:31 last message repeated 2 times
                      Sep 16 17:20:31 php: : The gateway: LB_WAN1andWAN2 is invalid/unkown not using it.
                      Sep 16 17:20:32 php: : The gateway: FO_WAN2_WAN1 is invalid/unkown not using it.
                      Sep 16 17:20:32 php: : The gateway: FO_WAN1_WAN2 is invalid/unkown not using it.
                      Sep 16 17:22:08 dhcpleases: Ignoring DHCP lease for wifi.office.it2go.eu because it has an illegal domain part
                      Sep 16 17:22:08 dnsmasq[8859]: read /etc/hosts - 2 addresses
                      Sep 16 17:46:52 dhcpleases: Ignoring DHCP lease for wifi.office.it2go.eu because it has an illegal domain part
                      Sep 16 17:46:52 dnsmasq[8859]: read /etc/hosts - 2 addresses
                      Sep 16 17:46:52 dhcpleases: Ignoring DHCP lease for wifi.office.it2go.eu because it has an illegal domain part
                      Sep 16 17:51:45 php: /index.php: Successful login for user 'admin' from: 10.0.0.243
                      Sep 16 17:51:45 check_reload_status: syncing firewall
                      Sep 16 17:51:47 check_reload_status: reloading filter
                      Sep 16 17:51:48 php: : Gateways status could not be determined, considering all as up/active.
                      Sep 16 17:51:48 last message repeated 2 times
                      Sep 16 17:51:48 php: : The gateway: LB_WAN1andWAN2 is invalid/unkown not using it.
                      Sep 16 17:51:48 php: : The gateway: FO_WAN2_WAN1 is invalid/unkown not using it.
                      Sep 16 17:51:48 php: : The gateway: FO_WAN1_WAN2 is invalid/unkown not using it.
                      Sep 16 17:52:08 dhcpleases: Ignoring DHCP lease for wifi.office.it2go.eu because it has an illegal domain part
                      Sep 16 17:52:08 dnsmasq[8859]: read /etc/hosts - 2 addresses
                      Sep 16 17:52:08 dhcpleases: Ignoring DHCP lease for wifi.office.it2go.eu because it has an illegal domain part
                      Sep 16 18:13:12 check_reload_status: syncing firewall
                      Sep 16 18:16:52 dhcpleases: Ignoring DHCP lease for wifi.office.it2go.eu because it has an illegal domain part
                      Sep 16 18:16:52 dnsmasq[8859]: read /etc/hosts - 2 addresses
                      Sep 16 18:16:52 last message repeated 2 times
                      Sep 16 18:46:52 dhcpleases: Ignoring DHCP lease for wifi.office.it2go.eu because it has an illegal domain part
                      Sep 16 18:46:52 dnsmasq[8859]: read /etc/hosts - 2 addresses
                      Sep 16 18:52:08 last message repeated 4 times
                      Sep 16 18:52:08 last message repeated 2 times
                      Sep 16 19:16:52 dhcpleases: Ignoring DHCP lease for wifi.office.it2go.eu because it has an illegal domain part
                      Sep 16 19:16:52 dnsmasq[8859]: read /etc/hosts - 1 addresses
                      Sep 16 19:16:52 dhcpleases: Ignoring DHCP lease for wifi.office.it2go.eu because it has an illegal domain part
                      Sep 16 19:46:52 dhcpleases: Ignoring DHCP lease for wifi.office.it2go.eu because it has an illegal domain part
                      Sep 16 19:46:52 dnsmasq[8859]: read /etc/hosts - 1 addresses
                      Sep 16 19:46:52 last message repeated 2 times
                      Sep 16 20:16:52 dhcpleases: Ignoring DHCP lease for wifi.office.it2go.eu because it has an illegal domain part
                      Sep 16 20:16:52 dnsmasq[8859]: read /etc/hosts - 1 addresses
                      Sep 16 20:16:52 last message repeated 3 times
                      Sep 16 20:16:52 dnsmasq[8859]: read /etc/hosts - 1 addresses
                      Sep 16 20:46:52 dhcpleases: Ignoring DHCP lease for wifi.office.it2go.eu because it has an illegal domain part
                      Sep 16 20:46:52 dnsmasq[8859]: read /etc/hosts - 1 addresses
                      Sep 16 20:46:52 dhcpleases: Ignoring DHCP lease for wifi.office.it2go.eu because it has an illegal domain part
                      Sep 16 20:54:24 php: /index.php: Successful login for user 'admin' from: 10.0.0.235
                      Sep 16 21:11:46 php: /index.php: Successful login for user 'admin' from: 10.0.0.235

                      • jimp Rebel Alliance Developer Netgate

                        The next new snapshot should have enough of the fixes to let your load balancing work, yes.

                        Sep 16 17:20:31    php: : The gateway: LB_WAN1andWAN2 is invalid/unkown not using it.
                        Sep 16 17:20:32    php: : The gateway: FO_WAN2_WAN1 is invalid/unkown not using it.
                        Sep 16 17:20:32    php: : The gateway: FO_WAN1_WAN2 is invalid/unkown not using it.
                        

                        That is what I was referring to, which indicates you are on a snapshot with broken load balancing for dynamic gateways.

                        • krisken

                          Super!  So the only thing I have to do is … wait for a new snapshot.
                          When the update is there, I shouldn't change a thing in my config?  Nor in the firewall rules?

                          • jimp Rebel Alliance Developer Netgate

                            The config should be ok. Just install the update and when it boots up it should hopefully all work.

                            • krisken

                              @jimp:

                              The config should be ok. Just install the update and when it boots up it should hopefully all work.

                              OK, I'll let you know using this thread.
                              Any idea when a snapshot should be available with that bug fixed?

                              • jimp Rebel Alliance Developer Netgate

                                A few more hours. It's building now.

                                • krisken

                                  @jimp:

                                  A few more hours. It's building now.

                                  Super!  I'm waiting for it.
                                  Thank you for the great help!

                                  • krisken

                                    Just downloaded this new firmware to my pfSense router and it works great now.  If I hit F5 several times on www.watismijnip.be (kind of whatismyip.com) I get a mix between Dommel and Scarlet.
                                    Thanks guys!!

                                    • leap

                                      Is the hotfix available for load balancing now?

                                      Cheers
                                      Leap

                                      • jimp Rebel Alliance Developer Netgate

                                        @leap:

                                        Is the hotfix available for load balancing now?

                                        Yes, it should be fixed in current snapshots.

                                        • muffin

                                          Hi jimp,
                                          Should this have fixed the failover issue as well? Since updating to BETA4, WAN failover is no longer working correctly.
                                          I have the same issue posted here: http://forum.pfsense.org/index.php/topic,28415.0.html
                                          When a link goes down it will not automatically flick over… I'm guessing because it's not retrieving the info for the gateways?
                                          This is the error appearing in the logs:

                                          php: : Gateways status could not be determined, considering all as up/active.
                                          

                                          Also i am running the latest snapshot:

                                          2.0-BETA4  (i386)
                                          built on Sat Sep 18 23:15:00 EDT 2010

                                          Cheers.

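The two log conditions discussed in this thread (gateway groups rejected as invalid, and gateway status that could not be determined so that every gateway is treated as up) can be counted from an exported system log. This is an added example, not part of any post or of pfSense: the sample lines are copied from the log posted earlier in the thread, the function names are made up here, and syslog's "last message repeated N times" lines are replayed so that compressed repeats are not undercounted.

```python
import re
from collections import Counter

# Lines copied from the system log posted in this thread (one filter reload).
SAMPLE_LOG = """\
Sep 16 17:51:47 check_reload_status: reloading filter
Sep 16 17:51:48 php: : Gateways status could not be determined, considering all as up/active.
Sep 16 17:51:48 last message repeated 2 times
Sep 16 17:51:48 php: : The gateway: LB_WAN1andWAN2 is invalid/unkown not using it.
Sep 16 17:51:48 php: : The gateway: FO_WAN2_WAN1 is invalid/unkown not using it.
Sep 16 17:51:48 php: : The gateway: FO_WAN1_WAN2 is invalid/unkown not using it.
Sep 16 17:52:08 dnsmasq[8859]: read /etc/hosts - 2 addresses
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
# "unkown" is the spelling used in the log itself, so it is matched as-is.
REJECTED = re.compile(r"The gateway: (\S+) is invalid/unkown not using it\.")
FAIL_OPEN = "Gateways status could not be determined, considering all as up/active."


def expand(log_text):
    """Yield (timestamp, message), replaying 'last message repeated N times'."""
    prev = None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a syslog-style line
        ts, msg = m.groups()
        rep = REPEAT.match(msg)
        if rep:
            if prev is not None:
                for _ in range(int(rep.group(1))):
                    yield ts, prev
            continue
        prev = msg
        yield ts, msg


def gateway_findings(log_text):
    """Count fail-open status messages and rejected gateway groups."""
    rejected = Counter()
    fail_open = 0
    for _, msg in expand(log_text):
        m = REJECTED.search(msg)
        if m:
            rejected[m.group(1)] += 1
        elif FAIL_OPEN in msg:
            fail_open += 1
    return {"fail_open": fail_open, "rejected_groups": dict(rejected)}


if __name__ == "__main__":
    print(gateway_findings(SAMPLE_LOG))
```
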