Pfsense 2.0 multiwan



  • So I was seeing some entries on how to do load balancing on pfSense 2.0, but what is the easiest way to do it? I've seen some people agree/disagree.

    Anyway, 2 WAN interfaces. I just tried assigning the 2nd one as OPT1, and just enabled it under Interfaces, with DHCP to get an address.

    OK, then I just went to Firewall > Load Balancer, and did that.
    Doesn't work though; didn't think it would. At least I don't think it works. I am torrenting on my WAN1 interface and was hoping it would switch to OPT1.



  • Load balancing is only used for inbound traffic in pfSense 2. For multiwan, use System->Routing then the Groups tab and create Gateway Groups specifying the WAN connections and priority. Then in each firewall rule specify the Gateway (under Advanced Features for each rule) as a gateway group rather than a single gateway address to use, so you can balance, failover, or force a specific gateway per firewall rule.



  • Any particular reason it's a bit of a lengthy multi-step process? Would be neato if it were implemented with a single wizard  ;)



  • Eh, I have a question.
    http://forum.pfsense.org/index.php?topic=28121.0

    It says: "The monitor IP address in the figure was taken from OpenDNS as example. Please, use your own IP addresses in your setup."

    Does this statement mean just use any IP and ping that to see if it works, or use your own WAN IP? I want to think it just means use any online host that stays up? Amirite?



  • There are walkthroughs out there, but it's actually less complicated, more logical, and with many fewer steps than the 1.2.3 method using load balancing, in my opinion. It's not hard: set up interfaces, create gateway groups, assign gateways and gateway groups to whatever rules you want. The end. Even the gateway groups configuration is very elegantly visual while allowing complex balancing and failover to multi-interface groups extending to an arbitrary (I think) number of WANs, so it's scalable.



  • @jigglywiggly:

    Eh, I have a question.
    http://forum.pfsense.org/index.php?topic=28121.0

    It says: "The monitor IP address in the figure was taken from OpenDNS as example. Please, use your own IP addresses in your setup."

    Does this statement mean just use any IP and ping that to see if it works, or use your own WAN IP? I want to think it just means use any online host that stays up? Amirite?

    You'll need to use an IP that you can continuously ping through that interface, that will be reachable when the interface is up and will be unreachable when the interface is down. It can be the router on that interface (if the IP is static), or an IP on the Internet, assuming they won't block a very continuous ping and it's "always" up (at least when that WAN is up).



  • Thanks, thought so.

    One last question

    The Wan2failoverWan1 is blanked out; I think I should add it, but his is blanked… also, the source is * instead of LAN net?



  • Tried it, don't think it's working. Was torrenting, and kept checking my IP on whatismyip.com and it was always my main1. There is some traffic on OPT1, but it's very little, <20 kbps.

    While my WAN1 is doing 15 Mbps.

    Any idea?



  • Wan1failoverwan2 matches before the balance rule so all the traffic goes out the first rule. You have to be careful the order you put things in because it bypasses the rest of the rules once there is a match.



  • I believe you're correct, because I was so confused when I tried pinging through the OPT interface: when I was torrenting on WAN1, my ping on OPT was 500 ms, but that didn't make sense since there was no load going through it. I then tested with my laptop and it was running 15 ms to Google and whatnot. Will try to fix, thanks a bunch.

    EDIT: Could you rephrase that? I think I got what you said wrong; I mean, my order is the same as the tutorial's, isn't it?



  • I reversed the tiers, now I am on the OPT1 modem… though I don't know if load balancing is working lol... will try loading this modem and then you know. In the meantime, just imagine my tier numbers reversed.

    Also, when I did that, I couldn't get any net, but I could ping outside through pfSense on OPT1, so I dug around and had to add this for OPT1; I had already made one for WAN before.



  • zomg it works
    Here is the final pic to just clear some confusion



  • Firewall rules match from top to bottom. The first rule that matches applies to given traffic. Therefore if your first rule says "all traffic from anywhere, send to the Wan1FailoverWan2 gateway group," ALL traffic on that interface will use WAN1 and failover to WAN2, per that gateway rule. The rest of the rules no longer matter, as the first one matches everything. You have to limit something first, so for example your first rule could be the same except change "from anywhere" to be "from IP 192.168.1.5" and then all traffic from the machine at 192.168.1.5 will go to WAN1 and failover to WAN2, but traffic from other IP addresses would not match that rule since the source IP would be different, so it would be matched against the second rule. If it matched, that would be applied, but if not it would move on to rule 3, and so on.

    Thus you need to be careful of the order and scope of your firewall rules because once the traffic matches one of them, the rest don't matter (for that traffic).



  • @jigglywiggly:

    Thanks, thought so.

    One last question

    The Wan2failoverWan1 is blanked out; I think I should add it, but his is blanked… also, the source is * instead of LAN net?

    Per your image, the second firewall rule is disabled, hence blanked out. Click the little gray button to the left of the rule (that's green in other rules) to enable, or edit the rule and uncheck the "Disabled" checkbox near the top and save, then apply.

    In your case, if you only have one LAN with one IP range on that LAN in use, using * or "LAN net" as the source will mean the same thing. * means any IP, but "LAN net" will encompass all IPs in the network defined on the LAN interface, which should match the same traffic for stuff coming from the LAN network. Generally the idea is to use the least permissive rule necessary so you would pick "LAN net" as the source, but in this specific situation the effect will be the same.



  • Is it just me or are you using the 1.x way of doing MultiWAN on a 2.0 box?

    You should be able to make just one group, with your two gateways in the same tier. They will load balance until one fails.

    If you want to force traffic out of one interface, you can use a firewall rule and choose a Gateway.

    http://forum.pfsense.org/index.php/topic,10407.0.html



  • @SeventhSon:

    Is it just me or are you using the 1.x way of doing MultiWAN on a 2.0 box?

    You should be able to make just one group, with your two gateways in the same tier. They will load balance until one fails.

    If you want to force traffic out of one interface, you can use a firewall rule and choose a Gateway.

    http://forum.pfsense.org/index.php/topic,10407.0.html

    Sure, that will work for load balancing, but the additional gateway groups are still necessary if you have some traffic you would like to go primarily out one WAN but failover to the other. Assigning to a specific WAN won't failover in case it's down. I have an environment where I use all three (balanced, and one with each WAN primary and the others secondary), so public wifi uses the second WAN and the LAN uses the first WAN by default but they both fail over. Actually I'm not sure if I'm even-balancing directly there or not but I do have it set as an option should I need it.
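    As an added illustration of the two mechanisms this thread keeps returning to (firewall rules match top to bottom and the first enabled match wins; a gateway group picks the lowest tier whose members are reachable and alternates between members sharing a tier), here is a small Python model. It is example code written for this page, not pfSense code and not anything a participant posted. The group names Wan1FailoverWan2, Wan2FailoverWan1 and Balance come from the thread; the tier numbers, the 192.168.1.0/24 and 192.168.2.0/24 networks, the host addresses and the round-robin balancing are assumptions.

```python
"""Toy model of pfSense-style policy routing as discussed in the thread:
rules are evaluated top to bottom, the first enabled rule that matches wins,
and a rule's gateway may be a gateway group whose members carry tiers
(lower tier preferred, equal tiers balanced). Added example, not pfSense
code; hosts, networks and tier numbers are made up for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    source: str        # a CIDR such as "192.168.1.0/24", or "*" for any source
    gateway: str       # a gateway group name or a single gateway name
    disabled: bool = False

    def matches(self, src_ip):
        """A disabled (blanked-out) rule never matches; "*" matches every source."""
        if self.disabled:
            return False
        if self.source == "*":
            return True
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)


@dataclass
class GatewayGroup:
    tiers: dict        # {gateway name: tier}; tier 1 is preferred over tier 2
    counter: int = 0   # round-robin position for members sharing a tier

    def pick(self, up):
        """Choose among the reachable members of the lowest reachable tier.

        `up` maps gateway name -> bool, standing in for the monitor-IP pings."""
        alive = {gw: tier for gw, tier in self.tiers.items() if up.get(gw, False)}
        if not alive:
            return None    # every member is down: nothing to send traffic to
        best = min(alive.values())
        candidates = sorted(gw for gw, tier in alive.items() if tier == best)
        chosen = candidates[self.counter % len(candidates)]
        self.counter += 1  # equal-tier members alternate (crude load balancing)
        return chosen


def route(rules, groups, src_ip, up):
    """Return (matching rule name, chosen gateway) for one new connection.

    First match wins: later rules are never consulted, which is why an
    any-source rule at the top swallows everything below it."""
    for rule in rules:
        if rule.matches(src_ip):
            group = groups.get(rule.gateway)
            if group is None:  # rule points at a single gateway: no failover
                return rule.name, (rule.gateway if up.get(rule.gateway) else None)
            return rule.name, group.pick(up)
    return None, None      # no rule matched; a real firewall applies its default policy


def make_groups():
    """Fresh copies of the three groups the thread ends up with (tiers assumed)."""
    return {
        "Wan1FailoverWan2": GatewayGroup({"WAN1": 1, "OPT1": 2}),
        "Wan2FailoverWan1": GatewayGroup({"OPT1": 1, "WAN1": 2}),
        "Balance":          GatewayGroup({"WAN1": 1, "OPT1": 1}),
    }


LAN_NET = "192.168.1.0/24"  # assumed LAN subnet

# The ordering from the thread: an any-source failover rule ahead of the balance rule.
RULES_SHADOWED = [
    Rule("any host via WAN1, failover OPT1", "*", "Wan1FailoverWan2"),
    Rule("balance LAN net", LAN_NET, "Balance"),
]

# The suggested fix: scope the first rule so other hosts fall through to the
# balance rule. The middle rule is disabled, like the blanked-out one in the thread.
RULES_SCOPED = [
    Rule("192.168.1.5 via WAN1, failover OPT1", "192.168.1.5/32", "Wan1FailoverWan2"),
    Rule("guest net via OPT1, failover WAN1", "192.168.2.0/24", "Wan2FailoverWan1", disabled=True),
    Rule("balance LAN net", LAN_NET, "Balance"),
]


def simulate(rules, hosts, up):
    """Route one connection per host against a fresh set of gateway groups."""
    groups = make_groups()
    return {host: route(rules, groups, host, up) for host in hosts}


if __name__ == "__main__":
    hosts = ["192.168.1.5", "192.168.1.20", "192.168.1.21"]
    both_up = {"WAN1": True, "OPT1": True}
    print("shadowed: ", simulate(RULES_SHADOWED, hosts, both_up))
    print("scoped:   ", simulate(RULES_SCOPED, hosts, both_up))
    print("WAN1 down:", simulate(RULES_SCOPED, hosts, {"WAN1": False, "OPT1": True}))
```

    With the shadowed ordering every host reports the first rule and WAN1, matching the symptom in the thread (all traffic on one modem, a trickle on the other). With the scoped ordering only 192.168.1.5 is pinned to WAN1, the other LAN hosts alternate between WAN1 and OPT1, and taking WAN1 down moves all of them to OPT1 through the tier-2 member. A host on the disabled guest rule's network matches nothing at all, which is the effect of a rule that is "blanked out".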

