Dual WAN + LoadBalancing + Fail over + Multiply Public IPs



  • I am looking to set up Load Balancing and I had some questions on the fail over as well as other questions. Is there anyway we can use load balancing but have it use one line more then the other? We have comcast and will soon have another faster internet but we have to pay based on packets usage (don't ask I don't know the details). We also have multiply Public IPs from this ISP. So we have one from comcast and lets say 6 from this new ISP. 1 is used for load balancing and the other 5 are for internet servers. How do I set up the other 5 to go to their correct server? Do I use NAT or something like that? Also, is it possible to use DHCP with load balancing? Comcast has us in DHCP, or do I have to reconfigure each time our IP changes (about every 6 months or so)? And finally the stupid question, in a load balance, if one line gos down will the other still run if it is in the load balance list and when the other is back up will it start using it again?



  • The balancing is roundrobin, so there is no weighting between different lines. This is currently not possible. Single lines that are down get excluded from the pool for as long as they are down and will be used again if they become available again. This doesn't affect other lines in the balancingpool. Other option for pools is to use failoverpools. It will use the most top in the list available link only. DHCP for Pools works with the latest snapshots though DHCP itself has some issues atm under some special conditions. We are working hard on fixing this. For the servers you set up Virtual IPs. These can then be natted to different hosts.



  • How would I set up a DHCP load balancing? All I can find are load balancing with static and one even says they have to be static. Right now out plan is to use our Cisco 806 router and make it act like a gateway so that the pfSense server gets a static and the gateway gets the DHCP from comcast.



  • They have to be static for 1.0.1 release, but with the new snasphots we changed this. You basically just configure the interfaces with dhcp and reference the interface name instead of an gateway IP with the pool. This way the gateways inside the pool will get rewritten on IP changes.



  • When does the new snapshot come out then?  ;D



  • They are build hourly from the current code: http://snapshots.pfsense.com/FreeBSD6/RELENG_1/



  • Cool. Is it a firmware update or do I have to install that different? I was trying the firmware upload but it was saying:

    The digital signature on this image is invalid.
    This means that the image you uploaded is not an official/supported image and may lead to unexpected behavior or security compromises. Only install images that come from sources that you trust, and make sure that the image has not been tampered with.

    Do you want to install this image anyway (on your own risk)?



  • These images are not signed. just confirm that you want to apply the update. In case you have already pools set up edit them after applying the update, delete all poolmembers and readd them with the new logic.



  • Hi Hoba,
    Do we still have to edit the pools?



  • Only when going from a config that was generated with the old logic (manually entering gateway IPs) to the new snapshots with the different logic (referencing interface names).



  • A just had a thought. When setting up Dual WAN, don't you need to put both DNS IPs in to pfSense? If so, how and where? Also, is it possible to do a transparent proxy system with load balancing?



  • Transparent proxy won't work currently with loadbalancing, at least when using the squid package on pfSense itself. Only connections through the pfSense can be balanced. We are working on making the DNS setup easier currently but for the meanwhile you need the procedure with static routes that can be found numerous times here in the forum.



  • What if I am not using pfSense Squid pack? I have a Squid and Privoxy proxy server that is independent, but I would like to make it so they can't get around it. If they can bypass our proxy, they will do it and it means big trouble for us.



  • You can transparently redirect traffic back to your proxy and only allow the proxy to leave to the internet on port 80. These connections then can of course be balnced. This limitation only affects services that are run directly at the pfsense itself.



  • I am having trouble getting everything working now. My fiber line just got down so I am doing some testing. One NIC is plugged int the fiber gateway and the other is in my router for the other line (can't take the internet down). So I followed the load balancing in the documents but it doesn't seem to work right. it says both are down. The only changes are some of the names that were used. I can't figure out why it isn't working like it should.

    I have cable with DHCP and a fiber line with Static. Both with different DNS servers. I will try and get some screen shots posted, but the screen shots in that document are almost the same as mine.



  • Make sure you do not use the same monitoring IP at both interfaces. monitoring IPs have to be unique.



  • They are different. One is looking at a router at 10.10.10.1 and the other is looking at the gateway at 64.20.192.185. So they are different. Also found out that my new line has some problems so it is down right now. Will adding DNS servers to the XML config and then uploading really work? And here is a screen shot of my static routes for the DNS, was wondering if I did it right as well as my rules. Getting alerts that something is wrong with one of them, the one that says LAN > WAN + WAN2. It is set up like the help doc for load balancing with fail over.

    http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing






  • The screenshots look valid to me. Make sure your monitor IPs are pingable and mapped to the correct interface. What exactly is the error message that you get? You can copy paste it from status>systemlogs.



  • It is a filter load rule error. I didn't see it in the log. It comes up in the alert window and it says the rule with description "LAN > WAN + WAN2" can't load. This rule is the second one in the list (the one with the bad circle around it). I also have one of my internet's hooked up to the system to get it going but the load balancer shows it off line and I am not sure why. I know the monitor IP is pingable and they are mapped right. My other concern is the DNS, did I set it up right? I also have one DNS from the 2 in the General Settings and the others are in th Static Routes.








  • Here is the error I get:

    Acknowledge All    .:.    03-01-07 09:32:43 - [filter_load]There were error(s) loading the rules: /tmp/rules.debug:138: syntax errorpfctl: Syntax error in config file: pf rules not loaded The line in question reads [138]: pass in quick on $lan route-to { ( fxp0 ) , ( fxp1 64.20.192.185 ) } round-robin from 192.168.1.0/24 to keep state label USER_RULE: LAN > WAN + WAN 2    .:.



  • Try to convert this rule to 2 rules. 1 that blocks access to the alias through default gateway and another one that passes traffic to any through the pool. That's the same like the one rule with the NOT option.

    Does that solve the problem? Looks like there is something wrong with the NOT option to me.



  • What about the DNS? I just want to know if that is OK. Right now both lines are shown as down and one of them is plugged in and running.

    Nope, still getting the error message, but it is narrowed down.

    Acknowledge All    .:.    03-01-07 12:15:32 - [filter_load]There were error(s) loading the rules: /tmp/rules.debug:141: syntax errorpfctl: Syntax error in config file: pf rules not loaded The line in question reads [141]: pass in quick on $lan route-to { ( fxp0 ) , ( fxp1 64.20.192.185 ) } round-robin from 192.168.1.0/24 to any keep state label USER_RULE: LAN > WAN + WAN 2    .:.

    Status  Proto  Source    Port  Destination    Port            Gateway                      Description
    pass      TCP    LAN net    *        *            HTTPsall    Wan2FailoverWan1      LAN > WAN2|WAN1 HTTPS
    block    *        LAN net    *    Internal        *                  *                      LAN > Default (block)
    pass      *        LAN net    *      *              *            LoadBalancer              LAN > WAN + WAN 2



  • What version are you running? If this is not the latest snapshot please upgrade. Something is pretty strange with your setup.



  • Updated it this morning before a posted. it is like 2-27-07.



  • Then I'm at a loss. I recommend starting over. There must be something somewhere wrong that we don't find this way. I recommend setting up and testing step by step to see where things break.



  • This was a start over. Followed everything in that wiki for the load balancing. Bet if I followed it again, I will still get the same error and I am nit sure why I am getting the error. Everything looks good.



  • Everything is working now. It might have been hitting the error because the internet wasn't working right. I had a subnet problem in WAN and WAN2 finally got up yesterday. Plugged it all in and load balancing shows both running and did a restart and no rule errors came up. Everything seems to be OK. Do you know if I can block the DHCP range from the internet? This is for a school and the students will bypass the proxy if there is a way to, so we block the DHCP range and put a proxy into there computers so it gos to the proxy then out.



  • I was also wondering about the multiply Public IPs and how I set them up. I made virtual IPs for it and set up NAT Routing with it. I noticed the NAT 1:1 and looked it up. Do I need to put anything in that? I did to see if it would do anything and now I get errors from it.



  • Well I have everything working. Just down to one problem, FTP on the load balance. I put the work around in and it is at the top but it doesn't seem to work. Anyone have any ideas why or what I need to do to get FTP to work on our load balance?

    The work around was:

    Proto Source  Port  Destination    Port    Gateway
    TCP  LAN net  *    127.0.0.1    1-65535      *



  • Change the rule to include ports 8000-8020 instead of 65535



  • You only have set 65535 and not the whole range 1-65535. There is an even easier rule to accomplish this:
    pass, protocol any, source any, destination 127.0.0.1, gateway default.

    That should do the trick when it is at the top of your rules at LAN.



  • I have it going from 1 - 65535 hoba, so that not the problem. Sorry about that I spaced it wrong. there is an extra 1 that is for the 1 - 65535 next to the 127.0.0.1. I will try your way and see what I get.



  • Neither one seem to work. I tried to download a file of an FTP and it just times out. sullrich, I am not sure what you mean by have the rule in ports 8000-8020. If it gos to 65535 then it should already have 8000-8020 included. I tried both ways, here is a screen shot of the 2 rules. One is disabled right now so I could test. Then I remembered that only one WAN is hooked up so I switched from the default to the working WAN (WAN2) and tried it again. And yes, the FTP site I was using to test is working.

    BTW hoba, remember when I asked about weighting a Load Balance system so it gos down one line more the the other? I had a though and was wondering what your thoughts were on it, we are looking for more of a redundant system for our internet. So couldn't I use a Failover? WANfailoverWAN2 would go down the WAN and then use WAN2 when WAN gos down, but will it switch back to WAN when it s up again?




  • Never mind about the FTP, it seems to be working now. I guess it only works with the default.



  • OK, everything is working…... OK not everything. I am having trouble with one of my Internet lines now. It is Comcast and they give out a DHCP address. So I got a Linksys BEFSR41 and I put it between the Router and the Modem (see picture). I am doing load balancing with Comcast and another ISP but the Linksys router keeps going down after it runs for like 10 - 20 minutes. Tech support can't help me because of the way it is set up and the router works good. I can plug into it and just use that router to go out. I did 539 some odd pings to it's DNS server to see if it would handle the pings and it did fine. It is just when it is plugged into the pfSense. I have tried making it DMZ pfSense but that doesn't help. Anyone have any ideas that can help me? pfSense is configured right and all because it worked with a similar set up using a Cisco 806. Just need to find out if it is the Linksys or if maybe I did configure something wrong.




  • Update on the problem. I found out that I can switch ports and the internet for that ISP will start working for me for a while, after that it fails and I have to switch ports. Anyone have any idea what could be causing this and how to fix it?


Log in to reply