Round Robin Wan Group - PF2 RC3???



  • Hi everybody.

    First, I have read tons of topics regarding this subject and have not found the solution I expected yet.

    I have this scenario:

    WAN1 (2mb static IP)    WAN2 (2mb static IP)
             |                       |
             |                       |
             |                       |
             -------------------------
                         |
                         |
                         |
                        LAN

    That is a very simple one, in fact. I'm using pfSense 2.0-RC3 (amd64) built on Thu Jul 28. What I have done is configure both the wan1 and wan2 interfaces and gateways with weight 1 for both (neither is configured as default GW), and create a gateway group using both gateways, with tier 1 assigned to both. I have also updated my firewall rules to use my group as GW. I know that using this configuration I should have load balancing between them using a Round Robin algorithm.

    Well, what I don't understand is that it doesn't seem to work in a RR way: shouldn't it use RR to assign a different GW to every new connection, independent of whether a link is in full use? I mean, even when my WAN1 is full I don't see new connections using WAN2, but they are trying to get some bandwidth on WAN1. What I need is that both Wans could be used in a RR way, not even when one is down or before its bandwidth is full.

    Have I done something wrong, or forgotten something? How can I have a new connection forwarded to the unused link if the other is full of use, or even if it's not in full use? Another question: do I need a default GW? What if one is the default, are new connections fw to both using RR?

    thanks!


  • Netgate Administrator

    @srs:

    I mean, even when my WAN1 is full I don't see new connections using WAN2, but they are trying to get some bandwidth on WAN1. What I need is that both Wans could be used in a RR way, not even when one is down or before its bandwidth is full.

    When you say full, do you mean with one connection or using bit torrent or what?
    Torrents are a good way to test load balancing since there are many connections so they can be shared equally.
    The speedtest.net bandwidth test is able to test load balanced connections.
    I have to admit that I am failing to understand the Round Robin algorithm. In 1.2.3 it would send alternate connections out of each interface. Such that if you go to www.pfsense.org/ip.php it would give alternate IPs each time you refreshed the page. It no longer does that for me.
    Do you have 'sticky connections' enabled?

    Steve



  • Also did you actually use this balancing pool in the firewall rules on the interface on which connections are created? (in your case probably LAN).



  • I thought that sticky connections are a "must have" for working https browsing?



  • @stephenw10: it may be one connection, if it is using full bandwidth; I tested pfsense's site ip discover and it really doesn't work for me either, only showing my WAN1 ip no matter how many times I hit the F5 key.

    I don't know where to enable 'sticky connections', can you guys tell me?

    @GruensFroeschli: yes, I have updated my firewall rules in order that lan traffic is being forwarded to group gateway.

    thanks for your considerations!


  • Netgate Administrator

    Sticky connections can be set in the gui: System >> Advanced >> Miscellaneous.

    If you try speedtest.net do you still only have traffic on one interface?

    Steve



  • Can you post your fw rules? Have you set your DNS server for your WAN2 correctly?

    I have 3 connections in LoadBalance and it's working fine. Although my hardware limits its efficiency sometimes.

    I have also squid(lusca-cache) in transparent mode and a lot of different packages.

    @Metu69salemi:

    I thought that sticky connections are a "must have" for working https browsing?

    This also got me into confusion. Some https are ok with loadbalance while some are not. I found out that yahoomail and facebook are ok with loadbalancing.
    It doesn't log me off when my WAN switches connections.



  • I have enabled sticky connections, but so far I haven't seen any difference  :-\

    These are my firewall rules, where 'grupo' is my gateway group. I have set up the DNS for both gw!

    [image: firewall rules screenshot]

    One important question: do I need to set up one of the GW as default?

    thanks



  • Put this after your anti-lockout rule.

    *   *   *   WAN1 subnet   *   WAN1 GW   none   Allow WAN1 subnet to WAN1 Gateway
    *   *   *   WAN2 subnet   *   WAN2 GW   none   Allow WAN2 subnet to WAN2 Gateway

    @srs:

    One important question: do I need to set up one of the GW as default?

    What's the purpose of your second rule? I think that's the reason why load balance doesn't work. Kindly disable it and check if it works.

    If it still doesn't work, add this in your floating rule:
     *   *   *   *   *   grupo   none


  • Netgate Administrator

    Yes as jikjik101 says, the rules are processed from the top down so you have to have your load balancing rule above your 'l7' rule.

    Steve



  • ok guys, I have done everything you asked me to, but it seems not to be working yet:

    • created two rules after my anti-lockout rule (wan1 subnet to wan1 gw and wan2 subnet to wan2 gw)
    • created the floating rule with direction IN
    • all rules at the top
    • no gw is defined as default

    One question: in System > Routing > Routes I have this:
    Network       Gateway   Interface   Description
    0.0.0.0/32    WAN1GW    WAN

    Shouldn't I have a rule like this for Wan2gw, or for the group? With this rule am I telling it that all the lan traffic should be routed to WAN1?


  • Netgate Administrator

    Ok I'm not sure what you have ended up with in your firewall section.
    To get loadbalancing working you only need one rule. Once it's working then add other rules to do other things. Take a look at my rules for my LAN2 interface below.

    I have three rules:
    1. This allows me to route to other internal subnets, e.g. Lan1 and Lan3. I need this because otherwise traffic for Lan1 would be routed to the external gateway instead of internally.

    2. This rule routes outgoing traffic to the loadbalancing gateway. This is the only rule you need!

    3. This rule allows outgoing traffic to pass if I have disabled the loadbalancing rule. Some sites won't work with loadbalancing.

    I don't know why you have that route in the static route table. If you don't have a good reason to have it there I would delete it.

    I don't have sticky connections enabled.
    I don't have any floating rules.
    I have WAN1 set as the default gateway. This means that traffic not routed to the Loadbalancing gateway will use WAN1.

    Steve




  • @stephenw10

    it's working now  ;D  ;D

    I think the problem was with that static route, in Gateways > Route. I deleted it and now when I use pfsense's show IP page, it rotates between my gw!

    Now, I suppose that when one gw is down, based on the latency and packet loss information entered on every GW configuration, it will route traffic to the other, won't it?

    thanks a lot for your help!


  • Netgate Administrator

    In the event of one gateway going down it will be removed from the group leaving only the other one.
    This is dependent on what you have set the trigger level to in the group settings.
    It's important that you set the system dns servers to have at least one using each gateway, otherwise you could lose dns.

    Steve
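
The behaviour this thread arrives at (rules matched top-down, round robin across same-tier gateways for each new connection, a failed gateway dropped from the group, optional sticky connections) as a toy Python model. This is an added example, not pfSense code and not something posted by the participants; `GatewayGroup`, `route`, `simulate` and the sample addresses are hypothetical, and stickiness is simplified to "same source keeps its gateway".

```python
# Added example, not pfSense code; all names here are hypothetical.
from itertools import count

class GatewayGroup:
    """Same-tier gateways, handed out round-robin per NEW connection."""
    def __init__(self, members, sticky=False):
        self.members = list(members)
        self.down = set()          # members the gateway monitor marked down
        self.sticky = sticky       # simplified 'sticky connections'
        self._turn = count()
        self._by_source = {}

    def pick(self, src):
        alive = [g for g in self.members if g not in self.down]
        if not alive:
            return None
        if self.sticky and self._by_source.get(src) in alive:
            return self._by_source[src]    # same source keeps its gateway
        gw = alive[next(self._turn) % len(alive)]
        self._by_source[src] = gw
        return gw

def route(rules, src, default_gw):
    """Evaluate rules top-down; the first matching rule decides the gateway."""
    for matches, gateway in rules:
        if matches(src):
            if isinstance(gateway, GatewayGroup):
                return gateway.pick(src) or default_gw
            return gateway or default_gw   # None: follow the routing table
    return None                            # nothing matched: not passed

def simulate(rules, sources, default_gw="WAN1GW"):
    return [route(rules, s, default_gw) for s in sources]

ANY = lambda src: True
# Constructed sample: four new connections from two LAN hosts.
SOURCES = ["192.168.1.10", "192.168.1.10", "192.168.1.11", "192.168.1.11"]

def demo():
    grupo = GatewayGroup(["WAN1GW", "WAN2GW"])
    shadowed = simulate([(ANY, None), (ANY, grupo)], SOURCES)  # group rule below
    balanced = simulate([(ANY, grupo), (ANY, None)], SOURCES)  # group rule on top
    grupo.down.add("WAN1GW")                                   # WAN1 fails
    failover = simulate([(ANY, grupo)], SOURCES)
    return shadowed, balanced, failover

if __name__ == "__main__":
    for name, result in zip(("shadowed", "balanced", "failover"), demo()):
        print(name, result)
```

In the `shadowed` case a plain pass rule sits above the group rule, so every connection leaves through the default gateway and the group is never consulted.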



  • For simplicity's sake, to make the system do a loadbalance,

    put your gw in the same tier and in the fw under the lan rule set your gw = loadbalance gw.
    fw rules, as stephenw10 said, are processed from top to bottom.

    cheers…



  • thanks a lot for the tips!
    ;)

