    How to split LAN into two? - Jikjik101's network

    General pfSense Questions
jikjik101:

Sorry, but I don't know the correct terminology or how to describe my problem.

Recently I ran out of NICs, and I want to use the LAN card to have two different networks. The reason for this is that all our devices are connected to our file server. For security's sake, I want to separate the personal devices (smartphones and laptops) from our office devices (office PCs and printers).

My current setup is: WAN - pfSense - LAN (192.168.100.x)

What I want to do is:

                    |- LAN1 (192.168.100.x)
    WAN - pfSense --|
                    |- LAN2 (10.10.10.x)

Is this doable in 2.0? Can you please point me in the right direction? I'm confused by VLAN, VIP and DMZ. Which one is the more proper solution to my problem?

TIA.
Metu69salemi:

How many interfaces do you have in your pfSense machine?
Only 2? Then use VLANs.
Three or more? Then you can use physical interfaces to separate subnets.

Both ways are equally easy.
ericab:

This is either going to require A) a switch in front of your LAN NIC which supports VLAN tagging, or B) another physical NIC.
jikjik101:

I have 4 NICs and 3 ISPs; only one is left for the LAN. But I need to split the LAN into two networks for security purposes. As of now, I can't get an additional NIC because my mobo only supports 3 additional NICs, and I can only buy the NIC with more than two ports by next month. So I want to have at least a temporary solution to my problem, in which I need to "privatize" my office client group from the personal client group.

I currently have a 3-ISP load-balance setup.
Metu69salemi:

Then you should use VLANs with a manageable switch until you get a NIC with multiple interfaces.
jahonix:

@jikjik101:

    ...And I can only buy the NIC with more than two ports by next month.
    So I want to have at least a temporary solution to my problem ...

If money is the limiting factor for buying another NIC, then I doubt he will be able to buy a VLAN-capable switch immediately.

To succeed, you need to separate the traffic, either physically (NICs) or virtually (VLANs). Everything else does not separate the traffic and you gain nothing (except trouble).
If it is this important in the time frame before next month, I would probably use one of the WAN NICs as a second LAN until a dual NIC arrives.
ericab:

10% off w/ promo code netswitch01, ends 8/8

http://www.newegg.com/Product/Product.aspx?Item=N82E16833122381&nm_mc=OTC-Froogle&cm_mmc=OTC-Froogle-_-Network+-+Switches-_-Netgear+Inc.-_-33122381
jikjik101:

@Metu69salemi:

    Then you should use VLANs with a manageable switch until you get a NIC with multiple interfaces.

I thought that VLAN was already "embedded" in pfSense. This is my fatal misconception. I was thinking that I could just split my LAN into two or more networks and use the VLAN tags as the "category" to identify each network. I thought VLAN was an easy concept to implement without acquiring additional hardware. ;D

@jahonix:

    If money is the limiting factor for buying another NIC, then I doubt he will be able to buy a VLAN-capable switch immediately.

Actually, money is not the factor; it is our office location. We are currently situated in the middle of nowhere. Buying gadgets like this will require at least a 3-hour trip or, at worst, waiting 30-45 days for our supplier to get the hardware from their manufacturer/distributor.

@jahonix:

    To succeed, you need to separate the traffic, either physically (NICs) or virtually (VLANs). Everything else does not separate the traffic and you gain nothing (except trouble).
    If it is this important in the time frame before next month, I would probably use one of the WAN NICs as a second LAN until a dual NIC arrives.

Since physical separation is not possible at this point in time, the only option that I have is VLAN. But VLAN needs a switch with VLAN capability, which I don't have in my possession, or buying the said hardware will still take time, and time is not on my side. So I guess this is a losing battle for me unless the new hardware arrives. :'(

@ericab:

    10% off w/ promo code netswitch01, ends 8/8

    http://www.newegg.com/Product/Product.aspx?Item=N82E16833122381&nm_mc=OTC-Froogle&cm_mmc=OTC-Froogle-_-Network+-+Switches-_-Netgear+Inc.-_-33122381

Thanks for the recommendation, but I prefer the NIC with 4 ports. It is easier to manage just one piece of hardware than to have many devices in between, and it is also much easier to troubleshoot to find the one problematic piece of hardware in a large system.

THANKS A LOT GUYS FOR SHEDDING LIGHT ON MY PROBLEM. CHEERS!

This is my system, though:
2.0-RC3 (i386)
built on Sun Jul 31 05:05:32 EDT 2011
Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
http://www.dell.com/us/dfb/p/vostro-220/pd
Metu69salemi:

Well, VLAN is embedded in pfSense, but it needs hardware that is capable of understanding that traffic.
jikjik101:

What can you suggest, an additional dedicated NIC or a manageable switch? Which is better in terms of performance and management, considering that I only want to split the current LAN?
Metu69salemi:

If you think that you would have more separated LANs, then a manageable switch pays off via multiple VLANs.
But other than that it is a matter of taste, whichever you prefer more.
stephenw10 (Netgate Administrator):

Would it not be possible, theoretically, to use VLANs without a switch if all the LAN clients support VLAN tagging directly?
I realise it would not provide much by way of security and that it may be completely impractical if you have lots of clients. It would also rely on you trusting the client computers.
However, if you need to separate the traffic for some reason other than security, this might be possible.

I've never tried this, but I'd be interested in your thoughts. :)

Steve
Metu69salemi:

Hmm, I've never seen this in action. So does this mean that I don't trust people/client machines?!?
jikjik101:

@metu: is the manageable switch alone enough to create a VLAN? I'm talking about hardware requirements. So from my pfSense box - manageable switch - different VLANs?

@stephen: sorry, but I don't understand what you are saying. If I have a VLAN-capable client, can I separate this client from others in my LAN directly? And is this client the one who controls/manages the VLAN and not me? What if I have 3 VLAN-capable clients; how are they going to communicate? Thinking about VLANs alone makes my head ache. :-[

My current situation: I have one LAN composed of Group A (staff) and Group B (guests). My LAN has a file server which Group B should not have access to for confidentiality reasons. I read that I cannot filter traffic coming in and out on the same interface. But I need to restrict Group B from accessing the file server. The question is how?
wallabybob:

@jikjik101:

    @metu: is the manageable switch alone enough to create a VLAN? I'm talking about hardware requirements. So from my pfSense box - manageable switch - different VLANs?

Yes, a small VLAN-capable switch is sufficient for your needs. I'm not sure that all manageable switches are VLAN-capable.

@jikjik101:

    @stephen: sorry, but I don't understand what you are saying. If I have a VLAN-capable client, can I separate this client from others in my LAN directly? And is this client the one who controls/manages the VLAN and not me? What if I have 3 VLAN-capable clients; how are they going to communicate? Thinking about VLANs alone makes my head ache. :-[

Notice also that Stephen said it would not provide much by way of security, so I think that rules his idea out for your circumstances.

@jikjik101:

    My current situation: I have one LAN composed of Group A (staff) and Group B (guests). My LAN has a file server which Group B should not have access to for confidentiality reasons. I read that I cannot filter traffic coming in and out on the same interface. But I need to restrict Group B from accessing the file server. The question is how?

You need to be able to configure separate interfaces for group A and group B so you can create distinct firewall rules for each group. You can use separate physical interfaces for each group (but your slots are all in use, so you might need to replace a single-port card by a dual-port card to get the additional interface) or you can use VLANs to get distinct "virtual" interfaces over a single physical interface. If you use VLANs you will need at least a small VLAN-capable switch. Where I live, small VLAN-capable switches are available for under the local equivalent of US$100.

Given that you aren't allowing significant traffic between group A and group B, you should see any significant performance difference between the two options.

@jikjik101:

    Actually, money is not the factor; it is our office location. We are currently situated in the middle of nowhere. Buying gadgets like this will require at least a 3-hour trip or, at worst, waiting 30-45 days for our supplier to get the hardware from their manufacturer/distributor.

If your superiors are not prepared to fund someone for the three-hour trip, are not prepared to wait 30-45 days for your current supplier to provide, are not prepared to authorise an "exception" to get suitable equipment sooner, and want the solution "now", then they are not serious about the security.
To get the security you appear to need, you require either an additional port or the VLAN-capable switch.

On thinking through this a bit more, I notice it's not clear how groups A and B currently connect to pfSense: possibly both groups connect to a single switch, maybe there is a wireless access point or two, etc. What you will need will actually depend somewhat on the mix of devices in the different groups. For example, if every device in group B is WiFi-capable then you could get away with configuring a USB wireless NIC that can act as an access point in your pfSense box. Group B devices would then come in over WiFi and would have their own separate firewall rules. (I'm presuming your existing pfSense box has at least one spare USB slot.)
jikjik101:

@wallabybob:

    Yes, a small VLAN-capable switch is sufficient for your needs. I'm not sure that all manageable switches are VLAN-capable.

Nice. I will start looking for a VLAN-capable switch.

@wallabybob:

    Notice also that Stephen said it would not provide much by way of security, so I think that rules his idea out for your circumstances.

Just for the sake of discussion, how will the three VLAN-capable computers communicate? Do not consider the security here.

@wallabybob:

    You need to be able to configure separate interfaces for group A and group B so you can create distinct firewall rules for each group. You can use separate physical interfaces for each group (but your slots are all in use, so you might need to replace a single-port card by a dual-port card to get the additional interface) or you can use VLANs to get distinct "virtual" interfaces over a single physical interface. If you use VLANs you will need at least a small VLAN-capable switch. Where I live, small VLAN-capable switches are available for under the local equivalent of US$100.

    Given that you aren't allowing significant traffic between group A and group B, you should see any significant performance difference between the two options.

What do you mean by this?

@wallabybob:

    If your superiors are not prepared to fund someone for the three-hour trip, are not prepared to wait 30-45 days for your current supplier to provide, are not prepared to authorise an "exception" to get suitable equipment sooner, and want the solution "now", then they are not serious about the security.
    To get the security you appear to need, you require either an additional port or the VLAN-capable switch.

Which do you suggest, VLAN switch or additional port?

@wallabybob:

    On thinking through this a bit more, I notice it's not clear how groups A and B currently connect to pfSense: possibly both groups connect to a single switch, maybe there is a wireless access point or two, etc. What you will need will actually depend somewhat on the mix of devices in the different groups. For example, if every device in group B is WiFi-capable then you could get away with configuring a USB wireless NIC that can act as an access point in your pfSense box. Group B devices would then come in over WiFi and would have their own separate firewall rules. (I'm presuming your existing pfSense box has at least one spare USB slot.)

Sorry, I was not clear on this.

                           |- switches - wired clients
    pfSense box -> switch -|
                           |- wireless router - WiFi clients

Group A - wired clients and WiFi clients
Group B - WiFi clients only

I will give you a more detailed network diagram in my next reply (hopefully I can make one).

There is another post that looks like my problem: http://forum.pfsense.org/index.php/topic,39654.0.html

@Nachtfalke:

    Hi,

    not sure how this works in pfSense but I think there is an option "Virtual IP". I think this could help you (if you do not have/like to use VLANs).
wallabybob:

@jikjik101:

    @wallabybob:

        Notice also that Stephen said it would not provide much by way of security, so I think that rules his idea out for your circumstances.

    Just for the sake of discussion, how will the three VLAN-capable computers communicate? Do not consider the security here.

There aren't three VLAN-capable computers, only a VLAN-capable switch and VLANs configured on pfSense. One switch port connects to your LAN switch (group A), one switch port connects to your wireless router. These switch ports are configured in distinct VLANs, add VLAN tags on input to the switch, and strip VLAN tags on output. A third switch port connects to pfSense and is configured to belong to both VLANs and passes through VLAN tags on both input and output. On pfSense you configure two VLANs on its port connected to the switch and use the same VLAN IDs as you configured in the switch.

@jikjik101:

    @wallabybob:

        Given that you aren't allowing significant traffic between group A and group B, you should see any significant performance difference between the two options.

    What do you mean by this?

Sorry, it should have read ... you should NOT see any significant ...

@jikjik101:

    @wallabybob:

        To get the security you appear to need, you require either an additional port or the VLAN-capable switch.

    Which do you suggest, VLAN switch or additional port?

Whatever best suits you. An extra port means you don't have an extra switch to manage. A VLAN switch gives you a bit more expansion capability than an extra port.

@jikjik101:

    There is another post that looks like my problem: http://forum.pfsense.org/index.php/topic,39654.0.html

    @Nachtfalke:

        Hi,

        not sure how this works in pfSense but I think there is an option "Virtual IP". I think this could help you (if you do not have/like to use VLANs).

A variant of Stephen's suggestion that was rejected earlier because it provided inadequate security.
jikjik101:

@wallabybob:

    A variant of Stephen's suggestion that was rejected earlier because it provided inadequate security.

Please expound on this one.
What difference will it make?
stephenw10 (Netgate Administrator):

The very low security option would be something like this:
Assign a second virtual interface to the LAN interface. This interface will have a different subnet.
Then you assign your 'LAN B' group to use this subnet.
However, any separation between the two subnets relies on your clients not manually changing their IP. I guess you could lock down the client computers using Windows security policy or equivalent.

The VLANs with no switch would be similar. You would have to set the VLAN number on each client such that they would only see packets tagged with that number.

Steve
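An added example, not code from this thread or from pfSense, that models the two designs side by side: the managed-switch setup wallabybob described (access ports stamp the tag on input and strip it on output, the trunk port to pfSense carries both tags) and the no-switch variant Steve describes above, where the client sets its own tag. It builds real 802.1Q frame bytes (TPID 0x8100, 12-bit VID) with Python's struct module. The MAC addresses, the VIDs 10 and 20, the switch port numbers and the pfSense interface names LAN_STAFF/LAN_GUEST are assumptions, and the rule that an access port drops a frame that arrives already tagged is a modelling choice that not every real switch follows.

```python
"""Added example, not code from the thread or from pfSense: a small model of
802.1Q tagging showing why the VLAN tag has to be applied by a managed switch
and not by the client. MACs, VIDs and interface names are made up."""
import struct

TPID_8021Q = 0x8100      # EtherType value announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed addresses for the two groups in the thread.
MAC_STAFF_PC = bytes.fromhex("0200000000a1")
MAC_GUEST_PHONE = bytes.fromhex("0200000000b2")
MAC_PFSENSE = bytes.fromhex("0200000000ff")


def build_frame(dst, src, payload=b"", vid=None):
    """Ethernet II frame; the optional 802.1Q tag (PCP=0, DEI=0) follows the MACs."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + payload


def tag_of(frame):
    """VID carried by the frame, or None when it is untagged."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def pop_tag(frame):
    return frame[:12] + frame[16:]


class ManagedSwitch:
    """Access ports carry untagged frames and own a PVID; trunk ports carry tags.

    Modelling assumption: a tagged frame arriving on an access port is dropped.
    Real switches differ here, so check the documentation of the one you buy."""

    def __init__(self):
        self.access = {}   # port -> PVID
        self.trunk = {}    # port -> VIDs allowed on that trunk

    def ingress(self, port, frame):
        """Classify an arriving frame as (vid, untagged frame), or None if dropped."""
        if port in self.access:
            return None if tag_of(frame) is not None else (self.access[port], frame)
        vid = tag_of(frame)
        return (vid, pop_tag(frame)) if vid in self.trunk[port] else None

    def egress(self, port, vid, frame):
        """Access ports emit the frame untagged (only for their own VLAN); trunks re-tag."""
        if port in self.access:
            return frame if self.access[port] == vid else None
        return push_tag(frame, vid) if vid in self.trunk[port] else None

    def forward(self, in_port, frame, out_port):
        hit = self.ingress(in_port, frame)
        return None if hit is None else self.egress(out_port, *hit)


# pfSense side: each VLAN child of the single LAN NIC is its own interface, so
# firewall rules are written per interface. Interface names are hypothetical.
PFSENSE_VLAN_IFACES = {10: "LAN_STAFF", 20: "LAN_GUEST"}
FILESERVER_ALLOWED_FROM = {"LAN_STAFF"}


def pfsense_interface(frame):
    """Which pfSense interface a frame arriving on the trunk NIC is assigned to."""
    return PFSENSE_VLAN_IFACES.get(tag_of(frame))


def fileserver_reachable(frame):
    return pfsense_interface(frame) in FILESERVER_ALLOWED_FROM


def wired_switch():
    sw = ManagedSwitch()
    sw.access[1] = 10         # port 1: the staff LAN switch (group A)
    sw.access[2] = 20         # port 2: the guest wireless router (group B)
    sw.trunk[3] = {10, 20}    # port 3: pfSense LAN NIC, both VLANs tagged
    return sw


def through_switch(src_mac, in_port, vid=None):
    """A host behind an access port sends a frame; report what pfSense sees."""
    f = build_frame(MAC_PFSENSE, src_mac, b"SMB to file server", vid)
    on_trunk = wired_switch().forward(in_port, f, 3)
    return None if on_trunk is None else (pfsense_interface(on_trunk), fileserver_reachable(on_trunk))


def without_switch(src_mac, vid):
    """Steve's no-switch idea: the client's own tag reaches pfSense unchanged."""
    f = build_frame(MAC_PFSENSE, src_mac, b"SMB to file server", vid)
    return pfsense_interface(f), fileserver_reachable(f)


if __name__ == "__main__":
    print("staff via switch:", through_switch(MAC_STAFF_PC, 1))
    print("guest via switch:", through_switch(MAC_GUEST_PHONE, 2))
    print("guest forging VID 10 via switch:", through_switch(MAC_GUEST_PHONE, 2, vid=10))
    print("guest forging VID 10, no switch:", without_switch(MAC_GUEST_PHONE, 10))
```

Running it prints, for each case, the interface pfSense would assign the frame to and whether the per-interface rules let it reach the file server. The point is where the tag gets decided: with the switch, the guest port's PVID is stamped on ingress no matter what the phone sends, so a frame from group B can only ever land on LAN_GUEST; without a switch the client chooses its own tag and the very same frame lands on LAN_STAFF.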
jikjik101:

I see. The effect of stephenw10's method is now clearer to me.

Sorry for being so ignorant, but what I don't get is the how-to or the step-by-step process to make this one. ??? ???

@stephenw10:

    Assign a second virtual interface to the LAN interface. This interface will have a different subnet.
    Then you assign your 'LAN B' group to use this subnet.

Correct me if I am wrong (I know I'm wrong ;D), are these the steps to do stephenw10's suggestion?
1. In my pfSense box, go to Interfaces > (assign) > VLANs > add.
2. Create a VLAN with LAN as the parent interface and VLAN tag 2.
3. I don't know what the next step is.
stephenw10 (Netgate Administrator):

You shouldn't be doing this! :P
I've never done it, or even read about doing it with VLANs. I was just speculating whether it might be theoretically possible.

However, after you have set up the additional VLAN interface and configured its IP address and subnet, you should go to a client computer and try to set the VLAN tagging to match. I don't know how you would do that, though.

You are then in the situation where you have both tagged and untagged traffic on the same interface, which can result in problems.

It's an interesting exercise, but you probably won't end up with a working configuration.

Steve
jikjik101:

hahaha... that is what I'm thinking. hahaha

I thought you were going to give me a HOW-TO. ::) hahaha

Anyway, I'll try to experiment with this and maybe (maybe) I can solve my problem (fingers crossed on both hands and feet). hahaha

THANKS A LOT FOR SHARING YOUR THOUGHTS/IDEAS. I've learned a lot from this.
Metu69salemi:

Well, I would continue with a VLAN-capable switch and put this aside for the waiting period. What kind of client devices do you have over there?
Would you also need VLAN-capable wireless?!?

For good practice you could draw a couple of images: "What do I have now" and "What I want to achieve with changes".

Send us those drawings to view, and then we might be able to give you precise enough answers for your investments.
stephenw10 (Netgate Administrator):

In case you're crazy enough to try this! Here are some instructions for WinXP:
http://www.formortals.com/implementing-vlan-trunking/
I think you need the right network card and probably Win XP Pro. It doesn't work on my one remaining Win XP Home machine. Here's something for Ubuntu if you're using that:
http://ubuntuforums.org/showthread.php?t=703387

If you added a VLAN interface on your LAN and then set up all your Group A clients to use it, it would be very unlikely that any machine in group B would ever connect to it. There would be nothing to stop a group B user from connecting (unless you have the machines locked down); it's just not something any normal person would look for. It's such an unusual network setup. However, security through obscurity is not any real sort of security! ;)

It would still require all of your group A machines to be VLAN-compatible.

Steve
jahonix:

Another idea that could be done without additional hardware:
Why not connect ALL users to the guest network and install an OpenVPN or IPsec client on the production machines?
...OK, if you have infrastructure they need to access (like servers...) then it's not the best idea. That has to be connected to a physical segment. Unless you're using VMs everywhere.
stephenw10 (Netgate Administrator):

I like that idea. Why could the server not be connected to pfSense via an internal VPN also?
Perhaps you could run a VPN server on your LAN server machine instead and simply restrict access to it that way. Come to think of it, there must be any number of ways you could restrict access to the server via authorisation.

Steve
jikjik101:

Now you're making my brain bleed. ???

I will post my setup tomorrow for everyone's better understanding. Sorry if my posts were a little bit ambiguous.

The only reason that I want to separate Group B from A is to restrict B from accessing the file server in A.
All devices in B are wireless, while in A they are both wired and wireless.
jahonix:

@jikjik101:

    to restrict B from accessing the file server in A.

Access policy on the server? Pretty much standard in every server software I can think of.

VPN clients:

• Make everyone a guest.
• Allowed users/PCs tunnel into your restricted network via an IPsec or OpenVPN tunnel.
  That's how road warriors typically access resources back in the company. In your case just without the road. :D
                                                            • M
                                                              Metu69salemi last edited by

                                                              Okay, now we're going to make a different kind of decision.
                                                              Do we manage ACLs in

                                                              1. the firewall/router
                                                              2. switches (VLAN dividing)
                                                              3. servers (NTFS-style restrictions or file share restrictions)
                                                              4. antivirus software
                                                              • J
                                                                jikjik101 last edited by

                                                                Sorry for the late reply. Here's my network diagram.
                                                                I want to separate Groups E and G from the rest of the network.  I thought it was a simple job.  ;D

                                                                ![New Network Diagram-pfsense2.jpg](/public/imported_attachments/1/New Network Diagram-pfsense2.jpg)

                                                                • W
                                                                  wallabybob last edited by

                                                                  @jikjik101:

                                                                  I thought it was a simple job.  ;D

                                                                  It can be. If you have lots of time you can spend instead of cash, a number of other possible solutions could be explored.

                                                                  It's a nice diagram, but I find the text difficult to read even when magnified.

                                                                  Based on the diagram I would recommend you consider only the following two options:

                                                                  1. Replace one of the existing pfSense NICs with a multiport card, connect one card port to the existing switch (this becomes the pfSense LAN port) and connect another to a suitably sized (number of ports) switch (new to the configuration), and move groups E and G to that new switch.

                                                                  2. Purchase a suitably sized VLAN-capable switch, configure two VLANs on the existing pfSense LAN interface, one VLAN for your existing LAN and one for the combined groups E and G. On your VLAN-capable switch configure the two VLANs, configure one switch port for connection to your existing LAN interface, one port for connection to the existing switch and the other ports for connection to groups E and G.

                                                                  If you want future flexibility go with 2) (for example, it's easy to add another VLAN so group E could have different firewall rules from group G). You might be able to save a little bit (unlikely to be much) by going with option 1.

                                                                  This might be a good time to recall the proverb "the devil is in the detail". The costs will be significantly affected by the number of computers in group E. If it's two then a cheap 5 port VLAN-capable switch will be sufficient. If it's 24 then you will need a rather more expensive VLAN-capable switch. The way you have drawn the diagram suggests there might be more switches than you have shown, in which case implementing either solution might require new cabling, which might be a non-trivial installation task.

                                                                  It's simple in concept.

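Option 2 above hinges on 802.1Q tagging: one pfSense NIC on a trunk port carries both LANs over a single cable, and the VLAN-capable switch keeps the two groups apart at layer 2 (a plain, non-VLAN switch can hang off an access port). The following is an added example, not code from this thread or from pfSense, modelling that with a tiny frame builder/parser and a switch that floods only within a VLAN; the VLAN numbers (100 for the existing LAN, 10 for groups E and G), MAC addresses and port names are constructed for the example.

```python
"""Added example, not code from the thread or from pfSense: how 802.1Q tags
let a single pfSense NIC carry two separate LANs over one cable to a
VLAN-capable switch, and why hosts in different VLANs only meet via pfSense.
Assumed (constructed) numbering: VLAN 100 = existing LAN, VLAN 10 = groups E and G."""
import struct

TPID_8021Q = 0x8100      # tag protocol identifier that marks a tagged frame
ETHERTYPE_ARP = 0x0806


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_untagged_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def build_tagged_frame(dst, src, vid, ethertype, payload, pcp=0):
    """Insert a 4-byte 802.1Q tag between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) DEI(1) VID(12)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vid (None when untagged), ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype, "payload": frame[offset:]}


class VlanSwitch:
    """Minimal VLAN-capable switch: access ports carry one VLAN untagged,
    trunk ports carry several VLANs tagged. A frame is only flooded to ports
    that belong to its VLAN, so VLAN 10 hosts never see VLAN 100 broadcasts."""

    def __init__(self):
        self.ports = {}

    def add_access_port(self, name, vid):
        self.ports[name] = {"mode": "access", "vlans": {vid}}

    def add_trunk_port(self, name, vids):
        self.ports[name] = {"mode": "trunk", "vlans": set(vids)}

    def forward(self, ingress, frame):
        """Flood a frame received on `ingress`; return {egress_port: frame}."""
        port, f = self.ports[ingress], parse_frame(frame)
        if port["mode"] == "access":
            if f["vid"] is not None:
                return {}                      # tagged frame on an access port: drop
            vid = next(iter(port["vlans"]))    # classify into the port's VLAN
        else:
            vid = f["vid"]
            if vid is None or vid not in port["vlans"]:
                return {}                      # untagged, or VLAN not allowed on trunk
        out = {}
        for name, egress in self.ports.items():
            if name == ingress or vid not in egress["vlans"]:
                continue
            if egress["mode"] == "trunk":
                out[name] = build_tagged_frame(f["dst"], f["src"], vid, f["ethertype"], f["payload"])
            else:
                out[name] = build_untagged_frame(f["dst"], f["src"], f["ethertype"], f["payload"])
        return out


def build_thread_topology():
    """Option 2 from the thread: pfSense LAN NIC on a trunk, the old (non-VLAN)
    switch on a VLAN 100 access port, groups E and G on VLAN 10 access ports."""
    sw = VlanSwitch()
    sw.add_trunk_port("to-pfsense-LAN", [100, 10])
    sw.add_access_port("to-old-switch", 100)   # existing LAN, plain switch behind it
    sw.add_access_port("groupE-pc1", 10)
    sw.add_access_port("groupG-AP", 10)
    return sw


def demo():
    """An ARP broadcast from a group E PC reaches the AP and pfSense (tagged 10)
    but never the existing LAN's switch."""
    sw = build_thread_topology()
    arp = build_untagged_frame(mac("ff:ff:ff:ff:ff:ff"), mac("00:11:22:33:44:55"),
                               ETHERTYPE_ARP, b"who-has 10.10.10.1 (constructed)")
    return sw.forward("groupE-pc1", arp)
```

Run `demo()` to see the broadcast delivered only to the trunk (tagged with VID 10) and to the other VLAN 10 access port. Because the old switch sits on an access port, it and everything behind it stays untagged and unaware of VLANs, which is why the existing LAN needs no changes; anything that must cross from VLAN 10 to VLAN 100 has to go up the trunk to pfSense, where the firewall rules decide.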
                                                                  • J
                                                                    jikjik101 last edited by

                                                                    Sorry for the diagram. You can check it here: http://i49.photobucket.com/albums/f297/jikjik101/NewNetworkDiagram-pfsense3.jpg

                                                                    I want to use this one: Intel Pro/1000 MT Quad Port Server Adapter PWLA8494MT1000 (Intel® 82546EB processor) http://www.ebay.co.uk/itm/NEW-Intel-PRO-1000-Quad-Port-Server-Adp-PWLA8494MT-/170262023800 and my pfSense box is a Dell Vostro 220 Mini Tower http://www.dell.com/us/dfb/p/vostro-220/pd#TechSpec

                                                                    @wallabybob:

                                                                    1. Replace one of the existing pfSense NICs with a multiport card, connect one card port to the existing switch (this becomes the pfSense LAN port) and connect another to a suitably sized (number of ports) switch (new to the configuration), and move groups E and G to that new switch.

                                                                    I'm confused with number 2. Please see the attached picture to check whether I understand your suggestion correctly, sir.

                                                                    ![New Network Diagram-pfsense(rev1).jpg](/public/imported_attachments/1/New Network Diagram-pfsense(rev1).jpg)

                                                                    • M
                                                                      Metu69salemi last edited by

                                                                      You got it right.

                                                                      • W
                                                                        wallabybob last edited by

                                                                        @jikjik101:

                                                                        I'm confused with number 2. Please see the attached picture to check whether I understand your suggestion correctly, sir.

                                                                        You understand.

                                                                        Your diagram suggests group G has an access restriction schedule while group E doesn't. It could be convenient to put group E and group G on separate interfaces so you can use firewall rule schedules on group G.

                                                                        • J
                                                                          jikjik101 last edited by

                                                                          @wallabybob:

                                                                          This might be a good time to recall the proverb "the devil is in the detail". The costs will be significantly affected by the number of computers in group E. If it's two then a cheap 5 port VLAN-capable switch will be sufficient. If it's 24 then you will need a rather more expensive VLAN-capable switch. The way you have drawn the diagram suggests there might be more switches than you have shown, in which case implementing either solution might require new cabling, which might be a non-trivial installation task.

                                                                          Just some clarifications, sirs. If for example I have 20 computers in group E and another 20 computers in group G, does it mean I need at least a 40-port VLAN switch? Can't I use a normal switch to connect all my clients behind groups G and E?

                                                                          Thanks for all your input. Maybe I am going to change the title of this thread to jikjik101's network, because I think I need more of your expertise to help me build my network with sound techniques and more appropriate methods.

                                                                          Every now and then, some problems arise in my network and I am going to post them here so that I can access them easily. I hope the moderators don't mind if I am going to "own" this thread. ;D

                                                                          ![New Network Diagram-pfsense(rev2).jpg](/public/imported_attachments/1/New Network Diagram-pfsense(rev2).jpg)

                                                                          • J
                                                                            jikjik101 last edited by

                                                                            This is ONE of the concerns of my network.  ;D

                                                                            As you can see, I have three ISPs and they are in load balance mode. But I cannot "stabilize" my ISP1 and ISP3. The connections are so erratic that it becomes very hard to connect to the internet. My ISP2, by contrast, is very stable, so I just use the failover mode with ISP2 in tier 1 and both ISP1 and ISP3 in tier 2.

                                                                            If I assign my whole network to just one ISP, it is stable.

                                                                            I already tried the following:
                                                                            1. Assign an ISP as default gw
                                                                            2. Not assigning a default gw
                                                                            3. Check the "allow default gw switching"
                                                                            4. Uncheck the "allow default gw switching"
                                                                            5. Set each GW with maximum and minimum latency % based on its RRD.

                                                                            I have squid, squidguard, lightsquid, lusca-cache, havp, vnstat2 and bandwidthd.

                                                                            I cannot fully utilize all my ISPs; it seems ISP2 is doing the hard work >:( and the rest are just easy-go-lucky ISPs. :-X

                                                                            ![network traffic.jpg](/public/imported_attachments/1/network traffic.jpg)

                                                                            • stephenw10
                                                                              stephenw10 Netgate Administrator last edited by

                                                                              With those rules and gateways I would expect almost all traffic to be using ISP2, and it is.
                                                                              This is because most of your traffic is caught by the first rule, as it's web traffic. Only non-web traffic is reaching the second rule, where it is shared between ISP1 and ISP3 as they are both in the same tier.
                                                                              You need to change the gateway to LoadBalance on the first rule if you want to see the traffic more evenly distributed.

                                                                              There is no need (or harm) to use tier 5 in your load balancing rule. The importance of each connection is relative within the gateway group and not related to the other gateways. If you had all three at tier 1 it would be the same. The same applies to your failover3 gateway.

                                                                              You can use a normal switch behind your VLAN switch to connect your clients.

                                                                              Steve

                                                                              • W
                                                                                wallabybob last edited by

                                                                                @jikjik101:

                                                                                Maybe I am going to change the title of this thread to jikjik101's network, because I think I need more of your expertise to help me build my network with sound techniques and more appropriate methods.

                                                                                Every now and then, some problems arise in my network and I am going to post them here so that I can access them easily. I hope the moderators don't mind if I am going to "own" this thread. ;D

                                                                                You might find it more workable to have as few topics as possible per thread: that is make a new thread for a new issue.

                                                                                @jikjik101:

                                                                                If for example I have 20 computers in group E and another 20 computers in group G, does it mean I need at least a 40-port VLAN switch? Can't I use a normal switch to connect all my clients behind groups G and E?

                                                                                Maybe I've missed something. The 40 is from 20 in group E + 20 in group G? But your diagram shows group G as WiFi clients connecting to an Access Point. The AP would use one port on a switch (VLAN or non-VLAN). The 20 computers in group E would use 20 ports in a switch (because they are shown as using wired connections) unless they are connected to another switch.

                                                                                • J
                                                                                  jikjik101 last edited by

                                                                                  @stephenw10: sorry for not being clear. The fw and gw pictures that I posted are my current setup as a solution to my erratic load balance on ISP1 and ISP3. That is only to utilize my ISP1 and ISP3, because they are not stable if I use the LoadBalance gw.

                                                                                  You are correct that my web browsing enters ISP2 and the rest goes to my Failover GWs. That is my current setup. I forgot to disable the first two rules when I took the screenshots.

                                                                                  But the erratic connection that I am talking about is when I use the LoadBalance gw and disable the first two fw rules, leaving only this one active:

                                                                                          • LoadBalance none

                                                                                  I only use the default LAN rule with LoadBalance as gw and disable/remove the other rules except the Anti-lockout, but I get the same results.

                                                                                  @wallabybob:

                                                                                  The way you have drawn the diagram suggests there might be more switches than you have shown, in which case implementing either solution might require new cabling, which might be a non-trivial installation task.

                                                                                  I removed some switches from the diagram because I didn't find them essential for the network diagram. Sorry, my bad.

                                                                                  The 40 is from 20 in group E + 20 in group G? But your diagram shows group G as WiFi clients connecting to an Access Point. The AP would use one port on a switch (VLAN or non-VLAN). The 20 computers in group E would use 20 ports in a switch (because they are shown as using wired connections) unless they are connected to another switch.

                                                                                  Actually I have more than 200 computers behind group E and group G. Group G has at least 100 WiFi clients and group E another 100, both wired and WiFi clients.

                                                                                  You can use a normal switch behind your VLAN switch to connect your clients.

                                                                                  I think stephenw10 already answered my clarification regarding a LAN switch behind a VLAN switch.

                                                                                  I'll go back to my concern. I use the default LAN fw rule with LoadBalance as my gw, leaving my LAN rules as follows:

                                                                                  | Proto | Source | Port | Destination | Port | Gateway | Queue | Description |
                                                                                  |---|---|---|---|---|---|---|---|
                                                                                  | * | * | * | LAN Address | 22, 80 | * | * | Anti-Lockout Rule |
                                                                                  | * | * | * | * | * | LoadBalance | none | Default allow LAN to any rule |

                                                                                  But I cannot utilize my ISP1 and ISP3 because they just suddenly drop my connection, or worse, they cannot reach their maximum bandwidth even if I bombard my system with lots of video streaming.

                                                                                  • stephenw10
                                                                                    stephenw10 Netgate Administrator last edited by

                                                                                    Your ISPs 1 and 3 both use a wireless connection. They are likely to have high latency. When you are trying to load balance all three, what do you see in the logs?
                                                                                    It's very possible that they are being removed from the loadbalancing gateway due to the latency becoming too high or packet loss.

                                                                                    Steve

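Steve's two replies above make three points that are easy to verify in a small model: the topmost matching LAN rule decides which gateway (group) a flow uses, tier numbers only matter relative to each other within one group, and a member whose monitor reports too much latency or packet loss is pulled out of the group until it recovers. The following is an added example written for this thread, not pfSense code or its actual gateway monitor; the group names ("Failover", "Balance13"), the latency/loss limits and the traffic mix are constructed assumptions.

```python
"""Added example, not pfSense code: a small model of pfSense-style policy
routing with gateway groups, illustrating the replies above: the first
matching LAN rule decides the gateway, tier numbers are only relative within
a group, and a member whose monitor reports high latency or loss drops out
of the group. Gateway names, thresholds and the traffic mix are constructed."""
from collections import Counter
from itertools import cycle


class Gateway:
    def __init__(self, name, latency_ms=20.0, loss_pct=0.0,
                 latency_high_ms=500.0, loss_high_pct=20.0):
        self.name, self.latency_ms, self.loss_pct = name, latency_ms, loss_pct
        self.latency_high_ms, self.loss_high_pct = latency_high_ms, loss_high_pct  # assumed limits

    def is_up(self):
        """The monitor marks a gateway down once latency or loss exceeds its limit."""
        return self.latency_ms < self.latency_high_ms and self.loss_pct < self.loss_high_pct


class GatewayGroup:
    def __init__(self, name, members):
        self.name, self.members = name, members   # members: {gateway name: tier}

    def active_members(self, gateways):
        """All up members of the lowest tier that still has an up member.
        Only the ordering of tiers matters, so 5/5/5 behaves like 1/1/1."""
        up = {n: t for n, t in self.members.items() if gateways[n].is_up()}
        if not up:
            return []
        best = min(up.values())
        return sorted(n for n, t in up.items() if t == best)


class Rule:
    def __init__(self, description, dst_ports, gateway):
        self.description = description
        self.dst_ports = dst_ports   # set of ports, or None for any
        self.gateway = gateway       # gateway group name, or None for the default route


class PolicyRouter:
    def __init__(self, gateways, groups, rules, default_gateway):
        self.gateways = {g.name: g for g in gateways}
        self.groups = {g.name: g for g in groups}
        self.rules, self.default = rules, default_gateway
        self._rr = {}   # round-robin iterator per (group, active member set)

    def match(self, dst_port):
        for rule in self.rules:   # top-down, first match wins, like the pfSense rule list
            if rule.dst_ports is None or dst_port in rule.dst_ports:
                return rule
        return None

    def route(self, dst_port):
        rule = self.match(dst_port)
        if rule is None or rule.gateway is None:
            return self.default
        group = self.groups[rule.gateway]
        active = group.active_members(self.gateways)
        if not active:
            return self.default   # whole group down: fall back to the default gateway
        key = (group.name, tuple(active))
        if key not in self._rr:
            self._rr[key] = cycle(active)
        return next(self._rr[key])   # members of the same tier share the load

    def distribute(self, dst_ports):
        return Counter(self.route(p) for p in dst_ports)


def thread_scenario():
    """The rule set as described in the thread: web traffic hits the first rule
    (Failover group, ISP2 on tier 1), everything else hits the second rule
    (ISP1 and ISP3 on the same tier). The traffic mix is constructed."""
    gws = [Gateway("ISP1"), Gateway("ISP2"), Gateway("ISP3")]
    groups = [GatewayGroup("Failover", {"ISP2": 1, "ISP1": 2, "ISP3": 2}),
              GatewayGroup("Balance13", {"ISP1": 2, "ISP3": 2})]
    rules = [Rule("web to Failover", {80, 443}, "Failover"),
             Rule("Default allow LAN to any", None, "Balance13")]
    router = PolicyRouter(gws, groups, rules, "ISP2")
    traffic = [80] * 90 + [443] * 60 + [22] * 10 + [5060] * 10
    return router.distribute(traffic)


def monitor_scenario():
    """ISP1 (a wireless link in the thread) starts losing 30% of monitor pings,
    so it is removed from every group until it recovers; a group balancing
    ISP1 and ISP3 then quietly runs on ISP3 alone."""
    gws = {g.name: g for g in [Gateway("ISP1"), Gateway("ISP2"), Gateway("ISP3")]}
    gws["ISP1"].loss_pct = 30.0
    return {"Balance13": GatewayGroup("Balance13", {"ISP1": 2, "ISP3": 2}).active_members(gws),
            "Failover": GatewayGroup("Failover", {"ISP2": 1, "ISP1": 2, "ISP3": 2}).active_members(gws),
            "AllTier5": GatewayGroup("AllTier5", {"ISP1": 5, "ISP2": 5, "ISP3": 5}).active_members(gws)}
```

`thread_scenario()` reproduces the traffic graph from the screenshots: 150 of 170 flows land on ISP2 purely because the first rule catches ports 80 and 443. `monitor_scenario()` shows the effect Steve asks about in the logs: once a wireless ISP trips its loss limit, the balancing group shrinks to the remaining member, and when it recovers the group re-expands, which from a LAN host looks like connections being dropped or re-routed. The actual pfSense thresholds are the per-gateway latency and packet loss settings; the values here are just assumed defaults for the model.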