Netgate Discussion Forum

Help with Load Balancing WAN connections

2.0-RC Snapshot Feedback and Problems - RETIRED
  • C
    crzykidd
    last edited by Aug 21, 2011, 4:36 AM

    Bill,
    Thanks for the response.  I went through the guide you posted when I first went through this install.

    Currently both Sticky and Gateway switching are unchecked.

    Here are my LAN rules.  Very simple and everything is using the GW Group.  I have attached a screen shot of the LAN settings.

    I think the key is in another rule somewhere.  The reason I think that is that if I make an outbound connection from behind the firewall it hops between the interfaces.  However web requests coming in to the firewall and heading to the web server, all the returned data from that goes out one interface, and it doesn't seem to matter what interface it came in on.

    While there is no default GW set, the route table does show a default route and that is the Interface all that traffic goes to.

    Thanks,

    pfsenseLANSettings.png
    • B
      Bill48105
      last edited by Aug 21, 2011, 4:51 AM

      crzykidd: Might try sticky & see if it acts more like you are expecting but wondering if you are expecting too much of the balancing..

      Generally responses to inbound should go back out same wan they came into. Imagine if you called your buddy Bob & your buddy Gary answered.. ;)  The remote end can get just as confused if it sends packets to one IP & another IP is sending data back.  So IOW if you have a remote user browse your site & grab a 100MB file to download expect that 100MB to go down 1 pipe not both. You don't really have much control over that if they are the one making the request other than trying to spread out requests in hopes that it is balanced.
      Bill

      • C
        crzykidd
        last edited by Aug 21, 2011, 5:09 AM

        Exactly, that is why I am confused.  Both WAN interfaces are using RRobin balancing for DNS.  Inbound traffic is about 2.4mbit/sec on both circuits, however outbound is 80-140mbits on whatever circuit has the default route.  I have tried with and without sticky connections, same results.

        I would expect that when a http request comes in on WAN1 that the response would go out WAN1 and vice versa.  I wouldn't think that a request to WAN2 would have the response packets go out WAN1.

        So do I need to do something different with my inbound rules?  Currently port 80 Rule is set on the WANInterfaces.  Screen shot attached.

        And thank you for all the responses.

        pfsenseWANSettings.png
        • B
          Bill48105
          last edited by Aug 21, 2011, 3:37 PM

          Well RR is just going to help decide which connection they come in on and yeah logical for traffic to go back out on the same connection. Are you sure the traffic you are seeing go out is http traffic responding to the incoming requests & not something else?  Outbound originated traffic (such as an email being delivered to remote servers) won't be controlled by RR records, the router decides that based on your settings including the routes.
          Bill

          • C
            crzykidd
            last edited by Aug 21, 2011, 6:47 PM

            Positive.  There is only one website running behind this.  It averages around 90mbit/sec.  The site is www.thetvdb.com.

            The pfsense box really just passes port 80 through the server.  The only exception to that is some very limited SSH management traffic.

            I have confirmed RR is working correctly.  Not sure where to go with this now.  My thought was a connection is established on WAN1 the response would go out WAN1.  If that is not the case I will need to look at a 2 WAN and 2 LAN setup, adding another NIC to the web server, and using some advanced routing rules there to control the load.  However this should be able to be done at the pfSense level I would think.

            Thanks,

            • B
              Bill48105
              last edited by Aug 21, 2011, 9:47 PM

              Yeah thinkin you are overlooking something..  maybe post up what you've set for your load balancing that you haven't already just in case something someone else might pick up on.  You setup the Services-Load Balancing or traffic shaper setup? In your 1st post you said you have no default gateway but then you said traffic goes out whatever was last default gateway.. Maybe I'm reading that wrong. :D  Also, are your wan's thru the same ISP with the same gateway IP?
              Bill

              • C
                crzykidd
                last edited by Aug 21, 2011, 10:00 PM

                Even though I have neither GW set as the "Default" when pfSense boots up, it grabs one of them and sets one of them as the default route.  Is there some custom route I need to add to have this work?

                ISP1 --------\
                              ------pfSense ----- Web Server
                ISP2 --------/

                Both are two separate ISPs, 2 completely different IPs and gateways.  Half the inbound requests come in on ISP1 and half on ISP2

                The rules are extremely simple

                I have 2 gateways.  1 for ISP1 and the other ISP2

                I have 1 Gateway Group.  with both Gateways listed at Tier1, and trigger level at Packet Loss (I have tried setting it to Member Down as well)

                Under Firewall Rules: 
                Floating:
                I have a couple IP based rules to allow SSH from certain IPs.

                WANInterfaces:
                TCP * * 192.168.20.100 (Web server) Port=80 Gateway=* (I have tried using the Gateway Group, but then I get no traffic)  Queue=none Schedule=blank

                LAN:

                • LAN Net * * * GW=LoadBalancedWAN Queue=none Schedule=blank

                I have NAT Firewall rules built for each WAN to the web server as well as the few SSH ports I outlined above.

                For NAT: Outbound I have it set to automatic.

                I have the box unchecked for allowing dynamic change of default GW (have tried both ways)
                I have sticky connections unchecked (have tried both ways)

                Thanks,

                • B
                  Bill48105
                  last edited by Aug 21, 2011, 10:58 PM

                  I got essentially same here & works fine EXCEPT I have WAN set as default gateway not sure if that matters.
                  Bill

                  • C
                    crzykidd
                    last edited by Aug 22, 2011, 2:06 AM

                    Hmm really?  Maybe I should install a second FW from scratch and get it set the same and swap it in.

                    This box has been upgraded from 1.2 to RC1 to RC3.  Could be something isn't correct between upgrades.

                    Thanks for the help and ideas.. I will try a rebuild and see if it behaves differently, unless anyone else has some ideas :)

                    • B
                      Bill48105
                      last edited by Aug 22, 2011, 2:25 AM

                      Sounds like a plan if you have the hardware & time to try. :)  And yeah hard to say if some stray setting is in there from previous versions.
                      Bill

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.