Multi WAN, load balancing and secure connections



  • Running pfSense for a small network in a hotel in Brazil. 2 WAN and 2 LAN - 1 LAN is for the wireless network for the guests, the other LAN is for the administration. The guest LAN has been set up with load balancing and the admin LAN has been set up with failover as the traffic is minimal and they need to access some secure sites now and then.

    But we are also getting requests from guests that are not able to connect to their secure extranets at work when they are staying in the hotel.

    I have been searching the forum and found this thread (among others):

    http://forum.pfsense.org/index.php/topic,1294.msg7690.html#msg7690

    But as it is a very old thread, I do not want to add to it and instead create this new thread.

    I would appreciate if someone would take the time to explain how to set up a rule that allows a specific address to only use on of the WAN's, bypassing the load balancing.


  • Rebel Alliance



  • Policy Routing

    http://doc.pfsense.org/index.php/Multi-WAN_2.0

    Thank you for pointing me to a v. 2 doc. BUT - it does not explain anything at all. What is explained here is just some basics and some reasoning behind load balancing. There is nothing in there in terms of practical, down to earth explanations on how to actually set up the rules.

    @Oceanwatcher:

    I would appreciate if someone would take the time to explain how to set up a rule that allows a specific address to only use on of the WAN's, bypassing the load balancing.



  • You can just create a rule in lan/lan2 for de client And set a specific gateway for this.

    This rule must be before any rule with balance gateway.

    Are you brazilian? If so…Também repondemos em português busque no forum a parte específica para português.



  • @marcelloc:

    You can just create a rule in lan/lan2 for de client And set a specific gateway for this.

    Yes, I have tried this part. And it works. BUT - this means that ALL traffic from this guest goes to that WAN and this is neither elegant or a good long term policy. I can not stay at the hotel and add a policy for any guest that want to reach an online bank or extranet.

    A better way would be to add a rule that determined that any guest that want to reach a specific site/address will be directed to a specific WAN. Then, any other address accessed by this guest should get load balanced.

    And no, I am not Brazileiro. I do speak and read a bit of Portuguese, but not enough to carry a technical conversation. :-) But thank you for asking!



  • Just ask( or monitor ) client destination and set a rule based on destination ip/network.

    You can Also apply a failover gateway for it.

    You can Also try To set stick connections on system advanced options.



  • Unfortunately it's not just https that needs to be excluded from load-balancing. There are several popular websites which have issues (e.g. require re-login) even when a visitor's http requests come from different IP addresses, perhaps only excluding some big ISPs like AOL as mentioned in the 2006 thread in this forum.

    Since doing real routing via BGP involves the ISP and isn't easy for smaller installations, and since pf's sticky option won't do (and some are still reporting  issues with it), another idea to try to utilize both WAN links might be to route certain IPs via specific gateway groups, e.g. LAN net IPs with an odd number in last octet to gw1, whereas LAN net IPs with even number in last octet to gw2 ? Has anyone tried anything similar?

    PS: To clarify, I was thinking of gateway-group1 to be a failover of WAN1+WAN2, whereas gateway-group2 to be WAN2+WAN1



  • Its nor elegant vut will work.

    Instead of balance based on destination, create two aliases one for odd and other for even clients.
    Then create two Failover wan1-> wan2 and wan2-> wan1.
    Apply rules for these aliases and failovers.

    Other way is To use wpad script + two squid boxes. But I think it will be more complex and hard to maintain.


Log in to reply