    Multi WAN, load balancing and secure connections

    Category: Firewalling. 8 Posts, 4 Posters, 3.1k Views
    • Oceanwatcher

      Running pfSense for a small network in a hotel in Brazil. 2 WAN and 2 LAN - 1 LAN is for the wireless network for the guests, the other LAN is for the administration. The guest LAN has been set up with load balancing and the admin LAN has been set up with failover as the traffic is minimal and they need to access some secure sites now and then.

      But we are also getting requests from guests that are not able to connect to their secure extranets at work when they are staying in the hotel.

      I have been searching the forum and found this thread (among others):

      http://forum.pfsense.org/index.php/topic,1294.msg7690.html#msg7690

      But as it is a very old thread, I do not want to add to it and instead create this new thread.

      I would appreciate it if someone would take the time to explain how to set up a rule that allows a specific address to only use one of the WANs, bypassing the load balancing.

      Regards,

      Oceanwatcher
      2x SuperMicro 8core w/ 8 GB RAM running v. 2.3.1 - will eventually set them up with failover

      • ptt (Rebel Alliance)

        Policy Routing

        http://doc.pfsense.org/index.php/Multi-WAN_2.0

        • Oceanwatcher

          @ptt:

          Policy Routing

          http://doc.pfsense.org/index.php/Multi-WAN_2.0

          Thank you for pointing me to a v. 2 doc. BUT - it does not explain anything at all. What is explained here is just some basics and some reasoning behind load balancing. There is nothing in there in terms of practical, down to earth explanations on how to actually set up the rules.

          @Oceanwatcher:

          I would appreciate it if someone would take the time to explain how to set up a rule that allows a specific address to only use one of the WANs, bypassing the load balancing.

          Regards,

          Oceanwatcher
          2x SuperMicro 8core w/ 8 GB RAM running v. 2.3.1 - will eventually set them up with failover

          • marcelloc

            You can just create a rule in lan/lan2 for the client and set a specific gateway for it.

            This rule must be before any rule with balance gateway.

            Are you Brazilian? If so… we also answer in Portuguese; look in the forum for the section specific to Portuguese.

            Elite Training: http://sys-squad.com

            Help a community developer! ;D

            • Oceanwatcher

              @marcelloc:

              You can just create a rule in lan/lan2 for the client and set a specific gateway for it.

              Yes, I have tried this part. And it works. BUT - this means that ALL traffic from this guest goes to that WAN, and this is neither elegant nor a good long-term policy. I cannot stay at the hotel and add a policy for every guest that wants to reach an online bank or extranet.

              A better way would be to add a rule that determines that any guest who wants to reach a specific site/address will be directed to a specific WAN. Then, any other address accessed by this guest should get load balanced.

              And no, I am not Brazileiro. I do speak and read a bit of Portuguese, but not enough to carry a technical conversation. :-) But thank you for asking!

              Regards,

              Oceanwatcher
              2x SuperMicro 8core w/ 8 GB RAM running v. 2.3.1 - will eventually set them up with failover

              • marcelloc

                Just ask (or monitor) the client's destination and set a rule based on destination IP/network.

                You can also apply a failover gateway for it.

                You can also try to set sticky connections in the system advanced options.

                Elite Training: http://sys-squad.com

                Help a community developer! ;D

                • dhatz

                  Unfortunately it's not just https that needs to be excluded from load-balancing. There are several popular websites which have issues (e.g. require re-login) even when a visitor's http requests come from different IP addresses, perhaps only excluding some big ISPs like AOL as mentioned in the 2006 thread in this forum.

                  Since doing real routing via BGP involves the ISP and isn't easy for smaller installations, and since pf's sticky option won't do (and some are still reporting issues with it), another idea to try to utilize both WAN links might be to route certain IPs via specific gateway groups, e.g. LAN net IPs with an odd number in the last octet to gw1, whereas LAN net IPs with an even number in the last octet to gw2? Has anyone tried anything similar?

                  PS: To clarify, I was thinking of gateway-group1 to be a failover of WAN1+WAN2, whereas gateway-group2 to be WAN2+WAN1

                  • marcelloc

                    It's not elegant but it will work.

                    Instead of balancing based on destination, create two aliases, one for odd and the other for even clients.
                    Then create two Failover wan1-> wan2 and wan2-> wan1.
                    Apply rules for these aliases and failovers.

                    Another way is to use a wpad script + two squid boxes. But I think it will be more complex and hard to maintain.

                    Elite Training: http://sys-squad.com

                    Help a community developer! ;D

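As an added illustration, not code from this thread and not pfSense's own generated ruleset, here are the rules that marcelloc's destination-based answer and the odd/even client split discussed above correspond to, written in FreeBSD pf syntax (what pfSense builds from its GUI rules). Interface names, gateway addresses and the table contents are placeholders.

```pf
# Added illustration, not from this thread and not pfSense's generated ruleset.
# Assumed placeholders: guest LAN em0 10.0.0.0/24, WAN1 em1 gw 192.0.2.1,
# WAN2 em2 gw 198.51.100.1. Load option A or option B, not both: B's rules
# placed below A's catch-all would never match.
lan_if  = "em0"
lan_net = "10.0.0.0/24"
wan1_gw = "(em1 192.0.2.1)"
wan2_gw = "(em2 198.51.100.1)"

# Destinations that must always leave via one public IP (a bank, a guest's
# work extranet). Constructed sample entries; in pfSense this is an alias.
table <pin_to_wan1> { 203.0.113.0/25, 203.0.113.200 }

# Option A: pin by destination, balance everything else.
# "quick" makes the first matching rule win, so this rule must sit above
# the balancing rule or it never fires.
pass in quick on $lan_if inet from $lan_net \
    to <pin_to_wan1> route-to $wan1_gw keep state

# Catch-all: round-robin over both WANs. sticky-address is what the
# "Use sticky connections" option adds: a source IP stays on the WAN it was
# first assigned while it still has states, which helps session-bound sites.
pass in quick on $lan_if inet from $lan_net to any \
    route-to { $wan1_gw, $wan2_gw } round-robin sticky-address keep state

# Option B: no per-connection balancing at all. Clients with an odd last
# octet use WAN1 (WAN2 as backup), even ones the opposite. pfSense's gateway
# groups implement the failover tiers by rewriting these rules when a
# gateway is marked down; shown here with both WANs up.
table <clients_odd>  { 10.0.0.1, 10.0.0.3, 10.0.0.5 }   # constructed sample
table <clients_even> { 10.0.0.2, 10.0.0.4, 10.0.0.6 }   # constructed sample
pass in quick on $lan_if from <clients_odd>  to any route-to $wan1_gw keep state
pass in quick on $lan_if from <clients_even> to any route-to $wan2_gw keep state
```

With option B each guest keeps one source IP for the whole stay, so sites that tie a session to the client address stop seeing it flip between the two WANs.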
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.