Bonded DSL router and OpenVPN
-
No guides out there yet. I have it on my radar to write one up. There are ways to make it either do connection-based load balancing or failover (I have all mine at home failover from one WAN to the other) but it isn't exactly intuitive.
-
Hi Jim,
I set up multi wan on a box last night (OPenVPN client box) and this seems to be working ok just for Internet access but im a little confused as to how i can implement connection based load balancing for an OpenVPN client I want VPN traffic split across the two WAN's. The OpenVPN server that this connects to only has a single, fast WAN.
Searching through the forum suggests i need to setup two clients on the box that is running multiwan, one per ISP. These should them be assigned to an OPT interface, those OPT interfaces then added to a gateway group (tier 1) and then using that gateway group on a firewall rule. Is this the correct way of going about it as ive also read about using floating rules and another solution using OSPF.
Any advice would be appreciated…
James
-
It doesn't really work that way, at least not that I've tried it. You can load balance the OpenVPN connection itself, not the connections inside it. It is only balanced in the sense that when the tunnel is established, it would be established on whatever WAN it happened to fall upon.
That said, in theory may be possible to do that with two concurrent OpenVPN connections, one on each WAN, each assigned as an interface, using them in a gateway group of their own. (When you have a client assigned as an interface, it gets a dynamic gateway entry)
-
I currently run a loadbalanced site-to-site opevpn. I've had pretty good results. Heres what I do: 2 server, 2 clients (all 4 are assigned interfaces). A gateway group on the client and a gateway group on the server. Rules to use the group for traffic destined to the other site.
The only issue i've had thus far is that for some reason failover doesnt always work. It seems like the return traffic that hits a rule doesnt follow the rules 'gateway' but rather just uses the routing table. That fails if the route in the table is the vpn connection that is down.
I've posted this issue a few times but never had any luck sorting it out.
http://forum.pfsense.org/index.php/topic,40672.msg210062.html#msg210062
http://forum.pfsense.org/index.php/topic,36147.msg210515.html#msg210515Let me know how it goes for you.
-E -
I've got two individual client tunnels up to our OVPN server (ovpnc1 and ovpnc2) on two seperate WAN connections.
Each tunnel runs on a unique port (1195 and 1196). My problem is that the routes for the destination subnets do not associate with both 'ovpnc's'.
If I down the WAN associated with ovpnc1, I have to restart the OpenVPN services on both the client and server so the interface for the destination subnets can update to ovpnc2 in the routing table. Â Then my pings start replying fine.
I know this is more of a failover issue but surely I need active routes to the target subnets for load balancing to work?
Eytanes, did you come across this problem? Â Does your routing table show active routes to the same destination subnets on both ovpnc's?
-
Ok, after a little more tweaking tonight, I now have traffic (pings with a large packet size) successfully load balacing across both WAN's  :)
Thanks to Eytanes for all the advice, i'm using the gateway group on LAN side rules.
Unfortunately, I have the same problem as you now  :(  If I down the WAN that is currently associated with the active OVPN route (in the routing table) then failover doesn't work.  I think OSPF, combined with the gateway group may get around this though?  I'll wait for one of the experts to chime in with their opinion  :-\
-
The issue is that you can't have duplicate routes. I'm pretty sure the route is only used for the return traffic (ACKs…) and the gateway group is used for everything else. I'm still not 100%.
OSPF might solve the failover issue but it would be better to bypass the routeing table altogether and just send the return traffic back the way it came or via the gateway group/firewall rule.Let me know if OSPF works well for this issue.
-E -
From the Peplink webpage this bullet
"Â Number of peer Peplink devices you can connect using Peplink proprietary Site-to-Site VPN Bonding. "
would seem to indicate they have a way to bond a single VPN over multiple connections. You would need one of their devices on each end though Im sure and if I read that correctly…
Would be a neat feature to have...
Companies such as http://us.sharedband.com/ offer bonded connections over multiple connection types so we know they are probably using this or a like method.
-
As I've mentioned before we've looked into this but haven't nailed down a good method yet. The most likely way is to nail up one tunnel per WAN and then run a PPP protocol on top bonded with MLPPP.
It might be possible on FreeBSD 9.x with ECMP also but bonded ppp links would would regardless. At one point we had a company interested in funding it, not sure if that's still going to happen or not.
-
1. The portabella boxes from Mushroom networks make a bonded VPN across multiple WANs back to their own network and use that, so your connections use bandwidth from all WANs but appear as a single IP address due to the way the bonding operates. But you run all of your traffic through their network, it doesn't use your WANs directly.
I missed that part of your first post here Jim, (thought it was part of your sig)..
Perhaps a bounty would be in order, if not just to gauge interest…
At least the OP has some things to help him get going and hopefully can make it work. I always tell anyone to never discount that a local ISP somewhere will get into supporting MLPPP if they only know a little more about it... You may have to call several but can't hurt to try.
:)