Bonded DSL router and OpenVPN
-
Hi all,
I've been looking into a separate hardware load balancer (Peplink) with the objective of bonding 3 DSL lines and presenting these to a pfSense (OpenVPN client) WAN interface. This pfSense box will be at a remote site and connect to an OpenVPN server at our datacentre.
The OpenVPN server will therefore see incoming UDP traffic from 3 separate dynamic IPs.
How would I go about adjusting my configuration to cater for this scenario? I'm thinking I would need to set up 3 OpenVPN servers at the datacentre, all running on different UDP ports but on the same WAN IP. Would the client also need to run 3 separate instances, one for each port that the server is listening on?
-
Actual bonding of DSL lines or load balancing? Actual bonding usually gives you one IP address…
-
Well, I guess it's more load balancing, as the 3 DSL lines are supplied by different ISPs and therefore have 3 WAN IPs.
-
Looking at this page.. http://www.peplink.com/balance/tech-spec/ These are routers. That means your pfSense box would have a LAN address on its WAN port. So my guess is that your 3 VPN streams would all be on the same address as it enters the pfSense router…
My guess is that unless you have 3 VPN clients on the remote end, you will have but one VPN stream showing up at your data center...
If you're after true DSL bonding, have you asked the ISPs in the area about MLPPP?
In any case I believe you could do it all with your pfSense box without any extra router in the mix...
Just trying to understand...
-
If it's connection-based load balancing, which it almost certainly is, you would not be using all three links for an OpenVPN connection. It would only be using one DSL line for each connection; it can't bond them together from other ISPs without some extra fun going on in the box [1] that would result in them appearing as one IP anyhow.
That box isn't doing anything that the pfSense box itself couldn't do in that case. They do offer some more load balancing algorithms than pfSense has, but they still can't make one connection use multiple WANs in that way.
[1] The Portabella boxes from Mushroom Networks make a bonded VPN across multiple WANs back to their own network and use that, so your connections use bandwidth from all WANs but appear as a single IP address due to the way the bonding operates. But you run all of your traffic through their network; it doesn't use your WANs directly.
-
Thank you Jim, very helpful as always :)
Are there any guides that outline setting up OpenVPN in a multi-WAN setup? I have found the below, but this relates more to multiple WANs on a server, not a client.
http://doc.pfsense.org/index.php/Multi-WAN_OpenVPN
Our server will run from a single WAN IP; only the client side will be running multi-WAN.
-
No guides out there yet. I have it on my radar to write one up. There are ways to make it do either connection-based load balancing or failover (I have all mine at home fail over from one WAN to the other), but it isn't exactly intuitive.
-
Hi Jim,
I set up multi-WAN on a box last night (OpenVPN client box) and this seems to be working OK just for Internet access, but I'm a little confused as to how I can implement connection-based load balancing for an OpenVPN client. I want VPN traffic split across the two WANs. The OpenVPN server that this connects to only has a single, fast WAN.
Searching through the forum suggests I need to set up two clients on the box that is running multi-WAN, one per ISP. These should then be assigned to an OPT interface, those OPT interfaces then added to a gateway group (tier 1), and then that gateway group used on a firewall rule. Is this the correct way of going about it? I've also read about using floating rules and another solution using OSPF.
Any advice would be appreciated…
James
-
It doesn't really work that way, at least not that I've tried it. You can load balance the OpenVPN connection itself, not the connections inside it. It is only balanced in the sense that when the tunnel is established, it would be established on whatever WAN it happened to fall upon.
That said, in theory it may be possible to do that with two concurrent OpenVPN connections, one on each WAN, each assigned as an interface, using them in a gateway group of their own. (When you have a client assigned as an interface, it gets a dynamic gateway entry.)
-
I currently run a load-balanced site-to-site OpenVPN. I've had pretty good results. Here's what I do: 2 servers, 2 clients (all 4 are assigned interfaces). A gateway group on the client and a gateway group on the server. Rules to use the group for traffic destined to the other site.
The only issue I've had thus far is that for some reason failover doesn't always work. It seems like the return traffic that hits a rule doesn't follow the rule's 'gateway' but rather just uses the routing table. That fails if the route in the table is the VPN connection that is down.
I've posted this issue a few times but never had any luck sorting it out.
http://forum.pfsense.org/index.php/topic,40672.msg210062.html#msg210062
http://forum.pfsense.org/index.php/topic,36147.msg210515.html#msg210515
Let me know how it goes for you.
-E -
I've got two individual client tunnels up to our OVPN server (ovpnc1 and ovpnc2) on two separate WAN connections.
Each tunnel runs on a unique port (1195 and 1196). My problem is that the routes for the destination subnets do not associate with both 'ovpnc's.
If I down the WAN associated with ovpnc1, I have to restart the OpenVPN services on both the client and server so the interface for the destination subnets can update to ovpnc2 in the routing table. Then my pings start replying fine.
I know this is more of a failover issue but surely I need active routes to the target subnets for load balancing to work?
Eytanes, did you come across this problem? Does your routing table show active routes to the same destination subnets on both ovpnc's?
-
OK, after a little more tweaking tonight, I now have traffic (pings with a large packet size) successfully load balancing across both WANs :)
Thanks to Eytanes for all the advice; I'm using the gateway group on LAN-side rules.
Unfortunately, I have the same problem as you now :( If I down the WAN that is currently associated with the active OVPN route (in the routing table), then failover doesn't work. I think OSPF, combined with the gateway group, may get around this though? I'll wait for one of the experts to chime in with their opinion :-\
-
The issue is that you can't have duplicate routes. I'm pretty sure the route is only used for the return traffic (ACKs…) and the gateway group is used for everything else. I'm still not 100%.
OSPF might solve the failover issue, but it would be better to bypass the routing table altogether and just send the return traffic back the way it came, or via the gateway group/firewall rule.
Let me know if OSPF works well for this issue.
-E -
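The two-tunnel layout discussed in the last few posts (one OpenVPN instance per remote WAN on both ends, each assigned as an interface, a gateway group on top, and no kernel route for the far LAN so the two tunnels never compete for one duplicate route), written out as an added example. It is not part of the original thread and not pfSense's own generated configuration; it is the hand-written equivalent. All addresses are assumptions: 203.0.113.10 for the datacentre WAN, 198.51.100.5 and 192.0.2.5 for the two remote WANs, 10.200.1.0/30 and 10.200.2.0/30 for the tunnels, 192.168.20.0/24 for the remote LAN; certificate paths are placeholders. Ports 1195 and 1196 and the ovpnc1/ovpnc2 device names are the ones used in the thread.

```conf
##### Datacentre (single WAN IP): two server instances, one per remote WAN.
##### The two files differ only in port, tunnel device and tunnel /30.
# --- server-1195.conf (assumed file name) ---
dev-type tun
dev ovpns1
proto udp
local 203.0.113.10               # assumed datacentre WAN IP
port 1195
tls-server
ifconfig 10.200.1.1 10.200.1.2   # assumed tunnel 1 /30: local end, remote end
ca   /placeholder/ca.crt
cert /placeholder/dc.crt
key  /placeholder/dc.key
dh   /placeholder/dh.pem
keepalive 10 60                  # ping every 10 s, restart after 60 s of silence
persist-key
persist-tun
# Deliberately NO "route 192.168.20.0 255.255.255.0" here (leave "Remote Networks"
# empty in the pfSense GUI). Two instances cannot both install the same kernel
# route to the far LAN, which is the duplicate-route problem described above.
# Reachability of the far LAN is provided by firewall rules with a gateway group.

# --- server-1196.conf: identical except ---
# dev ovpns2
# port 1196
# ifconfig 10.200.2.1 10.200.2.2

##### Remote site (pfSense with two WANs): two client instances, each pinned to a WAN.
# --- client-wan1.conf (assumed file name) ---
dev-type tun
dev ovpnc1
proto udp
local 198.51.100.5               # assumed WAN1 address; binding the socket here makes
                                 # this instance leave via WAN1 regardless of the default route
remote 203.0.113.10 1195
tls-client
ifconfig 10.200.1.2 10.200.1.1
route-nopull                     # ignore anything the server might push; same reason as above
ca   /placeholder/ca.crt
cert /placeholder/site.crt
key  /placeholder/site.key
keepalive 10 60
persist-key
persist-tun

# --- client-wan2.conf: identical except ---
# dev ovpnc2
# local 192.0.2.5                 # assumed WAN2 address
# remote 203.0.113.10 1196
# ifconfig 10.200.2.2 10.200.2.1
```

With the tunnels up, assign ovpnc1 and ovpnc2 (and ovpns1/ovpns2 on the datacentre side) as interfaces so each gets its dynamic gateway, put the two gateways in a gateway group (both tier 1 for load balancing, tier 1 and tier 2 for failover), and point the LAN rule for traffic to the far site's subnet at that group. Because neither end has a kernel route for the far LAN, a site's own outbound traffic only ever goes through the group, and the group drops a member as soon as gateway monitoring stops getting replies from the far tunnel address; replies to flows that arrived on an assigned OpenVPN interface are returned on that same interface by pf's reply-to handling rather than by a routing-table lookup, which is the "send the return traffic back the way it came" behaviour asked for above. On pfSense the `local` line should come from the client's Interface selector rather than a hard-coded address, since a DSL line with a dynamic IP will change it; the GUI regenerates the configuration when that happens.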
From the Peplink webpage, this bullet
" Number of peer Peplink devices you can connect using Peplink proprietary Site-to-Site VPN Bonding. "
would seem to indicate they have a way to bond a single VPN over multiple connections. You would need one of their devices on each end though, I'm sure, if I read that correctly…
Would be a neat feature to have...
Companies such as http://us.sharedband.com/ offer bonded connections over multiple connection types, so we know they are probably using this or a like method.
-
As I've mentioned before, we've looked into this but haven't nailed down a good method yet. The most likely way is to nail up one tunnel per WAN and then run a PPP protocol on top, bonded with MLPPP.
It might be possible on FreeBSD 9.x with ECMP also, but bonded PPP links would work regardless. At one point we had a company interested in funding it; not sure if that's still going to happen or not.
-
[1] The Portabella boxes from Mushroom Networks make a bonded VPN across multiple WANs back to their own network and use that, so your connections use bandwidth from all WANs but appear as a single IP address due to the way the bonding operates. But you run all of your traffic through their network; it doesn't use your WANs directly.
I missed that part of your first post here, Jim (thought it was part of your sig)..
Perhaps a bounty would be in order, if not just to gauge interest…
At least the OP has some things to help him get going and hopefully can make it work. I always tell anyone to never discount that a local ISP somewhere will get into supporting MLPPP if they only know a little more about it... You may have to call several, but it can't hurt to try.
:)