Multi WAN v2 how to use with Local Services, DNS, NTP, SYSLOG, Squid etc?



  • One of the great new features of pfSense v2 is supposed to be support for local services to take advantage of Multi WAN.
    Thus allowing Round Robin balancing and failover for outbound connections initiated by such services as squid.

    Having read http://doc.pfsense.org/index.php/Multi-WAN_2.0
    there is the only mention of local services and that says to look in the forums.

    I have found information relating specifically to squid but I was looking for a more generalised document that would explain
    how local services can be used or should be configured to take advantage of Multi WAN v2. I would also like some general
    explanation of the process used to offer policy based routing to any given traffic in terms of how the NAT and Firewall rules
    work (and in which order!) to bend the default routing used by the network stack.

    I have seen many posts from users who have struggled with implementing Multi-WAN for Local Services, which in general end
    up with comments like "I have tried all the suggestions but still all my traffic goes via the default gateway".

    This suggests to me that some hard facts on how it works would help us all see through the cloud of smoke and mirrors that surrounds this feature.

    I hope some kind soul can point me in the correct direction?
    Thanks, in advance, Richard



  • No replies, so it looks like it's all still a mystery!

    In the meantime, I've pulled together all the testing and reading I've done and put it here:

    http://www.communig8.com/articles/64-open-source/137-pfsense-multi-wan-how-to-really-make-it-work

    If you are interested, please have a read and let me know what I got wrong!

    Thanks, Richard



  • The article is very nice! :)

    I am somehow a bit lost regarding the floating rule. Some guides use the first WAN address as the source, however I saw that you use "ANY" in the source. Could you please explain this?

    Many thanks!



  • Kyushu

    I've updated the article on my site with some additional explanation on the floating rule.
    Could you have a look and see if it answers your question?

    Thanks, Richard



  • It did answer my question. Your article is really very good and will definitely help a lot of pfSense+Squid+Multiwan users.

    Thanks so much!


    Although somehow, I still can't figure out why our pfSense is acting weird on its failover, traffic redirection and sometimes browsing freezes while squid is running on it. For the meantime, we put squid on a different machine for pfSense to work properly.



  • it didn't work for me.  ???



  • @jikjik101:

    it didn't work for me.  ???

    What didn't? Any details? What have you tried?



  • I am using 2.0.3 PreRelease and I think you can load balance directly with transparent squid even without adding the first 6 LAN rules.
    All you have to do is add the floating rule and the last LAN rule in your HowTo.
    Of course you need to setup squid as stated by your procedures.

    But my network requirement is that I need to use three gateway groups. LoadBalance, FailOver1 and FailOver2. LoadBalance is a fail over already but there are some LAN clients that I want to use FailOver ONLY and use ISP1 as their primary WAN and same with FailOver2.

    LoadBalance = ISP1 (tier1) and ISP2 (tier1)
    FailOver1 = ISP1 (tier1) and ISP2 (tier2)
    FailOver2 = ISP1 (tier2) and ISP2 (tier1)

    Inside my LAN, I have three groups like LAN1, LAN2 and LAN3. LAN1 will use LoadBalance as GW, LAN2 FailOver1 and LAN3 FailOver2.

    I created three floating rules, one for each gateway group.
    Under the LAN tab, I assigned the specific gateway group.

    The problem is, whatever the last rule in the Floating tab is, it will be followed by the other gateway groups. For example, if the last rule is the LoadBalance one, all my LAN groups will use LoadBalance even if I specify them to use FailOver1 or FailOver2.



  • @jikjik101:

    I am using 2.0.3 PreRelease and I think you can load balance directly with transparent squid even without adding the first 6 LAN rules.
    All you have to do is add the floating rule and the last LAN rule in your HowTo.
    Of course you need to setup squid as stated by your procedures.

    But my network requirement is that I need to use three gateway groups. LoadBalance, FailOver1 and FailOver2. LoadBalance is a fail over already but there are some LAN clients that I want to use FailOver ONLY and use ISP1 as their primary WAN and same with FailOver2.

    LoadBalance = ISP1 (tier1) and ISP2 (tier1)
    FailOver1 = ISP1 (tier1) and ISP2 (tier2)
    FailOver2 = ISP1 (tier2) and ISP2 (tier1)

    Inside my LAN, I have three groups like LAN1, LAN2 and LAN3. LAN1 will use LoadBalance as GW, LAN2 FailOver1 and LAN3 FailOver2.

    I created three floating rules, one for each gateway group.
    Under the LAN tab, I assigned the specific gateway group.

    The problem is, whatever the last rule in the Floating tab is, it will be followed by the other gateway groups. For example, if the last rule is the LoadBalance one, all my LAN groups will use LoadBalance even if I specify them to use FailOver1 or FailOver2.

    jikjik101

    The rules I used in the article were required to support the environment that I described, which was more than just outbound WAN Load Balancing.
    The first 6 rules provide the environment for PINGs for testing, DNS forwarder, NTP, direct (not transparent) squid usage and access to the pfSense GUI.
    All the sort of stuff you need to do in a real implementation.

    It's important to understand that the floating rule is there to balance requests that go via squid.
    The source IP of HTTP requests, when using the configuration I documented, will be 127.0.0.1
    regardless of the LAN interface they originated from. Because of this you cannot build rules that handle
    traffic from different LAN interfaces in different ways with squid intercepting the requests.

    If, however, you do not use squid and allow the LAN requests to flow directly through pfSense, you can
    add rules for each LAN interface that balance or failover as required.

    Richard



  • Hi Richard,

    I understand you put the 6 rules because that is the requirement of your network, but unlike mine, I am more "flexible": http://forum.pfsense.org/index.php/topic,57606.msg316361.html#msg316361

    Can we skip for the first 6 rules because I am more interested with the Multiwan Squid?

    If you can see in my floating rule, HTTP for LoadBalance is at the bottom. No matter what gateway group I assign in my LAN, they will still use the LoadBalance gateway and this puzzles me.

    If you want more details, I can give it to you. You don't know how desperate I am to run MultiWan Squid. ;D



  • It looks like you may not have fully read my last post.



  • @communig8:

    It looks like you may not have fully read my last post.

    I read it but I don't quite understand  ;D

    @communig8:

    It's important to understand that the floating rule is there to balance requests that go via squid.
    The source IP of HTTP requests, when using the configuration I documented, will be 127.0.0.1
    regardless of the LAN interface they originated from. Because of this you cannot build rules that handle
    traffic from different LAN interfaces in different ways with squid intercepting the requests.

    As I said, I need three different gateway groups for my network, not just LoadBalance or FailOver but LoadBalance, FailOver1 and FailOver2.
    I tried your HowTo and it works for one gateway group only. Have you tried adding only the floating rule and the tcp_outgoing_address on squid? I believe it will yield the same results as your HowTo.

    @jikjik101:

    it didn't work for me.  ???

    I will change this to: even if there is no special setup, all you have to do is add a floating rule, assign it to a gateway group, add the tcp_outgoing_address on squid, and then squid will use that floating rule. This is for HTTP traffic only.



  • As I said "You cannot build rules that handle traffic from different LAN interfaces in different ways with squid intercepting the requests."



  • how about from single LAN interface? still cannot?



  • Any traffic handled by squid is handled by squid wherever it comes from.
    So you cannot build rules that handle different parts of the address range on the LAN
    for the same reason as you cannot do it for different interfaces.
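    An added example (not from this thread, Richard's article or pfSense itself) that models why the last floating rule wins in jikjik101's setup: a toy pf rule matcher using pf's last-match semantics plus pfSense's always-quick interface-tab rules, run over constructed rules and packets (the 192.168.x.x addresses are made up); direction, NAT and states are left out of the model.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    iface: str            # "floating" or the LAN interface the rule sits on
    src: str              # source prefix, or "any"
    dport: int            # destination port, 0 = any
    gateway: str          # gateway group the rule hands traffic to
    quick: bool = False   # pf "quick": stop evaluating on match
@dataclass
class Packet:
    in_iface: str         # interface the packet came in on; "self" = firewall-originated
    src: str
    dport: int

def matches(rule, pkt):
    if rule.iface != "floating" and rule.iface != pkt.in_iface:
        return False
    if rule.src != "any" and not pkt.src.startswith(rule.src):
        return False
    return rule.dport in (0, pkt.dport)

def choose_gateway(rules, pkt):
    """pf semantics: the last matching rule wins, unless a matching rule is quick."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner.gateway if winner else "default"

# jikjik101's layout: three non-quick floating rules for HTTP, LoadBalance last.
FLOATING = [Rule("floating", "any", 80, "FailOver1"),
            Rule("floating", "any", 80, "FailOver2"),
            Rule("floating", "any", 80, "LoadBalance")]
# pfSense interface-tab rules are always quick; one per LAN with its gateway group.
LAN_RULES = [Rule("LAN1", "any", 0, "LoadBalance", quick=True),
             Rule("LAN2", "any", 0, "FailOver1", quick=True),
             Rule("LAN3", "any", 0, "FailOver2", quick=True)]
# Attempted per-subnet floating rules (addresses are constructed for the example).
PER_SUBNET = [Rule("floating", "192.168.2.", 80, "FailOver1", quick=True),
              Rule("floating", "192.168.3.", 80, "FailOver2", quick=True)]
def squid_gateway(rules=FLOATING + LAN_RULES):
    # Every squid-proxied request leaves the firewall itself with source 127.0.0.1.
    return choose_gateway(rules, Packet("self", "127.0.0.1", 80))

def direct_gateway(lan, client):
    # Same client without squid: the LAN-tab rule (quick) decides.
    return choose_gateway(FLOATING + LAN_RULES, Packet(lan, client, 80))
```

    With squid in the path every request matches all three floating rules and the last one wins; per-subnet floating rules match nothing at all because the source is always 127.0.0.1, while direct LAN traffic is steered by its own interface rule.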



  • That quite explains it. Thanks and cheers  ;)

    I wish I had a setup as simple as yours.

    How about this sir?
    @jikjik101:

    Have you tried adding only the floating rule and the tcp_outgoing_address 127.0.0.1 on squid? I believe it will yield to same results as your HowTo.

    If your LAN is allow all with the multiwan gateway, I think the result is the same, right?



  • @jikjik101:

    If your LAN is allow all with the multiwan gateway, I think the result is the same, right?

    I'm sorry I don't understand what you mean??



  • I mean in your LAN rules, instead of having 7 rules, you can just add a single rule allowing from any to any using the multiwan gateway.
    Or do you specifically assign DNS, ping, etc. to use your default gateway?



  • I suggest you read the article.



  • I read your article and it is quite amusing to read, and congratulations on that.
    But no offense sir, I can't understand why you need the first 6 rules in your LAN?

    I am not here to argue, but I just want to learn from you.  ;D
    You are familiar with this stuff, and I am just starting to learn.
    So I just want to know why you did this, why you didn't do that?
    Moving forward, thanks for your time and patience sir.  ;)
    I will ask no more.



  • I really can't explain it better than I already have done in the article.
    Unless you have any specific questions.



  • Congratulations on the documentation, I'll try it myself and will see if it works :)



  • @communig8

    I read your article just because I was interested in it, and you faced some problems with NTP and RADIUS.

    Perhaps this is something which could help you in your situation:
    http://forum.pfsense.org/index.php/topic,60925.0.html



  • @Nachtfalke:

    @communig8

    I read your article just because I was interested in it, and you faced some problems with NTP and RADIUS.

    Perhaps this is something which could help you in your situation:
    http://forum.pfsense.org/index.php/topic,60925.0.html

    @Nachtfalke what was it about that thread that you thought would help?
    Richard



  • @communig8:

    @Nachtfalke:

    @communig8

    I read your article just because I was interested in it, and you faced some problems with NTP and RADIUS.

    Perhaps this is something which could help you in your situation:
    http://forum.pfsense.org/index.php/topic,60925.0.html

    @Nachtfalke what was it about that thread that you thought would help?
    Richard

    You wrote something about RADIUS accounting only going through the default gateway.
    When you intercept the RADIUS accounting port with NAT rules and then define an Outbound NAT rule which uses different outgoing addresses, could this solve your issue?



  • No, they are different things really.



  • I've added a small update to my original article concerning squid/squidguard.

    http://www.communig8.com/articles/64-open-source/146-pfsense-multi-wan-update

