Netgate Discussion Forum
    Multi-WAN: Load Balancing and Fail-over Setup

    Scheduled Pinned Locked Moved Routing and Multi WAN
    21 Posts 6 Posters 4.9k Views
joms18:

Hi there guys,

I am new here and wanted to explore more of the greatness of pfSense. I have set up 2.1 amd64 and already configured 2 ISPs for load balancing and failover. I have already configured gateway groups and added them to the firewall rules. If both lines are up I have no problem with the internet connection, but when my primary fails and it switches over to WAN2, that is where my problem starts, because I cannot browse any website anymore. But when I go to Diagnostics > Ping and select WAN2 as source, I get a ping response.

What could be the problem? I hope you can give recommendations.

Thank you in advance.

phil.davis:

Possible problem 1) System > General Setup: make sure you have specified a DNS server for each WAN. Otherwise all the DNS goes out the default gateway, and when WAN1 fails you lose DNS.

As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

joms18:

Hi phil.davis, thanks for your response. Yes, I have set up a DNS server for each WAN.

phil.davis:

The policy-routing rules (that feed into the gateway group/s) need to be matched by your traffic.
E.g. if you have a "pass source all destination all gateway not specified" rule above the gateway group rule/s, then traffic will never get to match the policy-routing rule/s.
Post your gateway, group and rule details.

hyrol:

Try the "Allow default gateway switching" option in the Advanced configuration.
Hope this helps.

acc4all:

I had the same problem when I set it up on a new PC, but the problem did not happen with the upgrade method. I had two WANs (WAN01 and WAN02) and created two groups:
- GW_FailOver01: WAN01 in tier 1, WAN02 in tier 2
- GW_FailOver02: WAN01 in tier 2, WAN02 in tier 1

If both WANs were up, I could see "GW_FailOver01, GW_FailOver02" in Firewall Rules, but they disappeared when one was down. Did I miss something on pfSense 2.1?

hyrol:

Why did you make 2 failover groups when the rules are the same? You have made a mistake in the firewall rules.
"Allow default gateway switching" option in the Advanced configuration.

joms18:

Hi hyrol, thanks for the tip. My pfSense failover is now working… :)

acc4all:

@hyrol:
    Why did you make 2 failover groups when the rules are the same? You have made a mistake in the firewall rules.
    "Allow default gateway switching" option in the Advanced configuration.

Hi Hyrol,
    I know the "Allow default gateway switching" option; it lets the default gateway change to an available WAN. But my case uses policy routing for load sharing between 2 WANs (using PPPoE).
    I see some logs:
      + "php: rc.filter_configure_sync: MONITOR: WAN01_PPPOE is down, removing from routing group GW_FailOver02"
      + "php: rc.filter_configure_sync: MONITOR: WAN02_PPPOE is down, removing from routing group GW_FailOver01"
    When a WAN is disconnected, maybe the PHP code removes all PPPoE gateways from the groups, although I checked that one PPPoE is still available.

phil.davis:

    I see some logs:
      + "php: rc.filter_configure_sync: MONITOR: WAN01_PPPOE is down, removing from routing group GW_FailOver02"
      + "php: rc.filter_configure_sync: MONITOR: WAN02_PPPOE is down, removing from routing group GW_FailOver01"

I hope those log entries happened at different times. pfSense will remove WANs that are down from any gateway (routing) groups. This all works for me on 2.1, but I don't have PPPoE.
Post more details of your configuration if you need help.

hyrol:

From my experience load balancing and failover are the easiest part. I do not quite understand what your problem is; maybe someone else can help you.

streetsfinest:

Hi guys,

I've got a problem with failover, too.
There are two WAN connections on my pfSense. I created a gateway group named "MultiWAN": (screenshot)

Then I select the "Allow default gateway switching" button.
Next I edit the default LAN firewall ACL and choose "MultiWAN" as my gateway.
Lastly I create DNS server entries for both WAN connections on the "General Setup" tab.

When I disconnect the "ADSL" WAN (Tier 1), I can't get access to the internet over "Telekom_ISP" (Tier 2), as shown in the picture above. (screenshot)
Anybody have an idea?

Greetings

hyrol:

Try setting Trigger Level: Member Down.

streetsfinest:

Thanks for your answer!
I chose the option "Member Down", disconnected WAN "ADSL" and tested the internet connection –> doesn't work for me.
Any other idea? More settings of my pfSense:

Firewall ACL: (screenshot)

Gateway switching: (screenshot)

DNS servers for my gateways: (screenshot)

Greetings

hyrol:

Under General Setup => DNS Servers => Use gateway, try setting "none".

streetsfinest:

I did that! But this is not the solution…
More information:

Disconnect ADSL WAN: (screenshot)

Check the log: (screenshot)

Successful ping from pfSense directly over WAN Telekom_ISP (in the example named "company connect", but it means Telekom_ISP): (screenshot)

So pfSense reaches "www.google.de" over the fallback line… but when I try to go online with several clients I get a timeout.
When I try to ping "www.google.de" from a client I get a timeout, and when I ping an IP address (e.g. a DNS server IP) that does not work either.

timthetortoise:

That would indicate your firewall gateway rules are incorrect, or that your client DNS is not making it past.

What happens when you try to ping 173.194.35.183 directly from a client?

phil.davis:

Looks reasonable. What other LAN rules do you have?
Maybe your traffic is matching an earlier rule, which is not pushing the traffic into the gateway group?

streetsfinest:

@timthetortoise:
    That would indicate your firewall gateway rules are incorrect, or that your client DNS is not making it past.

    What happens when you try to ping 173.194.35.183 directly from a client?

My clients' first DNS server is pfSense. When both gateways are connected, every DNS request works great.
When I try an IP in the ping command I get a timeout, too.
I did that in the last step; I chose a DNS server IP to test that.

streetsfinest:

@phil.davis:
    Looks reasonable. What other LAN rules do you have?
    Maybe your traffic is matching an earlier rule, which is not pushing the traffic into the gateway group?

I've got the "anti-lockout rule" before the gateway group ACL. And I've got an ACL rule before the gateway group rule that gives full access to another subnet.
On the last ACL for the other subnet the default gateway is not my gateway group, so maybe that's the problem, as you wrote.

I'll try that and give feedback, thank you guys!

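The three things the thread keeps coming back to (a DNS server pinned to each WAN gateway, "Allow default gateway switching", and a pass rule without a gateway sitting above the gateway-group rule and swallowing its traffic) can all be read out of a config backup instead of clicked through screen by screen. The script below is an added example, not pfSense or Netgate code: it lints a config.xml (Diagnostics > Backup & Restore exports one) for those pitfalls. The sample config is constructed for this example; the element names it relies on (system/dnsserver with matching dnsNgw, gateways/gateway_item, gateway_group items in "name|tier|monitor" form, a trigger element, system/gw_switch_default, filter/rule) are my recollection of the 2.x config.xml layout and are assumptions to check against your own export.

```python
"""Offline lint for the multi-WAN pitfalls raised in this thread, run against a
pfSense config.xml. Added example, not pfSense code; the element names below
are assumed to follow the 2.x config.xml layout and may need adjusting."""
import xml.etree.ElementTree as ET

# Constructed sample: both DNS servers pinned to WAN1GW, default-gateway
# switching not enabled, and a catch-all LAN pass rule above the policy rule.
# Resolver addresses are from the RFC 5737 documentation ranges.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <dnsserver>192.0.2.53</dnsserver>
    <dnsserver>198.51.100.53</dnsserver>
    <dns1gw>WAN1GW</dns1gw>
    <dns2gw>WAN1GW</dns2gw>
  </system>
  <gateways>
    <gateway_item><name>WAN1GW</name><interface>wan</interface></gateway_item>
    <gateway_item><name>WAN2GW</name><interface>opt1</interface></gateway_item>
    <gateway_group>
      <name>MultiWAN</name>
      <item>WAN1GW|1|</item>
      <item>WAN2GW|2|</item>
      <trigger>down</trigger>
    </gateway_group>
  </gateways>
  <filter>
    <rule><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source>
      <destination><network>10.20.0.0/16</network></destination></rule>
    <rule><type>pass</type><interface>lan</interface>
      <source><any/></source><destination><any/></destination></rule>
    <rule><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination>
      <gateway>MultiWAN</gateway></rule>
  </filter>
</pfsense>
"""


def parse(xml_text):
    """Parse a config.xml string into its <pfsense> root element."""
    return ET.fromstring(xml_text)


def _endpoint(rule, tag):
    """'any', or the network/address text of a rule's <source>/<destination>."""
    node = rule.find(tag)
    if node is None or node.find("any") is not None:
        return "any"
    for child in ("network", "address"):
        value = node.findtext(child)
        if value:
            return value
    return "any"


def gateways_without_dns(root):
    """Gateways that no DNS server is pinned to under System > General Setup.
    Unpinned resolvers are reached via the default route, so when that WAN
    fails the firewall (and clients forwarding to it) lose resolution."""
    system = root.find("system")
    pinned = set()
    for n, _ in enumerate(system.findall("dnsserver"), start=1):
        gw = system.findtext("dns%dgw" % n)
        if gw and gw != "none":
            pinned.add(gw)
    return [g.findtext("name") for g in root.iterfind("gateways/gateway_item")
            if g.findtext("name") not in pinned]


def gateway_groups(root):
    """Map group name -> {'tiers': {gateway: tier}, 'trigger': level}."""
    groups = {}
    for grp in root.iterfind("gateways/gateway_group"):
        tiers = {}
        for item in grp.findall("item"):
            name, tier = item.text.split("|")[:2]
            tiers[name] = int(tier)
        groups[grp.findtext("name")] = {
            "tiers": tiers, "trigger": grp.findtext("trigger") or "down"}
    return groups


def shadowed_policy_rules(root, iface="lan"):
    """(group, src, dst) for every earlier pass rule on iface that has no
    gateway and matches at least the traffic a later gateway-group rule
    wants. pf evaluates pfSense rules first-match, so the earlier rule wins
    and that traffic never enters the group."""
    rules = [r for r in root.iterfind("filter/rule")
             if r.findtext("interface") == iface]
    groups = gateway_groups(root)
    hits = []
    for idx, rule in enumerate(rules):
        group = rule.findtext("gateway")
        if group not in groups:
            continue
        src, dst = _endpoint(rule, "source"), _endpoint(rule, "destination")
        for earlier in rules[:idx]:
            if earlier.findtext("type") != "pass" or earlier.findtext("gateway"):
                continue
            e_src = _endpoint(earlier, "source")
            e_dst = _endpoint(earlier, "destination")
            if e_src in ("any", src) and e_dst in ("any", dst):
                hits.append((group, e_src, e_dst))
    return hits


def lint(xml_text):
    """Human-readable report lines for the checks above."""
    root = parse(xml_text)
    report = []
    for gw in gateways_without_dns(root):
        report.append("DNS: no resolver pinned to gateway %s; DNS follows the "
                      "default route and dies with it" % gw)
    if root.find("system/gw_switch_default") is None:
        report.append("gw_switch_default unset: traffic that misses every "
                      "policy-routing rule stays on a dead default gateway")
    for name, grp in gateway_groups(root).items():
        order = sorted(grp["tiers"].items(), key=lambda kv: kv[1])
        report.append("group %s: %s, trigger=%s" % (
            name, " -> ".join("%s (tier %d)" % kv for kv in order), grp["trigger"]))
    for group, src, dst in shadowed_policy_rules(root):
        report.append("RULES: pass %s -> %s with no gateway precedes the %s "
                      "rule and catches its traffic first" % (src, dst, group))
    return report


if __name__ == "__main__":
    for line in lint(SAMPLE_CONFIG):
        print(line)
```

Run it as `python lint_multiwan.py` against the embedded sample, or swap in `open("config.xml").read()`. The shadow check deliberately ignores the earlier rule for 10.20.0.0/16 (the "other subnet" ACL from the last post), since a rule scoped to one destination only steals that destination's traffic from the group, which is normally what you want; only a rule that covers the group rule's whole source and destination is reported. The auto-generated anti-lockout rule does not appear in filter/rule and only passes traffic to the firewall's own LAN address, so it cannot be what keeps Internet traffic out of the gateway group.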
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.