Multi-WAN: Load Balancing and Fail-over Setup



  • Hi there guys,

I am new here and wanted to explore more of the greatness of pfSense. I have set up a 2.1 amd64 install and already configured two ISPs for load balancing and failover. I have already configured the gateway groups and added them to the firewall rules. If both lines are up, I have no problem with the internet connection, but when my primary fails and switches over to WAN2 my problem starts, because I cannot browse any website anymore. But when I go to Diagnostics > Ping and select WAN2 as the source, I get a ping response.

    What could be the problem? I hope you can give recommendations.

    Thank you in advance.



  • Possible problem 1) System -> General Setup: make sure you have specified a DNS server for each WAN. Otherwise all the DNS traffic goes out the default gateway, and when WAN1 fails you lose DNS.



  • Hi phil.davis, thanks for your response. Yes, I have set up a DNS server for each WAN.



  • The policy-routing rules (the ones that feed into the gateway group(s)) need to be matched by your traffic.
    e.g. if you have a "pass source all destination all, gateway not specified" rule above the gateway group rule(s), then traffic will never get to match the policy-routing rule(s).
    Post your gateway, group and rule details.
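The two checks suggested so far (a DNS server pinned to each WAN, and no earlier no-gateway pass rule hiding the gateway-group rule) can be run against a config backup rather than by eyeballing the GUI. The script below is an added example, not pfSense code: it lints a pfSense-style config.xml for both mistakes and then produces a corrected copy. The element names it relies on (system/dnsserver and dns1gw..dns4gw, gateways/gateway_item, gateway_group/item in the form "NAME|TIER|MONITOR", filter/rule/gateway) are my understanding of pfSense 2.x config.xml and are assumptions; the config text inside it is constructed for the example and deliberately contains both mistakes. The same rule-order check applies to the anti-lockout and other-subnet rules discussed further down the thread.

```python
# Added example (not pfSense code): lint a pfSense-style config.xml for the
# two Multi-WAN mistakes this thread keeps circling back to.  Element names
# (dnsserver/dnsNgw, gateway_item, gateway_group/item "NAME|TIER|MONITOR",
# rule/gateway) are assumptions about pfSense 2.x config.xml; the config
# text below is constructed and deliberately contains both mistakes.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<pfsense>
  <system>
    <dnsserver>8.8.8.8</dnsserver><dnsserver>8.8.4.4</dnsserver>
    <dns1gw>WAN1_GW</dns1gw><dns2gw>WAN1_GW</dns2gw>
  </system>
  <gateways>
    <gateway_item><name>WAN1_GW</name><interface>wan</interface></gateway_item>
    <gateway_item><name>WAN2_GW</name><interface>opt1</interface></gateway_item>
    <gateway_group><name>MultiWAN</name><trigger>down</trigger>
      <item>WAN1_GW|1|address</item><item>WAN2_GW|2|address</item></gateway_group>
  </gateways>
  <filter>
    <rule><type>pass</type><interface>lan</interface><source><network>lan</network></source>
      <destination><any/></destination><descr>Default allow LAN to any rule</descr></rule>
    <rule><type>pass</type><interface>lan</interface><source><network>lan</network></source>
      <destination><any/></destination><gateway>MultiWAN</gateway><descr>via MultiWAN</descr></rule>
  </filter>
</pfsense>"""


def endpoint(rule, side):
    """Source/destination of a rule as a comparable string: "any", "lan", or an address."""
    node = rule.find(side)
    if node is None or node.find("any") is not None:
        return "any"
    return node.findtext("network") or node.findtext("address") or "any"


def lan_rules(root):
    """Enabled LAN rules in evaluation order (pfSense rules are first-match)."""
    return [r for r in root.iter("rule")
            if r.findtext("interface") == "lan" and r.find("disabled") is None]


def shadowed_group_rules(root):
    """(earlier idx, group-rule idx, group) for each gateway-group rule whose
    traffic an earlier pass rule without a gateway already matches, so the
    policy route is never applied."""
    rules, findings = lan_rules(root), []
    for i, rule in enumerate(rules):
        group = rule.findtext("gateway")
        if not group:
            continue
        src, dst = endpoint(rule, "source"), endpoint(rule, "destination")
        for j, earlier in enumerate(rules[:i]):
            if earlier.findtext("type") != "pass" or earlier.findtext("gateway"):
                continue
            if (endpoint(earlier, "source") in ("any", src)
                    and endpoint(earlier, "destination") in ("any", dst)):
                findings.append((j, i, group))
    return findings


def gateways_without_dns(root):
    """Gateways with no DNS server pinned to them in System -> General Setup;
    DNS that is not pinned goes out the default route and dies with it."""
    system = root.find("system")
    pinned = {system.findtext(f"dns{n}gw") for n in range(1, 5)}  # 4 DNS slots assumed
    return sorted({g.findtext("name") for g in root.iter("gateway_item")} - pinned)


def lint(xml_text):
    root = ET.fromstring(xml_text)
    return {"shadowed": shadowed_group_rules(root),
            "dns_missing": gateways_without_dns(root)}


def fixed(xml_text):
    """Return the config with both mistakes corrected: the shadowing rule is
    dropped (moving it below the group rule works too) and each gateway that
    lacked a DNS server takes over a slot that duplicated another gateway."""
    root = ET.fromstring(xml_text)
    flt, rules = root.find("filter"), lan_rules(root)
    for j, _i, _group in shadowed_group_rules(root):
        if rules[j] in list(flt):
            flt.remove(rules[j])
    system, seen, spare = root.find("system"), set(), []
    for slot in (system.find(f"dns{n}gw") for n in range(1, 5)):
        if slot is not None and slot.text in seen:
            spare.append(slot)
        elif slot is not None:
            seen.add(slot.text)
    for gw, slot in zip(gateways_without_dns(root), spare):
        slot.text = gw
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", lint(SAMPLE_CONFIG))
    print("after: ", lint(fixed(SAMPLE_CONFIG)))
```

Run it against a Diagnostics > Backup/Restore export by passing the file contents to `lint()`; an empty `shadowed` list and an empty `dns_missing` list mean neither of the two problems raised above is present, and anything else points at the exact rule index or gateway to fix.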



  • Try the "Allow default gateway switching" option in the Advanced configuration.
    Hope this helps.



  • I had the same problem when I set up on a new PC, but the problem did not happen with the upgrade method. I had two WANs (WAN01 and WAN02) and created two groups:
    - GW_FailOver01: WAN01 in tier 1, WAN02 in tier 2
    - GW_FailOver02: WAN01 in tier 2, WAN02 in tier 1

    If both WANs were up, I could see "GW_FailOver01, GW_FailOver02" in Firewall Rules, but they disappeared when one was down. Did I miss something on pfSense 2.1?



  • Why did you make two failover groups when the rules are the same? You have made a mistake in the firewall rules.
    Try the "Allow default gateway switching" option in the Advanced configuration.



  • Hi hyrol, thanks for the tip. My pfSense failover is now working... :)



  • @hyrol:

    Why did you make two failover groups when the rules are the same? You have made a mistake in the firewall rules.
    Try the "Allow default gateway switching" option in the Advanced configuration.

    Hi Hyrol,
        I know the "Allow default gateway switching" option; it lets the default gateway change to an available WAN. But my case uses policy routing for load sharing between 2 WANs (using PPPoE).
        I see some logs:
          + "php: rc.filter_configure_sync: MONITOR: WAN01_PPPOE is down, removing from routing group GW_FailOver02"
          + "php: rc.filter_configure_sync: MONITOR: WAN02_PPPOE is down, removing from routing group GW_FailOver01"
        When a WAN is disconnected, maybe the PHP code removes all PPPoE gateways from the groups, although I checked that one PPPoE is still available.



  • I see some logs:
          + "php: rc.filter_configure_sync: MONITOR: WAN01_PPPOE is down, removing from routing group GW_FailOver02"
          + "php: rc.filter_configure_sync: MONITOR: WAN02_PPPOE is down, removing from routing group GW_FailOver01"

    I hope those log entries happen at different times. pfSense will remove WANs that are down from any gateway (routing) groups. This all works for me on 2.1, but I don't have PPPoE.
    Post more details of your configuration if you need help.
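Whether the two removal lines above were logged at different times (a WAN dropping out of a group as designed) or within seconds of each other (every member gone, so the group is empty) is the question this exchange turns on, and it is easy to answer from the system log. The script below is an added example, not pfSense code: it parses "removing from routing group" lines in the shape quoted above and reports each group whose entire membership was removed inside a short window. The log lines in it are constructed to match that shape, the group membership table stands in for the real gateway-group config, and the year supplied to the syslog timestamps is an assumption because syslog lines carry none.

```python
# Added example (not pfSense code): correlate the "removing from routing
# group" log lines quoted in the thread.  A WAN dropping out of a group is
# normal; the failure mode the poster suspects is every member of a group
# being removed at nearly the same time, leaving the group empty.  The log
# lines below are constructed in the shape quoted above, and the group
# membership table is an assumption standing in for the real config.
import re
from datetime import datetime, timedelta

GROUPS = {"GW_FailOver01": {"WAN01_PPPOE", "WAN02_PPPOE"},
          "GW_FailOver02": {"WAN01_PPPOE", "WAN02_PPPOE"}}

# Constructed: GW_FailOver01 loses both members within a second (bad);
# GW_FailOver02 loses them twelve hours apart (expected failover behaviour).
SAMPLE_LOG = """\
Mar 12 09:14:03 pfsense php: rc.filter_configure_sync: MONITOR: WAN01_PPPOE is down, removing from routing group GW_FailOver01
Mar 12 09:14:03 pfsense php: rc.filter_configure_sync: MONITOR: WAN01_PPPOE is down, removing from routing group GW_FailOver02
Mar 12 09:14:04 pfsense php: rc.filter_configure_sync: MONITOR: WAN02_PPPOE is down, removing from routing group GW_FailOver01
Mar 12 21:40:11 pfsense php: rc.filter_configure_sync: MONITOR: WAN02_PPPOE is down, removing from routing group GW_FailOver02
Mar 12 21:40:12 pfsense check_reload_status: Reloading filter
"""

REMOVAL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ php: rc\.filter_configure_sync: "
    r"MONITOR: (?P<gw>\S+) is down, removing from routing group (?P<group>\S+)$")


def parse_removals(log_text, year=2014):
    """[(timestamp, gateway, group)] for every removal line; other lines are
    ignored.  syslog timestamps carry no year, so one is supplied (assumption)."""
    out = []
    for line in log_text.splitlines():
        m = REMOVAL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["gw"], m["group"]))
    return out


def emptied_groups(removals, groups, window=timedelta(seconds=30)):
    """For each group, the first (start, end) window in which every member was
    removed within `window` of the first removal, i.e. the group went empty."""
    found = {}
    for group, members in groups.items():
        events = sorted((ts, gw) for ts, gw, g in removals if g == group and gw in members)
        for k, (start, _gw) in enumerate(events):
            seen = {}
            for ts, gw in events[k:]:
                if ts - start > window:
                    break
                seen.setdefault(gw, ts)  # keep the first removal of each member
            if set(seen) == members:
                found[group] = (start, max(seen.values()))
                break
    return found


def report(log_text, groups=GROUPS):
    """Group name -> (first removal, last removal) for groups that went empty."""
    return emptied_groups(parse_removals(log_text), groups)


if __name__ == "__main__":
    for group, (start, end) in report(SAMPLE_LOG).items():
        print(f"{group}: all members removed between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

Feed it the relevant lines of Status > System Logs (or /var/log/system.log) and fill `GROUPS` from your own gateway groups; a group that shows up in the output had no member left to route through at that moment, which is exactly the case in which the group rule vanishes from the firewall rules and clients lose connectivity.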



  • From my experience, load balancing and failover are the easiest things to set up. I do not quite understand what your problem is; maybe someone else can help you.



  • Hi guys,

    I've got a problem with failover, too.
    There are two WAN connections on my pfSense. I created a gateway group named "MultiWAN":

    Then I selected the "Allow default gateway switching" option.
    Next I edited the default LAN firewall ACL and chose "MultiWAN" as my gateway.
    Lastly, I created DNS server entries for both WAN connections on the "General Setup" tab.

    When I disconnect the "ADSL" WAN (Tier 1), I can't get access to the internet over "Telekom_ISP" (Tier 2), as shown in the picture above.
    Anybody have an idea?

    Greetings



  • Try setting Trigger Level: Member Down.



  • Thanks for your answer!
    I chose the option "Member down", disconnected the WAN "ADSL" and tested the internet connection -> doesn't work for me.
    Any other idea? More settings of my pfSense:

    firewall ACL:

    gateway switching:

    DNS servers for my gateways:

    Greetings



  • Under General Setup => DNS Servers => Use gateway, try setting "none".



  • I did that! But this is not the solution...
    More information:

    Disconnect ADSL WAN:

    Check the log:

    Successful ping from pfSense directly over WAN Telekom_ISP (in the example named "company connect", but meaning telekom_isp):

    So pfSense reaches "www.google.de" over the fallback line... When I try to go online with several clients I get a timeout.
    When I try to ping "www.google.de" from a client I get a timeout, and when I ping an IP address (e.g. a DNS server IP) that does not work either.



  • That would indicate your firewall gateway rules are incorrect, or that your client DNS is not making it past.

    What happens when you try to ping 173.194.35.183 directly from a client?



  • Looks reasonable. What other LAN rules do you have?
    Maybe your traffic is matching an earlier rule, which is not pushing the traffic into the gateway group?



  • @timthetortoise:

    That would indicate your firewall gateway rules are incorrect, or that your client DNS is not making it past.

    What happens when you try to ping 173.194.35.183 directly from a client?

    My clients' first DNS server is pfSense. When both gateways are connected every DNS request works great.
    When I try an IP address in the ping command I get a timeout, too.
    I did that in the last step; I chose a DNS server IP to test that.



  • @phil.davis:

    Looks reasonable. What other LAN rules do you have?
    Maybe your traffic is matching an earlier rule, which is not pushing the traffic into the gateway group?

    I've got the "anti-lockout rule" before the gateway group ACL, and I've got an ACL rule before the gateway group rule that gives full access to another subnet.
    On the last ACL for the other subnet the default gateway is not my gateway group, so maybe that's the problem, as you wrote.

    I'll try that and give feedback, thank you guys!



  • Changing the firewall ACL priority doesn't solve the problem. I did an update to version 2.1.1 (from 2.1), but this does not solve the problem either. Anybody have an idea?

