Netgate Discussion Forum
    Conflicting info on fail over and load balancing

    General pfSense Questions
    8 Posts 2 Posters 1.4k Views

    elementalwindx

      Source 1: https://thegeekninja.wordpress.com/2013/06/10/the-pfsense-walkthrough-part-4-multi-wan-fail-over-with-pfsense/

      Source 2: http://virtualitsupport.0fees.net/?p=158

      Source 1 says to create 2 groups and doesn't specify which order to put the firewall rules.

      Source 2 says to create 3 groups and doesn't specify which order to put the firewall rules.

      Can someone please clarify this for me?

      I'm using the newest 2.1 pfsense.

      Thanks.

      phil.davis

        You need to decide what you want to achieve.
        a) Load Balancing - if you just want general traffic to be spread over both links and still work when 1 link is down, then make a LoadBalance gateway group with both links Tier 1. Edit your "allow all on LAN" rule to use gateway LoadBalance.
        b) Failover1 - if you want all your traffic to use link1 and only fail over to link 2 if link 1 is down, then make a Failover1 gateway group, link 1 = tier 1, link 2 = tier 2. Edit your "allow all on LAN" rule to use gateway Failover1.

        You can obviously make a 3rd gateway group to fail over the opposite way - link 1 = tier 2, link 2 = tier 1, named "Failover2". Make rule/s on LAN to feed traffic into that and it goes out link 2, and fails over to link 1 if link 2 is down.

        Depending on what you want, you can put various pass rules to send different traffic to different gateway groups. You have to think of what you want to happen. e.g.

        Pass source any destination any port SMTP gateway Failover2 (SMTP mail goes on link2 first)
        Pass source 192.168.1.42 destination any gateway Failover2 (the LAN client with IP 192.168.1.42 goes on link2 first)
        Pass source 192.168.1.66 destination any gateway Failover1 (the LAN client with IP 192.168.1.66 goes on link1 first)
        Pass source any destination any gateway LoadBalance (the rest of the traffic is spread across all links)

        You dream up what you want it to do.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        elementalwindx

          Ok that was what I was thinking. Thanks for the clarification.

          Last question.

          I'm trying to log into some websites that have 2FA (2 factor authentication) and it will act like I'm using both my WAN IPs while logging in and of course deny me the ability to log in, because it thinks I'm logging in from IP A when it switches to IP B during the 2nd part of the login. How can I fix this?

          phil.davis

            Put those sites into an alias using their FQDNs (e.g. call it TwoFAsites). Then add a rule to put the traffic for them into a Failover group, so that the traffic to them stays on a single WAN while that WAN is up:
            Pass source LANnet destination TwoFAsites gateway Failover1

            Put the rule up the top of the LAN rule list, before general rule/s that feed other traffic into LoadBalance.

            elementalwindx

              @phil.davis:

              Put those sites into an alias using their FQDNs (e.g. call it TwoFAsites). Then add a rule to put the traffic for them into a Failover group, so that the traffic to them stays on a single WAN while that WAN is up:
              Pass source LANnet destination TwoFAsites gateway Failover1

              Put the rule up the top of the LAN rule list, before general rule/s that feed other traffic into LoadBalance.

              Dang was hoping there was a more general method. There are millions of 2fa sites out there.

              phil.davis

                I think you can also turn on System: Advanced: Miscellaneous "Use sticky connections".
                The downside is that then a particular client on LAN will get locked to a particular outgoing WAN. If you have fast WANs and lots of clients then it is not a big issue. If you are on your own in the evening and are trying to do lots of stuff, use a download manager to suck down big files… then you do not want the 1 client to be tied to 1 WAN.

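The three answers above describe one mechanism from three angles: gateway groups whose tiers fail over as a unit, LAN pass rules evaluated top to bottom so that the alias rule must sit above the LoadBalance catch-all, and sticky connections to keep one client on one WAN. The script below is an added toy model of that behaviour; it is not pfSense code and nothing from the thread. The WAN names, the 192.168.1.0/24 LAN, the alias contents and the round-robin / source-IP selection inside a tier are constructed assumptions (pf's real load-balancing schedule is not exactly round-robin per group).

```python
# Added toy model of pfSense policy routing as described in this thread.
# Not pfSense code: WAN names, LAN subnet, alias contents and the
# round-robin / source-IP selection below are constructed assumptions.
from dataclasses import dataclass
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Gateway groups from the thread: member gateway -> tier.
GATEWAY_GROUPS = {
    "LoadBalance": {"WAN1": 1, "WAN2": 1},
    "Failover1": {"WAN1": 1, "WAN2": 2},
    "Failover2": {"WAN1": 2, "WAN2": 1},
}

# Constructed FQDN alias for sites whose login must stay on one public IP.
ALIASES = {"TwoFAsites": {"login.example.com", "bank.example.net"}}


@dataclass(frozen=True)
class Rule:
    source: str   # "any", "LANnet" or a single host IP
    dest: str     # "any", an alias name or an FQDN
    port: str     # "any" or a service name such as "SMTP"
    gateway: str  # gateway group that receives the matching traffic


def matches(rule, src_ip, dest_host, port):
    """True when the rule's source, destination and port all match."""
    src_ok = (rule.source == "any"
              or (rule.source == "LANnet" and ipaddress.ip_address(src_ip) in LAN_NET)
              or rule.source == src_ip)
    dest_ok = rule.dest == "any" or dest_host in ALIASES.get(rule.dest, {rule.dest})
    return src_ok and dest_ok and rule.port in ("any", port)


def live_members(group, link_up):
    """Gateways of the lowest tier with a member still up; a tier fails over as a unit."""
    members = GATEWAY_GROUPS[group]
    for tier in sorted(set(members.values())):
        up = sorted(gw for gw, t in members.items() if t == tier and link_up.get(gw, False))
        if up:
            return up
    return []  # every member of the group is down


def pick_gateway(group, link_up, src_ip, counters, sticky=False):
    """Pick one gateway from the live tier.

    Several live members means load balancing: without sticky connections the
    model rotates round-robin per group, so two back-to-back connections from
    one client leave on different WANs (the 2FA problem above); with sticky
    connections the client IP selects the member, so the client keeps one WAN.
    """
    up = live_members(group, link_up)
    if not up:
        return None
    if len(up) == 1:
        return up[0]
    if sticky:
        return up[int(ipaddress.ip_address(src_ip)) % len(up)]
    idx = counters.get(group, 0)
    counters[group] = idx + 1
    return up[idx % len(up)]


def route(rules, src_ip, dest_host, port, link_up, counters, sticky=False):
    """First matching pass rule wins, as on the LAN tab; no match means blocked (None)."""
    for rule in rules:
        if matches(rule, src_ip, dest_host, port):
            return pick_gateway(rule.gateway, link_up, src_ip, counters, sticky)
    return None


# LAN rule order recommended in the thread: the alias rule sits above the catch-all.
RULES = [
    Rule("LANnet", "TwoFAsites", "any", "Failover1"),
    Rule("any", "any", "SMTP", "Failover2"),
    Rule("192.168.1.42", "any", "any", "Failover2"),
    Rule("192.168.1.66", "any", "any", "Failover1"),
    Rule("any", "any", "any", "LoadBalance"),
]


def two_connections(rules, src_ip, dest_host, port, link_up, sticky=False):
    """Gateways used by two consecutive connections, e.g. a login form and its 2FA step."""
    counters = {}
    return tuple(route(rules, src_ip, dest_host, port, link_up, counters, sticky)
                 for _ in range(2))


if __name__ == "__main__":
    both_up = {"WAN1": True, "WAN2": True}
    wan1_down = {"WAN1": False, "WAN2": True}
    client, site, other = "192.168.1.10", "login.example.com", "other.example.org"
    print(two_connections(RULES, client, site, "HTTPS", both_up))         # ('WAN1', 'WAN1')
    print(two_connections(RULES, client, other, "HTTPS", both_up))        # ('WAN1', 'WAN2')
    print(two_connections(RULES, client, other, "HTTPS", both_up, True))  # ('WAN1', 'WAN1')
    print(two_connections(RULES[1:] + RULES[:1], client, site, "HTTPS", both_up))  # ('WAN1', 'WAN2')
    print(two_connections(RULES, client, site, "HTTPS", wan1_down))       # ('WAN2', 'WAN2')
```

The fourth call moves the alias rule below the catch-all: the login then alternates WANs exactly as the original poster saw, because the LoadBalance rule matches first and the alias rule is never reached. The last call shows Failover1 dropping to its tier 2 member when WAN1 is down, which is why the alias approach keeps working through an outage.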
                elementalwindx

                  @phil.davis:

                  I think you can also turn on System: Advanced: Miscellaneous "Use sticky connections".
                  The downside is that then a particular client on LAN will get locked to a particular outgoing WAN. If you have fast WANs and lots of clients then it is not a big issue. If you are on your own in the evening and are trying to do lots of stuff, use a download manager to suck down big files… then you do not want the 1 client to be tied to 1 WAN.

                  I just noticed these options. I don't think I've ever seen them before either. Strange haha. I saw this "Allow default gateway switching" option that nobody ever spoke about in either source linked above too. Sounds reasonable to have that turned on for this type of scenario.

                  phil.davis

                    Default gateway switching allows pfSense-originated traffic to find its way out if WAN1 is down. Mostly this is just the dashboard firmware update check, and installing packages. (when you already have gateway groups and policy-routing rules for your client traffic)
                    If you have multiple DNS servers defined in System:General and pick a WAN gateway for each then you will still get DNS when 1 WAN is down, without needing default gateway switching.
                    In a 2-WAN system where you just want everything to fail over from the main WAN1 to a (usually much slower) backup WAN2, then you could just use default gateway switching and not bother with gateway groups and rules.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.