Conflicting info on fail over and load balancing



  • Source 1: https://thegeekninja.wordpress.com/2013/06/10/the-pfsense-walkthrough-part-4-multi-wan-fail-over-with-pfsense/

    Source 2: http://virtualitsupport.0fees.net/?p=158

    Source 1 says to create 2 groups and doesn't specify in which order to put the firewall rules.

    Source 2 says to create 3 groups and doesn't specify in which order to put the firewall rules.

    Can someone please clarify this for me?

    I'm using the newest pfSense, 2.1.

    Thanks.



  • You need to decide what you want to achieve.
    a) Load Balancing - if you just want general traffic to be spread over both links and still work when 1 link is down, then make a LoadBalance gateway group with both links Tier 1. Edit your "allow all on LAN" rule to use gateway LoadBalance.
    b) Failover1 - if you want all your traffic to use link1 and only fail over to link 2 if link 1 is down, then make a Failover1 gateway group, link 1 = tier 1, link2 = tier 2. Edit your "allow all on LAN" rule to use gateway Failover1.

    You can obviously make a 3rd gateway group to fail over the opposite way - link1 = tier 2, link2 = tier 1, named "Failover2". Make rule/s on LAN to feed traffic into that and it goes out link 2, and fails over to link 1 if link 2 is down.

    Depending on what you want, you can put various pass rules to send different traffic to different gateway groups. You have to think of what you want to happen. e.g.

    Pass source any destination any port SMTP gateway Failover2 (SMTP mail goes on link2 first)
    Pass source 192.168.1.42 destination any gateway Failover2 (the LAN client with IP 192.168.1.42 goes on link2 first)
    Pass source 192.168.1.66 destination any gateway Failover1 (the LAN client with IP 192.168.1.66 goes on link1 first)
    Pass source any destination any gateway LoadBalance (the rest of the traffic is spread across all links)

    You dream up what you want it to do.



  • Ok that was what I was thinking. Thanks for the clarification.

    Last question.

    I'm trying to log into some websites that have 2FA (2 factor authentication) and it will act like I'm using both my WAN IPs while logging in and of course deny me the ability to log in because it thinks I'm logging in from IP A when it switches to IP B during the 2nd part of the login. How can I fix this?



  • Put those sites into an alias using their FQDNs (e.g. call it TwoFAsites). Then add a rule to put the traffic for them into a Failover group, so that the traffic to them stays on a single WAN while that WAN is up:
    Pass source LANnet destination TwoFAsites gateway Failover1

    Put the rule up the top of the LAN rule list, before general rule/s that feed other traffic into LoadBalance.



  • @phil.davis:

    Put those sites into an alias using their FQDNs (e.g. call it TwoFAsites). Then add a rule to put the traffic for them into a Failover group, so that the traffic to them stays on a single WAN while that WAN is up:
    Pass source LANnet destination TwoFAsites gateway Failover1

    Put the rule up the top of the LAN rule list, before general rule/s that feed other traffic into LoadBalance.

    Dang, I was hoping there was a more general method. There are millions of 2FA sites out there.



  • I think you can also turn on System: Advanced: Miscellaneous "Use sticky connections".
    The downside is that then a particular client on LAN will get locked to a particular outgoing WAN. If you have fast WANs and lots of clients then it is not a big issue. If you are on your own in the evening and are trying to do lots of stuff, use a download manager to suck down big files… then you do not want the 1 client to be tied to 1 WAN.
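    The behaviour phil.davis describes in the three answers above (tiered gateway groups, top-down first-match LAN rules, and sticky connections pinning a client to one WAN) can be modelled in a few lines. This is an added example, not pfSense code or anything from the thread; the gateway names, the 203.0.113.x/198.51.100.x addresses and the rule list are constructed for illustration.

```python
# Constructed gateway/online state; flip a value to simulate a WAN outage.
ONLINE = {"WAN1_GW": True, "WAN2_GW": True}

# Gateway groups as phil.davis describes them: member -> tier (lower tier = preferred).
GROUPS = {
    "Failover1":   {"WAN1_GW": 1, "WAN2_GW": 2},
    "Failover2":   {"WAN1_GW": 2, "WAN2_GW": 1},
    "LoadBalance": {"WAN1_GW": 1, "WAN2_GW": 1},
}

# Alias of 2FA sites; constructed addresses standing in for what the FQDNs resolve to.
ALIASES = {"TwoFAsites": {"203.0.113.10", "203.0.113.20"}}

def pick_gateway(group, online, rr, sticky=None, src=None):
    """Lowest online tier wins; equal tiers round-robin, or pinned per client if sticky."""
    tiers = GROUPS[group]
    up = [gw for gw in tiers if online[gw]]
    if not up:
        return None                      # no member of the group is up
    best = min(tiers[gw] for gw in up)
    cands = [gw for gw in up if tiers[gw] == best]
    if sticky is not None and src in sticky and sticky[src] in cands:
        return sticky[src]               # "Use sticky connections": client stays on its WAN
    n = rr.get(group, 0)                 # round-robin counter per group (spreads the load)
    rr[group] = n + 1
    gw = cands[n % len(cands)]
    if sticky is not None:
        sticky[src] = gw
    return gw

def matches(rule, src, dst, dport):
    rsrc, rdst, rport, _ = rule
    src_ok = rsrc == "any" or rsrc == src or (rsrc == "LANnet" and src.startswith("192.168.1."))
    dst_ok = rdst == "any" or rdst == dst or dst in ALIASES.get(rdst, ())
    return src_ok and dst_ok and rport in ("any", dport)

def route(rules, src, dst, dport, online=ONLINE, rr=None, sticky=None):
    """First matching LAN rule wins, top-down, as the pfSense rule list is evaluated."""
    rr = {} if rr is None else rr
    for rule in rules:
        if matches(rule, src, dst, dport):
            return rule[3], pick_gateway(rule[3], online, rr, sticky, src)
    return None, None

# Rule list from the thread: 2FA alias rule at the top, catch-all LoadBalance last.
GOOD_ORDER = [("LANnet", "TwoFAsites", "any", "Failover1"),
              ("any", "any", 25, "Failover2"),
              ("any", "any", "any", "LoadBalance")]
BAD_ORDER = GOOD_ORDER[::-1]   # catch-all first: the alias rule can never match
```

With BAD_ORDER, two consecutive packets from the same client to a 2FA site leave on different WANs, which is exactly the login failure asked about; with GOOD_ORDER, or with a sticky table, they stay on one WAN.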



  • @phil.davis:

    I think you can also turn on System: Advanced: Miscellaneous "Use sticky connections".
    The downside is that then a particular client on LAN will get locked to a particular outgoing WAN. If you have fast WANs and lots of clients then it is not a big issue. If you are on your own in the evening and are trying to do lots of stuff, use a download manager to suck down big files… then you do not want the 1 client to be tied to 1 WAN.

    I just noticed these options. I don't think I've ever seen them before either. Strange haha. I saw this "Allow default gateway switching" option that nobody ever spoke about in either of the sources linked above too. Sounds reasonable to have that turned on for this type of scenario.



    Default gateway switching allows pfSense-originated traffic to find its way out if WAN1 is down. Mostly this is just the dashboard firmware update check, and installing packages (when you already have gateway groups and policy-routing rules for your client traffic).
    If you have multiple DNS servers defined in System:General and pick a WAN gateway for each then you will still get DNS when 1 WAN is down, without needing default gateway switching.
    In a 2-WAN system where you just want everything to fail over from the main WAN1 to a (usually much slower) backup WAN2, then you could just use default gateway switching and not bother with gateway groups and rules.