Need help, 2 WAN, 1 LAN, Load Balancer
-
Hi, and thanks for helping me with this, the idea is to create a load balancing pool with 2 WANs to feed the users. Here's the scenario:
I have 1 LAN, 2 WAN links, 1 ADSL (512/256), and OPT1 renamed "SAT", Satellite (1024/256).
WAN (ADSL) ---- static 192.168.1.1/24
OPT1 (SAT) ---- DHCP with static gateway 192.168.152.1
LAN --------------- DHCP for clients 169.254.1.0/24
In General options I configured the DNS servers list, the primary DNS being from the ADSL provider and the secondary DNS from the SAT provider.
Load Balancer POOLS
I created 1 pool called "balancer pool" and I added both static gateways from WAN and SAT with a monitor IP address from yahoo.com, the same for both:
192.168.1.1 / (yahoo public ip)
192.168.152.1 / (yahoo public ip)
NAT
I created 2 mappings from the advanced NAT configuration, one for WAN and the other for SAT:
- | Interface: WAN | Source: 192.168.1.0/24 (LAN Subnet) | Destination: any | Destination port: any | NAT addr: any | NAT port: any |
- | Interface: SAT | Source: 192.168.1.0/24 (LAN Subnet) | Destination: any | Destination port: any | NAT addr: any | NAT port: any |
Firewall Rules
I added 1 rule just to be sure balancing works
Action: pass
Interface: LAN
Protocol: any
Source: LAN Subnet
Destination: any
Gateway: "balancer pool" <------ here's where I choose to be routed to both gateways, I believe in a round robin fashion
At this point everything seems ok but.....
Then when I open the browser the routing surpasses the captive portal and navigates ok, but only on port 80. If I try to enter an HTTPS page or an ftp site it doesn't get through, even if I reboot the pfSense machine, same story.
I check the firewall logs and there isn't any blocked connection.
If I delete all the rules I created, it still doesn't work, until I restore the firewall config.
Any ideas? Please help, thanks
-
Your LAN network and your WAN network are the same so pfSense doesn't know what to do.
If you type 192.168.1.1
that can be LAN but it can also be WAN.
Change your LAN network to 192.168.2.0/24
so that pfSense knows where to send data.
-
Apparently, the problem is that pfSense doesn't support full load balancing and DNS failover unless both links are from the same provider. In my case I have 2 links from different providers, one Satellite and one ADSL, but the concepts of fail-over and load balancing are misunderstood:
For me, load balancing with 2 links from two different ISPs would also mean a fail-over scenario from the connection point of view; it means that if one of the providers is down the traffic goes out to the other one and vice-versa. But in the case the power supply or a hard drive crashes, then everything is down. This is what I want to achieve, but when I try to set this up following the wiki tutorial and the support .pdf files, all traffic different from port 80 is blocked silently without logs from the firewall messenger (https, ftp, p2p, etc.).
I've checked that the problem arises when I choose the pool from the load balancing feature.
Does anyone know if putting in an internal DNS server would solve this issue?
Thanks for your replies.
-
I think internal DNS would fix the problem, because when the DNS server forwards, it'll just be NAT'd out via pfSense like normal packets are.
I could be wrong, try it. We run an internal DNS server. It seems to work....
-
I also have dual WAN ADSL but it is from the same ISP with the same download limit and the same speed, but the DNS also does not fail over and the DNS forwarder fails when WAN drops out and OPT is operational. An internal DNS server is required. I have not yet fully understood how to configure this option using the Dynamic DNS client.
I have looked into a few options though and found that http://www.dyndns.com/services/ offer the option that supports "Round Robin" DNS services. I am not sure how this would work seeing that I have static IP address on both connections and if I am unable to have the DNS failover from WAN to OPT, then I am not sure that this is going to work either. I may be wrong as I want this option to work as well for our office setup.
DyDNS do support some dns for free but I am not sure if this option for a "Round Robin" DNS is free or FEE based. I am going to find out if my ISP offers the option for "Round Robin DNS" as it would make more sense to me, as they would be the first hop into the Inet. As if they go down then I have no connection anyway.
My ISP had some documentation for manually configuring the resolv.conf file to find their DNS, but that made no difference to finding their DNS when I simulated a failed router on WAN. I have just kept a couple of spare routers on hand, already configured in case this event happens.
I would like some advice from someone who has already successfully configured an Internal DNS "Round Robin" and how to go about configuring it.
BTW, on DyDNS, to find out about the "Round Robin DNS" just do a search on their site for Round Robin as they don't have it listed for easy selection.
Kindest Regards,
Craig Roy
Horizon IT Consultants.
-
This could be a very dumb suggestion.
Let's say for your WAN link you've DNS servers 199.199.1.101 and 199.199.1.102.
Let's say for your OPT link you've DNS servers 200.200.1.101 and 200.200.1.102.
Can you just specify DNS servers in your DHCP server???
Like specify primary DNS to be 199.199.1.101 and secondary to be 200.200.1.102.
==============================
If "DNS failover" doesn't work because pfSense keeps looking at WAN for 200.200.1.102 when WAN goes down:
Will specifying a static route to 200.200.1.102 work?
-
This is now fixed in CVS. If you are running a full version then issue this command from a shell:
cvs_sync.sh releng_1
Next go to System -> Static Routes and create an "Interface Gateway checked" route through the correct WAN interface with the destination being the DNS server/32. Repeat this for any other DNS servers.
This will force traffic for the DNS server out the correct interface and will solve this problem during WAN port down times.
-
Hi Scott,
Just had a look at the static route form and I don't have the option to select the Interface as a gateway there. Has this option been included in the latest snapshot? I am using a full Beta2 version less snapshot.
Craig Roy
-
@CraigRoy:
Hi Scott,
Just had a look at the static route form and I don't have the option to select the Interface as a gateway there. Has this option been included in the latest snapshot? I am using a full Beta2 version less snapshot.
Craig Roy
This is now fixed in CVS. If you are running a full version then issue this command from a shell:
cvs_sync.sh releng_1
-
Thanks Scott,
I'll give this a go later tonight after work finishes and I have time to play with it a bit.
Thanks for all your help.
Craig Roy
-
I just realized that this was breaking the routing in certain situations so I have removed it.
The way to force the gateway correctly for DNS is to put in the next hop router to force the traffic out the correct pipe.
Sorry about that!
-
The way to force the gateway correctly for DNS is to put in the next hop router to force the traffic out the correct pipe.
May you explain in more detail?
What's the "next hop router" in your situation?
e.g. if the WAN-1 ISP gateway is 111.111.111.1, will that be your next hop router?
What about WAN #2's gateway? What should we do about it?
After one has figured out what their "next hop router" is, where should they put the "next hop router" info in pfSense? e.g. on which configuration page, under what options? Thank you.
-
Whatever the gateway is of that interface.
For example if your wan is fxp0 do:
route get default fxp0
Then use the gateway listed as the next hop gateway.
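A small checker for the two misconfigurations aired in this thread (a LAN overlapping a WAN subnet, and an outbound NAT source copied from the wrong subnet), which also builds the per-DNS-server /32 routes via each ISP's next hop gateway as Scott describes. This is an added example, not pfSense code or anything posted here; the SAT subnet mask and the DNS server addresses are assumptions (the latter borrowed from the example figures earlier in the thread).

```python
"""Sanity checks for the two-WAN setup in this thread (added example, not
pfSense code or anyone's post). It flags a LAN overlapping a WAN subnet and an
outbound NAT source that is not the LAN subnet (the 192.168.1.0/24 vs
169.254.1.0/24 copy/paste error), and builds the per-DNS-server /32 routes
via each ISP's next hop gateway that Scott recommends. Subnet sizes and DNS
addresses are constructed assumptions."""
from ipaddress import ip_network

# Constructed config: interface -> subnet, next hop gateway, that ISP's DNS servers
INTERFACES = {
    "LAN": {"subnet": "169.254.1.0/24", "gateway": None, "dns": []},
    "WAN": {"subnet": "192.168.1.0/24", "gateway": "192.168.1.1",
            "dns": ["199.199.1.101", "199.199.1.102"]},
    "SAT": {"subnet": "192.168.152.0/24", "gateway": "192.168.152.1",
            "dns": ["200.200.1.101", "200.200.1.102"]},
}
# Constructed NAT rules as posted: source copied from the WAN subnet by mistake
NAT_RULES = [{"interface": "WAN", "source": "192.168.1.0/24"},
             {"interface": "SAT", "source": "192.168.1.0/24"}]

def find_overlaps(interfaces):
    """Return sorted pairs of interface names whose subnets overlap."""
    names = sorted(interfaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ip_network(interfaces[a]["subnet"]).overlaps(
                ip_network(interfaces[b]["subnet"]))]

def check_nat_sources(interfaces, nat_rules, lan="LAN"):
    """Flag outbound NAT rules whose source is not the LAN subnet."""
    lan_net = ip_network(interfaces[lan]["subnet"])
    return [f"{r['interface']}: source {r['source']} is not LAN {lan_net}"
            for r in nat_rules if ip_network(r["source"]) != lan_net]

def dns_static_routes(interfaces):
    """One /32 route per DNS server via its own ISP's next hop gateway."""
    return [(f"{dns}/32", iface["gateway"], name)
            for name, iface in interfaces.items() if iface["gateway"]
            for dns in iface["dns"]]

if __name__ == "__main__":
    print("overlaps:", find_overlaps(INTERFACES))
    for problem in check_nat_sources(INTERFACES, NAT_RULES):
        print("NAT:", problem)
    for dst, gw, via in dns_static_routes(INTERFACES):
        print(f"route add {dst} {gw}  # keeps {via} DNS traffic on {via}")
```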
-
:(
why your lan is 168.254.1.0/24,your nat is configured for 192.168.1.0/24
can somebody explain the reason, is it right? ::)
-
:(
why your lan is 168.254.1.0/24,your nat is configured for 192.168.1.0/24
can somebody explain the reason, is it right? ::)
Actually it's a copy/paste error, it should be LAN (source) (169.254.1.0/24)
Sorry about that
-
I have the ultimate live-cd version (1.0-RC1) but this version doesn't have the new option "USE INTERFACE AS GATEWAY".
I don't have an HD and need this option to solve the DNS problem and other bug fixes. What can I do?
Can't a new live-cd be compiled without this bug?
Thanks, friends