Load balance 2 Open VPN Site to Site



  • Hi everyone. I'm having a problem in a very simple scenario (attached is a diagram from the pfSense book 2.1 with a similar scenario).

    My objective is to LOAD BALANCE 2 SITE-TO-SITE OpenVPN tunnels.

    I've spent almost 3 months trying different configurations: assigning interfaces to the different site-to-site tunnels on each WAN and OPT interface, using the routing protocols RIPv2 and Quagga OSPF, using gateway groups and policy routing, and nothing works. pfSense always directs traffic to the default gateway (usually the last OpenVPN tunnel that came up) and never switches it, working only (with some luck) as failover.

    In the past week I subscribed to the Gold membership and read almost the whole draft, and the only reference I found was using OSPF (page 366), a configuration similar to the one I tried months before. An hour ago I chatted with Jim Pingle, co-author of the book, and he wrote me that he thinks the solution isn't using routing protocols. I really don't know what I'm doing wrong.

    HOW can I have two routes in the kernel to the same destination network? Quagga can see both paths, but in the kernel routing table only the last one created appears.

    QUAGGA

    ```
    ============ OSPF network routing table ============
    N    172.21.1.2/32        [10] area: 0.0.0.0
                              directly attached to ovpns1
    N    172.21.2.2/32        [10] area: 0.0.0.0
                              directly attached to ovpns2
    N    192.168.0.0/24       [10] area: 0.0.0.0
                              directly attached to em0
    N    192.168.1.0/24       [20] area: 0.0.0.0
                              via 172.21.1.2, ovpns1
                              via 172.21.2.2, ovpns2
    ```

    KERNEL ROUTING TABLE

    ```
    Destination        Gateway        Flags   Refs   Use     Mtu    Netif
    192.168.1.0/24     172.21.1.2     UG1     0      34510   1500   ovpns1
    ```

    Thank you,  Maximiliano.
    ![example pfbook.jpg](/public/imported_attachments/1/example pfbook.jpg)


  • Rebel Alliance Developer Netgate

    First, just a reminder: This is NOT a simple issue. It may be simple to state, but it is far from simple in terms of actually getting it to work and dealing with the routing.

    I can't provide you with a full how-to, but here's the short version. These need to happen on both sides.

    1. Remove/deactivate all routing protocols on the VPN (OSPF, etc)
    2. Assign the VPN interfaces under Interfaces > (assign), enable the interfaces, rename them, set the IP type to 'none'
    3. Remove the firewall rules from the OpenVPN tab and place rules on the individual VPN interface tabs named in step #2. There should be NO rules on the OpenVPN tab, or at least change the rules so they cannot match the traffic for this site-to-site VPN.
    4. Create a gateway group using the dynamic gateways you now have for the VPN, use the same tier for both
    5. In the LAN rules, at the top, match traffic to send to the other side of the VPN and use the gateway group from #4

    #5 directs the traffic to the far side; #3 makes sure it returns via the same interface it entered.

    This is still only connection-based load balancing and NOT aggregation, which is not currently possible. No single connection will get the bandwidth of both WANs.
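    As an added illustration of the setup described in the post above (this is not configuration from the original thread, from Netgate or from the pfSense book), here is what the OpenVPN and firewall side of steps 1 to 5 amounts to: two independent shared-key tun tunnels, one per WAN, each appearing as its own assigned interface with its own dynamic gateway, plus the policy-routing rule on LAN and the per-tunnel return rules. The tunnel addresses and LAN networks are taken from the first post (172.21.1.x on ovpns1, 172.21.2.x on ovpns2, 192.168.0.0/24 at site A, 192.168.1.0/24 at site B); the WAN addresses, port numbers and key file paths are placeholders. pfSense generates the equivalent of all of this from the GUI, so treat it as a description of what the settings should produce, not as files to drop in.

    ```text
    ########## Site A (LAN 192.168.0.0/24): two OpenVPN *servers*, one bound to each WAN

    # --- tunnel 1, bound to WAN1 (placeholder address 203.0.113.1), becomes ovpns1
    dev tun
    proto udp
    local 203.0.113.1
    port 1194
    ifconfig 172.21.1.1 172.21.1.2          # local tunnel IP, peer tunnel IP (the dynamic gateway)
    secret /var/etc/openvpn/tunnel1.secret  # placeholder; static key from: openvpn --genkey --secret <file>
    cipher AES-256-CBC
    auth SHA256
    keepalive 10 60
    persist-key
    persist-tun

    # --- tunnel 2, bound to WAN2 (placeholder address 198.51.100.1), becomes ovpns2
    dev tun
    proto udp
    local 198.51.100.1
    port 1195
    ifconfig 172.21.2.1 172.21.2.2
    secret /var/etc/openvpn/tunnel2.secret  # a different key than tunnel 1 (assumption: one key per tunnel)
    cipher AES-256-CBC
    auth SHA256
    keepalive 10 60
    persist-key
    persist-tun

    # No "route 192.168.1.0 255.255.255.0" (Remote Network) lines here: with two tunnels to the same
    # prefix the kernel keeps only one route (the last tunnel up, as in the first post's table), and
    # the gateway group below bypasses the routing table anyway. Add a route back if traffic that
    # originates on the firewall itself must reach the far side.

    ########## Site B (LAN 192.168.1.0/24): two OpenVPN *clients*, mirror image, each bound to its own WAN

    # --- tunnel 1, bound to site B WAN1 (placeholder 192.0.2.1)
    dev tun
    proto udp
    local 192.0.2.1
    remote 203.0.113.1 1194
    ifconfig 172.21.1.2 172.21.1.1
    secret /var/etc/openvpn/tunnel1.secret  # same static key as site A tunnel 1
    cipher AES-256-CBC
    auth SHA256
    keepalive 10 60
    persist-key
    persist-tun

    # --- tunnel 2, bound to site B WAN2 (placeholder 192.0.2.129)
    dev tun
    proto udp
    local 192.0.2.129
    remote 198.51.100.1 1195
    ifconfig 172.21.2.2 172.21.2.1
    secret /var/etc/openvpn/tunnel2.secret  # same static key as site A tunnel 2
    cipher AES-256-CBC
    auth SHA256
    keepalive 10 60
    persist-key
    persist-tun

    ########## Site A firewall rules, pf syntax, roughly what steps 3-5 produce (LAN is em0 as in the first post)

    # step 5: LAN rule at the top, gateway group with both tunnel gateways in the same tier
    pass in quick on em0 route-to { (ovpns1 172.21.1.2), (ovpns2 172.21.2.2) } round-robin \
        inet from 192.168.0.0/24 to 192.168.1.0/24 keep state

    # step 3: rules on the individual tunnel interface tabs, NOT on the OpenVPN group tab;
    # reply-to pins the return half of each connection to the tunnel it arrived on
    pass in quick on ovpns1 reply-to (ovpns1 172.21.1.2) inet from 192.168.1.0/24 to 192.168.0.0/24 keep state
    pass in quick on ovpns2 reply-to (ovpns2 172.21.2.2) inet from 192.168.1.0/24 to 192.168.0.0/24 keep state
    ```

    Two practitioner notes on this. First, the `reply-to` is the reason step 3 matters: pfSense adds it to rules placed on an interface tab that has a gateway, but not to rules on the OpenVPN group tab, so with group-tab rules the replies fall back to the kernel default route and leave by whichever tunnel came up last, which is exactly the one-sided behaviour the first post describes. Second, static-key (shared secret) mode has no forward secrecy and no per-session key negotiation, so keep a distinct key per tunnel, protect the key files as you would a private key, and rotate them on a schedule; a compromised key decrypts every past capture of that tunnel.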



  • Hi jimp, thanks in advance for your reply. I only used the word "simple" because I think you've worked with more complex scenarios; we are talking about two internal connections with all external traffic closed and all internal traffic allowed. Right now I'm using virtually nothing more than routing tables and OpenVPN, simple as that.

    The kind of configuration you describe I have tried several times, making one small change each time, and pfSense always directs all traffic to the last VPN connection; it never switches to the other VPN, or doesn't route at all.

    I tried different VPN configurations, at first defining routes, forcing the MAC address to preserve the OVPN interface, etc. Remember I started on this issue in the new shiny v2.0.

    Now the configuration uses dynamic routing; nevertheless I will try again and repost the result for proper evaluation.

    Thanks again, and again, good job! It's a great product and I know it's difficult to include everything.


  • Rebel Alliance Developer Netgate

    Make sure to use an OpenVPN site-to-site tunnel in tun mode using a shared key.

    I know that setup works because we have a couple customers using it in production, one of them balancing across 8 VPNs and it works well.



  • Hi everybody…

    I guess you have to set the OpenVPN server to listen on the balanced_gw_group you set up in step 4?

    Following this quick tutorial results in "An IPv4 protocol was selected, but the selected interface has no IPv4 address" when I'm trying to...

    Anyone got an idea? ::)

    thank you



  • @badger:

    > Hi everybody…
    >
    > I guess you have to set the OpenVPN server to listen on the balanced_gw_group you set up in step 4?
    >
    > Following this quick tutorial results in "An IPv4 protocol was selected, but the selected interface has no IPv4 address" when I'm trying to...
    >
    > Anyone got an idea? ::)
    >
    > Thank you

    No, you actually set up 2 (or more) separate OpenVPN servers in this scenario.

