Manual assignment of WAN route / load balancing in bufferbloat scenario



  • Hello!

    I would like to start by describing my current setup I am trying to replace. I've started with a single DSL connection, which was experiencing severe bufferbloat - speeds were fine but after saturation, the ping times rose to around 3000ms. I thought that having a high-end consumer router (Asus RT-N66U) would allow me to mitigate the problem. I've tried enabling QoS and traffic shaping. This worked to some extent, allowing me to use internet without much trouble when backups were running, however, still not usable at all for VOIP.

    I've ended up adding another DSL connection+router to the mix (same network, disabled DHCP and manual address set), reserving it for the bandwidth-intensive applications.

    To summarise:

    • Main network - 192.168.2.1 is Asus RT-N66U router with WAN port connected to the DSL router and DMZ set up to its address. This is also a DHCP server.

    • Secondary router - static IP 192.168.2.248.

    All of the devices that are bandwidth-intense have static IP addresses with the router set up with the 192.168.2.248 address.

    As you can see, this is quite a band-aid solution and I am looking into re-building my network (also with multiple VLANs etc) to make it more secure - do not like the OEM router just sitting on the main network among other things.

    What am I looking to do:

    • pfSense with 2xWAN connected to each WAN router

    • managed switch on the LAN end segmenting the network into parts for home automation, media, guest network, etc.

    What I am trying to get my head around is following - would pfSense still give me 2 "router" addresses, allowing me to manually specify which device goes out through which WAN? The situation is slightly complicated also because I would like a mix of routers within a single VLAN.

    Or, is pfSense superior when it comes to QoS and traffic management and I should just be able to bond the connections together and let it do its work? Would there be any way of marking IPs/devices based on priority other than application-specific QoS? For example, I do not want a torrent box (now going through the secondary router) to be spreading all of its traffic through both connections, competing with normal users.

    Last point (I promise!), would it be also possible to create a tertiary virtual "router", which would be always-on VPN? Some of the hosts on the network need to go through the VPN and it would greatly simplify the setup if there was a way to just point them to another router which holds the connection.

    Sorry if I am missing something obvious - I am doing my research while the pfSense box is on the way.



  • I currently run two cable modems into two WAN interfaces and then the traffic is sent through a single LAN connection. I have a gateway group enabled so that when one connection's traffic is more or less used up it will tell the next set of traffic to run through the second internet connection. This way everything stays on the same internal network but the traffic will get prioritized based on latency and/or packet loss.

    In the past I ran a similar setup but I had two WAN interfaces and two LAN interfaces. The two LAN interfaces were in the same IP subnet, but DHCP was disabled on LAN2. Then LAN1's DHCP server was set to give static IPs to certain devices and to assign the gateway of preference.

    pfSense handles QoS very well. I run Vonage VOIP service behind my pfSense box and have not had any issues yet. The only thing I would mention is if you have anyone that does a lot of online gaming, PS3/PS4/XBOX/etc… then you may want to do some research on the options you may need to customize to get certain games to play nice with the firewall. I play a decent amount on PS3 and PS4, both state that I have "Strict NAT" for multi-player online servers. I experience the occasional hiccup with getting booted from a game session, but it happens so little that I don't worry about it.



  • Thank you for the advice!

    I've progressed further in replicating my old setup to enable plug-and-play migration.

    In order to enable the second gateway the same way as before, I've created a virtual IP for .248.

    At this moment, I've got the following setup:

    • main IP 192.168.2.1
    • IP alias of the main IP 192.168.2.248 (this was previously another modem with static IP on the network).

    My question now is - how do I set up an outgoing firewall rule for any device that has the router set as .248? My idea is to have all traffic hitting .1 go through the main WAN1, and all traffic trying to reach .248 go through WAN2.

    I would pipe all non-important backups etc. through WAN2 and then play a bit more with QoS on WAN1 to make Skype and any other VOIP work well.
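As an added illustration (not configuration from either poster, and not the ruleset pfSense itself generates), the following is the raw FreeBSD pf ruleset that sits beneath the design discussed in the two replies above: policy routing of chosen hosts to WAN2, a VPN-only group pinned to a tunnel interface, an optional round-robin gateway pool, and a priority queue on WAN1 so VoIP is not stuck behind bulk uploads. Interface names (em0/em1/em2/tun0), gateway addresses and the host addresses in the tables are assumptions chosen for the example.

```pf
# --- Interfaces and next hops (assumed names and addresses) ---
wan1_if = "em0"          # DSL 1, the default route
wan2_if = "em1"          # DSL 2, used for bulk traffic
lan_if  = "em2"          # 192.168.2.0/24
vpn_if  = "tun0"         # always-on VPN tunnel
wan1_gw = "203.0.113.1"
wan2_gw = "198.51.100.1"
vpn_gw  = "10.8.0.1"

# --- Host groups (constructed sample addresses) ---
table <rfc1918>    const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <wan2_hosts> { 192.168.2.50, 192.168.2.51 }   # torrent box, backup server
table <voip_hosts> { 192.168.2.20 }                 # phone adapter / softphone PC
table <vpn_hosts>  { 192.168.2.60 }                 # must only ever exit via the VPN
table <lb_hosts>   { 192.168.2.70 }                 # may use both WANs

set skip on lo0

# --- Queueing on the primary WAN ---
# The bandwidth figure is deliberately a little below the real DSL upload
# rate: that moves the bottleneck (and therefore the queue) from the modem's
# deep buffer into pf, which is what actually tames the bufferbloat.
altq on $wan1_if priq bandwidth 900Kb queue { q_voip, q_ack, q_default, q_bulk }
queue q_voip    priority 7
queue q_ack     priority 6
queue q_default priority 3 priq(default)
queue q_bulk    priority 1

# --- NAT: each exit interface masquerades with its own address ---
nat on $wan1_if from $lan_if:network to any -> ($wan1_if)
nat on $wan2_if from $lan_if:network to any -> ($wan2_if)
nat on $vpn_if  from <vpn_hosts>     to any -> ($vpn_if)

block in log all
pass out quick on { $wan1_if, $wan2_if, $vpn_if } keep state

# --- Policy routing on the LAN side (first matching "quick" rule wins) ---
# Local destinations are never policy-routed.
pass in quick on $lan_if from $lan_if:network to <rfc1918> keep state

# VPN-only hosts: every packet is handed to the tunnel. If tun0 is down the
# packets are dropped instead of leaking out a WAN (the pfSense GUI equivalent
# needs "Skip rules when gateway is down" left unchecked for that behaviour).
pass in quick on $lan_if from <vpn_hosts> to any \
    route-to ($vpn_if $vpn_gw) keep state

# Bulk hosts are pinned to WAN2; they never compete on WAN1.
pass in quick on $lan_if from <wan2_hosts> to any \
    route-to ($wan2_if $wan2_gw) keep state

# Hosts allowed to spread new connections across both links (the pfSense
# "gateway group" idea); sticky-address keeps one host on one link per flow.
pass in quick on $lan_if from <lb_hosts> to any \
    route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin sticky-address \
    keep state

# VoIP stays on WAN1 in the top queue.
pass in quick on $lan_if from <voip_hosts> to any \
    route-to ($wan1_if $wan1_gw) queue q_voip keep state

# Everyone else: default route (WAN1). TCP gets a second queue so small ACKs
# are not stuck behind a running upload, which is the other half of the lag.
pass in quick on $lan_if proto tcp from $lan_if:network to any \
    queue (q_default, q_ack) keep state
pass in quick on $lan_if from $lan_if:network to any keep state
```

Two design points worth noting. First, pf can only match on what is in the packet, and a client's configured gateway is not in the packet: pointing a device at .248 merely changes the MAC address it sends to, while the IP destination remains the real remote host. The selection therefore has to key on the source address (the tables above), which is also what the DHCP-assigned-gateway approach in the earlier reply relies on. Second, the VPN rule is the "always-on" behaviour asked about in the first post: the hosts in that table have no path to the internet except the tunnel.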

