Same public IP address with Multi WAN & load balancing + Squid



  • Hi all  :)

    Firstly, sorry for my poor English ^^

    I'm an intern and I'm configuring a "new" pfSense server.
    I would like to use the two internet connections to get a better traffic distribution.

    Here are my settings:

    Interfaces:

    • WAN1 - Static IP : 192.168.0.190/24 gateway : 192.168.0.254
    • WAN2 - Static IP : 192.168.1.190/24 gateway : 192.168.1.254
    • LAN : IP : 192.168.2.1 - DHCP 2.100 to 2.200.
      OK -

    My two gateways in system > routing

    • WAN1 - 192.168.0.254
    • WAN2 - 192.168.1.254

    Tab Groups

    • LoadBalancing : tier1 WAN1 + tier2 WAN2
    • WAN1FailOverWAN2 : tier2 WAN1 + tier1 WAN2
    • WAN2FailOverWAN1 : tier1 WAN1 + tier2 WAN2

    System / General
    DNS :
    8.8.8.8 - WAN1
    8.8.4.4 - WAN2
    ISP WAN1 DNS - WAN1
    ISP WAN2 DNS - WAN2

    The two gateways are online
    OK -

    Firewall Rules
    LAN:

    • Proto : any / Source : LAN net / Port : any / Dest. : any / Port : any / Gateway : LoadBalancing
    • Proto : any / Source : LAN net / Port : any / Dest. : any / Port : any / Gateway : WAN1FailOverWAN2
    • Proto : any / Source : LAN net / Port : any / Dest. : any / Port : any / Gateway : WAN2FailOverWAN1

    Internet connection is OK
    BUT the load balancing doesn't work?

    I take my PC (ip 2.100) : internet access ok
    VM1 : ip 2.101 : internet access ok
    VM2 : ip 2.102 : internet access ok

    Problem:
    SAME PUBLIC IP ADDRESS???
    If load balancing worked, the result would be different, no?
    Where did I fail?

    Best regards
    Nicolas



  • LoadBalancing : tier1 WAN1 + tier2 WAN2

    For Load Balancing you have to put both WAN on the same tier (use tier 1).

    Also, when you want to use failover, the names of your failover gateway groups look swapped to me - tier 1 is the highest priority, so "tier1 WAN1 + tier2 WAN2" I would call WAN1-failover-to-WAN2.

    And then of course you need to make rules that do something useful - having a Load Balancing rule that matches all traffic means that those other rules for failover never match any traffic. If you want some traffic to load balance and some to failover in different ways you need to make your ruleset match the needed traffic for each requirement and send to the appropriate gateway group.



  • Hi,

    To begin, thanks for your reply  :)

    At the moment I think I'll forget the failover protocol and first work only on the load balancing. (I will disable failover.)
    For load balancing I have already put both WANs on tier 1.

    So what do I have to do to make it work?
    Even if I have only this firewall rule:
    Proto : any / Source : LAN net / Port : any / Dest. : any / Port : any / Gateway : LoadBalancing

    I always have the public IP of my "default" gateway..?


    Another thing:
    I must configure external access with this configuration: INTERNET > Modem > pfSense > Host (RDP for example).

    • When I set:
      Modem : In : any - 9898 | out pfSense_WAN_IP 9899
      pfSense : In : any - 9899 | out Host_IP 3389
      Doesn't work!
    • When I set:
      Modem : In : any - 9898 | out pfSense_WAN_IP 3389
      pfSense : In : any - ANY | out Host_IP 3389
      It works!

    Why can't I set a source port?
    For example, if I have 2 hosts on my LAN interface which listen on the same port, how can I do this:
    When I come in on port 1098 > I want to go to THIS host on port 3389
    and
    When I come in on port 1099 > I want to go to THIS SECOND host on port 3389

    Thanks



  • So what do I have to do to make it work?
    Even if I have only this firewall rule:
    Proto : any / Source : LAN net / Port : any / Dest. : any / Port : any / Gateway : LoadBalancing

    I always have the public IP of my "default" gateway..?

    What you describe should work. So post screen shots of the Gateway Group settings, LAN rules.

    Are you running a proxy server (like Squid)? That will grab the client traffic and then effectively bypass the policy-routing rules.



  • Thanks for replying

    I have a proxy server installed on pfSense, but I think it's turned off. I will check this.
    But I will use squid for caching..


    Anyone for my second problem?
    What am I missing?
    As I said, if I give the source port I'm unable to establish the connection..
    In that case, how do I distinguish between two hosts with the same port range?



  • @phil.davis:

    So what do I have to do to make it work?
    Even if I have only this firewall rule:
    Proto : any / Source : LAN net / Port : any / Dest. : any / Port : any / Gateway : LoadBalancing

    I always have the public IP of my "default" gateway..?

    What you describe should work. So post screen shots of the Gateway Group settings, LAN rules.

    Are you running a proxy server (like Squid)? That will grab the client traffic and then effectively bypass the policy-routing rules.

    YEAH MAN! It works! Thanks!!!!
    I did indeed disable squid and it works fine …
    I will look on the internet for how to make them work together.



  • @goodspeed_11:


    Another thing:
    I must configure external access with this configuration: INTERNET > Modem > pfSense > Host (RDP for example).

    • When I set:
      Modem : In : any - 9898 | out pfSense_WAN_IP 9899
      pfSense : In : any - 9899 | out Host_IP 3389
      Doesn't work!
    • When I set:
      Modem : In : any - 9898 | out pfSense_WAN_IP 3389
      pfSense : In : any - ANY | out Host_IP 3389
      It works!

    Why can't I set a source port?
    For example, if I have 2 hosts on my LAN interface which listen on the same port, how can I do this:
    When I come in on port 1098 > I want to go to THIS host on port 3389
    and
    When I come in on port 1099 > I want to go to THIS SECOND host on port 3389

    Thanks

    Can anyone help me with this problem?
    Thanks


  • Banned

    Help with what? You told us right above that it works fine now without Squid, just a minute ago…



  • ***First problem : Same public IP with multi WAN

    It was a bug with squid.
    So I disabled it and it works fine, but I must use Squid … So I did some searching and I found this:

    • System / advanced / Miscellaneous / Enable : default gateway switching
    • on the proxy server (Squid3; squid 2.X doesn't work for me ... no internet access in transparent mode):
      Tabs : General  / Custom settings, I added:
      acl loadbalance random 0.5;
      tcp_outgoing_address WAN1 loadbalance;
      tcp_outgoing_address WAN2;

    After that Squid3 (transparent mode) + Load balancing works great BUT, because there is always a but  :P , I can't reach the GUI of my modem..
    (Without squid3, I can reach the GUI.)

    If anyone can help ??  :)

    ***Second problem : I can't set a source port for NAT rules

    I just saw a new release of pfSense this morning: 2.2.1
    Among the fixes, there is:
    Bug #4238: Firewall rule: source port display issue

    So, I will see if this works now (after my meeting) ^^
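Here is an added squid.conf fragment (not from the thread or the pfSense package) showing the change a practitioner would try for the modem-GUI problem in the post above: tcp_outgoing_address is evaluated top to bottom and the first matching line wins, so a dst ACL for each modem placed before the random split keeps those connections on the WAN that can actually reach them. The addresses are the ones given in the original post; the ACL names modem_wan1 and modem_wan2 are assumptions.

```squid
# Added example, not from the thread. Addresses are the ones in the original
# post (WAN1 192.168.0.190, WAN2 192.168.1.190, modem GUIs at .254 on each
# WAN subnet); the ACL names are assumptions. In the pfSense Squid3 package
# these directives go in General / Custom settings, separated by ";" rather
# than by newlines, as in the post.

# Destinations that are only reachable from one WAN: each modem's GUI.
acl modem_wan1 dst 192.168.0.254/32
acl modem_wan2 dst 192.168.1.254/32

# 50/50 split for everything else (the same random ACL the post uses).
acl loadbalance random 0.5

# tcp_outgoing_address is first-match, top to bottom. Pin the modem GUIs
# before the random split is consulted; otherwise about half of the
# intercepted requests to 192.168.0.254 leave with the WAN2 source address,
# which that modem has no route back to, and the page never loads.
tcp_outgoing_address 192.168.0.190 modem_wan1
tcp_outgoing_address 192.168.1.190 modem_wan2
tcp_outgoing_address 192.168.0.190 loadbalance
tcp_outgoing_address 192.168.1.190
```

If the package version in use offers a destination bypass list for transparent mode, adding both .254 addresses there is the simpler alternative: the modem GUIs are then never intercepted by Squid and fall back to the normal policy-routing rules.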


  • Banned

    @goodspeed_11:

    So I disabled it and it works fine, but I must use Squid

    Yeah, you must use Squid to make your life miserable. Good luck. (Perhaps edit the subject of this thread to include Squid in it.)



  • What do you know about that, huh?!
    Nothing, so shut your mouth – We will use squid for the cache, thanks for your contribution  ;)

    Good luck just having a life  ::)


  • Banned

    @goodspeed_11:

    What do you know about that, huh?!

    Looking at this forum, I know enough about it to conclude that installing pointless "caching" proxies that will get some 3-5% hitrate if you are really lucky and break things left and right on the way makes absolutely no sense unless you are on a slooooooooow WAN.



  • @doktornotor:

    @goodspeed_11:

    What do you know about that, huh?!

    Looking at this forum, I know enough about it to conclude that installing pointless "caching" proxies that will get some 3-5% hitrate if you are really lucky and break things left and right on the way makes absolutely no sense unless you are on a slooooooooow WAN.

    As I said before, I work for a little company. So we have maybe 30 computers. When there are Windows Updates, the bandwidth is saturated …
    It's not ESSENTIAL, but IT can be PROFITABLE ...

    Here is a screenshot of the problem
    WAN1 : 192.168.0.91 -> Gateway 192.168.0.254 <-- This is where I have the GUI that I want to go
    WAN2 : 192.168.1.91 -> Gateway 192.168.1.254

    ![Screen Shot 2015-03-18 at 16.01.52.png](/public/imported_attachments/1/Screen Shot 2015-03-18 at 16.01.52.png)


  • Banned

    @goodspeed_11:

    before, I work for a little company. So we have maybe 30 computers. When there are Windows Updates, the bandwidth is saturated …

    You should run WSUS server on your LAN. Not Squid. Managing hotfixes manually on 30 computers? WTF. (Beyond that, last time I checked here, proxying Windows Update did not even work for the people who were trying it, just search the forum.)



  • I don't know which to choose between

    2 modems > load balancer Duolinks SW24 | pfSense | LAN
    or
    2 modems > 1 pfSense for load balancing | 2nd pfSense for Squid + others | LAN

    A little bit tired of that  :(

