Netgate Discussion Forum

Same public IP address with Multi WAN & load balancing + Squid

Routing and Multi WAN
goodspeed_11

Hi all :)

Firstly, sorry for my poor English ^^

I'm an intern and I'm configuring a "new" pfSense server.
I would like to use the two internet connections to have a better traffic distribution.

Here are my settings:

Interfaces:

• WAN1 - Static IP: 192.168.0.190/24, gateway: 192.168.0.254
• WAN2 - Static IP: 192.168.1.190/24, gateway: 192.168.1.254
• LAN - IP: 192.168.2.1 - DHCP 2.100 to 2.200.
  OK -

My two gateways in System > Routing:

• WAN1 - 192.168.0.254
• WAN2 - 192.168.1.254

Groups tab:

• LoadBalancing: tier1 WAN1 + tier2 WAN2
• WAN1FailOverWAN2: tier2 WAN1 + tier1 WAN2
• WAN2FailOverWAN1: tier1 WAN1 + tier2 WAN2

System / General
DNS:
8.8.8.8 - WAN1
8.8.4.4 - WAN2
ISP WAN1 DNS - WAN1
ISP WAN2 DNS - WAN2

The two gateways are online
OK -

Firewall Rules
LAN:

• Proto: any / Source: LAN net / Port: any / Dest.: any / Port: any / Gateway: LoadBalancing
• Proto: any / Source: LAN net / Port: any / Dest.: any / Port: any / Gateway: WAN1FailOverWAN2
• Proto: any / Source: LAN net / Port: any / Dest.: any / Port: any / Gateway: WAN2FailOverWAN1

Internet connection is OK
BUT the load balancing doesn't work?

I take my PC (IP 2.100): internet access OK
VM1: IP 2.101: internet access OK
VM2: IP 2.102: internet access OK

Problem:
SAME PUBLIC IP ADDRESS???
If load balancing worked the result would be different, no?
Where did I fail?

Best regards
Nicolas
phil.davis

LoadBalancing: tier1 WAN1 + tier2 WAN2

For Load Balancing you have to put both WANs on the same tier (use tier 1).

Also, when you want to use failover, the names of your failover gateway groups look swapped to me - tier 1 is the highest priority, so "tier1 WAN1 + tier2 WAN2" I would call WAN1-failover-to-WAN2.

And then of course you need to make rules that do something useful - having a Load Balancing rule that matches all traffic means that those other rules for failover never match any traffic. If you want some traffic to load balance and some to failover in different ways you need to make your ruleset match the needed traffic for each requirement and send it to the appropriate gateway group.

As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
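To make the tier rule above concrete, here is an added Python model of how a gateway group selects gateways; it is illustrative code written for this thread, not pfSense's own implementation. Traffic goes to the lowest-numbered tier that still has an online member, and when several online members share that tier, new connections are spread across them. The group definitions are the ones from the first post plus a corrected LoadBalancing group with both WANs on tier 1; the plain round-robin spread is an assumption for the simplest case (pfSense also supports per-gateway weights, which are not modelled).

```python
from collections import Counter
from itertools import cycle

# Gateway groups as listed in the first post: (gateway, tier) pairs.
# "LoadBalancingFixed" is the corrected version with both WANs on tier 1.
GROUPS = {
    "LoadBalancing": [("WAN1", 1), ("WAN2", 2)],       # as posted: WAN2 only on tier 2
    "LoadBalancingFixed": [("WAN1", 1), ("WAN2", 1)],  # both on tier 1
    "WAN1FailOverWAN2": [("WAN1", 2), ("WAN2", 1)],    # as posted: WAN2 is really primary
    "WAN2FailOverWAN1": [("WAN1", 1), ("WAN2", 2)],
}


def active_members(group, status):
    """Return the online members of the lowest tier that has any online member.

    `status` maps a gateway name to "online" or "down". An empty list means
    every member is down and the group cannot carry traffic.
    """
    tiers = {}
    for gateway, tier in group:
        tiers.setdefault(tier, []).append(gateway)
    for tier in sorted(tiers):
        online = [gw for gw in tiers[tier] if status.get(gw) == "online"]
        if online:
            return online
    return []


def describe(group):
    """Classify a group by its top tier: two or more members there means
    load balancing, a single member means failover with that member primary."""
    lowest = min(tier for _, tier in group)
    top = [gw for gw, tier in group if tier == lowest]
    if len(top) > 1:
        return "load balancing across " + ", ".join(top)
    return f"failover, primary {top[0]}"


def assign_connections(group, status, count):
    """Spread `count` new connections round-robin over the active members and
    return how many landed on each gateway."""
    members = active_members(group, status)
    if not members:
        return Counter()
    rotation = cycle(members)
    return Counter(next(rotation) for _ in range(count))


if __name__ == "__main__":
    both_up = {"WAN1": "online", "WAN2": "online"}
    wan1_down = {"WAN1": "down", "WAN2": "online"}
    for name, group in GROUPS.items():
        print(f"{name:20} {describe(group):36} "
              f"both up: {dict(assign_connections(group, both_up, 10))} "
              f"WAN1 down: {dict(assign_connections(group, wan1_down, 10))}")
```

Running it reproduces the symptom from the first post: with WAN2 on tier 2, every connection uses WAN1 while WAN1 is up, so all hosts see the same public address; WAN2 only takes over when WAN1 is marked down. The corrected group alternates connections between the two WANs.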
goodspeed_11

Hi,

To begin, thanks for your reply :)

At the moment I think I'll forget the failover protocol and first work only on the load balancing (I will disable failover).
For load balancing I have already put both WANs on tier 1.

So what do I have to do to make it work?
Even if I have only this firewall rule:
Proto: any / Source: LAN net / Port: any / Dest.: any / Port: any / Gateway: LoadBalancing

I always have the public IP of my "default" gateway..?

Another thing:
I must configure external access with this configuration: INTERNET > Modem > pfSense > Host (RDP for example).

• When I set:
  Modem: In: any - 9898 | out pfSense_WAN_IP 9899
  pfSense: In: any - 9899 | out Host_IP 3389
  Doesn't work!
• When I set:
  Modem: In: any - 9898 | out pfSense_WAN_IP 3389
  pfSense: In: any - ANY | out Host_IP 3389
  It works!

Why can't I set a source port?
For example, if I have 2 hosts on my LAN interface which work on the same port, how can I do this:
When I come in on port 1098 > I want to go to THIS host with port 3389
and
When I come in on port 1099 > I want to go to THIS SECOND host with port 3389

Thanks
phil.davis

So what do I have to do to make it work?
Even if I have only this firewall rule:
Proto: any / Source: LAN net / Port: any / Dest.: any / Port: any / Gateway: LoadBalancing

I always have the public IP of my "default" gateway..?

What you describe should work. So post screenshots of the Gateway Group settings and LAN rules.

Are you running a proxy server (like Squid)? That will grab the client traffic and then effectively bypass the policy-routing rules.
goodspeed_11

Thanks for replying

I have a proxy server installed on pfSense, but I think it's turned off. I will check this.
But I will use Squid for cache usage..

Anyone for my second problem?
What am I missing?
As I said, if I give the source port I'm unable to establish the connection..
In that case how do I make the difference between two hosts with the same port range?
goodspeed_11

@phil.davis:

So what do I have to do to make it work?
Even if I have only this firewall rule:
Proto: any / Source: LAN net / Port: any / Dest.: any / Port: any / Gateway: LoadBalancing

I always have the public IP of my "default" gateway..?

What you describe should work. So post screenshots of the Gateway Group settings and LAN rules.

Are you running a proxy server (like Squid)? That will grab the client traffic and then effectively bypass the policy-routing rules.

YEAH MAN! It works, thanks!!!!
I effectively disabled Squid and it works fine…
I will see on the internet how to make them work together.
goodspeed_11

@goodspeed_11:

Another thing:
I must configure external access with this configuration: INTERNET > Modem > pfSense > Host (RDP for example).

• When I set:
  Modem: In: any - 9898 | out pfSense_WAN_IP 9899
  pfSense: In: any - 9899 | out Host_IP 3389
  Doesn't work!
• When I set:
  Modem: In: any - 9898 | out pfSense_WAN_IP 3389
  pfSense: In: any - ANY | out Host_IP 3389
  It works!

Why can't I set a source port?
For example, if I have 2 hosts on my LAN interface which work on the same port, how can I do this:
When I come in on port 1098 > I want to go to THIS host with port 3389
and
When I come in on port 1099 > I want to go to THIS SECOND host with port 3389

Thanks

Can anyone help me with this problem?
Thanks
doktornotor

Help with what? You told us right above that it works fine now without Squid, just a minute ago…
goodspeed_11

First problem: Same public IP with multi WAN

It was a bug with Squid.
So I disabled it and it works fine, but I must use Squid… So I did some searching and I found this:

• System / Advanced / Miscellaneous / Enable: default gateway switching
• on the proxy server (Squid3 (squid 2.X does not work for me... no internet access in transparent mode)):
  Tabs: General / Custom settings, I added:
  # match roughly half of the requests
  acl loadbalance random 0.5
  # WAN1 address (from the first post): used when the acl above matches
  tcp_outgoing_address 192.168.0.190 loadbalance
  # WAN2 address (from the first post): unconditional fallback for the rest
  tcp_outgoing_address 192.168.1.190

After that Squid3 (transparent mode) + load balancing works great BUT, because there is a but :P, I can't contact the GUI of my modem..
(Without Squid3, I can contact the GUI).

Can anyone help?? :)

Second problem: I can't set a source port for NAT rules

I just saw a new release of pfSense this morning: 2.2.1
Among the fixes, there is:
Bug #4238: Firewall rule: source port display issue

So, I will see if this works now (after my meeting) ^^
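As an added illustration (written for this thread, not taken from the post or from Squid's source), this Python model shows the selection order Squid applies to the `tcp_outgoing_address` lines in the configuration above: the lines are tried in configuration order, the first whose ACL matches wins, and a line without an ACL always matches. The `random 0.5` ACL matches each request independently with probability 0.5, so roughly half of the proxy's upstream connections are sourced from the WAN1 address and the rest from WAN2. This matters because, as phil.davis noted, the proxy itself opens the upstream connection, so the LAN policy-routing rule never sees that traffic and Squid has to pick the source address on its own. The addresses are the WAN IPs from the first post; the request count and seed are constructed for the demonstration.

```python
import random
from collections import Counter

# WAN interface addresses from the first post in this thread.
WAN1_IP = "192.168.0.190"
WAN2_IP = "192.168.1.190"

# ACL definitions: name -> (acl type, parameter). Only the "random" type is
# modelled, because that is the one used in the posted configuration.
ACLS = {"loadbalance": ("random", 0.5)}

# tcp_outgoing_address lines in squid.conf order: (address, acl name or None).
# A line without an ACL is unconditional, so it acts as the fallback.
OUTGOING = [(WAN1_IP, "loadbalance"), (WAN2_IP, None)]


def acl_matches(name, acls, rng):
    """Evaluate one ACL for a single request."""
    kind, param = acls[name]
    if kind == "random":
        return rng.random() < param
    raise ValueError(f"ACL type not modelled: {kind}")


def choose_outgoing(rules, acls, rng):
    """First-match selection: return the address of the first line whose ACL
    matches (or which has no ACL). None means no line matched, in which case
    Squid leaves the choice of source address to the operating system."""
    for address, acl in rules:
        if acl is None or acl_matches(acl, acls, rng):
            return address
    return None


def simulate(rules, acls, requests, seed):
    """Run `requests` upstream connections and count the source address used.
    The seed makes the run reproducible; it is a constructed value."""
    rng = random.Random(seed)
    return Counter(choose_outgoing(rules, acls, rng) for _ in range(requests))


if __name__ == "__main__":
    print("posted config:", simulate(OUTGOING, ACLS, 10000, seed=42))
    # Without an ACL on the first line every connection leaves from WAN1's
    # address, which is the "same public IP" symptom from the thread.
    print("no acl:", simulate([(WAN1_IP, None), (WAN2_IP, None)], ACLS, 10000, seed=42))
    # With only the ACL line and no fallback, requests the ACL rejects get no
    # explicit source address at all.
    print("no fallback:", simulate([(WAN1_IP, "loadbalance")], ACLS, 10000, seed=42))
```

The third run is the edge case worth checking in a real squid.conf: if the unconditional second line is forgotten, about half of the connections have no matching `tcp_outgoing_address` and leave with whatever address the default route gives them.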
doktornotor

@goodspeed_11:

So I disabled it and it works fine, but I must use Squid

Yeah, you must use Squid to make your life miserable. Good luck. (Perhaps edit the subject of this thread to include Squid in it.)
goodspeed_11

What do you know about that, huh?!
Nothing, so shut your mouth – We will use Squid for the cache, thanks for your contribution ;)

Good luck with just having a life ::)
doktornotor

@goodspeed_11:

What do you know about that, huh?!

Looking at this forum, I know enough about it to conclude that installing pointless "caching" proxies that will get some 3-5% hit rate if you are really lucky and break things left and right on the way makes absolutely no sense unless you are on a slooooooooow WAN.
goodspeed_11

@doktornotor:

@goodspeed_11:

What do you know about that, huh?!

Looking at this forum, I know enough about it to conclude that installing pointless "caching" proxies that will get some 3-5% hit rate if you are really lucky and break things left and right on the way makes absolutely no sense unless you are on a slooooooooow WAN.

As I said before, I work for a small company. So we have maybe 30 computers. When there are some Windows Updates, the bandwidth is saturated…
It's not ESSENTIAL, but IT can be PROFITABLE...

Here is a screenshot of the problem
WAN1: 192.168.0.91 -> Gateway 192.168.0.254 <-- This is where I have the GUI that I want to reach
WAN2: 192.168.1.91 -> Gateway 192.168.1.254

![Screen Shot 2015-03-18 at 16.01.52.png](/public/imported_attachments/1/Screen Shot 2015-03-18 at 16.01.52.png)
doktornotor

@goodspeed_11:

before, I work for a small company. So we have maybe 30 computers. When there are some Windows Updates, the bandwidth is saturated…

You should run a WSUS server on your LAN. Not Squid. Managing hotfixes manually on 30 computers? WTF. (Beyond that, last time I checked here, proxying Windows Update did not even work for the people who were trying it, just search the forum.)
goodspeed_11

I don't know which to choose between

2 modems > load balancer Duolinks SW24 | pfSense | LAN
or
2 modems > 1 pfSense for load balancing | 2nd pfSense for Squid + others | LAN

A little bit tired of all that :(

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.