Mod from single to dual Wan, what about DNS, NTP, DNAT rules?
  • I have successfully modified a full install of pfSense 2.2.4-RELEASE (amd64) from one WAN to dual WAN on a common tier for load-balancing. Traffic is balancing fairly well, but the setup doesn't seem complete. As an overview, here are my unanswered questions:

    WAN1 is still the default gateway. Should I not assign a default gateway, or does WAN1 or WAN2 always have to be the default?

    DNAT is interface-specific, as are the manual rules it creates. Does this mean DNATs will not load-balance? Or are duplicate DNATs needed for WAN2, along with a rule for each additional DNAT?

    I can assign the floating rules to both WAN interfaces, so I think I'm covered here.

    The DNS resolver has WAN2 added to "Outgoing Interfaces", yet it continues to only use WAN1. Fine until WAN1 quits and WAN2 carries all traffic. The resolver goes through a LAN rule "UDP,,,PfSense,53 (DNS),WANGROUP,none", so all DNS requests hit the resolver regardless of destination DNS address. WANGROUP was formerly "*", so the default GW handled it.

    I'm using a parent/child limiter to balance the uplink/downlink load on a "per-each IP" basis. The traffic shaper rule is on the LAN tab. I doubled the limiter bandwidth and changed the shaper rule from GW = WAN1 to WanGroup (WAN1+WAN2). But I would expect this is not ideal, because the load balance is not always even. So should the LAN rule be removed and a new limiter rule be added to each WAN adapter, with a separate dynamic limiter per adapter?

    The NTP service has its interface assigned to LAN. Fine until WAN1 quits and WAN2 carries all traffic. I don't see that adding the WAN1 & WAN2 interfaces would be appropriate here; am I wrong?

    Siproxd is WAN-specific, and WanGroup is not an interface choice, so no balancing here either? Again, fine until WAN1 quits and WAN2 carries all traffic.

    Thanks for the help…