Multi-WAN support with same gateway on multiple interfaces ***{NOW $650}***



  • I know this can be done already by natting all the interfaces to make it appear as multiple gateways but if commercial routers can do this, why not pfsense?

    I think pfsense is great but the whole system needs to be more multi-wan aware. I know lots of kernel hacking is required so please post your interest and bounty!

  I'm a home user but I'm going to put $100 down to see this get done. I can very well go buy a dual WAN commercial router but I want to see pfsense kick some serious ass!

    Thanks for looking!



  • You want load balancing between connections going over the same interface with the same gateway, or between multiple connections that share the gateway?



  • I talked to GoldServe in IRC last night - what he wants is multiple interfaces and connections with the same gateway Ermal. Like you'll usually end up with if you have multiple cable modems. Since we have to use IPs with route-to there isn't anything we can do as is, but I was hoping you'd see this.  :)  Thought you might know of a way to hack pf to accommodate this, if more people were willing to chip in on the bounty.



  • @cmb:

    Thought you might know of a way to hack pf to accommodate this, if more people were willing to chip in on the bounty.

    Well there is a way: adding to pf(4) the ability to directly send ARP packets on the wire :).
    But if I add that then it will open up the ability to do ARP level (layer 2) balancing, wouldn't it :P

    I might consider it if more people chip in on the bounty since kernel hacking is involved.

    Ermal



  • I really hope more people can add to this bounty. It would be much simpler to do multi-wan.



  • @ermal:

    Well there is a way: adding to pf(4) the ability to directly send ARP packets on the wire :).
    But if I add that then it will open up the ability to do ARP level (layer 2) balancing, wouldn't it :P

    I don't think that would solve it though - we're talking about the same MAC address on both interfaces as well generally, so L2 load balancing wouldn't fix this. It has to have a way to leave a particular physical interface, without using anything L2-L7.



  • @cmb:

    @ermal:

    Well there is a way: adding to pf(4) the ability to directly send ARP packets on the wire :).
    But if I add that then it will open up the ability to do ARP level (layer 2) balancing, wouldn't it :P

    I don't think that would solve it though - we're talking about the same MAC address on both interfaces as well generally, so L2 load balancing wouldn't fix this. It has to have a way to leave a particular physical interface, without using anything L2-L7.

    I thought it was the same IP for the gateway ;)

    For the same MAC address not much can be done with different environments ;-{



  • I really have no idea how pfSense works, because I am just in the thinking stages of whether I should move to a pfSense/IPCop router or should keep my perfectly fine Cisco multi-WAN VPN router.  Nevertheless, I'd like to throw this idea out there (please don't flame if it's a stupid idea).

    It seems that multi-WAN support is merely an appendage feature that's thrown in at the end of the project without much thought behind it.  But wouldn't it be better if iptables was redesigned to simply address which Ethernet port the packets should be forwarded to?

    --------------------
    Something like this would be the setup for someone who wants to have one group of PCs use one modem, and another group of PCs use another modem:

    | IP Range | Default Ethernet Adapter | Backup Ethernet Adapter | Load Balance Switch Threshold (kbps) (Note1) | Applicable Ports (Note2) |
    |---|---|---|---|---|
    | 192.168.0.* | 0 | 1 | 2000 | * |
    | 192.168.1.* | 1 | 0 | 2000 | * |
    | 192.168.1.0-192.168.1.10,192.168.1.15,192.168.1.34 | 0 | 1 | 2000 | * |

    --------------------
    And using the same table, but going with a different need, something like this would be the setup for someone who wants, for all PCs, to direct certain types of traffic to one modem, and other types of traffic to another modem:

    | IP Range | Default Ethernet Adapter | Backup Ethernet Adapter | Load Balance Switch Threshold (kbps) (Note1) | Applicable Ports (Note2) |
    |---|---|---|---|---|
    | * | 0 | 1 | 2000 | * |
    | * | 1 | 0 | 2000 | 80-81,500 |

    --------------------
    (Note1) Set "Load Balance Switch Threshold" to 0 kbps to never load balance, meaning the backup Ethernet adapter would only be used if the first one failed.

    (Note2) If you leave out a port, the router will not forward packets on that port to any Ethernet adapter, meaning the packet on that port would be dropped (blocked) like an outgoing firewall.
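    To see how the proposed table would behave on concrete flows, here is an added Python model of it (not code from the post or from pfSense). It assumes the first row matching both the source IP and the destination port wins, that `a.b.c.*` means a /24, that Note1's 0 threshold disables balancing, and that a flow matching no row is dropped as in Note2; the policy rows are constructed for this example.

```python
import ipaddress

# Constructed policy rows in the proposed table's column order:
# (IP range, default adapter, backup adapter, switch threshold kbps, applicable ports).
# Assumed semantics: first row matching both IP and port wins, so specific rows go first.
POLICY = [
    ("*", 1, 0, 0, "80-81,500"),                     # web + IKE from any host: modem 1, failover only
    ("192.168.1.0-192.168.1.10,192.168.1.34", 0, 1, 2000, "*"),
    ("192.168.1.*", 1, 0, 2000, "*"),
]

def ip_matches(spec, ip):
    """Match an address against the table's notation: '*', 'a.b.c.*', 'lo-hi', comma lists."""
    addr = ipaddress.ip_address(ip)
    for part in (p.strip() for p in spec.split(",")):
        if part == "*":
            return True
        if part.endswith(".*"):  # assumption: the wildcard last octet means a /24
            if addr in ipaddress.ip_network(part[:-2] + ".0/24"):
                return True
        elif "-" in part:
            lo, hi = (ipaddress.ip_address(p) for p in part.split("-"))
            if lo <= addr <= hi:
                return True
        elif addr == ipaddress.ip_address(part):
            return True
    return False

def port_matches(spec, port):
    """Match a port against '*', single ports and 'lo-hi' ranges in a comma list."""
    if spec == "*":
        return True
    for part in (p.strip() for p in spec.split(",")):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def choose_adapter(policy, src_ip, dst_port, link_up, load_kbps):
    """Adapter index a flow leaves on, or None when no row allows it (Note2: dropped).
    link_up and load_kbps are lists indexed by adapter number."""
    for ip_spec, default, backup, threshold, port_spec in policy:
        if not (ip_matches(ip_spec, src_ip) and port_matches(port_spec, dst_port)):
            continue
        if not link_up[default]:                  # failover: default link is down
            return backup if link_up[backup] else None
        if threshold and load_kbps[default] >= threshold and link_up[backup]:
            return backup                         # Note1: threshold 0 never balances
        return default
    return None
```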



  • Well,  ;D, you remind me of why so many people talk as they please and few of them do the real work.



  • That is a really cool idea and would put pfsense above all others! Unfortunately, it is going to take some massive rewrite and someone's commitment to accomplish that. I will put down $200 out of my own pocket to see work being done in that direction.



  • @ermal:

    Well,  ;D, you remind me of why so many people talk as they please and few of them do the real work.

    I'm sorry..

    @GoldServe:

    That is a really cool idea and would put pfsense above all others! Unfortunately, it is going to take some massive rewrite and someone's commitment to accomplish that. I will put down $200 out of my own pocket to see work being done in that direction.

    Thank you

    I would be inclined to support a project with this functionality as well, but I only learned about pfsense and feature bounties today.  I am wondering what the track record is and/or likelihood that something would actually be developed.



  • The bounty system proved successful for the traffic shaper. Now it is vastly improved and functional.



  • @hhh3h:

    I would be inclined to support a project with this functionality as well, but I only learned about pfsense and feature bounties today.  I am wondering what the track record is and/or likelihood that something would actually be developed.

    For this feature, I don't know how likely it is to be completed. This is a more difficult one to implement than ones that have been completed in the past.

    The only problem to date with bounties is people pledging support and never paying. The last one I did was even worse - I bought the hardware the company was using so I could implement the desired functionality with the promise it would be reimbursed, did the work as agreed upon and it was successfully completed. They refuse to pay, so I'm out $450 USD out of my pocket plus all the time spent. Losing time is one thing, losing that much money out of my pocket is another entirely… Lesson learned, I'll never buy any hardware under the promise of reimbursement again.

    The bounty system has proven to be a great way to get functionality implemented for the end users. The developers have gotten screwed on multiple occasions, to varying degrees, but no end user has ever gotten less than promised.



  • @cmb:

    @hhh3h:

    I would be inclined to support a project with this functionality as well, but I only learned about pfsense and feature bounties today.  I am wondering what the track record is and/or likelihood that something would actually be developed.

    For this feature, I don't know how likely it is to be completed. This is a more difficult one to implement than ones that have been completed in the past.

    Thank you for replying.  It seems that there are many, many threads I see on the internet about "why doesn't IPCop support multi-WAN", and "why is it so hard to get multi-WAN working in pfSense".  Therefore, I would assume that well-designed, intrinsic functionality to support a multi-WAN environment should be a high priority.

    But nevertheless, are you saying that I should not pledge any money on this project because it is not likely to be completed?  I would really appreciate a realistic projection.

    Thank you



  • Well nobody stops you from pledging!
    The problem is that the offer should be serious and so should be your commitment when the bounty is finished.

    I do not think that multi-WAN in pfSense is difficult, though in 1.3 the configuration has changed somewhat.

    The first thing before pledging money is stating what your needs are, and after that what your pledge is.

    Ermal



  • @ermal:

    Well nobody stops you from pledging!
    The problem is that the offer should be serious and so should be your commitment when the bounty is finished.

    I'm serious about getting something done.  I'm not going to pledge money for this idea if cmb is saying it's not going to be doable…



  • Actually it is quite doable and I am one of the possible implementers of it. Just need to be convinced to do it…



  • That's good news. I'm very serious about committing $200 of my personal money for this. I use pfsense for home use only as I am a geek =D I paid a little for the traffic shaper changes even though I do not use it, but I hear it was well worth it.

    Cheers!



  • @ermal:

    Actually it is quite doable and I am one of the possible implementers of it. Just need to be convinced to do it…

    Great.. How much total pledge money will convince you?



  • How much total pledge money will convince you?

    You make your offer and I will give my answer.



  • At this point, I am considering pledging an additional 200 USD on top of GoldServe's 200.

    However, I would feel more comfortable with a bit more convincing that a feature such as this is even feasible to do in the first place.  On page 1, you and cmb were discussing possibilities on how to tackle this initiative, and it didn't appear to have much resolution.

    I appreciate your response.



  • Sorry, not interested in this pledge since it is a major undertaking, really.

    For that matter, this is doable with some hacks directly to the kernel, not fancy ones, but it is doable.



  • Thanks anyway ermal.

    Any other developers out there?

    Any other pledges?



  • There hasn't been much activity on this thread for a while, but I would be willing to pledge $100 to have this sort of support added to pfSense.



  • I'll pledge whatever I can sell my 3 linksys wired routers for, probably $50.



  • I mean this would be a great thing to add to pfsense considering commercial or SOHO routers that do multi-WAN don't have this limitation. I'm willing to add more on top of my pledge if someone is capable of adding this!



  • Can someone change the thread title to be $550? (It's more, since goldserve said he would add more to his pledge.)



  • Would it satisfy you to have a MultiWAN wizard that did the NATing for you?  Might be easier to convince someone to do that.



  • I think you are mistaken. Right now, if I have 3 cable modems with the same provider, I will be given three IPs that are probably going to have the same gateway IP address assigned to each interface. The only way to overcome that right now is to put a NAT router in front of each pfsense interface so that it sees three internal IP addresses with different gateways. The bounty is to remove that limitation and modify the inner workings of the kernel to route traffic out of different interfaces with different MAC addresses, as opposed to routing by GW only.

    I think I'm correct in my understanding. Please correct me if I'm wrong.

    Thanks.



  • Probably not, I was trying to wrap my head around why this was difficult… ignore me…



  • My two cents - Why I think this is important.

    Many people will say "why go on about multi WAN all the time, some of us can just about afford 1 ISP link", but some people will have been drawn (myself included) and tried pfsense purely for its multi WAN capability when other firewall distributions don't or won't even entertain the idea.
    It is one of its biggest draws, and the stronger a feature it is, the bigger the draw. The bigger the draw, the larger the client base and hopefully more revenue for the developers.



  • I am definitely willing to see $100 towards this project. I've used ClarkConnect forever but am tired of paying 79.99 a year for multi-WAN capability with crappy everything else. Its DHCP fails every 4 days… as it is now I use pfSense as a DHCP server and only the CC box for multi-WAN. Please someone pursue this bounty, I might even go 150 if it's extremely easy to implement and money can sway your decision…



  • What I would like to see is the option to make multi WAN idiot proof. I know some people might not think this is a good idea but usability is important.

    It would be nice to see a GUI that enables you to:
    1. select the two interfaces you would like to do multi WAN on
       a. Load Balancing or Failover
    2. Enter speed and transfer per month

    Then multi WAN is working. Obviously it may be a little more in-depth than this, but I am sure you understand where I am going with this.



  • @xerovis:

    It would be nice to see a GUI that enables you to:
    1. select the two interfaces you would like to do multi WAN on
       a. Load Balancing or Failover
    2. Enter speed and transfer per month

    1: You can already do that.
    2: Has nothing to do with the load balancer. This is something for the traffic shaper. But AFAIK this is already done in 2.0.



  • I was hoping for some more implementation on this bounty.  It's been quite a while since the last post.  I have $50 that I could contribute to make this happen.  Is this just not a high priority for anyone?  Just curious if others are still interested?  Even if you can only give $20, if we have enough people giving $10 or $20, someone will take it… I hope.

    MOD:  Please change the thread to be $600



  • I'll throw in another 50, but what everybody needs to understand is that implementing this completely takes more than just a GUI. It's a royal pain in the ass of kernel programming…



  • This original bounty is extremely old and is a candidate for removal.  If the original bounty posters are still interested, then this bounty can stay active, but it will require someone willing to take this bounty up.  If you want this bounty to stay active, contact the original bounty posters and ask them to say so in this thread.



  • The reason this is still sitting here is because it's very difficult and requires heavy kernel modifications to software that we don't develop or maintain. At the typical rates that kernel developers command, this is a several thousand dollar project at a minimum, possibly into 5 figures, if we could even find someone willing and able to take it on. Of our existing developers, they either don't have the expertise, or don't have the time even if the money was there.

    I'd love to see this happen, but the reality is we'd need at least 10 times what has been offered here to interest anyone capable of doing this kind of work.

