multi wan _ load balancing - pfsensedocs


Upload: josebernard

Post on 24-Oct-2014


Multi WAN / Load Balancing

From PFSenseDocs

Contents

1 Caveats

2 Overview

3 Intro

4 Installation

5 Setting up your modems / routers

6 Finishing installation

7 Basic pfSense settings

8 Interfacing with modems / routers

9 Setting up load balancing and failover

9.1 Selecting a Monitor IP address

9.2 Setting up the pools

9.3 Set up useful aliases

9.4 Set up the basic firewall rules for outgoing access

9.5 Setting up DNS for Load Balancing

10 Port Forwarding and Applications

10.1 example port Forwarding follows

10.2 Supporting bittorrents

10.2.1 Summary of setup

10.2.2 bittorrent setup

10.2.3 Setup outgoing rule

10.2.4 Setup port forwarding on your modem / router

10.2.5 Setup port forwarding on pfSense

10.2.6 Turn on logging on the auto setup rule

10.2.7 Testing your configuration

10.2.8 turn off logging

Caveats

This page describes the setup using pfSense 1.1, updated to January 2007 (or later).

Important: if you are using pfSense 1.2 then use the updated documentation: MultiWanVersion1.2

For your own good, you may want to ignore most of the tutorials available, as they are either completely confusing or highly contradictory. The following is an attempt to very simply get you started.

Note that currently most pfSense add-on packages do NOT support multi WAN and all their traffic will use the WAN connection.

Overview

This setup enables pfSense to load balance traffic from your LAN to multiple internet connections (WANs). Traffic from the LAN is shared out on a round robin basis across the available WANs. pfSense monitors each WAN connection, using an IP address you provide, and if the monitor fails, a failover configuration is used; this typically just feeds all traffic down the other connection(s). This example sets up 2 WANs, but 3 or more can be used.

Intro

Multi WAN / Load Balancing - PFSenseDocs http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing

1 de 13 20/05/2012 08:51 p.m.


You will probably find you have three types of traffic you need to allow for:

1. Traffic that can be load balanced with no problems (e.g. general web browsing)

2. Traffic where one connection is preferred, but it's alright to failover to the other if the first one fails (e.g. some bank websites, games like counterstrike, other apps - like Microsoft's new web conferencing)

3. Traffic that has to go to one specific connection; if the connection is down, it will just have to wait (e.g. SMTP mail to your ISP, which typically has to come from inside their own network)

Installation

This is a quick, simple installation guide; you can find more detailed instructions in the full Installing_pfSense part of the Wiki.

First, install a video card, a keyboard, a CD-ROM drive, an IDE hard disk drive, 128MB of RAM or more and at least three network interfaces in your target machine. Do not install any unnecessary hardware like a modem, because pfSense cannot use it.

The hardware setup for the installation tested was Pentium Pro 200, 128MB EDO RAM, Floppy 1.4MB, Trident VGA, 4 Realtek 8139D PCI cards, ATAPI CD-ROM 24X, 2 IDE 1GB drives. As you can see it was quite an old system, but it all still worked quite well. pfSense was also installed on a DELL Dimension 4100 800MHz without any problems.

Next, download the current Snapshot ISO from http://snapshots.pfsense.com/FreeBSD6/RELENG_1_2/iso/pfSense.iso.gz

Once the download is complete uncompress the file and burn the CD.

Set up your BIOS to boot from the CD and then insert the CD into the drive. Reboot the machine and watch the FreeBSD 6.2 operating system boot up your machine. Do not worry if you cannot catch everything that is scrolling by, because you can see all of it when the boot is complete by pressing Scroll Lock on your keyboard and using the Page Up/Down keys. The boot process should stop and ask you to configure the network interfaces. If you managed to make it that far, the rest of the installation will most likely be successful.

Answer no to the first prompt asking to setup Virtual Interface/Lan by typing n.

Now it will ask you to select the LAN interface. This is the interface that you will attach to an Ethernet switch if more than one computer will be accessing the pfSense to get to the internet. To select this interface use the automatic procedure by disconnecting all interface cables from all the network interfaces of the pfSense. Follow the instructions on the screen and then attach the computer via an Ethernet cable to the LAN port. Mark this interface as the LAN interface.

Next it will ask you to select the WAN port. In a Dual Wan configuration the WAN port is the primary WAN. If you have not set up your DSL/CABLE modem/routers yet, select an interface by specifying the name of the interface as shown on the display. This interface can be changed later on.

Then select the OPT1 port by specifying the name of the next interface as shown on the display. The OPT1 port will become your secondary WAN port. Even if you have more interfaces to configure, press enter at the next interface request to end the configuration.

pfSense will start to load and configure itself. With a little luck, you will pass the point where pfSense configures the WAN interface. This is where the interrupts are tested and if your hardware is set up properly, or if you have a newer computer, it will breeze through and arrive at the pfSense Console Setup page. Here you will install pfSense to your hard disk by entering 99. If you do not make it to this page you have a hardware compatibility problem with the FreeBSD operating system.

Installation is pretty painless: tell it to format and make a new partition if you want everything cleaned off, and once complete you'll see FreeBSD loading. The loading will take some time. This time can be used to determine how you will connect the pfSense WAN ports to the internet.

Setting up your modems / routers


If you have CABLE/DSL modems that are bridge routers you can use them in bridge or router mode. The client ID (PPPoE) is installed on the modem/router and the modem/router maps the Public IP it receives to a Private IP on the modem/router LAN interface. How to do this is specific to each modem/router.

WAN (Wan1) modem/router LAN IP (192.168.0.254)

LAN Gateway (192.168.0.254)

DNS relay (192.168.0.254)

DHCP Server (192.168.0.2 -> 192.168.0.253)

OPT1 (Wan2) modem/router LAN IP (192.168.2.254)

LAN Gateway (192.168.2.254)

DNS relay (192.168.2.254)

DHCP Server (192.168.2.2 -> 192.168.2.253)

Once you have set up the modem/routers, test their connectivity by accessing the internet and obtaining the Public IP either by the modem/router web interface or using http://whatismyip.org

Finishing installation

The software installation to the hard disk should be complete by now, so attach the modem/routers to the WAN and OPT port and a computer running Internet Explorer or Firefox on the LAN port that you marked previously. It does not matter if you do not have the modem/router in the right ports because you can tell which one is in which port by looking at the DHCP address received by the pfSense WAN and OPT1 interfaces.

Reboot the pfSense by a three key reset. Once FreeBSD loads, it will tell you as it does so if there were any errors. Once the reboot is complete make sure that your attached computer has a valid IP address in the 192.168.1.x subnet. If it does not, force a repair on the LAN connection of your computer.

Time to start the pfSense WebConfigurator, the GUI, which lets you do many things besides setting up pfSense! Enter http://192.168.1.1/ into your web browser.

Basic pfSense settings

You will be prompted to login. Use Admin as user name, and pfsense as your password. The Setup Wizard will start and guide you through the initial configuration of pfSense. Set the italicized parameters as below and leave the others as they are set.

On this screen you will set the General pfSense parameters.

Hostname:pfsense

Domain:private.lan

Primary DNS Server:

Secondary DNS Server:

Please enter the time, date and time zone.

Time server dns name:pool.ntp.org


Timezone:Etc/UTC

On this screen we will configure the Wide Area Network information.

Type:DHCP

Hostname:pfWan1

FTP Helper:checked

Block private networks:unchecked

On this screen we will configure the Local Area Network information.

LAN IP Address:192.168.1.1

Subnet Mask:24

On this screen we will set the Admin password which is used to access the WebGUI and SSH services.

Admin Password:admin

Admin Password AGAIN:????????

Click 'Reload' to reload pfSense with new changes. If you changed the password, pfSense will ask you to log in again.

You need to make sure that DNS queries are being handled by the modem/routers. This is handled on the Services: DNS forwarder page. Check the appropriate boxes.


Alright, if you've gotten this far, you can probably already surf the internet. If so, this is an excellent sign. If not, you may find that you experience trouble that is NOT pfSense based. Make sure your cables are good, and your internet is working on both incoming internet connections.

Interfacing with modems / routers

Before continuing to configure the pfSense Web GUI make sure that the modem/routers are on the correct network interfaces. The interfaces are shown on the boot up display attached to the pfSense. Make sure that your primary Wan1 modem/router (192.168.0.x) is attached to WAN and that your secondary Wan2 modem/router (192.168.2.x) is attached to OPT1. If they are not, you can correct them by selecting the right interface using the drop down boxes under Interfaces:Assign

LAN rl0 (00:xx:xx:xx:xx:bc)

WAN rl1 (00:xx:xx:xx:xx:a1)

OPT1wan2 rl2 (00:xx:xx:xx:xx:96)

Once the pfSense interface selection is complete, the MAC address (00:xx:xx:xx:xx:a1) of WAN interface rl1 needs to be made static to 192.168.0.2 in the Wan1 modem/router's DHCP server. The Wan1 modem/router's web interface should be accessible through the pfSense at 192.168.0.254. In addition set the port addresses of the Wan1 modem/router interfaces to HTTP:8080 FTP:8021 TelNet:8023.

The MAC address (00:xx:xx:xx:xx:96) of OPT1 interface rl2 also needs to be made static to 192.168.2.2 in the Wan2 modem/router's DHCP server. The Wan2 modem/router's web interface should be accessible through the pfSense at 192.168.2.254. In addition set the port addresses of the Wan2 modem/router interfaces to HTTP:8080 FTP:8021 TelNet:8023.

A reboot of both modem/routers and the pfsense is required after these changes.

The new URLs are http://192.168.0.254:8080/ for the Wan1 and http://192.168.2.254:8080/ for the Wan2 modem/router.

Now finish setting up the pfsense interfaces as follows

Interfaces: LAN IP configuration

Bridge with:none

IP address:192.168.1.1/24

FTP Helper:checked

Interfaces: Optional 1 (OPT1wan2)


[Figure: how the various Pools and gateways are related, and how they can be used]

Enable Optional 1 interface:checked

Description:OPT1wan2

Type:DHCP

FTP Helper:checked

Hostname:pfWan2

Setting up load balancing and failover

It is time to set up Outgoing Load Balancing and Failover. Initially you will not have any pools. You will create 3 pools:

Wan1BalanceWan2 - used to share out all access on a round robin basis as long as both connections are available

Wan1FailoverWan2 - used when Wan1 is down - all traffic will use Wan2

Wan2FailoverWan1 - used when Wan2 is down - all traffic will use Wan1

Selecting a Monitor IP address

pfSense monitors each WAN connection by pinging the monitor address you specify. If the ping fails, the link is marked down and the appropriate failover configuration is used (actually, if the ping fails it retries a few times to be sure; this avoids false indications of the connection going down).

Note that pfSense automatically sets up to route traffic to your monitor IP only down the link it is monitoring, so don't use a popular web site, as this will force all its traffic down 1 link. Better to use a router or server in your ISP's network.

Good addresses to use are the default gateway your modem has assigned (if it responds to ping!), your ISP's DNS server, webmail server, or a router within your ISP's network. You can find one of these by using traceroute to a public service. Be careful though: larger ISPs will have networks that dynamically adapt, so a router you see now may not be there an hour later!
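The pool and monitor behaviour described above, as a small model added here (it is not pfSense code and not part of the original page). It assumes that a failover pool uses its first listed member that is up and that a link is marked down after 3 consecutive missed pings; the monitor IPs are constructed placeholder addresses, while the gateways and pool names are the ones used on this page.

```python
from dataclasses import dataclass

FAIL_THRESHOLD = 3  # assumption: the page only says the ping is retried "a few times"

@dataclass
class Link:
    name: str
    gateway: str
    monitor_ip: str
    misses: int = 0  # consecutive failed monitor pings

    def record_ping(self, ok):
        """Feed one monitor result; a single success clears the failure count."""
        self.misses = 0 if ok else self.misses + 1

    @property
    def up(self):
        return self.misses < FAIL_THRESHOLD

@dataclass
class Pool:
    name: str
    behavior: str  # "balance" or "failover"
    members: list  # order matters for failover (assumed: first live member wins)
    turn: int = 0  # round-robin cursor

    def pick(self):
        """Return the Link a new connection would use, or None if every link is down."""
        live = [m for m in self.members if m.up]
        if not live:
            return None
        if self.behavior == "failover":
            return live[0]
        link = live[self.turn % len(live)]
        self.turn += 1
        return link

def build_setup():
    """Gateways are the page's; monitor IPs are constructed (documentation ranges)."""
    wan = Link("WAN", "192.168.0.254", "203.0.113.1")
    opt1 = Link("OPT1wan2", "192.168.2.254", "198.51.100.1")
    pools = {
        "Wan1BalanceWan2": Pool("Wan1BalanceWan2", "balance", [wan, opt1]),
        "Wan1FailoverWan2": Pool("Wan1FailoverWan2", "failover", [wan, opt1]),
        "Wan2FailoverWan1": Pool("Wan2FailoverWan1", "failover", [opt1, wan]),
    }
    return wan, opt1, pools

def route_for(dst_ip, pool, links):
    """Traffic to a monitor IP is pinned to the link it monitors; the rest follows the pool."""
    for link in links:
        if dst_ip == link.monitor_ip:
            return link
    return pool.pick()

if __name__ == "__main__":
    wan, opt1, pools = build_setup()
    for _ in range(FAIL_THRESHOLD):  # enough missed pings to take WAN down
        wan.record_ping(False)
    for name, pool in pools.items():
        chosen = pool.pick()
        print(name, "->", chosen.name, "via", chosen.gateway)
    pinned = route_for(wan.monitor_ip, pools["Wan1BalanceWan2"], [wan, opt1])
    print("traffic to the WAN monitor IP ->", pinned.name)
```

The last line of output shows why a popular web site makes a poor monitor IP: everything addressed to it leaves on the monitored link, whatever the pool would have chosen.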

Setting up the pools

Select Services:Load Balancer. You can create the pools by clicking the button then filling out the Edit Pool page with the following

Load Balancer:Pool:Edit

Name:Wan1BalanceWan2

Behavior:Load Balancing

Monitor IP:WAN’s Gateway

Interface Name:WAN

click add to pool

Monitor IP:OPT1wan2’s Gateway

Interface Name:OPT1wan2

click add to pool

Save

Create new pool

Name:Wan1FailoverWan2

Behavior:Failover

Monitor IP:WAN’s Gateway

Interface Name:WAN

click add to pool

Monitor IP:OPT1wan2’s Gateway

Interface Name:OPT1wan2

click add to pool

Save


Create new pool

Name:Wan2FailoverWan1

Behavior:Failover

Monitor IP:OPT1wan2’s Gateway

Interface Name:OPT1wan2

click add to pool

Monitor IP:WAN’s Gateway

Interface Name:WAN

click add to pool

Save

You have successfully created 3 Gateways.

The results should look as follows

Set up useful aliases

These pools can be used as gateways in the Outgoing Firewall Rules. To make it easier, define at least 4 aliases under Firewall:Aliases.

HTTPsAll: Ports 22, 443, 444, 3389, 8443 (Secure Protocols)

SS6520s: IPs 192.168.0.254, 192.168.2.254 (Internet Routers)

SS6520a1: IP 192.168.0.254 (Speedstream 6520 ADSL2 Wan1 Router)

SS6520a2: IP 192.168.2.254 (Speedstream 6520 ADSL2 Wan2 Router)

Set up the basic firewall rules for outgoing access

Add the following to Firewall:Rules on the LAN tab by clicking

Using this page to set the rules Firewall: Rules: Edit


Create the 5 Rules defined below


Once all of the active rules have been added and Applied the Dual Wan setup is complete!

Setting up DNS for Load Balancing

Make sure that you have a DNS server from each ISP in the General Settings. This will ensure that you have DNS service in case one ISP goes down. You will also need to set up Static Routes for each DNS server. In this example, if the DNS server is on the WAN link then the static route for that DNS server will have 192.168.0.254 as the gateway. If the DNS server is on the other ISP (i.e. OPT1) then the static route will have 192.168.2.254 as the gateway.

Port Forwarding and Applications

If you need to support servers on the LAN, use the NAT port Forward tab to open the ports you require for both the WAN and OPT1wan2 interfaces. NAT port forwarding automatically creates Firewall rules for those ports.

example port Forwarding follows


Supporting bittorrents

Bittorrents are best coped with by restricting the traffic to only use 1 WAN connection. This description locks bittorrent to one WAN connection. With a bit more setup it would be possible to make this fail over, but when it failed over I'm not sure how long the bittorrent application would take to sort out both itself and the peers it was connected to, so it may not be worth it anyway!


[Figure: connection settings in uTorrent]

If you want to understand more about port usage and other things then use Brian's FAQ here...[1]

Summary of setup

bittorrent uses both outgoing and incoming connections, so a number of things need to happen:

1. make sure that your bittorrent application is configured to use only a single port (does not change each time you run bittorrent).

2. set up a rule on LAN to make sure that outgoing connections from the machine running bittorrent always go the same way.

3. set up port forwarding on the modem router on the appropriate WAN connection to forward to pfSense.

4. set up port forwarding in pfSense to forward to the machine running bittorrent.

5. turn on logging on the auto setup rule on WAN or WAN2 to allow traffic to the bittorrent machine.

6. test your config using the bittorrent application's port forward checker.

7. turn off logging on your new rules

8. sit back and watch the data flow.

bittorrent setup

This varies depending on the bittorrent application you use. I use uTorrent.

You can use a randomly generated port on first set up, but don't change the port on each run (unless you want to change pfSense and your modem every time as well!).

You don't need to use UPnP port mapping, and you only check the firewall exceptions box if you are using Windows Firewall.

Setup outgoing rule

This LAN rule makes sure that the connection to the tracker goes down the right pipe. Change the address 192.168.1.250 to the LAN address of your bittorrent machine.

Turn on logging when you first put the rule in, and once you know it is all working you can turn it off.

Note that I have logged uTorrent and it also outward connects to torrent peers using source ports from around 2000 upwards (each new connection increments the port number). For this reason I think the best answer is to set up for all traffic from the bittorrent machine to be mapped to the one connection, rather than specific ports. Maybe someone who knows can refine this.

Setup port forwarding on your modem / router

If your modem / router is NATing, then you need to set it up to forward the port set up in step 1 to pfSense - 25017 in this example. You'll need to look in your modem / router documentation for this, or consult Brian's FAQ as linked at the top of this section.

Alternatively your router may allow you to forward everything to pfSense - my Linksys ADSL modem has this facility, which makes life easy.