Pfsense_Multi WAN _ Load Balancing

Date post: 28-Mar-2015
Upload: farrukhndm

Multi WAN / Load Balancing

From PFSenseDocs

Contents

1 Caveats

2 Overview

3 Intro

4 Installation

5 Setting up your modems / routers

6 Finishing installation

7 Basic pfSense settings

8 Interfacing with modems / routers

9 Setting up load balancing and failover

9.1 Selecting a Monitor IP address

9.2 Setting up the pools

9.3 Set up useful aliases

9.4 Set up the basic firewall rules for outgoing access

9.5 Setting up DNS for Load Balancing

10 Port Forwarding and Applications

10.1 example port Forwarding follows

10.2 Supporting bittorrents

10.2.1 Summary of setup

10.2.2 bittorrent setup

10.2.3 Setup outgoing rule

10.2.4 Setup port forwarding on your modem / router

10.2.5 Setup port forwarding on pfSense

10.2.6 Turn on logging on the auto setup rule

10.2.7 Testing your configuration

10.2.8 turn off logging

Caveats

Multi WAN / Load Balancing - PFSenseDocs http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing

1 of 18 12/30/2009 3:44 PM

This page describes the setup using pfSense 1.1, updated to January 2007 (or later).

Important: if you are using pfSense 1.2 then use the updated documentation: MultiWanVersion1.2

For your own good, you may want to ignore most of the tutorials available, as they are either completely

confusing, or highly contradictory. The following is an attempt to very simply get you started.

Note that currently most pfSense add-on packages do NOT support multi WAN and all their traffic will use

the WAN connection.

Overview

This setup enables pfSense to load balance traffic from your LAN to multiple internet connections (WANs). Traffic from the LAN is shared out on a round robin basis across the available WANs. pfSense monitors each WAN connection, using an IP address you provide, and if the monitor fails, a failover configuration is used; this typically just feeds all traffic down the other connection(s). This example sets up 2 WANs, but 3 or more can be used.

Intro

You will probably find you have three types of traffic you need to allow for:

1. Traffic that can be load balanced with no problems (e.g. general web browsing)

2. Traffic where one connection is preferred, but it's alright to failover to the other if the first one fails (e.g. some bank websites, games like counterstrike, other apps - like Microsoft's new web conferencing)

3. Traffic that has to go to one specific connection; if the connection is down, it will just have to wait (e.g. SMTP mail to your ISP, which typically has to come from inside their own network)

Installation

This is a quick / simple installation guide; you can find more detailed instructions in the full Installing_pfSense part of the Wiki.

First step, install a Video card, Keyboard, a CD-ROM drive, an IDE hard Disk drive, 128MB of ram or more and

at least three Network interfaces in your target machine. Do not install any unnecessary hardware like a modem

because Pfsense cannot use it.

The hardware setup for the installation tested was Pentium Pro 200, 128MB EDO ram, Floppy 1.4MB, Trident

VGA, 4 Realtek 8139D PCI cards, ATAPI CD_ROM 24X, 2 IDE 1GB drives. As you can see it was quite an old

system but it all still worked quite well. Pfsense was also installed on a DELL Dimension 4100 800MHz without

any problems.

Next, download the current Snapshot ISO from http://snapshots.pfsense.com/FreeBSD6/RELENG_1_2/iso/pfSense.iso.gz

Once the download is complete, uncompress the file and burn the CD.

Set up your BIOS to boot from the CD and then insert the CD into the drive. Reboot the machine and watch the FreeBSD 6.2 operating system boot up your machine. Do not worry if you cannot catch everything that is scrolling by, because you can see all of it when the boot is complete by pressing Scroll Lock on your keyboard and using the Page Up/Down keys. The boot process should stop and ask you to configure the network interfaces. If you managed to make it that far, the rest of the installation will most likely be successful.

Answer no to the first prompt asking to setup Virtual Interface/Lan by typing n.

Now it will ask you to select the LAN interface. This is the interface that you will attach to an Ethernet switch if

more than one computer will be accessing the pfsense to get to the internet. To select this interface use the

automatic procedure by disconnecting all interface cables from all the network interfaces of the pfsense. Follow

the instructions on the screen and then attach the computer via an Ethernet cable to the LAN port. Mark this

interface as the LAN interface.

Next it will ask you to select the WAN port. In a Dual Wan configuration the Wan port is the primary wan. If you

have not set up your DSL/CABLE modem/routers yet select an interface by specifying the name of the interface

as shown on the display. This interface can be changed later on.

Then select the OPT1 port specifying the name of the next interface as shown on the display. The OPT1 port will

become your secondary Wan port. Even if you have more interfaces to configure press enter at the next interface

request to end the configuration.

Pfsense will start to load and configure itself. With a little luck, you will pass the point where pfsense configures

the WAN interface. This is where the interrupts are tested and if your hardware is set up properly, or if you have a

newer computer, it will breeze through and arrive at the Pfsense Console Setup page. Here you will install pfsense

to your hard disk by entering 99. If you do not make it to this page you have a hardware compatibility problem

with the FreeBSD operating system.

Installation is pretty painless: tell it to format and make a new partition if you want everything cleaned off, and once complete you'll see FreeBSD loading. The loading will take some time. This time can be used to determine how you will connect the pfsense wan ports to the internet.

Setting up your modems / routers

If you have CABLE/DSL modems that are bridge routers you can use them in bridge or router mode. The client

ID (PPPoE) is installed on the modem/router and the modem/router maps the Public IP it receives to a Private IP

on the modem/router LAN interface. How to do this is specific to each modem/router.

WAN (Wan1) modem/router LAN IP (192.168.0.254)

LAN Gateway (192.168.0.254)

DNS relay (192.168.0.254)

DHCP Server (192.168.0.2 -> 192.168.0.253)

OPT1 (Wan2) modem/router LAN IP (192.168.2.254)

LAN Gateway (192.168.2.254)

DNS relay (192.168.2.254)

DHCP Server (192.168.2.2 -> 192.168.2.253)

Once you have set up the modem/routers test their connectivity by accessing the internet and obtaining the Public

IP either by the modem/router web interface or using http://whatismyip.org

Finishing installation

The software installation to the hard disk should be complete by now so attach the modem/routers to the WAN

and OPT port and a computer running Internet Explorer or Firefox on the LAN port that you marked previously.

It does not matter if you do not have the modem/router in the right ports because you can tell which one is in

which port by looking at the DHCP address received by the pfsense WAN and OPT1 interfaces.

Reboot the pfsense by a three key reset. Once FreeBSD loads, it will tell you as it does so if there were any errors. Once the reboot is complete, make sure your attached computer has a valid IP address in the 192.168.1.x subnet. If it does not, force a repair on the LAN connection of your computer.

Time to start the pfsense WebConfigurator, the GUI, which lets you do many things besides setting up pfsense! Enter http://192.168.1.1/ into your web browser.

Basic pfSense settings

You will be prompted to login. Use Admin as user name, and pfsense as your password. The Setup Wizard will

start and guide you through the initial configuration of pfSense. Set the italicized parameters as below and leave

the others as they are set.

On this screen you will set the General pfSense parameters.

Hostname:pfsense

Domain:private.lan

Primary DNS Server:

Secondary DNS Server:

Please enter the time, date and time zone.

Time server dns name:pool.ntp.org

Timezone:Etc/UTC

On this screen we will configure the Wide Area Network information.

Type:DHCP

Hostname:pfWan1

FTP Helper:checked

Block private networks:unchecked

On this screen we will configure the Local Area Network information.

LAN IP Address:192.168.1.1

Subnet Mask:24

On this screen we will set the Admin password which is used to access the WebGUI and SSH services.

Admin Password:admin

Admin Password AGAIN:????????

Click 'Reload' to reload pfSense with new changes. If you changed the password, pfSense will ask you to log

in again.

You need to make sure that DNS queries are being handled by the modem/routers. This is handled on the Services: DNS forwarder page. Check the appropriate boxes.

Alright, if you've gotten this far, you can probably already surf the internet. If so, this is an excellent sign. If not,

you may find that you experience trouble that is NOT pfsense based. Make sure your cables are good, and your

internet is working on both incoming internet connections.

Interfacing with modems / routers

Before continuing to configure the pfsense Web GUI make sure that the modem/routers are on the correct

network interfaces. The interfaces are shown on the boot up display attached to the pfsense. Make sure that your

primary Wan1 modem/router (192.168.0.x) is attached to WAN and that your secondary Wan2 modem/router

(192.168.2.x) is attached to OPT1. If they are not, you can correct them by selecting the right interface using the

drop down boxes under

Interfaces:Assign

LAN rl0 (00:xx:xx:xx:xx:bc)

WAN rl1 (00:xx:xx:xx:xx:a1)

OPT1wan2 rl2 (00:xx:xx:xx:xx:96)

Once the pfsense interface selection is complete the MAC (00:xx:xx:xx:xx:a1) address of WAN interface rl1

needs to be made static to 192.168.0.2 in the Wan1 modem/router’s DHCP server. The Wan1 modem/router’s

web interface should be accessible through the pfsense at 192.168.0.254. In addition set the port addresses of the

Wan1 modem/router interfaces to HTTP:8080 FTP:8021 TelNet:8023.

The MAC (00:xx:xx:xx:xx:96) address of OPT1 interface rl2 also needs to be made static to 192.168.2.2 in the

Wan2 modem/router’s DHCP server. The Wan2 modem/router’s web interface should be accessible through the

pfsense at 192.168.2.254. In addition set the port addresses of the Wan2 modem/router interfaces to HTTP:8080

FTP:8021 TelNet:8023.

A reboot of both modem/routers and the pfsense is required after these changes.

The new URLs are http://192.168.0.254:8080/ for the Wan1 and http://192.168.2.254:8080/ for the Wan2

modem/router.

Now finish setting up the pfsense interfaces as follows

Interfaces: LAN IP configuration

Bridge with:none

IP address:192.168.1.1/24

FTP Helper:checked

Interfaces: Optional 1 (OPT1wan2)

Enable Optional 1 interface:checked

Description:OPT1wan2

Type:DHCP

FTP Helper:checked

Hostname:pfWan2

Setting up load balancing and failover

[Figure: how the various pools and gateways are related, and how they can be used]

It is time to set up Outgoing Load Balancing and Failover. Initially you will not have any pools. You will create 3 pools:

Wan1BalanceWan2 - used to share out all access on a round robin basis as long as both connections are available

Wan1FailoverWan2 - used when Wan1 is down - all traffic will use Wan2

Wan2FailoverWan1 - used when Wan2 is down - all traffic will use Wan1

Selecting a Monitor IP address

pfSense monitors each WAN connection by pinging the monitor address you specify. If the ping fails, the link is marked down and the appropriate failover configuration is used (actually, if the ping fails it retries a few times to be sure; this avoids false indications of the connection going down).

Note that pfSense automatically sets up to route traffic to your monitor IP only down the link it is monitoring, so

don't use a popular web site as this will force all its traffic down 1 link. Better to use a router or server in your

ISP's network.

Good addresses to use are the default gateway your modem has assigned (if it responds to ping!), your ISP's DNS server, webmail server, or a router within your ISP's network. You can find one of these by using traceroute to a public service. Be careful though: larger ISPs will have networks that dynamically adapt, so a router you see now may not be there an hour later!
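
The monitoring and pool behaviour described in this section, modelled as an added example (it is not pfSense code and not part of the original page). It assumes a link is marked down after 3 consecutive failed pings, that one successful ping restores it, and that a failover pool uses the first live member in the order the members are listed; the ping results are constructed sample data.

```python
# Simplified model of the link monitor and the three pools described above.
# Added illustration only; this is not pfSense code.

RETRIES = 3  # assumption: the page only says the ping is retried "a few times"

# Pool name -> (behaviour, members in the order they are added to the pool)
POOLS = {
    "Wan1BalanceWan2": ("balance", ["WAN", "OPT1wan2"]),
    "Wan1FailoverWan2": ("failover", ["WAN", "OPT1wan2"]),
    "Wan2FailoverWan1": ("failover", ["OPT1wan2", "WAN"]),
}

# Constructed sample: one dict of ping results per monitoring interval.
SAMPLE_PINGS = [
    {"WAN": True, "OPT1wan2": True},
    {"WAN": False, "OPT1wan2": True},   # single lost ping, must not trigger failover
    {"WAN": True, "OPT1wan2": True},
    {"WAN": False, "OPT1wan2": True},
    {"WAN": False, "OPT1wan2": True},
    {"WAN": False, "OPT1wan2": True},   # third consecutive failure: WAN goes down
    {"WAN": True, "OPT1wan2": True},    # monitor answers again: WAN comes back
]


class LinkMonitor:
    """State of one WAN link, driven by ping results for its monitor IP."""

    def __init__(self, retries=RETRIES):
        self.retries = retries
        self.failures = 0
        self.up = True

    def record(self, ping_ok):
        if ping_ok:
            self.failures = 0
            self.up = True  # assumption: one good ping restores the link
        else:
            self.failures += 1
            if self.failures >= self.retries:
                self.up = False
        return self.up


def live_members(pool, monitors):
    """Links of a pool that may carry traffic right now."""
    behaviour, members = POOLS[pool]
    alive = [m for m in members if monitors[m].up]
    # Failover: only the first live member is used. Balance: all live members.
    return alive[:1] if behaviour == "failover" else alive


def assign(pool, monitors, n_connections):
    """Share n new connections round robin over the live members."""
    alive = live_members(pool, monitors)
    if not alive:
        return []  # every link in the pool is down
    return [alive[i % len(alive)] for i in range(n_connections)]


def simulate(pings, pool, per_interval=2):
    """Replay ping results and return the link chosen for each new connection."""
    monitors = {"WAN": LinkMonitor(), "OPT1wan2": LinkMonitor()}
    timeline = []
    for interval in pings:
        for link, ok in interval.items():
            monitors[link].record(ok)
        timeline.append(assign(pool, monitors, per_interval))
    return timeline


if __name__ == "__main__":
    for pool in POOLS:
        print(pool)
        for n, links in enumerate(simulate(SAMPLE_PINGS, pool), 1):
            print(f"  interval {n}: {links}")
```
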

Setting up the pools

Select Services:Load Balancer. You can create the pools by clicking the button then filling out the Edit Pool

page

with the following

Load Balancer:Pool:Edit

Name:Wan1BalanceWan2

Behavior:Load Balancing

Monitor IP:WAN’s Gateway

Interface Name:WAN

click add to pool

Monitor IP:OPT1wan2’s Gateway

Interface Name:OPT1wan2

click add to pool

Save

Create new pool

Name:Wan1FailoverWan2

Behavior:Failover

Monitor IP:WAN’s Gateway

Interface Name:WAN

click add to pool

Monitor IP:OPT1wan2’s Gateway

Interface Name:OPT1wan2

click add to pool

Save

Create new pool

Name:Wan2FailoverWan1

Behavior:Failover

Monitor IP:OPT1wan2’s Gateway

Interface Name:OPT1wan2

click add to pool

Monitor IP:WAN’s Gateway

Interface Name:WAN

click add to pool

Save

You have successfully created 3 Gateways.

The results should look as follows

Set up useful aliases

These pools can be used as gateways in the Outgoing Firewall Rules. To make it easier, define at least 4 aliases

under Firewall:Aliases.

HTTPsAll - Ports 22, 443, 444, 3389, 8443 - Secure Protocols

SS6520s - IPs 192.168.0.254, 192.168.2.254 - Internet Routers

SS6520a1 - IP 192.168.0.254 - Speedstream 6520 ADSL2 Wan1 Router

SS6520a2 - IP 192.168.2.254 - Speedstream 6520 ADSL2 Wan2 Router

Set up the basic firewall rules for outgoing access

Add the following to Firewall:Rules on the LAN tab by clicking

Using this page to set the rules Firewall: Rules: Edit

Create the 5 Rules defined below

Once all of the active rules have been added and Applied the Dual Wan setup is complete!

Setting up DNS for Load Balancing

Make sure that you have a DNS server from each ISP in the General Settings. This will ensure that you have DNS service in case one ISP goes down. You will also need to set up Static Routes for each DNS server. In this example, if the DNS server is on the WAN link then the static route for that DNS server will have 192.168.0.254 as the gateway. If the DNS server is on the other ISP (i.e. OPT1) then the static route will have 192.168.2.254 as the gateway.

Port Forwarding and Applications

If you need to support servers on the LAN use the NAT port Forward tab to open the ports you require for both

the WAN and OPT1wan2 interfaces. NAT port forwarding automatically creates Firewall rules for those ports.

example port Forwarding follows

[Figure: connection settings in uTorrent]

Supporting bittorrents

bittorrents are best coped with by restricting the traffic to only use 1 WAN connection. This description locks bittorrent to one WAN connection. With a bit more setup it would be possible to make this failover, but when it failed over I'm not sure how long the bittorrent application would take to sort out both itself and the peers it was connected to, so it may not be worth it anyway!

If you want to understand more about port usage and other things then use Brian's FAQ here...[1]

(http://btfaq.com/serve/cache/25.html)

Summary of setup

bittorrent uses both outgoing and incoming connections, so a number of things need to happen:

1. make sure that your bittorrent application is configured to use only a single port (does not change each time you run bittorrent).

2. set up a rule on LAN to make sure that outgoing connections from the machine running bittorrent always go the same way.

3. set up port forwarding on the modem router on the appropriate WAN connection to forward to pfSense.

4. set up port forwarding in pfSense to forward to the machine running bittorrent.

5. turn on logging on the auto setup rule on WAN or WAN2 to allow traffic to the bittorrent machine.

6. test your config using the bittorrent application's port forward checker.

7. turn off logging on your new rules.

8. sit back and watch the data flow.

bittorrent setup

This varies depending on the bittorrent application you use. I use uTorrent.

You can use a randomly generated port on first set up, but don't change the port on each run (unless you want to change pfSense and your modem every time as well!). You don't need to use UPnP port mapping, and you only check the firewall exceptions box if you are using Windows Firewall.

Setup outgoing rule

This LAN rule makes sure that the connection to the tracker goes down the right pipe. Change the address

192.168.1.250 to the LAN address of your bittorrent machine.

Turn on logging when you first put the rule in, and once you know it is all working you can turn it off.

Note that I have logged uTorrent and it also outward connects to torrent peers using source ports from around

2000 upwards (each new connection increments the port number). For this reason I think the best answer is to set

up for all traffic from the bittorrent machine to be mapped to the one connection, rather than specific ports.

Maybe someone who knows can refine this.

Setup port forwarding on your modem / router

If your modem / router is NATing, then you need to set it up to forward the port set up in step 1 to pfSense - 25017 in this example. You'll need to look in your modem / router documentation for this, or consult Brian's FAQ as linked at the top of this section.

Alternatively your router may allow you to forward everything to pfSense - my Linksys ADSL modem has this

facility, which makes life easy.

Setup port forwarding on pfSense

Now set up a matching port forward on the WAN interface to forward the port to your bittorrent machine.

Make sure you leave the box Auto add a firewall rule... at the bottom of the page checked.

Turn on logging on the auto setup rule

Now go into Firewall - Rules and select the tab for the interface you are using; there should be a new rule to handle the traffic for the port forward you just set up. Turn on logging on this rule and apply the changes.

Testing your configuration

Now it's time to see if it all works. Run up your torrent client and, if it has a port forward checker, use it. In uTorrent, there is a button on the form Options - Speed Guide called Test if port is forwarded properly. This launches a web browser that will report if the port is properly configured.

Now start up a torrent, and after a few seconds go and check the Status - system logs and select the firewall tab.

You should see traffic to port 6969 from your bittorrent machine as it connects to the tracker.

Then you should see outgoing connections from your machine to many different addresses and ports as your

torrent client contacts peers.

Then you should start to see incoming connections (WAN / WAN2 interface) from some of those peers to your

machine. These should all be using the port you are configured to use in step 1.

Your torrent client should by now show lots of activity, with multiple peers connected and plenty of incoming

traffic. After a few minutes outgoing traffic should start to grow.

turn off logging

Assuming all is well, turn off all the logging that you set up before you sit back and enjoy the data flow.

Retrieved from "http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing"

This page was last modified on 19 November 2009, at 22:52. This page has been accessed 72,787 times.
