2025-01-15 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/03 Report
Overview
The settings described in this guide enable pfSense to load balance or fail over traffic from the LAN across multiple Internet connections (WANs). With load balancing, traffic from the LAN is shared across the available WANs in round-robin fashion on a per-connection basis. With failover, traffic uses the highest-priority WAN until it goes offline and then uses the next one. pfSense monitors each WAN connection using the gateway IP or an alternate monitor IP address, and if the monitor IP stops responding, it removes that WAN from use in the gateway group.
Summary
In most setups, you only need to complete three parts.
Add gateway groups (System > Routing, Gateway Groups tab)
Use the gateway groups in the LAN firewall rules
Ensure that at least one DNS server is set for each WAN gateway (System > General Setup)
This guide uses the Chinese version of pfSense 2.34 for its examples.
I. Interface setting
Before you begin, make sure that all WAN-type interfaces are enabled. For static IP WANs, make sure each one has a gateway set. Also confirm that the gateway / monitor IP responds to ping, so that you know each WAN is actually online. If a gateway has been defined, it is visible under Status > Gateways. If the gateways show green, the connection to the gateway is up.
II. Gateway setting
Ensure that each WAN interface has a gateway (set under System > Routing, Gateways tab).
Static IP WANs have normal gateway entries, and DHCP / PPPoE WANs have dynamic gateway entries.
Each gateway has a few settings that can slightly change its behavior. Most of them should be left at their default values; modify them only as needed.
1. Monitor IP
By default, pfSense pings the gateway to determine the connection quality of the WAN. In some cases, this is not an accurate measure. For example, if the WAN gateway is actually a local device rather than the other end of the ISP link, the actual WAN link may be down and a ping to the gateway will not show it. Likewise, if the ISP gateway is up but the ISP has an upstream failure, pinging only the gateway will not reveal the problem.
You can enter a custom IP address here to determine the connection quality of the WAN. You can use a public website, a Google public DNS server, or any IP address on the Internet that responds to ping. The downside is that if that IP goes offline or suffers a failure of its own, the WAN may be flagged as down when it is actually up.
2. Weight
By default, all WANs on the same tier are considered equal when load balancing is performed. If the WANs have different speeds, the Weight parameter lets the system send a larger share of connections to the faster link. If one line is 50 Mbit and the other is 10 Mbit, it is obviously not advisable to distribute traffic equally. You can set the weight of the 50 Mbit line to 5, so the usage is 5:1, which makes it more balanced.
3. Packet loss / latency thresholds
Each WAN differs in what counts as "normal" operation. Some WANs have low latency and no loss, so the connection quality is good, while other WANs function properly even with some packet loss or higher latency on the line. These fields are the values that must be reached before the WAN gateway raises an alarm. On cable lines, it may be good to increase the loss percentage to more than 20. On slow DSL or satellite links, a latency threshold of a few hundred ms is best. You can learn the typical figures for a WAN line by looking at its quality graph.
III. Gateway Group
Gateway groups (System > Routing, Gateway Groups tab), as the name implies, group gateways together so that they act in a coordinated manner. A group can perform load balancing, failover, or a combination of the two.
A common practice for a dual-WAN setup is to use three gateway groups: one for load balancing, one for failover, and one that prefers a particular WAN. This extends to any number of WANs: a group that prefers one WAN and fails over to the others in some order. This allows selected traffic to be load balanced or to prefer a particular WAN.
1. Tier
In a gateway group, each gateway is assigned a tier that determines when it is used. Lower tier numbers are preferred. If any two gateways are on the same tier, they are load balanced. If they are on different tiers, they fail over. If the tier is set to "Never", the gateway is not considered part of the gateway group.
2. Trigger condition
Member down: triggered when the monitor IP shows 100% packet loss.
Packet loss: triggered only when the packet loss of the gateway is higher than its defined threshold.
High latency: triggered only when the gateway latency is higher than its defined threshold.
Packet loss or high latency: triggered when either of the two conditions occurs.
3. Load balancing
When two gateways are on the same tier, they are load balanced. This means that, on a per-connection basis, connections are routed over each WAN in round-robin fashion. If any gateway on the same tier goes down, it is removed from use, and the other gateways on that tier continue to operate normally.
4. Failover
When two gateways are on different tiers, the gateway on the lower-numbered tier is preferred. If that gateway goes offline, it is removed from use and the gateway on the next tier is used.
5. Combination
Because of the tier system, any number of combinations of load balancing and failover is possible. If one of three load-balanced WANs goes offline, the remaining two continue load balancing, and if two go offline, the last WAN is still used. The only limitation is that there are only five tiers, so a configuration can be at most five tiers deep.
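The tier, trigger and weight behaviour described in this section can be checked with a small model. This is an added example, not pfSense's own code: the gateway names, thresholds and the `Gateway`, `triggered`, `active_members` and `schedule` helpers are constructed for illustration, and the model assumes a gateway with 100% loss is removed under every trigger condition.

```python
from dataclasses import dataclass
from itertools import cycle, islice
from typing import Optional

@dataclass
class Gateway:
    name: str
    tier: Optional[int]           # 1-5; None models the "Never" setting
    weight: int = 1
    loss_pct: float = 0.0         # measured against the monitor IP
    latency_ms: float = 0.0
    loss_limit: float = 20.0      # constructed alarm thresholds
    latency_limit: float = 500.0

def triggered(gw, trigger):
    """True if the group's trigger condition removes this gateway."""
    if gw.loss_pct >= 100:        # member down; assumed to apply under every trigger
        return True
    loss = gw.loss_pct > gw.loss_limit
    slow = gw.latency_ms > gw.latency_limit
    return {"down": False, "loss": loss, "latency": slow,
            "loss_or_latency": loss or slow}[trigger]

def active_members(group, trigger):
    """Usable gateways on the lowest-numbered tier that still has one."""
    usable = [g for g in group if g.tier is not None and not triggered(g, trigger)]
    if not usable:
        return []
    best = min(g.tier for g in usable)
    return [g for g in usable if g.tier == best]

def schedule(group, trigger, connections):
    """Gateway used by each new connection: round-robin, repeated by weight."""
    slots = [g.name for g in active_members(group, trigger) for _ in range(g.weight)]
    return list(islice(cycle(slots), connections)) if slots else []

def sample_group():
    # Constructed example: 50 Mbit and 10 Mbit lines balanced 5:1, plus a backup.
    return [Gateway("WAN1", tier=1, weight=5),
            Gateway("WAN2", tier=1, weight=1),
            Gateway("WAN3", tier=2)]

if __name__ == "__main__":
    group = sample_group()
    print(schedule(group, "loss_or_latency", 6))
    group[0].loss_pct = 100       # WAN1 monitor IP stops answering
    print(schedule(group, "loss_or_latency", 3))
```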
IV. Firewall settings
Defining a gateway group is only part of the setup. Traffic must be assigned to these gateways using the gateway settings on the firewall rules.
Under Firewall > Rules, on the tab of the LAN interface that will use the gateway group, either edit the existing traffic rules and set the Gateway field to the desired gateway, or add a new rule. Remember, the rules are evaluated from top to bottom, and once a rule matches, processing stops. If you are using multi-WAN load balancing, remember to add multiple gateways.
Some traffic can be directed to one WAN with a failover group, other traffic can be matched to leave through another WAN, and a final catch-all rule can send everything else to load balancing.
Policy routing negation: when a firewall rule directs traffic to a gateway, it bypasses the routing table on the firewall. A policy routing negation rule is simply a rule that passes traffic to other local or VPN-connected networks and has no gateway set. Because no gateway is set on this rule, the traffic bypasses the gateway group and uses the routing table on the firewall. These rules should be at the top of the list, or at least above any rules that use gateways.
V. Outbound NAT
If you use manual outbound NAT, you must add a rule for the second WAN. If the above guidelines are followed, automatic outbound NAT does not need to be adjusted.
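Returning to the rule ordering under IV. Firewall settings: the added example below (not pfSense code) evaluates a constructed LAN rule list top to bottom and reports local or VPN networks that a gateway rule would capture before a negation rule. The networks, group names and the `route_for` and `misrouted` helpers are hypothetical, and the check probes only one host and one port per network.

```python
import ipaddress

# Constructed LAN rule list, evaluated top to bottom; the first match wins.
# gateway=None means no gateway is set, so the firewall's routing table is used.
RULES = [
    {"dst": "10.8.0.0/24", "gateway": None},            # negation rule: VPN network
    {"dst": "192.168.20.0/24", "gateway": None},        # negation rule: other local network
    {"dst": "0.0.0.0/0", "port": 25, "gateway": "WAN1_Failover"},
    {"dst": "0.0.0.0/0", "gateway": "LoadBalance"},     # catch-all
]

def route_for(dst_ip, dst_port, rules=RULES):
    """Return where a new connection is sent under first-match evaluation."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if addr not in ipaddress.ip_network(rule["dst"]):
            continue
        if "port" in rule and rule["port"] != dst_port:
            continue
        return rule["gateway"] or "routing table"
    return "blocked"                                    # nothing matched: default deny

def misrouted(local_nets, rules=RULES):
    """Local/VPN networks whose traffic would be policy-routed out a WAN."""
    bad = []
    for net in local_nets:
        probe = str(next(ipaddress.ip_network(net).hosts()))
        if route_for(probe, 443, rules) != "routing table":
            bad.append(net)
    return bad

if __name__ == "__main__":
    nets = ["10.8.0.0/24", "192.168.20.0/24"]
    print(misrouted(nets))               # correct order
    print(misrouted(nets, RULES[::-1]))  # catch-all placed above the negation rules
```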
VI. Points for attention
There should be at least one DNS server on each WAN so that name resolution works correctly. This can be achieved by editing the DNS servers under System > General Setup and selecting a gateway for each DNS server. Ensure that the DNS server selected for a specific WAN is working properly. The system's DNS forwarder queries all DNS servers at the same time, so it is not affected by a WAN failure. If the DNS servers are set directly on the clients, this restriction does not apply. However, because services on the firewall itself still need DNS, the lack of a working DNS server will affect those services.
VII. Local services
By default, traffic from local services such as the Squid proxy bypasses policy routing and always uses the default route. It also bypasses outbound NAT and leaves directly from the WAN IP address. Therefore, load balancing is not possible for this traffic. In this case, failover can be achieved by enabling default gateway switching under System > Advanced, Miscellaneous tab.
VIII. Troubleshooting
Check the gateway status in the dashboard widget or under Status > Gateways.
If failures are triggered frequently, check the quality graph and adjust the packet loss and / or latency thresholds for the gateway.
If local or VPN traffic fails, make sure that there is a policy routing negation rule.
If traffic always uses the default gateway instead of multiple WANs, check the rules to make sure that they have a gateway defined.
Original address: https://doc.pfsense.org/index.php/Multi-WAN#Troubleshooting
31 May 2017