The pfSense Book: Multi-WAN

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Multiple WAN connections

Chapter contents:

Multi-WAN terms and concepts

Policy routing, load balancing and failover strategies

Multi-WAN considerations

Summary of multi-WAN requirements

Load balancing and failover with gateway groups

Interface and DNS configuration

Multi-WAN and NAT

Policy routing configuration

Verifying functionality

Troubleshooting

Multi-WAN on a stick

Multi-WAN for IPv6

Multilink PPPoE (MLPPP)

pfSense's multi-WAN features let the firewall use multiple Internet connections for more reliable connectivity and greater total throughput. Before configuring multi-WAN, the firewall must already have at least two interfaces (LAN and a primary WAN) configured and working correctly. pfSense can handle many WAN lines; this page recommends no more than 12.

All WAN-type interfaces are treated equally in the GUI. Anything that can be done with the primary WAN can also be done with an additional OPT WAN interface; there is no significant difference between the primary WAN and the other WANs.

This chapter first introduces the issues to consider when implementing a multi-WAN solution, and then describes the use of pfSense for multi-WAN configuration.

Selecting Internet connections

If multiple Internet connections are used, choose different carriers so that the lines are genuinely redundant. Multiple WANs from a single operator add little: they often share the same physical path, and if that fiber is dug up, all of the connections go down together.

Multi-WAN terms and concepts

This section introduces the terminology and concepts of pfSense deploying multi-WAN capabilities.

WAN interface type

A WAN interface is one that reaches the Internet directly or indirectly. pfSense treats any interface that has a gateway selected as a WAN; an interface without a gateway is considered a local interface. Do not set a gateway on a local interface. Interfaces with dynamic addressing, such as DHCP and PPPoE, automatically receive a dynamic gateway and are always treated as WANs.

Selecting a gateway on an interface changes the firewall's behavior on that interface in several ways: reply-to is added to the interface's firewall rules, the interface is used as an exit interface by automatic and hybrid outbound NAT, and the traffic shaper wizard treats it as a WAN.

Note

Local and other interfaces may have gateways defined under System > Routing, as long as the gateway is not selected in the interface configuration itself (for example, Interfaces > LAN).

Policy routing

Policy routing means directing traffic through different gateways based on more than just the destination IP address, which is all that the routing tables in most operating systems and routers consider. It is implemented with a policy, usually a firewall rule or an access control list. In pfSense, policy routing is configured by selecting a gateway when adding or editing a firewall rule. The gateway list contains every gateway defined under System > Routing, as well as any gateway groups.

Policy routing is a powerful way to send traffic to the appropriate WAN interface or other gateway: anything a firewall rule can match, such as a specific host, subnet or protocol, can be directed through a chosen gateway.

Note

Keep in mind that all firewall rules, including policy routing rules, are processed in top-down order, and the first matching rule wins.

Gateway group

A gateway group defines a selected set of gateways for failover or load balancing. Configure it on the Gateway Groups tab of System > Routing.

Multi-WAN failover

Multi-WAN failover uses only one WAN connection at a time; if the preferred connection fails, traffic switches to another WAN. It works for two or more lines.

Load balancing

Load balancing in pfSense distributes traffic across multiple WAN connections in a round-robin fashion, on a per-connection basis. If a gateway that belongs to a load-balancing group fails, that gateway is marked down and removed from all groups until it recovers.

Monitor IP: when failover or load balancing is configured, each gateway is associated with a monitor IP. In a normal configuration pfSense pings this address, and if it stops responding the gateway is marked down. The gateway group options select which condition triggers a failure: packet loss, high latency, packet loss or high latency, or member down.

How is a gateway failure determined?

Determining a gateway failure is a little more involved than "the monitor IP stops responding, so the interface is marked down". The actual failure criteria depend on the options selected when creating the gateway group and on the settings of the gateway itself.

The per-gateway settings are found under the gateway's advanced options; they determine how a gateway is detected as down and when it is considered recovered. Packet loss, latency, down time, and even the probe interval and alert thresholds can each be configured separately.

State killing / forced switching

When a gateway fails, pfSense can optionally flush all states to force clients to reconnect, at which point the clients use an available gateway instead of the failed one. Currently this feature works only one way: it can move connections off a failed gateway, but it cannot force them back when the original gateway comes back online.

This behavior is optional and is enabled by default.

Default gateway handoff

Traffic that is not policy routed, including traffic originating from the firewall itself, uses the default gateway unless a static route sends the packets along a different path. If the default gateway goes down, daemons on the firewall cannot make outbound connections. When default gateway switching is enabled and the default gateway fails, the firewall's default gateway switches to the next available gateway, and switches back automatically when the original WAN recovers.

Policy routing, load balancing and failover policies

This section describes common multi-WAN goals and how to configure for each.

Bandwidth aggregation

A primary motivation for multi-WAN is bandwidth aggregation, and with load balancing pfSense can achieve it. However, if the firewall has two 5 Mbps WAN lines, a single client connection cannot reach 10 Mbps: each individual connection is bound to one specific WAN. This is true of any multi-WAN solution except MLPPP; the bandwidth of two different Internet connections cannot be merged into one large "pipe" without cooperation from the ISP. With load balancing, where connections are distributed round-robin, 10 Mbps over two 5 Mbps lines is only reached when many connections are in flight at once. Applications that open multiple connections, such as the download manager Thunder (Xunlei), can reach the combined throughput of two or more lines.

Note

Multilink PPPoE (MLPPP) is the only WAN type that can achieve full aggregate bandwidth for all lines in the bundle, and it requires special support from the ISP. On a network with many internal machines accessing the Internet, load balancing approaches aggregate throughput by spreading the many internal connections across all WAN interfaces.

Separation of priority services

In some cases the two lines differ in quality. Traffic can then be split between them by priority: high-priority services such as VoIP, traffic to specific networks (for example an outsourced application provider), or specific protocols used by critical applications go over the better line, while low-priority traffic, usually everything else that is allowed, goes over the lower-quality line. Policy routing rules direct the high-priority traffic to the high-quality connection and the remaining traffic to the other one.

In enterprises, for example, the high-quality connection can be reserved for the office automation (OA) systems.

Failover only

Some deployments use failover only, where a secondary connection is used solely when the primary fails. Some pfSense users have a low-bandwidth backup connection, such as a 3G modem, and a failover gateway group puts it into service only when the primary connection is down.

Another use of failover is to ensure that a protocol or destination always uses only one WAN unless it fails.

Weight of load balancing

Uneven load balancing is achieved by setting an appropriate weight on each gateway. Weight values range from 1 to 30.

Uneven load balancing by gateway weight:

  WAN_GW weight   WAN2_GW weight   WAN load   WAN2 load
  3               2                60%        40%
  2               1                67%        33%
  3               1                75%        25%
  4               1                80%        20%
  5               1                83%        17%
  30              1                97%        3%

It is important to note that the weights only balance the number of connections, not interface throughput. If a single high-throughput connection saturates one interface, new connections will still be assigned to that interface in turn.

Multi-WAN consideration

This section contains considerations specific to multiple WAN in pfSense.

Multiple WAN share one gateway IP

Because of the way pf handles multi-WAN, pfSense requires each WAN gateway to have a unique IP address: traffic can only be directed to a line by that line's gateway IP.

If multiple WANs from the same ISP share one gateway on the same subnet, a routing device must be inserted on one of the lines to use them both. If possible, ask the ISP to reconfigure the lines so that each WAN is on a different subnet with its own gateway.

PPP-type WANs, such as PPPoE, may use the same gateway address on multiple interfaces, but each gateway entry must be configured with a different monitor IP.

Multiple PPPoE WAN

When there are multiple PPPoE lines from the same ISP and the ISP supports multilink PPPoE (MLPPP), the lines can be bundled into a single aggregate link. The bundled link combines the total bandwidth of all its lines into one WAN.

Local services and multi-WAN

Local services need special consideration with multi-WAN, because traffic originating from the firewall itself is not affected by the policy routing configured on internal interface rules. Traffic from the firewall itself always follows the system routing table. To send such traffic out another WAN, a static route is required; otherwise only the WAN with the default gateway is used.

For traffic arriving from the Internet at any WAN interface, pfSense automatically applies pf's reply-to keyword on all WAN-type interface rules, ensuring that reply traffic is routed back out the WAN interface it came in on.

DNS Resolver

With its default settings, the DNS Resolver requires default gateway switching to work properly with multi-WAN. There are modifications that make the DNS Resolver work with multi-WAN, including enabling forwarding mode.

DNS Forwarder

A DNS server used by the DNS Forwarder must have a gateway defined if it is reached through an OPT WAN interface.

Dynamic DNS

You can set DynDNS entries in the gateway group of an interface. This moves DynDNS entries between WAN in failover mode, allowing common hostnames to be transferred from one WAN to another WAN in the event of a failure.

IPsec

IPsec is fully compatible with multi-WAN. A static route to the remote tunnel peer is automatically added via the gateway of the specific WAN, ensuring that the firewall sends traffic along the correct path when initiating the connection. For mobile clients, the client always initiates the connection, and the state table routes the replies correctly. A gateway group can also be used as the interface for an IPsec tunnel, for failover.

OpenVPN

Like IPsec, OpenVPN can use any WAN or gateway group.

CARP and multi-WAN

CARP works with multi-WAN as long as all WAN interfaces use static IP addresses and each WAN has at least three public IP addresses available.

IPv6 and multi-WAN

IPv6 can be used with multi-WAN, but usually requires Network Prefix Translation (NPt) on one or more WANs.

Summary of Multi-WAN Settings

The following briefly summarizes the requirements for completing the multi-WAN setup:

1. Create a gateway group under the Groups tab of System > Routing

2. Configure the DNS Resolver or DNS Forwarder for multi-WAN, setting at least one unique DNS server for each WAN gateway under System > General Setup.

3. Use gateway groups on LAN firewall rules

Use gateway groups for load balancing and failover

Gateway groups are required for any load balancing or failover configuration. The group itself has no behavior on its own; when it is used later, for example in a policy routing firewall rule, it defines how the items that use it behave.

The same gateway can be included in multiple groups so that multiple different scenarios can be configured at the same time. For example, some lines can be load balanced, others can use failover, and the same WAN can be used in both configurations by using different gateway groups.

A very common setup for a two-WAN firewall includes three groups:

1. LoadBalance: WAN1 and WAN2 both on tier 1

2. PreferWAN1: WAN1 on tier 1, WAN2 on tier 2

3. PreferWAN2: WAN1 on tier 2, WAN2 on tier 1

Configure gateway groups for load balancing or failover

Create a load balancing or failover gateway group:

Navigate to the System > Routing, Groups tab

Click add to create a new gateway group

Fill in the options on the page as needed:

Group Name:

The name of the gateway group. It must be less than 32 characters long and may contain only the letters a-z, the digits 0-9 and the underscore. This is the name used to reference the group in the Gateway field of a firewall rule.

Tier:

Selects the priority of each gateway within the group. Gateways in a group are arranged by tier, numbered 1 to 5, with lower tiers used first: gateways on tier 1 always take precedence over gateways on tier 2, and so on.

Virtual IP:

(Optional) Specifies the virtual IP address to use on the interface, if one exists. This is used by features such as OpenVPN, to select a specific virtual address instead of the interface address when a particular gateway in the group is active. In most cases the default interface address is used.

Trigger Level:

Decides when a gateway is marked down:

Member Down: the gateway is marked down only when it is completely down, that is, when one or both of the higher ("down") thresholds configured on the gateway are exceeded. This catches the most serious failures, where the gateway is completely unresponsive, but may miss subtler problems that make the line unusable before it reaches that point.

Packet Loss: marks the gateway down when packet loss exceeds the lower (warning) threshold.

High Latency: marks the gateway down when latency exceeds the lower (warning) threshold.

Packet Loss or High Latency: marks the gateway down on either type of alert.

Description: text describing the purpose of this gateway group.

Click SAVE

Load balancing

Any two or more gateways on the same tier are load balanced. For example, if gateway A, gateway B and gateway C are all on tier 1, connections are balanced among them. Load-balanced gateways automatically fail over to each other: when a gateway fails it is removed from the group, so if any of A, B or C goes down, the firewall balances among the remaining online gateways.

Load weight

If the two WAN need to be balanced in a weighted manner because of the different bandwidth between them, you can adjust the weight parameters on the gateway to adapt to different degrees of load balancing.

Fail-over

Lower tiers are preferred; if the gateways on a tier are down, gateways on a higher-numbered tier are used. For example, with gateway A on tier 1, gateway B on tier 2 and gateway C on tier 3, gateway A is used first. If gateway A is down, gateway B is used. If both A and B are down, gateway C is used.

Complex / combined scenarios

By extending the load balancing and failover concepts above, more complex scenarios can be built, including ones that combine both. For example, with gateway A on tier 1, gateway B and gateway C on tier 2, and gateway D on tier 3: gateway A alone is preferred. If A is down, traffic is load balanced between B and C. If B or C is also down, the remaining online gateway on that tier is still used. If A, B and C are all down, traffic fails over to gateway D.

Any of the other combinations mentioned above can be used, as long as it can be arranged within the limit of 5 layers.
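The tier, trigger-level and weight behavior described above, as an added example that is not part of the pfSense Book or of pfSense's own code. It models gateway-group selection offline in Python: a group uses its lowest tier that still has an online member, same-tier members are balanced round-robin with each gateway repeated in the pool according to its weight (a common way of implementing weighted round-robin; pf's own pool construction is assumed to behave equivalently), and the trigger level decides which thresholds mark a member down. The gateway names, the measured loss and latency values, and the alarm thresholds (10%/20% loss, 200/500 ms latency, chosen to mirror pfSense's defaults) are assumptions for the demo. It also covers the weight table earlier on this page and its caveat that balancing counts connections, not bytes.

```python
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Gateway:
    """One gateway with its monitor results and per-gateway alarm thresholds.
    The threshold defaults mirror pfSense's defaults (assumed for this demo)."""
    name: str
    loss_pct: float = 0.0        # packet loss measured against the monitor IP
    latency_ms: float = 0.0      # round-trip time to the monitor IP
    unreachable: bool = False    # monitor IP not answering at all
    weight: int = 1              # 1..30, see the weight table on this page
    loss_warn: float = 10.0      # lower (warning) loss threshold, %
    loss_down: float = 20.0      # higher (down) loss threshold, %
    latency_warn: float = 200.0  # lower (warning) latency threshold, ms
    latency_down: float = 500.0  # higher (down) latency threshold, ms


def is_online(gw: Gateway, trigger: str) -> bool:
    """Apply the gateway group's Trigger Level to one member."""
    if gw.unreachable:
        return False                        # down under every trigger level
    loss_alert = gw.loss_pct > gw.loss_warn
    latency_alert = gw.latency_ms > gw.latency_warn
    if trigger == "member_down":
        # only the higher thresholds count; warnings are ignored
        return not (gw.loss_pct > gw.loss_down or gw.latency_ms > gw.latency_down)
    if trigger == "packet_loss":
        return not loss_alert
    if trigger == "high_latency":
        return not latency_alert
    if trigger == "loss_or_latency":
        return not (loss_alert or latency_alert)
    raise ValueError(f"unknown trigger level: {trigger}")


def active_members(group: dict, trigger: str) -> list:
    """group maps tier number -> list of Gateway. The lowest-numbered tier that
    still has an online member is active; its online members are returned
    (one member = plain failover target, several = load balanced)."""
    for tier in sorted(group):
        online = [gw for gw in group[tier] if is_online(gw, trigger)]
        if online:
            return online
    return []                               # whole group down


def distribute(gateways: list, connection_sizes: list) -> dict:
    """Weighted round-robin over new connections. Each gateway is repeated
    `weight` times in the pool, so the share of *connections* follows the
    weights; bytes per gateway depend only on which connections landed
    where, which is the throughput caveat on this page.
    Returns {name: (connections, bytes)}."""
    pool = [gw.name for gw in gateways for _ in range(gw.weight)]
    stats = {gw.name: [0, 0] for gw in gateways}
    if pool:
        for name, size in zip(cycle(pool), connection_sizes):
            stats[name][0] += 1
            stats[name][1] += size
    return {name: tuple(v) for name, v in stats.items()}


if __name__ == "__main__":
    a = Gateway("WAN_GW", weight=3)
    b = Gateway("WAN2_GW", weight=2)
    print(distribute([a, b], [1] * 100))       # 60/40 split of connections
    a.loss_pct = 15                             # warning level, not yet "down"
    group = {1: [a, b], 2: [Gateway("WAN3_GW")]}
    for trigger in ("member_down", "packet_loss"):
        print(trigger, [gw.name for gw in active_members(group, trigger)])
```

Running the block shows the 3:2 weights producing the 60%/40% row of the weight table, and the same gateway counted as online under Member Down but down under Packet Loss at 15% loss, which is why the trigger level matters as much as the thresholds.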

Load balancing problem

Some websites tie session information to the client IP address, and if successive connections arrive from different public IP addresses the site may not work properly; banks and other secure sites are typical examples. The solution is to create a failover group and direct traffic to these sites through it instead of the load-balancing group, or to use failover or a fixed gateway for all HTTPS traffic.

Interface and DNS configuration

The first two items to configure for multi-WAN are the interfaces and DNS.

Interface configuration

Install the primary WAN, as described in the installation wizard. Then for other WAN interfaces, perform the following tasks:

If the interface does not exist, assign the interface

Access the "Interfaces" menu item for each additional WAN (for example, Interfaces > OPT1)

Enable the interface

Enter the appropriate name, such as WAN2

Select the IP address configuration of the desired type according to the Internet connection type

Enter additional information for the WAN, such as IP address, subnet mask, and add gateways.

DNS server configuration

If the DNS Forwarder is in use, or the DNS Resolver is in forwarding mode, pfSense must have a DNS server configured on each WAN connection so that it can always resolve DNS. This is especially important if the internal network relies on the firewall for DNS resolution.

If only DNS servers reachable through a single WAN are used, losing that WAN results in a complete Internet outage regardless of the policy routing configuration, because DNS no longer works.

DNS Resolver configuration

The DNS Resolver works with multi-WAN, but the configuration depends on the desired behavior and settings.

If DNSSEC is required and the configured upstream DNS servers do not support DNSSEC, forwarding mode cannot be enabled. Multi-WAN can still be used, but requires default gateway switching.

If DNSSEC is not a requirement on this firewall, or the configured DNS servers support DNSSEC, perform the following steps:

Under System > General Setup, set at least one DNS server for each WAN

Enable forwarding mode under Services > DNS Resolver

If the configured upstream DNS servers do not support DNSSEC, uncheck Enable DNSSEC Support

DNS servers and static routes

When using the DNS Forwarder, or the DNS Resolver in forwarding mode, pfSense uses its routing table to reach the configured DNS servers. Without static routes this means that only the primary WAN connection is used to reach them. A gateway must be selected for each DNS server defined on the firewall so that pfSense uses the correct WAN interface to reach it. DNS servers learned from a dynamic gateway are automatically routed along the correct path.

Configure the DNS server gateway:

Navigate to System > General Setup

Set at least one unique DNS server for each WAN (up to four in total)

For each DNS server, select the gateway of the WAN interface through which it should be reached

Note

The same DNS server cannot be entered twice; each entry must be unique.

Two things to consider when choosing the gateway for a DNS server: first, most ISPs refuse recursive queries from hosts outside their network, so the firewall must use the correct WAN interface to reach a particular ISP's DNS server. Second, if the primary WAN fails and no gateway has been selected for the other DNS servers, the firewall itself loses all DNS resolution, because every DNS server is reached through the unreachable default gateway. If pfSense is the DNS server for the local network, DNS fails completely.

When the DNS Resolver is used with forwarding mode disabled, the unbound daemon talks directly to the root DNS servers and other authoritative servers, so this static routing and gateway assignment cannot be used. In that case, enable default gateway switching so that unbound keeps outbound connectivity.
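The failure mode just described, as an added example (not pfSense's code or the pfSense Book's): a small Python model of which WAN the firewall's own DNS queries take. Firewall-originated traffic follows the routing table, so a DNS server with no gateway selected rides the default gateway, and an ISP's resolver answers only through that ISP's own line. The server addresses (documentation ranges), the gateway names, the `restricted_to` flag standing in for an ISP that refuses outside queries, and the assumption that default gateway switching picks the first remaining online gateway in listed order are all invented for the demo.

```python
def firewall_path(server: dict, default_gw: str, online: list,
                  default_gw_switching: bool = False):
    """Gateway the firewall itself would use to reach `server`, or None.
    A 'gateway' key on the server models the Gateway selector in
    System > General Setup (a static route for that server); without it the
    packet follows the routing table, i.e. the default gateway."""
    gw = server.get("gateway")
    if gw is None:
        gw = default_gw
        if gw not in online and default_gw_switching:
            # assumption: switching picks the first remaining online gateway
            gw = online[0] if online else None
    return gw if gw in online else None


def usable_dns_servers(servers: list, default_gw: str, online: list,
                       default_gw_switching: bool = False) -> list:
    """DNS servers the firewall can both reach and be answered by.
    'restricted_to' marks an ISP resolver that only answers queries arriving
    over that ISP's own line (most ISPs refuse outside recursion)."""
    usable = []
    for srv in servers:
        path = firewall_path(srv, default_gw, online, default_gw_switching)
        if path is None:
            continue
        if srv.get("restricted_to") not in (None, path):
            continue
        usable.append(srv["ip"])
    return usable


def check_dns_config(servers: list, wan_gateways: list) -> list:
    """Pre-flight checks from this section: no duplicate entries, and at least
    one DNS server pinned to every WAN gateway."""
    problems = []
    ips = [srv["ip"] for srv in servers]
    for ip in sorted({ip for ip in ips if ips.count(ip) > 1}):
        problems.append(f"duplicate DNS server entry {ip}")
    for gw in wan_gateways:
        if not any(srv.get("gateway") == gw for srv in servers):
            problems.append(f"no DNS server assigned to gateway {gw}")
    return problems


# Constructed sample configuration: ISP1's resolver (behind WAN_GW) and ISP2's
# resolver (behind WAN2_GW); addresses are documentation ranges, not real servers.
UNPINNED = [
    {"ip": "198.51.100.1", "restricted_to": "WAN_GW"},
    {"ip": "203.0.113.53", "restricted_to": "WAN2_GW"},
]
PINNED = [dict(srv, gateway=srv["restricted_to"]) for srv in UNPINNED]
WANS = ["WAN_GW", "WAN2_GW"]


if __name__ == "__main__":
    # WAN_GW, the default gateway, has just failed:
    print(usable_dns_servers(UNPINNED, "WAN_GW", ["WAN2_GW"]))   # []
    print(usable_dns_servers(PINNED, "WAN_GW", ["WAN2_GW"]))     # ['203.0.113.53']
    print(check_dns_config(UNPINNED, WANS))
```

Note the first assertion in the test: even with both WANs up, the unpinned ISP2 resolver is unusable, because its queries leave via the default gateway on ISP1's line and are refused. Pinning each server to its own gateway fixes both that and the outage case.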

Extend to multiple WAN interfaces

In practice, many pfSense users deploy 6 to 12 Internet connections, because in some countries it is far cheaper to get ten 256 Kbps connections than one 2.5 Mbps connection. These users use pfSense to spread a large number of internal machines across more than 10 different connections. For more on this kind of deployment, see Multi-WAN on a stick later in this chapter.

Multi-WAN and NAT

The default NAT rules generated by pfSense translate any traffic leaving a WAN-type interface to that interface's IP address. In the default two-interface LAN and WAN configuration, pfSense NATs all traffic from the LAN to the WAN IP address as it leaves the WAN interface. Adding more WAN-type interfaces extends this: traffic leaving any WAN-type interface is NATed to that interface's IP address. All of this is handled automatically unless manual outbound NAT is enabled.

Policy routing firewall rules select which WAN interface traffic uses; the outbound and 1:1 NAT rules determine how that traffic is translated as it leaves the WAN.

Multi-WAN and manual outbound NAT

If manual outbound NAT must be used with multiple WAN, be sure to configure NAT rules for all WAN type interfaces.

Multi-WAN and port forwarding

Each port forward applies to a single WAN interface. A given port can be opened on multiple WAN interfaces by creating multiple port forward entries, one per WAN interface.

The easiest way is:

Add a port forward on the first WAN connection as usual

Click the copy icon to the right of the entry to add another port forward based on that entry

Change the interface to the required WAN

Click Save

The reply-to keyword in pf, used on WAN-type interface rules, ensures that traffic entering through a particular WAN interface has its replies sent back out the same interface. Port forwards can therefore be actively used on all WAN interfaces at any time, regardless of any failover configuration. This is particularly useful for mail servers: the address on the secondary WAN can be used as a backup MX, so the site still receives mail when the primary line is down.

Multi-WAN and 1:1 NAT

The 1:1 NAT entry is dedicated to a single WAN interface and, like outbound NAT, only controls what happens to traffic when it leaves the interface. The internal system can be configured with the 1:1 NAT entry on each WAN interface, or the 1:1 entry on one or more WAN interfaces, and use the default outbound NAT on the other WAN interfaces. When 1:1 entries are configured, they will always override any other outbound NAT configuration for that particular interface.

If the local device must always use the 1:1 NAT entry on a particular WAN, the traffic for that device must be forced to use that particular WAN gateway.

Policy routing configuration

With the steps above, the pfSense multi-WAN groundwork is in place, but policy routing must still be configured in the firewall rules for failover or load balancing to take effect.

Note

If default gateway switching is enabled, failover still works without policy routing rules.

Configure firewall policy routing rules

Setting a gateway on a firewall rule will cause traffic that matches the rule to use the selected gateway or gateway group and follow the behavior of the gateway group.

The easiest way to configure the firewall for policy routing is to edit the existing default pass rule on LAN and select a gateway group in it. With this change, any traffic matching the default pass rule on LAN uses the selected gateway or gateway group.

Navigate to the Firewall > Rules, LAN tab

Edit the default pass rule

Click Display Advanced (Show Advanced Settings) in Extra Options (extra options)

Select the desired gateway or gateway group from the Gateway drop-down list

Click Save

Click Apply Changes (apply changes)

These are the basic configurations used by multi-WAN, and more complex configurations are required if more functionality is required.

Bypass policy routing

If there are other local interfaces, VPNs, MPLS interfaces, or other traffic that must follow the system routing table, that traffic must be configured to bypass policy routing. This is simple: create a rule matching the relevant traffic and place it above any rule that has a gateway configured, since the first matching rule is the one used.

A convenient way to do this is to create an alias covering all of the RFC 1918 private networks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and use that alias as the destination in the rule.

In the sample rules below, local and VPN traffic bypass policy routing, HTTPS traffic prefers WAN2, and all other traffic is load balanced:

Figure: Bypass policy routing sample rules

Hybrid failover and load balancing

As the bypass policy routing sample rules show, failover and load balancing can be combined on the same interface by ordering the rules carefully. Rules are processed from top to bottom and the first match wins. By placing more specific rules near the top of the list and the general "match all" rules at the bottom, rules using different gateways or groups can be combined in any number of ways.

Force the gateway to use

In some cases traffic must use one and only one gateway, never load balancing or failover. In this example a device must exit through a specific WAN and lose all connectivity if that WAN fails.

First, create a firewall rule matching the traffic from that device with its gateway set to the specific WAN gateway. If that gateway is down, the rule behaves as if no gateway were set, so a few further steps are needed.

Add a rule directly below it that matches the same traffic but is set to reject or block. This rule must not have a gateway set.

Next, configure the firewall to omit rules whose gateway is down:

Navigate to the System > Advanced, Miscellaneous tab

Check "Skip rules when gateway is down" (the option described as "Do not create rules when gateway is down")

Click Save

When this is enabled, the first rule is left out of the ruleset entirely while its gateway is down, so the traffic falls through to the next matching rule. The block rule then stops it.
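The rule ordering, bypass, preferred-gateway and forced-gateway behavior from the sections above, as an added example that is not the pfSense Book's or pfSense's code: a Python model of first-match rule evaluation on the LAN interface, including what happens to a rule whose gateway is down with and without the "skip rules when gateway is down" option. The addresses, ports, rule set, group names and the assumption that a gateway group resolves to the online members of its lowest tier are invented for the demo.

```python
import ipaddress

# "private networks" alias used by the bypass rule
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed LAN rule set, top to bottom, mirroring the sample on this page:
#   1. bypass policy routing for private destinations (no gateway set)
#   2. HTTPS prefers WAN2 (failover group)
#   3. one device forced out WAN2_GW, followed by
#   4. a block rule that catches it when that gateway is down
#   5. everything else load balanced
RULES = [
    {"action": "pass", "dst": RFC1918},
    {"action": "pass", "proto": "tcp", "dport": 443, "gateway": "PreferWAN2"},
    {"action": "pass", "src": "192.168.1.50", "gateway": "WAN2_GW"},
    {"action": "block", "src": "192.168.1.50"},
    {"action": "pass", "gateway": "LoadBalance"},
]

GROUPS = {
    "LoadBalance": {1: ["WAN_GW", "WAN2_GW"]},
    "PreferWAN2": {1: ["WAN2_GW"], 2: ["WAN_GW"]},
}


def matches(rule: dict, src: str, dst: str, proto: str, dport: int) -> bool:
    """Does the packet match every criterion the rule specifies?"""
    if "src" in rule and rule["src"] != src:
        return False
    if "dst" in rule and not any(ipaddress.ip_address(dst) in net for net in rule["dst"]):
        return False
    if "proto" in rule and rule["proto"] != proto:
        return False
    if "dport" in rule and rule["dport"] != dport:
        return False
    return True


def resolve_gateway(name: str, online):
    """A plain gateway resolves to itself if online; a group resolves to the
    online members of its lowest tier (a list: one entry = failover target,
    several = round-robin load balancing). None means nothing is usable."""
    if name in GROUPS:
        for tier in sorted(GROUPS[name]):
            members = [gw for gw in GROUPS[name][tier] if gw in online]
            if members:
                return members
        return None
    return name if name in online else None


def route(src: str, dst: str, proto: str, dport: int, online,
          skip_rules_when_gateway_down: bool = False):
    """First-match evaluation. Returns ('pass', gateway | [gateways] | 'default')
    or ('block', None). A rule with no gateway hands the packet to the system
    routing table ('default')."""
    for rule in RULES:
        if not matches(rule, src, dst, proto, dport):
            continue
        if rule["action"] == "block":
            return ("block", None)
        if "gateway" not in rule:
            return ("pass", "default")
        target = resolve_gateway(rule["gateway"], online)
        if target is None:
            if skip_rules_when_gateway_down:
                continue                  # rule is not created at all; fall through
            return ("pass", "default")    # default behavior: as if no gateway were set
        return ("pass", target)
    return ("block", None)                # implicit default deny


if __name__ == "__main__":
    both = {"WAN_GW", "WAN2_GW"}
    only_wan1 = {"WAN_GW"}
    print(route("192.168.1.10", "10.20.0.5", "tcp", 80, both))      # ('pass', 'default')
    print(route("192.168.1.10", "203.0.113.10", "tcp", 443, both))  # ('pass', ['WAN2_GW'])
    print(route("192.168.1.50", "203.0.113.10", "udp", 5060, only_wan1))
    print(route("192.168.1.50", "203.0.113.10", "udp", 5060, only_wan1,
                skip_rules_when_gateway_down=True))                 # ('block', None)
```

The two calls for the forced device with WAN2_GW down show the point of the procedure: without the skip option the rule silently falls back to the routing table and the device leaks out the other WAN; with it, the rule vanishes and the block rule beneath it takes effect.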

Verification function

Once multiple WAN is configured, it is best to test its functionality to verify that it works as expected. The following sections describe how to test each part of a multi-WAN configuration.

Test failover

Testing multi-WAN in a controlled way immediately after configuring it is a key step. Do not wait for an Internet connection to fail on its own for the first test; problems would then surface only under pressure, when they are hardest to deal with.

First, navigate to Status > Gateways and make sure that all WAN gateways appear online under status and on the Gateway groups tab. If not, verify that the correct monitoring IP address is used.

Creating a WAN failure

Depending on the type of Internet connection, there are several ways to simulate a WAN failure. For any type, first unplug the cable of the target WAN interface from the firewall.

For cable and DSL connections, in separate tests, power off the modem/CPE and unplug the coaxial cable or phone line from the modem. For fiber, wireless and other connection types that terminate on a router other than pfSense, try unplugging the Internet connection from that router, and also shutting the router down.

Verifying interface status

After unplugging the WAN cable or powering off the router, refresh Status > Gateways to check the current status. The gateway monitoring daemon notices the packet loss, and once it exceeds the configured alarm threshold the gateway is marked offline.

Verify load balancing function

This section describes how to verify the functionality of the load balancing configuration.

Verify HTTP load balancing

The easiest way to verify HTTP load balancing is to visit the website that displays the public IP address that the client uses to access the site. Such as: www.ip138.com/

Browsers tend to keep server connections open and to cache results, so the best browser-based test is to load several different sites, or to close the browser window after each load. If load balancing is working, a different IP address should appear across connections. If there is other traffic on the network, the IP address may not change on every page load; repeat the test many times and it should change at least a few times.

If the IP address never changes, try several different sites and make sure the browser actually requests the page again rather than serving it from its cache. Clear the cache manually, close and reopen the browser, and try multiple web browsers to narrow down the problem.

curl is a better testing tool, since it avoids the caching and persistent connections that skew browser results.

Testing load balancing with traceroute

The traceroute utility (tracert on Windows) shows the network path to a given destination. With load balancing, running traceroute from a client behind the firewall should show a different path on successive attempts. Because of how traceroute interacts with the firewall's state table, wait at least a minute between traces so that the state expires, or use a different destination each time.

Use traffic graph

The real-time traffic graph under Status > Traffic Graph and the system panel widget can be used to show the real-time throughput on the WAN interface. When using Status > Traffic Graph, each browser window can display only one graphic, but you can open other windows or tabs in the browser to view all WAN interfaces at the same time. The traffic graph widget of the system panel allows traffic graphs for multiple interfaces to be displayed simultaneously on a single page. If load balancing is working properly, traffic will be displayed on all WAN interfaces.

The RRD flow graph under Status > Monitoring is useful for long-term and historical assessment of WAN utilization.

Be careful

Bandwidth usage may not be distributed evenly, because connections are simply assigned to the WANs in round-robin order without regard to bandwidth usage.

Troubleshooting

This section describes some of the most common problems with multi-WAN and how to resolve them.

Verify firewall rule configuration

The most common error when configuring multi-WAN is incorrect firewall rules. Keep in mind that the first matching rule takes precedence and any later rules are ignored. If the policy routing rule sits below the default LAN rule in the list, it will never be matched, because traffic will match the default LAN rule first.

If the rules appear to be ordered and configured correctly, enabling logging on the rules helps to confirm that the appropriate policy routing rules are the ones passing the traffic.

Policy routing does not work for web traffic or all traffic

When using proxy software that transparently intercepts HTTP traffic, such as squid, it overrides any policy routing defined for client traffic on that port. Therefore, no matter which gateway is set in the firewall rule, HTTP traffic (TCP port 80) still passes through squid and follows the firewall's default route.

Failover does not work

If failover does not happen when the Internet connection fails, it is usually because the monitor IP address is still answering, so the firewall believes that the connection is still available. Check Status > Gateways to verify. A common cause is using the IP address of the modem as the monitor IP address: it remains reachable even when the Internet connection is down.

Load balancing doesn't work.

Check that the gateway group is correctly configured for load balancing and that there are at least two gateways on the same layer.

Check that the LAN firewall rules match the correct load-balanced gateway group.

Check that all gateways in the group appear online under Status > Gateways. Connections marked offline will not be used.

Check the test method: do not test with a web browser, test with curl, as described in Verifying load balancing.

Check whether the traffic is passing through a proxy server or is otherwise originating from a daemon on the firewall itself.

Incorrect marking of gateway offline

If a gateway is listed as offline but the WAN is actually working, troubleshoot in the following ways:

First, test whether the monitor IP address responds to ping from a client device on the LAN, and test again from Diagnostics > Ping.

If the monitor IP address drops ICMP echo requests that carry no payload, a manual ping may work while gateway monitoring does not. Set the monitoring data payload to 1 or higher.

If the gateway or monitor IP address does not respond to ICMP echo requests, enter a different monitor IP address to test.

If the monitor IP address is configured as a DNS server that is not on the same subnet as the WAN, the static route added for it may cause a conflict, and the echo requests to that gateway may not follow the expected path. Solution: set a non-conflicting monitor IP address on the gateway.

If an outbound NAT rule on WAN also matches traffic from the firewall itself, it may cause problems with that traffic, including the monitoring traffic, for example when the source address is rewritten to a CARP VIP. Solution: fix the outbound NAT rules.

If everything else fails, the line may indeed be offline even though the test method makes it appear to be working. Verify the interface and gateway settings, rerun the tests, and use traceroute to ensure that traffic is leaving by the expected path.

Ping IP address is good, but Web browsing failed

In this case, the most likely cause is DNS. If the firewall DNS settings do not match the DNS settings described in Interface and DNS configuration, clients may not be able to resolve names when a WAN is down. Solution: review the settings and fix any problems found.

One-stop multi-WAN

Cisco and other vendors refer to a VLAN router with a single physical connection as a "router on a stick", because it can be a fully functioning router with only one physical network connection. PfSense can be configured in this way, using VLANs and a managed switch capable of 802.1q trunking. Most deployments running more than five WANs use this approach to reduce the number of physical interfaces required on the firewall. In this deployment, the WAN interfaces reside on one physical interface of the firewall, and the LAN networks reside on other physical interfaces. The figure One-stop multi-WAN illustrates this type of deployment.

Figure: One-stop multi-WAN

Multi-WAN of IPv6

If the firewall is connected to multiple ISPs or tunnels with static addresses, IPv6 multi-WAN can be used.

Other

Gateway groups work in the same way as IPv4, but address families cannot be mixed within the group. The group must contain only IPv4 gateways or only IPv6 gateways.

In this section, "second WAN" refers to the second or other interface that has an IPv6 connection. It can be an actual interface with a native connection, or a tunnel interface when using a tunnel proxy.

Matters needing attention

In most cases, NAT will not be used with IPv6 because everything is routed. This is great for connectivity and for businesses that can obtain provider independent (PI) address space and BGP peering, but it does not help small businesses and home users.

Network prefix translation (NPt) allows a LAN subnet to have full connectivity through its native WAN, while connections can also be translated on an additional WAN so that they appear to originate from that WAN's routed subnet. Although the LAN subnet is not truly reachable through the alternate path, this is better than no connectivity if the primary WAN is down.

Warning

This does not apply to dynamic IPv6 types where subnets are not static, such as DHCP6-PD.

Request

To set up multi-WAN for IPv6, the firewall must have:

IPv6 connectivity with static addresses on two or more WANs

Gateways added for both IPv6 WANs under System > Routing, with connectivity confirmed on each

A routed /64 subnet obtained from the provider

A static /64 in use on the LAN

Set up

The IPv6 multi-WAN setting is very close to the IPv4 setting. The main difference is that it uses NPt instead of NAT.

First, on the System > Routing, Gateway Groups tab, add a gateway group for the IPv6 gateways and set the tiers as needed. This is the same as for IPv4.

Navigate to System > General to set up an IPv6 DNS server for each IPv6 WAN, which is also the same as IPv4.

Add an NPt entry on the Firewall > NAT, NPt tab with the following settings:

Interface: The second WAN (or the tunnel interface when using a tunnel broker)

Internal IPv6 Prefix: The LAN IPv6 subnet

Destination IPv6 Prefix: The IPv6 subnet routed to the second WAN

Note: this is not the /64 of the second WAN interface itself; it is the /64 that the upstream provider routes to the firewall on that WAN.

This is similar to IPv4 1:1 NAT, but for the entire subnet. When traffic leaves via the second WAN, if it comes from the LAN subnet, it is translated to the equivalent address in the other subnet.

For example, if the firewall has 2001:xxx:yyy::/64 on the LAN and 2001:aaa:bbb::/64 routed to the second WAN, then traffic from 2001:xxx:yyy::5 leaving via the second WAN appears as 2001:aaa:bbb::5.
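The prefix rewrite described above, as an added Python example that is not from the pfSense book: the prefix is swapped 1:1 and the host part is kept, in both directions. The two documentation prefixes are constructed stand-ins for the LAN subnet and the subnet routed to the second WAN.

```python
# Added example, not pfSense code: NPt as the text describes it, a 1:1
# prefix rewrite that preserves the host bits of the address.
import ipaddress

INTERNAL = ipaddress.ip_network("2001:db8:1::/64")  # constructed LAN prefix
EXTERNAL = ipaddress.ip_network("2001:db8:2::/64")  # constructed prefix routed to the second WAN


def npt(addr: str, src_prefix=INTERNAL, dst_prefix=EXTERNAL) -> str:
    """Rewrite addr from src_prefix to dst_prefix, keeping the host part.
    Works for any equal prefix length, not only /64."""
    ip = ipaddress.IPv6Address(addr)
    if src_prefix.prefixlen != dst_prefix.prefixlen:
        raise ValueError("NPt requires prefixes of equal length")
    if ip not in src_prefix:
        # Only traffic from the internal prefix is translated; anything else
        # (for example an address on a different LAN) is left alone by the rule.
        raise ValueError(f"{ip} is not inside {src_prefix}")
    host_bits = 128 - src_prefix.prefixlen
    host_part = int(ip) & ((1 << host_bits) - 1)
    return str(ipaddress.IPv6Address(int(dst_prefix.network_address) | host_part))


def npt_outbound(addr: str) -> str:
    """LAN address -> address seen on the second WAN."""
    return npt(addr, INTERNAL, EXTERNAL)


def npt_inbound(addr: str) -> str:
    """Reply to the translated address -> original LAN address."""
    return npt(addr, EXTERNAL, INTERNAL)
```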

As with IPv4, the gateway group must be used in the LAN firewall rules. Edit the LAN rules for IPv6 traffic and set them to use the gateway group, making sure that rules for directly connected subnets and VPN networks, with no gateway set, sit above them so that this traffic is not policy routed.
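The rule-ordering point made here and under Verify firewall rule configuration, as an added Python example that is not from the pfSense book: a minimal first-match evaluator shows the policy rule never being reached when it sits below the default LAN rule, and a no-gateway rule for a local subnet taking precedence over the gateway-group rule. Rule names, networks and gateway names are constructed.

```python
# Added example, not pfSense code: a minimal first-match rule evaluator.
# pfSense evaluates an interface's rules top-down and stops at the first
# match; the rule names, networks and gateways below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    src: str                       # CIDR or "any"
    dst: str                       # CIDR or "any"
    gateway: Optional[str] = None  # None = follow the firewall's routing table


def _in(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def first_match(rules, src_ip, dst_ip):
    """Return the first rule matching src/dst, or None (implicit deny)."""
    for r in rules:
        if _in(r.src, src_ip) and _in(r.dst, dst_ip):
            return r
    return None


def egress_for(rules, src_ip, dst_ip) -> str:
    """Which gateway (or the routing table) the traffic would use."""
    r = first_match(rules, src_ip, dst_ip)
    if r is None:
        return "blocked"
    return r.gateway or "routing table"


LAN = "192.168.1.0/24"                                        # constructed
DEFAULT_LAN = Rule("Default allow LAN to any", LAN, "any")    # no gateway set
POLICY = Rule("LAN to any via LoadBalance", LAN, "any", "LoadBalance")
# The mistake from the troubleshooting section: the policy rule is placed
# below the default LAN rule, so the default rule always wins.
WRONG_ORDER = [DEFAULT_LAN, POLICY]
RIGHT_ORDER = [POLICY, DEFAULT_LAN]

# IPv6 variant: a rule for a directly connected or VPN subnet with no gateway
# set must sit above the gateway-group rule so local traffic is not policy
# routed out a WAN. Prefixes are constructed documentation addresses.
LAN6, VPN6 = "2001:db8:1::/64", "2001:db8:ff::/64"
IPV6_RULES = [
    Rule("LAN6 to VPN6 (no gateway)", LAN6, VPN6),
    Rule("LAN6 to any via GW6Group", LAN6, "any", "GW6Group"),
]
```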

Alternative scheme

Some users prefer to configure the LAN with a "private" LAN subnet in the fc00::/7 space and set up NPt for both IPv6 WANs.

Multilink PPPoE (MLPPP)

Multilink PPPoE (MLPPP) is a unique WAN option that bonds multiple PPPoE lines from the same ISP together to form a larger virtual line. This means that the firewall can obtain the true combined bandwidth of all the lines in the bundle. For example, if a firewall has three 5 Mbit/s DSL lines in a bundle, a single connection may reach 15 Mbit/s.

Request

The biggest obstacle to MLPPP is that the ISP must support it on the lines connected to the firewall. Few ISPs are willing to support MLPPP, but where it is available it is worth taking advantage of.

Set up

The setup of MLPPP is very simple:

Navigate to the Interfaces > Assign, PPPs tab

Click Edit entry on PPPoE WAN

Hold down the Ctrl key and click to select the other physical interfaces that belong to the same MLPPP bundle

Click Save

PfSense will then try to bind the line using MLPPP.

Matters needing attention

One disadvantage of using MLPPP is that troubleshooting is much more difficult. Statistics and status are not available for each individual line. To determine the status, read the PPP log, because there is no separate way to query the lines. In some cases it is obvious when a line is down, because the modem shows a significant problem (such as losing sync) or the maximum available bandwidth drops.

Translated from pfsense book

2017-9-27
