
Multi WAN / Load Balancing - PFSenseDocs http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing


Multi WAN / Load Balancing


From PFSenseDocs

Contents
1 Caveats
2 Overview
3 Intro
4 Installation
5 Setting up your modems / routers
6 Finishing installation
7 Basic pfSense settings
8 Interfacing with modems / routers
9 Setting up load balancing and failover
9.1 Selecting a Monitor IP address
9.2 Setting up the pools
9.3 Set up useful aliases
9.4 Set up the basic firewall rules for outgoing access
9.5 Setting up DNS for Load Balancing
10 Port Forwarding and Applications
10.1 example port Forwarding follows
10.2 Supporting bittorrents
10.2.1 Summary of setup
10.2.2 bittorrent setup
10.2.3 Setup outgoing rule
10.2.4 Setup port forwarding on your modem / router
10.2.5 Setup port forwarding on pfSense
10.2.6 Turn on logging on the auto setup rule
10.2.7 Testing your configuration
10.2.8 turn off logging

Caveats

1 of 18 12/30/2009 3:44 PM

This page describes the setup using pfSense 1.1, updated to January 2007 (or later).
Important: if you are using pfSense 1.2 then use the updated documentation: MultiWanVersion1.2
For your own good, you may want to ignore most of the tutorials available, as they are either completely
confusing, or highly contradictory. The following is an attempt to very simply get you started.
Note that currently most pfSense add-on packages do NOT support multi WAN and all their traffic will use
the WAN connection.

Overview
This setup enables pfSense to load balance traffic from your LAN to multiple internet connections (WANs).
Traffic from the LAN is shared out on a round robin basis across the available WANs. pfSense monitors each
WAN connection, using an IP address you provide, and if the monitor fails, a failover configuration is used; this
typically just feeds all traffic down the other connection(s). This example sets up 2 WANs, but 3 or more can be
used.

Intro
You will probably find you have three types of traffic you need to allow for:

1. Traffic that can be load balanced with no problems (e.g. general web browsing)
2. Traffic where one connection is preferred, but it's alright to failover to the other if the first one fails (e.g.
some bank websites, games like counterstrike, other apps - like Microsoft's new web conferencing)
3. Traffic that has to go to one specific connection; if the connection is down, it will just have to wait (e.g.
SMTP mail to your ISP, which typically has to come from inside their own network)

Installation
This is a quick / simple installation guide; you can find more detailed instructions in the full Installing_pfSense
part of the Wiki.

First, install a video card, a keyboard, a CD-ROM drive, an IDE hard disk drive, 128MB of RAM or more and
at least three network interfaces in your target machine. Do not install any unnecessary hardware like a modem
because pfSense cannot use it.

The hardware setup for the installation tested was Pentium Pro 200, 128MB EDO ram, Floppy 1.4MB, Trident
VGA, 4 Realtek 8139D PCI cards, ATAPI CD_ROM 24X, 2 IDE 1GB drives. As you can see it was quite an old
system but it all still worked quite well. Pfsense was also installed on a DELL Dimension 4100 800MHz without
any problems.

Next, download the current Snapshot ISO from http://snapshots.pfsense.com/FreeBSD6/RELENG_1_2/iso/pfSense.iso.gz

Once the download is complete uncompress the file and burn the CD.

Set up your BIOS to boot from the CD and then insert the CD into the drive. Reboot the machine and watch the
FreeBSD 6.2 operating system boot up your machine. Do not worry if you cannot catch everything that is
scrolling by because you can see all of it when the boot is complete by pressing the Scroll LOCK on your
keyboard and using the Page UP/DN keys. The boot process should stop and ask you to configure the network
interfaces. If you make it that far, the rest of the installation will most likely be successful.

Answer no to the first prompt asking to setup Virtual Interface/Lan by typing n.


Now it will ask you to select the LAN interface. This is the interface that you will attach to an Ethernet switch if
more than one computer will be accessing the pfsense to get to the internet. To select this interface use the
automatic procedure by disconnecting all interface cables from all the network interfaces of the pfsense. Follow
the instructions on the screen and then attach the computer via an Ethernet cable to the LAN port. Mark this
interface as the LAN interface.

Next it will ask you to select the WAN port. In a Dual Wan configuration the Wan port is the primary wan. If you
have not set up your DSL/CABLE modem/routers yet select an interface by specifying the name of the interface
as shown on the display. This interface can be changed later on.

Then select the OPT1 port specifying the name of the next interface as shown on the display. The OPT1 port will
become your secondary Wan port. Even if you have more interfaces to configure press enter at the next interface
request to end the configuration.

Pfsense will start to load and configure itself. With a little luck, you will pass the point where pfsense configures
the WAN interface. This is where the interrupts are tested and if your hardware is set up properly, or if you have a
newer computer, it will breeze through and arrive at the Pfsense Console Setup page. Here you will install pfsense
to your hard disk by entering 99. If you do not make it to this page you have a hardware compatibility problem
with the FreeBSD operating system.

Installation is pretty painless: tell it to format and make a new partition if you want everything cleaned off, and
once complete you'll see FreeBSD loading. The loading will take some time. This time can be used to determine
how you will connect the pfsense wan ports to the internet.

Setting up your modems / routers


If you have CABLE/DSL modems that are bridge routers you can use them in bridge or router mode. The client
ID (PPPoE) is installed on the modem/router and the modem/router maps the Public IP it receives to a Private IP
on the modem/router LAN interface. How to do this is specific to each modem/router.

WAN (Wan1) modem/router LAN IP (192.168.0.254)

LAN Gateway (192.168.0.254)

DNS relay (192.168.0.254)

DHCP Server (192.168.0.2 -> 192.168.0.253)

OPT1 (Wan2) modem/router LAN IP (192.168.2.254)

LAN Gateway (192.168.2.254)

DNS relay (192.168.2.254)

DHCP Server (192.168.2.2 -> 192.168.2.253)

Once you have set up the modem/routers test their connectivity by accessing the internet and obtaining the Public
IP either by the modem/router web interface or using http://whatismyip.org

Finishing installation


The software installation to the hard disk should be complete by now so attach the modem/routers to the WAN
and OPT port and a computer running Internet Explorer or Firefox on the LAN port that you marked previously.
It does not matter if you do not have the modem/router in the right ports because you can tell which one is in
which port by looking at the DHCP address received by the pfsense WAN and OPT1 interfaces.

Reboot the pfsense by a three key reset. Once FreeBSD loads, it will tell you as it does so if there were any
errors. Once the reboot is complete make sure that your attached computer has a valid IP address in the
192.168.1.x subnet. If it does not, force a repair on the LAN connection of your computer.

Time to start the pfsense WebConfigurator, the GUI, which lets you do many things besides setting up pfsense!
Enter http://192.168.1.1/ into your web browser.

Basic pfSense settings


You will be prompted to login. Use Admin as user name, and pfsense as your password. The Setup Wizard will
start and guide you through the initial configuration of pfSense. Set the italicized parameters as below and leave
the others as they are set.

On this screen you will set the General pfSense parameters.

Hostname:pfsense

Domain:private.lan

Primary DNS Server:

Secondary DNS Server:

Please enter the time, date and time zone.

Time server dns name:pool.ntp.org

Timezone:Etc/UTC

On this screen we will configure the Wide Area Network information.

Type:DHCP

Hostname:pfWan1

FTP Helper:checked

Block private networks:unchecked

On this screen we will configure the Local Area Network information.

LAN IP Address:192.168.1.1


Subnet Mask:24

On this screen we will set the Admin password which is used to access the WebGUI and SSH services.

Admin Password:admin

Admin Password AGAIN:????????

Click 'Reload' to reload pfSense with new changes. If you changed the password, pfSense will ask you to log
in again.

You need to make sure that DNS queries are being handled by the modem/routers. This is handled by Services:
DNS forwarder page. Check the appropriate boxes.


Alright, if you've gotten this far, you can probably already surf the internet. If so, this is an excellent sign. If not,
you may find that you experience trouble that is NOT pfsense based. Make sure your cables are good, and your
internet is working on both incoming internet connections.

Interfacing with modems / routers


Before continuing to configure the pfsense Web GUI make sure that the modem/routers are on the correct
network interfaces. The interfaces are shown on the boot up display attached to the pfsense. Make sure that your
primary Wan1 modem/router (192.168.0.x) is attached to WAN and that your secondary Wan2 modem/router
(192.168.2.x) is attached to OPT1. If they are not, you can correct them by selecting the right interface using the
drop down boxes under

Interfaces:Assign

LAN rl0 (00:xx:xx:xx:xx:bc)

WAN rl1 (00:xx:xx:xx:xx:a1)

OPT1wan2 rl2 (00:xx:xx:xx:xx:96)

Once the pfsense interface selection is complete the MAC (00:xx:xx:xx:xx:a1) address of WAN interface rl1
needs to be made static to 192.168.0.2 in the Wan1 modem/router’s DHCP server. The Wan1 modem/router’s
web interface should be accessible through the pfsense at 192.168.0.254. In addition set the port addresses of the
Wan1 modem/router interfaces to HTTP:8080 FTP:8021 TelNet:8023.

The MAC (00:xx:xx:xx:xx:96) address of OPT1 interface rl2 also needs to be made static to 192.168.2.2 in the
Wan2 modem/router’s DHCP server. The Wan2 modem/router’s web interface should be accessible through the
pfsense at 192.168.2.254. In addition set the port addresses of the Wan2 modem/router interfaces to HTTP:8080
FTP:8021 TelNet:8023.

A reboot of both modem/routers and the pfsense is required after these changes.

The new URLs are http://192.168.0.254:8080/ for the Wan1 and http://192.168.2.254:8080/ for the Wan2
modem/router.

Now finish setting up the pfsense interfaces as follows

Interfaces: LAN IP configuration

Bridge with:none

IP address:192.168.1.1/24

FTP Helper:checked

Interfaces: Optional 1 (OPT1wan2)

Enable Optional 1 interface:checked

Description:OPT1wan2


Type:DHCP

FTP Helper:checked

Hostname:pfWan2

Setting up load balancing and failover


It is time to set up Outgoing Load Balancing and Failover. You will not have any pools yet, so you will
create 3 pools:

Wan1BalanceWan2 - used to share out all access on a round robin basis as long as both connections are available
Wan1FailoverWan2 - used when Wan1 is down - all traffic will use Wan2
Wan2FailoverWan1 - used when Wan2 is down - all traffic will use Wan1

Selecting a Monitor IP address

pfSense monitors each WAN connection by pinging the monitor address you specify. If the ping fails, the link is
marked down and the appropriate failover configuration is used (actually if the ping fails it retries a few times to
be sure; this avoids false indications of the connection going down).

[Figure: how the various pools and gateways are related, and how they can be used]

Note that pfSense automatically sets up to route traffic to your monitor IP only down the link it is monitoring, so
don't use a popular web site as this will force all its traffic down 1 link. Better to use a router or server in your
ISP's network.

Good addresses to use are the default gateway your modem has assigned (if it responds to ping!), your ISP's DNS
server, webmail server, or a router within your ISP's network - you can find one of these by using traceroute to a
public service, be careful though, larger ISPs will have networks that dynamically adapt so a router you see now
may not be there an hour later!
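
The monitoring and pool behaviour described above, modelled as an added example (not pfSense's own code). It shows that a single lost ping does not take a link down, how the balance and failover pools resolve once WAN is marked down, and that traffic pinned to one link gets no gateway rather than leaving via the other ISP. The retry count of 3 and all class and function names are assumptions; pool names and gateway addresses are the page's.

```python
# Added illustration, not pfSense source code. RETRIES and the class and
# function names are assumptions; pool names and gateway IPs are from the page.
RETRIES = 3  # assumed number of consecutive lost pings before "down"

GATEWAYS = {"WAN": "192.168.0.254", "OPT1wan2": "192.168.2.254"}

# (behaviour, members in the order they were added to the pool)
POOLS = {
    "Wan1BalanceWan2": ("balance", ["WAN", "OPT1wan2"]),
    "Wan1FailoverWan2": ("failover", ["WAN", "OPT1wan2"]),
    "Wan2FailoverWan1": ("failover", ["OPT1wan2", "WAN"]),
}


class LinkMonitor:
    """State of one WAN link, driven by ping results for its monitor IP."""

    def __init__(self, retries=RETRIES):
        self.retries = retries
        self.failures = 0

    def record(self, ping_ok):
        # One lost ping must not flip the link; only a run of failures does.
        self.failures = 0 if ping_ok else self.failures + 1
        return self.up

    @property
    def up(self):
        return self.failures < self.retries


class Router:
    def __init__(self):
        self.monitors = {name: LinkMonitor() for name in GATEWAYS}
        self._cursor = 0  # round-robin position for balanced pools

    def pick(self, pool_name):
        """Interface for a new connection, or None when every member is down."""
        behaviour, members = POOLS[pool_name]
        alive = [m for m in members if self.monitors[m].up]
        if not alive:
            return None
        if behaviour == "failover":
            return alive[0]  # first member in pool order that is still up
        choice = alive[self._cursor % len(alive)]
        self._cursor += 1
        return choice

    def pick_pinned(self, interface):
        """Traffic type 3 (e.g. SMTP to the ISP): one link, no fallback."""
        return interface if self.monitors[interface].up else None


def demo():
    r = Router()
    balanced = [r.pick("Wan1BalanceWan2") for _ in range(4)]
    r.monitors["WAN"].record(False)            # single lost ping
    still_up = r.monitors["WAN"].up
    r.monitors["WAN"].record(False)
    r.monitors["WAN"].record(False)            # third failure in a row
    degraded = [r.pick("Wan1BalanceWan2") for _ in range(2)]
    return (balanced, still_up, degraded,
            r.pick("Wan1FailoverWan2"), r.pick_pinned("WAN"))


if __name__ == "__main__":
    print(demo())
```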

Setting up the pools

Select Services:Load Balancer. You can create the pools by clicking the button then filling out the Edit Pool
page with the following

Load Balancer:Pool:Edit

Name:Wan1BalanceWan2

Behavior:Load Balancing

Monitor IP:WAN’s Gateway

Interface Name:WAN

click add to pool

Monitor IP:OPT1wan2’s Gateway


Interface Name:OPT1wan2

click add to pool

Save

Create new pool

Name:Wan1FailoverWan2

Behavior:Failover

Monitor IP:WAN’s Gateway

Interface Name:WAN

click add to pool

Monitor IP:OPT1wan2’s Gateway

Interface Name:OPT1wan2

click add to pool

Save

Create new pool

Name:Wan2FailoverWan1

Behavior:Failover

Monitor IP:OPT1wan2’s Gateway

Interface Name:OPT1wan2

click add to pool

Monitor IP:WAN’s Gateway

Interface Name:WAN

click add to pool

Save

You have successfully created 3 Gateways.

The results should look as follows


Set up useful aliases

These pools can be used as gateways in the Outgoing Firewall Rules. To make it easier, define at least 4 aliases
under Firewall:Aliases.

Name      Type   Value(s)                      Description
HTTPsAll  Ports  22, 443, 444, 3389, 8443      Secure Protocols
SS6520s   IPs    192.168.0.254, 192.168.2.254  Internet Routers
SS6520a1  IP     192.168.0.254                 Speedstream 6520 ADSL2 Wan1 Router
SS6520a2  IP     192.168.2.254                 Speedstream 6520 ADSL2 Wan2 Router


Set up the basic firewall rules for outgoing access

Add the following to Firewall:Rules on the LAN tab by clicking

Using this page to set the rules Firewall: Rules: Edit


Create the 5 Rules defined below

Once all of the active rules have been added and Applied the Dual Wan setup is complete!

Setting up DNS for Load Balancing

Make sure that you have a DNS server from each ISP in the General Settings. This will ensure that you have DNS
service in case one ISP goes down. You will also need to setup Static Routes for each DNS server. In this example
if the DNS is on the WAN link then the static route for that DNS server will have 192.168.0.254 as the gateway.
If the DNS server is on the other ISP (i.e. OPT1) then the static route will have 192.168.2.254 as the gateway.


Port Forwarding and Applications


If you need to support servers on the LAN use the NAT port Forward tab to open the ports you require for both
the WAN and OPT1wan2 interfaces. NAT port forwarding automatically creates Firewall rules for those ports.

example port Forwarding follows


Supporting bittorrents

bittorrent traffic is best coped with by restricting it to only 1 WAN connection. This description locks
bittorrent to one WAN connection. With a bit more setup it would be possible to make this fail over, but when it
failed over I'm not sure how long the bittorrent application would take to sort out both itself and the peers it was
connected to, so it may not be worth it anyway!

If you want to understand more about port usage and other things then use Brian's FAQ here...[1]
(http://btfaq.com/serve/cache/25.html)

Summary of setup

bittorrent uses both outgoing and incoming connections, so a number of things need to happen:

1. make sure that your bittorrent application is configured to use only a single port (does not change each time
you run bittorrent).
2. set up a rule on LAN to make sure that outgoing connections from the machine running bittorrent always
go the same way.
3. set up port forwarding on the modem router on the appropriate WAN connection to forward to pfSense.
4. set up port forwarding in pfSense to forward to the machine running bittorrent.
5. turn on logging on the auto setup rule on WAN or WAN2 to allow traffic to the bittorrent machine.
6. test your config using the bittorrent application's port forward checker.
7. turn off logging on your new rules.
8. sit back and watch the data flow.

bittorrent setup

This varies depending on the bittorrent application you use. I use uTorrent.

You can use a randomly generated port on first set up, but don't change the port on
each run (unless you want to change pfSense and your modem every time as well!).

You don't need to use UPnP port mapping, and you only check the firewall exceptions box if you are using
Windows Firewall.

[Figure: connection settings in uTorrent]

Setup outgoing rule

This LAN rule makes sure that the connection to the tracker goes down the right pipe. Change the address
192.168.1.250 to the LAN address of your bittorrent machine.

Turn on logging when you first put the rule in, and once you know it is all working you can turn it off.

Note that I have logged uTorrent and it also outward connects to torrent peers using source ports from around
2000 upwards (each new connection increments the port number). For this reason I think the best answer is to set
up for all traffic from the bittorrent machine to be mapped to the one connection, rather than specific ports.
Maybe someone who knows can refine this.


Setup port forwarding on your modem / router

If your modem / router is NATing, then you need to set it up to forward the port set up in step 1 to pfSense - 25017
in this example. You'll need to look in your modem / router documentation for this, or consult Brian's FAQ as
linked at the top of this section.

Alternatively your router may allow you to forward everything to pfSense - my Linksys ADSL modem has this
facility, which makes life easy.

Setup port forwarding on pfSense

Now set up a matching port forward on the WAN interface to forward the port to your bittorrent machine.

Make sure you leave the box Auto add a firewall rule... at the bottom of the page checked.

Turn on logging on the auto setup rule

Now go into Firewall - Rules and select the tab for the interface you are using; there should be a new rule to handle
the traffic for the port forward you just set up. Turn on logging on this rule and apply the changes.

Testing your configuration

Now it's time to see if it all works. Run up your torrent client and if it has a port forward. In uTorrent, there is a
button on the form Options - Speed Guide called Test if port is forwarded properly. This launches a web
browser that will report if the port is properly configured.

Now start up a torrent, and after a few seconds go and check the Status - system logs and select the firewall tab.

You should see traffic to port 6969 from your bittorrent machine as it connects to the tracker.

Then you should see outgoing connections from your machine to many different addresses and ports as your
torrent client contacts peers.

Then you should start to see incoming connections (WAN / WAN2 interface) from some of those peers to your
machine. These should all be using the port you are configured to use in step 1.

Your torrent client should by now show lots of activity, with multiple peers connected and plenty of incoming
traffic. After a few minutes outgoing traffic should start to grow.
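
The log check described in this section, as an added example that is not part of the original page. It classifies firewall log entries for the bittorrent machine and lists any inbound entry that reaches it on an interface or port other than the configured forward. The log layout, the sample lines and the function name are constructed for illustration; 192.168.1.250, 25017 and 6969 are the page's example values.

```python
import re

BT_HOST = "192.168.1.250"  # LAN address of the bittorrent machine (page's example)
BT_PORT = 25017            # forwarded port used in the page's example
TRACKER_PORT = 6969        # tracker port the page says to look for
FORWARD_IF = "WAN"         # interface that carries the port forward

# Constructed sample in a simplified "time iface src:port dst:port proto"
# layout. This is not pfSense's raw log format; the public addresses are
# taken from documentation ranges.
SAMPLE_LOG = """\
15:01:02 LAN 192.168.1.250:2001 198.51.100.7:6969 TCP
15:01:03 LAN 192.168.1.250:2002 203.0.113.20:51413 TCP
15:01:03 LAN 192.168.1.250:2003 203.0.113.45:6881 TCP
15:01:09 WAN 203.0.113.20:40112 192.168.1.250:25017 TCP
15:01:11 WAN 203.0.113.45:51000 192.168.1.250:25017 TCP
15:01:15 OPT1wan2 203.0.113.99:33000 192.168.1.250:25017 TCP
15:01:18 WAN 203.0.113.77:40500 192.168.1.250:3389 TCP
"""

LINE = re.compile(r"^(\S+) (\S+) ([\d.]+):(\d+) ([\d.]+):(\d+) (\S+)$")


def check_log(text):
    """Summarise the log the way the test procedure reads it by eye."""
    report = {"tracker_seen": False, "outbound_peers": 0,
              "inbound_ok": 0, "unexpected": []}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the simplified layout
        _, iface, src, _sport, dst, dport, _proto = m.groups()
        dport = int(dport)
        if iface == "LAN" and src == BT_HOST:
            if dport == TRACKER_PORT:
                report["tracker_seen"] = True
            else:
                report["outbound_peers"] += 1
        elif dst == BT_HOST:
            if iface == FORWARD_IF and dport == BT_PORT:
                report["inbound_ok"] += 1
            else:
                # Wrong interface or wrong port: a forward that should not exist.
                report["unexpected"].append((iface, dport))
    return report


if __name__ == "__main__":
    print(check_log(SAMPLE_LOG))
```

A non-empty `unexpected` list means something other than the intended forward is reaching the machine and the NAT rules on that interface need reviewing before logging is turned off.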

turn off logging

Assuming all is well, turn off all the logging that you set up before you sit back and enjoy the data flow.


This page was last modified on 19 November 2009, at 22:52. This page has been accessed 72,787 times.
