How to use Multiple WAN on pfsense for Fail over and or Load Balancing

Captions
Tom here from Lawrence Systems, and we're going to talk about gateway groups and load balancing in pfSense. Now, the first question I want to get out of the way, because this question comes up quite a bit, is most commonly asked: if you have more than one service provider for your network connection, can't you load balance your way to a mega connection, the cumulative rate of all those connections combined? And that's not exactly how that works. I have a video linked down below about SD-WAN where I kind of explained, yes, you can bond them together, but when you bond them together you only get the connection speed that's available to a single host in a single, let's say, TCP stream. It doesn't automatically bond all the connections together to give you the cumulative rate.

Now, we are going to talk about load balancing, because when you have many hosts, and that's often why this is done, it will balance the connections across multiple connections, but it does not automatically just give you, let's say when you're doing a download or a speed test, the rate, depending on how many streams that speed test is actually testing or those connections allow. So something, for example, requires a single TCP stream, it's only going to go as fast through a single provider. That's where that SD-WAN comes in, because bonding different providers together, well, that's something that can be done, it's just a little bit more complicated than just setting up a load balance. But today we're going to focus on the load balance, the gateway groups, how to set them up. And I did another video on policy routing; we're going to be covering how you set the policy routing to make that work. It's very similar to policy routing, but we're actually going to policy route not just off of a gateway but off of the group that we build for either the load balance or the failover. And yes, you can have many of them, or multiple of them, in there.

Now, before we get started in this video, let's take a sponsor first. Are you an individual or company
looking for support on a network engineering, storage or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system security or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consult on your project, we also offer fully managed or co-managed IT services plans for businesses in need of IT administration or IT teams in need of additional support. With our expert install team we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in hiring us but you're looking for other ways you want to support this channel, there's affiliate links down below to get your deals and discounts on products and services we talk about on this channel. And now back to our content.

Let's do a quick overview of how this lab is set up. This is a basic Ubuntu system I have set up at 192.168.40.151 that is behind the pfSense. It has the option of going out WAN 2 or WAN, and these are the addresses set to WAN 2 and the other WAN. Then it goes to our simulated internet, which then lands on 172.16.69.152. I'm using a tool called iperf3 so we can create a connection from here and figure out which way it's going to route, or we're going to actually balance the routes between them, and then land over to this IP address. Now, by doing this and switching, and we'll simulate a failover, you'll see how the switching occurs and how the bandwidth management works for there, because we're going to do it first with a single stream and then we're going to start splitting the streams to kind of get an idea of how that load balance part works.

All right, so we're over in our pfSense. We can see 192.168.3.217 here and 192.168.4.5; those are the two different WANs that are set up. We go to System and Routing, and we can see that the WAN
DHCP, which is just the regular WAN, is set to the default gateway. So if we do a quick test with the default gateway set, and we're just going to switch over here and just do an iperf test, so now we're sending some traffic, about 200 megs a second, and you can see that traffic going over WAN, not WAN 2. WAN 2 is only in the kilobits; this one's going about 26 megabits here, so you can see it matches the amount that's going out the LAN. If we go over here, System, Routing, and we were to switch it to be WAN 2 gateway, hit apply, jump back over here, do this up arrow, it's going to run that same test again, and now we see the traffic going out WAN 2. Pretty simple to get these connections going out either one of them and switch your default gateway.

Let's go ahead, though, and go back over to Routing and build a balance group. So we're going to call this one balance. Tier one, tier one: when you want them balanced, you choose them both to be the same tier. This will create a balance group between these two different interfaces, or if you had more interfaces the same rules apply. And then as far as member down, packet loss or high latency, these are some options you can choose when you want to remove that member from the list, so it will work also as a failover even with them at the same tier. It's just going to split the connections between these two services. So we'll leave it, the trigger level, we'll go ahead and do packet loss or high latency, because I usually want to drop out once there's too much packet loss on one of these. You can also adjust these latency and packet thresholds; I have another video linked about how to do gateway monitoring in pfSense where I dive more into detail. Now we'll call this our balanced connection, save, apply.

Now you're probably thinking that should do the trick and then we should have balance, but actually there's another step you need to do. So this did set up the balance, but what it didn't do was automatically create a rule for it, so right now it's still just going to
go out whatever the default gateway is. So we're going to go over here to Firewall, Rules, then we're going to go to LAN. We need to edit this rule. Now, this is the same as my policy routing video that I was discussing the other day, I'll link that one down below, but we're going to go down here and we want to choose the balanced option for the gateway. So the gateway, balanced, hit save and apply. So now we can look at this rule: this is the allow-all rule, balanced. Now, you can choose each individual network you have, or different rules based on policy routing that you want balanced. Maybe you don't want everything balanced, maybe you want certain things balanced; you could have different rules based on different sources, different networks. So that is, the policy works the same way for creating it and applying it then to a load balance group.

So let's go ahead and run the test again. So go to the screen here, kick off this iperf test again. We can see the same speed, because as I said it's not going to give you more speed, but what you're going to notice is it's only sending it out WAN. This is the single-stream problem, because by default iperf only sends a single stream. So if we take the stream, though, and we're going to change it, and we'll use the option -P, and we'll break it out just into two streams, and now it's going to load balance, because with two streams now we've got two of them running simultaneously: half goes here and half goes here, so the cumulative of WAN and WAN 2 equals the total for LAN now, because now we created that balanced connection between these two devices. But as I said, if there's a single stream there's nothing it can do. It can't break that single stream to put it across two, because that's not how TCP/IP connections work.

Right, the next thing we're going to do is fail this connection, and the way I'm going to fail it is just disable it inside my lab. You'll actually see this go offline, packet loss, and we're going to run the connection again just to show you
how that works. It was still able to find the connection, but of course it's only going to go out, because it can't go out WAN 2, it's down, it's only going to go out the one WAN. So the load balance works perfectly fine for this: it will split them, and it will easily fail over when one of these goes down.

So let's go ahead and bring this one back up and create a different group. So we're going to System, Routing, Gateway Groups, and we'll just call it failover group, and we want the first WAN to be tier one. Well, let's make this one tier two and that one tier one. There we go. We want it to default to this. Same thing, member down, hit save, and this is going to be our failover one. I guess we could probably give it the description of failover group. Hit save, apply, and then we go back over here to Firewall, Rules, LAN, and we can create another rule, or we can edit this one and change this one from balanced to failover group. Hit save. So now this, instead of splitting, is going to be in a failover mode. So right now it's going to default to this one here; you can see the little globe to tell me that the 4.1 is the default gateway. So if we go over here, run test, it's on WAN right now, going out WAN 2. Now we're going to go ahead and drop WAN 2, put it offline. Offline, packet loss, which broke this connection, so we're just going to cancel it. I'm going to terminate it, because when you drop it, it's going to drop that connection. "Server busy, try again later": it's going to take a second to drop all those connections that we just broke, because it's thinking there's another test still coming in. All right, we can start the connection again here, and if we go over here, now it's going out WAN 1. That's all you have to do, pretty simple.

Now for the rules, you can create, as I said, different rules inside of here. So we did this one for failover. Maybe you want a rule where you have single hosts that you want, so certain sources, people, single hosts or an alias you want, like these ones, to work, and say for example
if the source is the IP address of the system we're doing, we want this one to be part of that load balance group, so we're going to go ahead and change the gateway to balanced on this one. Then other devices will be all on the failover. So anything over here is going to be balanced, anything on this one's going to be failover. You can see how you can kind of build your rules out on an as-needed basis for those. It's really that simple for setting the failover groups and gateway groups.

You do want to make sure of one thing, because this is my favorite way I learned to break pfSense setting up this demo. This one's set up for balance, this one's set up for failover, and I'm going to kind of call this a bug, because we can go here to our gateway groups and, if we want, we can delete a gateway group. If you delete a gateway group that is assigned, instead of getting an error you'll manage to lock yourself out of the pfSense. You can go to the command line and restore that last change you made that locked you out of the pfSense. This causes kind of an interesting condition. I didn't see if there's a bug report on this yet, but if not maybe I'll file one, because it should warn you that these groups are in use. Also of note, if you set them here to something other than automatic, such as the failover group, and hit save and apply, and then delete one of those gateway groups that are applied there, it will also lock you out of your pfSense. A couple quick things I learned during the demo.

Now a couple advanced topics I want to cover here. One of them is problems with load balancing, and this is on the pfSense documentation, and the sticky connection feature is intended to fix this potential problem. And that's that an expected site may require a host, let's say your phone is wanting to connect to some site, or a client behind your pfSense, your computer, is trying to connect to a site, and it expects not only the first connection but subsequent connections to all come from the same IP address, and in the
case of having two different ISPs with two different public IP addresses, if you balance the subsequent connections so they come differently, you could run into a little bit of a problem, and this is where they have the sticky connections for that. So let's show you where the sticky connections are. We go to System, Advanced, Miscellaneous and just check the box "Use sticky connections". No need to reboot your firewall if you do this, or change anything really; you just click save. But these sticky connections may solve it if you're having problems with this. This could actually cause a lot of drama that you may not even know about when you set up a load balance, because you don't necessarily know what doesn't work by having those connections come from two different sources until you have a lot of clients on a network. So that option is there if you need it.

And this is called unequal cost load balancing. pfSense software can achieve unequal cost load balancing by setting the appropriate weights on the gateway, as discussed under Advanced Gateway Settings. By setting a weight on a gateway, it will be used more often in a gateway group, and weights can be set from 1 to 30, allowing, and this is where you're going to set your splits to split up the loads. Note this is a distribution of strictly balancing number of connections; it does not take into consideration the interface throughput or existing load into account. So we're going to split the connections based on the quantity of them, not the bandwidth that they're using.

So let's go ahead and look at that real quick. Now, to do the unequal cost load balancing, these are where those settings are. We're going to edit the gateway, and we're just going to set this one at a weight of two. So this one has a weight of two, we're going to hit save. We're going to look at the other one; we're going to leave it at a weight of one, so that's the default. So we've got those both set, now make sure we apply the changes. Now this applies equally to both of these; it doesn't
really matter, though, unless you're using the balance, because they're both set to tier one, so then it will take that into account. So we're going to go and make sure we're using that particular rule, and we are: here's our default gateway rule, it's set to the balance, both of these gateways are active. So we go here, and now we're going to see how the connection loads between them. So we'll just split this to iperf -P 100 for a hundred connections, and it will now distribute those connections based on that weight. So because this one has a higher weight, this one's going to get most of the connections. So we got 18 going here and we got about eight going here to build the cumulative of our LAN. Now if we wanted to adjust that balance differently, go over here, back to our Routing, go here and set this to a weight of three, save, apply, back to here, and let's see how it distributes it now. Run that connection test again, and it brought this one down to about six, and that means this one goes up to about 22.
Get that connection going across there. Kind of gives you an idea how you can adjust those and tune those based on your requirements, if those are requirements. Generally you just load balance them and let it spread the connections out across there, and it generally works fine.

So hopefully this leaves you with a clearer understanding of how pfSense works in terms of load balancing. Do take the time to read through their documentation, I always recommend it. That's the source material I have for my videos here, in case anyone was wondering, that and lots of testing in labs to learn what you can break. That's always the fun thing and why I have a lab. Leave your comments and thoughts down below or head over to my forums for a more in-depth discussion. Thanks.

And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the Subscribe button and the bell icon. If you'd like to hire us for a project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally our forums: forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching and look forward to hearing from you.
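An added example, not part of the video or of pfSense's own code: a small Python model of the per-connection behaviour the captions describe (same-tier members are balanced by weight, a lower tier is used only when the preferred one is down, and a single stream never splits). The gateway names WAN/WAN2, the round-robin pool and the simplified sticky mapping are assumptions made for illustration.

```python
from collections import Counter

def active_pool(members):
    """Weighted pool for the best (lowest-numbered) tier that has a gateway up."""
    up = [m for m in members if m["up"]]
    if not up:
        return []
    best = min(m["tier"] for m in up)
    pool = []
    for m in up:
        if m["tier"] == best:
            pool.extend([m["name"]] * m["weight"])  # weights are 1..30 per the captions
    return pool

def distribute(sources, members, sticky=False):
    """Assign each new connection (one source IP per entry) to a gateway.

    Illustrative model: round-robin over the weighted pool, counting
    connections only, never bandwidth. With sticky=True a source keeps the
    gateway chosen for its first connection (simplified, no timeout).
    """
    pool = active_pool(members)
    counts, pinned, nxt = Counter(), {}, 0
    for src in sources:
        if not pool:
            counts["dropped"] += 1  # every member of the group is down
            continue
        if sticky and src in pinned:
            gw = pinned[src]
        else:
            gw = pool[nxt % len(pool)]
            nxt += 1
            pinned[src] = gw
        counts[gw] += 1
    return counts

def group(wan_tier, wan2_tier, wan_weight=1, wan2_weight=1, wan2_up=True):
    """Constructed two-member gateway group (hypothetical names WAN / WAN2)."""
    return [
        {"name": "WAN", "tier": wan_tier, "weight": wan_weight, "up": True},
        {"name": "WAN2", "tier": wan2_tier, "weight": wan2_weight, "up": wan2_up},
    ]

HOST = "192.168.40.151"  # the lab client address from the captions

if __name__ == "__main__":
    print(distribute([HOST], group(1, 1)))                       # one stream, one WAN
    print(distribute([HOST] * 100, group(1, 1, wan_weight=2)))   # 2:1 weights
    print(distribute([HOST] * 100, group(2, 1, wan2_up=False)))  # failover to tier 2
    print(distribute([HOST] * 100, group(1, 1), sticky=True))    # sticky source
```

The counts are connections, not megabits, which is why the per-WAN traffic seen in a real test only roughly follows the weight ratio.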
Info
Channel: Lawrence Systems
Views: 27,962
Keywords: LawrenceSystems, pfsense dual wan load balancing and failover, pfsense wan load balancing, pfsense load balancing 3 wan, pfsense failover dual wan, pfsense failover, pfsense failover wan, pfsense failover and load balancing, pfsense failover wan setup, pfsense failover router, pfsense failover gateway, pfsense failover not switching back
Id: acDvlzmsnaE
Length: 15min 59sec (959 seconds)
Published: Sat Dec 17 2022