OPNsense Firewall Multi-WAN Failover and Load Balancing (2024)

Video Statistics and Information

Captions
By the end of this video you'll be able to do WAN failover if you've got more than one internet connection using OPNsense. If you've got this far and you've obviously googled this video or it's been suggested to you on YouTube, then I'm assuming you already know what OPNsense is. If not, take a look at my other videos; I have done videos on how to install it, and as I say, I'm going to cover a lot more. So with that, let's get started.

Sheridan Computers, IT and communications support.

To give you a brief overview of what we're trying to achieve: we have our OPNsense firewall, and that basically has two WAN interfaces. So we've got our WAN1, which is on 10.1.50.102. Ignore the fact that all the IP addresses are private; it's just the way I've set it up for this demo, so I'm not revealing any public IP addresses or anything. So our WAN1 is on 10.1.50.102, and obviously the gateway is in line, so our ISP gateway is on 10.1.50.1. This 0.0.0.0 is just obviously where it'll pick a random IP address up. With that, we've also got our WAN2, and the IP address for that is 192.168.100.100, with the gateway for the ISP being 192.168.100.1, and again we've just got 0.0.0.0 because that'll be filled with whatever IP address is provided to us by our ISP.

So the goal of both of these is to get us to the internet, and what we're trying to achieve here is failover. By default we want our traffic to go through ISP1, and if for whatever reason ISP1 goes down and it's not available, then obviously we want all our traffic to go out of ISP2, with the goal that whichever ISP we're going through, we get to the internet and we get to example.com. So our example.com machine: don't try the things that I'm doing with example.com yourself. I've changed the IP address of example.com, so you can see that it resolves to 172.16.69.101, so that won't be reachable for you, and some of the tools that I use are not going to be available to you. So this is our internal system; that's why they're all on internal, non-routable addresses.

We've set this up on one VLAN, we've set this up on another, just so we can demo it. So our OPNsense firewall, the LAN side of it, is 10.1.1.20, and we have our host 1 here. Host 1 is our internal computer system, so you could have like five of these, ten of these, however many you want, but we're all going to have the gateway set to 10.1.1.20, which is our OPNsense. With that, I hope it gives you an idea of what we're trying to achieve. Basically we just want all traffic to go through here; if it fails, then we want all traffic to go through here instead. With that, let's switch over to OPNsense and take a look at that.

OK, let me just move this over here so you can see it properly. You can see we've got our LAN address here, 10.1.1.20, which is what we've got on our diagram. We've got our WAN1, which is 10.1.50.102, which is this one here, and then we've got our WAN2, which is 192.168.100.100, which is this here. So our gateways are just on whatever the subnet is, .1: so 10.1.50.1 and 192.168.100.1, and we can see those here. 192.168.100.1 marries up with that, and then 10.1.50.1 marries up with that. Just save this.

So the first thing that we're going to want to do is just to check our DNS and system settings are right. So what we're going to do is head over to System and then just scroll down to Settings and select that; we want General. Once we're in General system settings (I'm assuming at this stage you've got pfSense... OPNsense up and running), what we're going to do is set our DNS servers. So I'm going to change this to Google's primary DNS server, which is 8.8.8.8, and I'm going to tell that to use WAN1. Then I'm going to set another DNS server to 8.8.4.4 and set that to WAN2. So all traffic for 8.8.8.8 goes through WAN1, and 8.8.4.4, which is Google's secondary server, we want that to go out via WAN2. There's an option here to allow the DNS server to be overridden; that's down to you, to be honest, in your settings. But as I say, I'm assuming you've got your WAN interfaces working. Allow default gateway switching: since we've got two WAN interfaces, we're going to want to enable that. So we'll go ahead and just click Save on that.

Then, just to test that both your WAN interfaces are actually working: if we go into Interfaces, then we want Diagnostics, and then Ping. I'm going to do a couple of ping tests just to make sure that both of the WAN interfaces are working properly before we continue. So for the hostname or IP I'm going to ping 9.9.9.9, which is Quad9's DNS. Leave the address family at IP version 4. Now the source address I'm going to set to WAN1, which was 10.1.50.102. Then we'll just apply that, and that's worked, so WAN1's working. Now we're just going to test WAN2 by changing the source address to WAN2, which is 192.168.100.100. Apply that; so that's worked. We've pinged 9.9.9.9 from both of our WAN interface addresses, and they've come back with no problems. So it's a good idea to do that just to make sure you don't get any problems further down the line. I can remove these now.

With that, I'm going to head back up to System, Gateways and then Configuration. You can see this is where our gateways are defined. Now the only thing that I've done on this, because I've got two interfaces for the WAN, is I edited WAN1, which I'm using for my primary gateway. So click on the edit on this. Upstream Gateway, I have it ticked, as you can see here: "this will select the above as a default gateway candidate". So I've got that ticked for WAN1. By default, Disable Gateway Monitoring is on in OPNsense for some reason, so we need to untick that. Then for the monitor IP for WAN1 I'm going to set the same as how we set the DNS servers. So we set the DNS server for Google's primary to WAN1, which was 8.8.8.8, and then I'm going to save that. That'll update itself in a minute.

Then I'm going to go and edit WAN2. Again, untick Disable Gateway Monitoring, and this time we're going to set that to what we set the DNS servers to go out of WAN2, which is Google's secondary, so 8.8.4.4. I'll go ahead and save that and apply. I just press F5 to refresh the page, or you can obviously just click on refresh up here. So now we've got this right and we've got our gateway monitor set up. Like I said, make sure that you have the monitoring set up the same as what we set the DNS to. So on the System, Settings, General page we have Google's primary, 8.8.8.8, out of WAN1, which is the same as we've set monitoring up: 8.8.8.8 through WAN1. And then we had Google's primary, 8.8.4.4, going out over WAN2. So just make sure that you've got them set right. As you can see here, I've got 8.8.4.4 going out WAN2.

Right, so once you've got those set, again under System and Gateways, this time we want Group, just under Configuration. So we're going to go ahead and select that, and this is where we can define gateway groups. What we're going to do is set up a gateway group that's called "untrusted", and we'll add both WAN1 and WAN2, so basically WAN1 and WAN2 become a combined gateway. To do that, click on this Add over here, and then give it a group name. I'm going to call this "untrusted" because the WAN's untrusted. When it comes to setting gateway priority: now I'm going to do another video that covers load balancing with failover, but to give it away, it all boils down to gateway priority. So what we're going to do is set WAN1 to tier 1, which means that's preferred, and set WAN2 to tier 2. It means it'll try and use WAN1 to send traffic by default, and then if it can't, it'll go to WAN2. If you had, like, WAN3 and WAN4, then you'd set those to tier 3 and tier 4. Trigger level we're going to set to "Packet Loss or High Latency", so if we notice we get packet loss, then it'll automatically start changing the gateways.

As I say, I'm going to do another video on load balancing, but if that's what you're trying to achieve and you're watching this, then all you need to do basically is set this to tier 1 and... sorry, tier 2. Once that's set for failover, your trigger level is packet loss or high latency. Now, pool options: if we were using load balancing with them both set to tier 1, we'd select "Round Robin with Sticky Address". Now we're doing failover, so we've got tier 1, tier 2, so what we want is just "Round Robin". Round robin means that it'll try and, say, use this; if it's down, use this one. The sticky address is for use with load balancing. Basically, if you've got like two clients on your network, it'll send one out one gateway, one out the other, and it'll just stay like that, so that HTTPS doesn't break and things like that. Now I'll cover that in a separate video, like I say. For this we're just going to put the description, it's "failover", and then save that. So give it a group name; "untrusted" is good because both WAN interfaces are untrusted, or whichever one you want. If you want WAN2 as your primary and WAN1 as your failover, then you'd set them that way around; so lowest priority wins. So WAN1 tier 1, WAN2 tier 2. Save and apply. You can see now we've got our untrusted gateway, and both WAN1 and WAN2 are members of it.

Now with that, the next thing that we need to do is adjust the firewall rules. So just close that, head over to Firewall and head down to Rules. Then under our LAN rules the default rules appear, so by default anything from the LAN is allowed anywhere. Now we want to edit this default rule. This default allow-all is the rule that we want to edit, and we're going to click the edit button and then scroll down until you find Gateway. It's set to default, which, if you remember when we looked at WAN1, I stated that I'd set that as the default gateway, which is what's used for OPNsense itself, and we enabled gateway switching so if it goes down OPNsense can still access the internet. But now we want to change this to our untrusted gateway group. So what we're basically doing is telling... let me save that and I'll apply those changes. What we're basically doing is telling all LAN traffic to go through "untrusted", which is failover. Now you could add another firewall rule in here if you didn't want all your traffic to fail over. For example, if you only wanted your servers to fail over, then you can set another rule up with your servers as an alias and just have your servers fail over, if bandwidth was limited, for example, on your secondary WAN. Or you can have it as we're going to do here: just allow default, want everything to go through untrusted.

With that, let's head back to the dashboard. So I'm going to go up to Lobby, Dashboard, and drag this over. So this is our system, that's 101105; looking at our diagram, it's this host here. Let's... that's gone, come back. Our example.com, which is this host here: I have it open in this window and I've got iperf listening on it. So if I do iperf3 -c example.com, that's working, so obviously we can access it, and we can see that that came from 10.1.50.102, which is this address here; so that's the address of our WAN1. So what happens if this fails? Well, let's make sure it works. What I'm going to do... I'm using Proxmox here just to demonstrate the failover, so you don't need to worry about this. WAN1 is on this one, so if I edit that and I disconnect it and click OK and switch back, we can see WAN1 is now offline, and we can see the loss, so at 10% the status has switched to packet loss; now it's offline. So even though it's offline, if I pull this back up, just clear the screen on that, and do that again, you can see that that's now coming from 192.168.100.100. So that's failover working between two WAN interfaces. And if I go back in and I re-enable my WAN interface... again, ignore the fact that I'm using Proxmox... we can see now that it's showing online. Sorry, now you can see it's showing as online; I just refreshed that because it was still showing WAN1 as down but the gateway was showing up. Right, so with that, see if it's switched back yet. You see we've switched back to 10.1.50.102. So the first time we did it we got the reply from our WAN1, which is 10.1.50.102; when WAN1 went down we got it from our WAN2 address; now it's come back up we've got it from our WAN1.

That's pretty much it for failover. Now I did say I'm going to cover load balancing in another video, and I will, but since we're here we might as well do it; it doesn't take much to configure. So what I'm going to do is go back into our gateway groups. I headed into System, then Gateways, Group, and I'm going to create another one. So I'm just going to hit the Add button; I know we're already using them here, but we're just going to add another one. So we'll add another one in, set this group name to "load balancing", and as I mentioned before, this time we want to set both the WAN1 to tier 1 and want to set the WAN2 to tier 2. We're going to change this trigger level to "Packet Loss or High Latency", and as I discussed before, we need to set "Round Robin with Sticky" for this. We click OK to that, we apply those changes. They'll show offline; press F5 or refresh your browser and they'll come back online. So now you can see it's slightly different: where the untrusted shows tier 1, tier 2, so that's primary and failover, this time we've got load balancing and you can see that they're both on the same line. So now if we go back into Firewall, Rules, and then LAN, and this default LAN rule that we set to untrusted, we're going to go and edit that, and then scroll down to Gateway, but this time I'm going to set it to load balancing, and save it and apply those changes. So now what will happen is... where's my... this time if I do iperf3 -c example.com -P 2, it's received two streams from 192.168.100.100, and that's what we wanted: we wanted both streams to go from the same interface, because if you visit a website and, I don't know, you fill a form out or whatever you're doing and you submit the form, you might get a different IP address, and that's what the sticky does.

So where was it... on the gateways: System, Gateways, Group. I'm just going to edit this group that we set for load balancing, just to demo what this does. If I set that to "Round Robin", then apply those changes, again just refresh the page. Now what we should get... just clear this... that's not going to work. Now you can see that it's split, so we've got one stream going out of WAN1 and one stream going out of WAN2. But as I say, if you do load balancing that way it's likely to break on a lot of sites. If you visit a site, generally when you log in, for security reasons, if they're done right, it should bind that to your IP address, and if your IP address changes when you start visiting the site, it's going to break, especially on things like banks or anything that's HTTPS. So I was just demonstrating it; I might do another video on it, I'm not sure if there's much point. So, Gateway Groups, we're going to edit it and set this back to Sticky Address, and then save that and apply those changes, refresh that if you're as impatient as I am, and then when we do that again you can see that everything's now coming from WAN1. So with that, it doesn't push everything through WAN1; it'll push devices through. So if you have like five computers, it'll randomly split them between WAN1 and WAN2 and keep it that way. So that's a good thing to just keep in mind if you want to do load balancing.

This load balancing option with the sticky address: if you want to change the default timeout of that, say if you're filling a form out, I don't know, if you're filling a credit application form out or any type of long form that's going to take 10 or 15 minutes to fill out, 20 minutes, you might want to adjust that. You can do it by taking a look at the firewall rules... so if we head over to Firewall, Settings, Advanced, we scroll down to Multi-WAN. "Use sticky connections" is ticked; this "Source tracking timeout" is what you can set it to. So let's set it to 5 minutes, 300; 10 minutes, 600; if you want to set it to an hour, if you think that's sensible, set it to 3,600.

The last thing you might want to check is NAT, Outbound. If this is set to automatic outbound rules, you're not going to need to do anything because it's automatically going to create these for you; you can see we've got NAT rules set for WAN1 and WAN2. Just keep that in mind, because if you set it to manual outbound NAT rule generation and you only have them set up for WAN1, then you're going to need to add them in for WAN2 as well.

The last thing I'm going to cover on here: if we go back into System, Gateways and Configuration. Now under these, where we've got our WAN1 and WAN2 gateways, we set under Group, edit, this option here for trigger level, packet loss or latency. Under most circumstances the defaults will be fine, but if you want to fine-tune this yourself, if you go into Configuration and then edit either of your gateways, we toggle this Advanced mode up here. So you've got gateway priority: it basically just means choose a value between 1 and 255; it influences the sort order when selecting a default gateway, lower means more important. Then weight: if we set this on WAN1, say we set that to 2 and WAN2 was 1, then it would mean twice as much traffic would go over WAN1 than WAN2. You set it to 4, and then obviously four times as much traffic could go through. So you know, if you've got a slower connection and you want to balance it out a little bit more, you can do that with the weight: "weight for this gateway, used when using a gateway group". And the packet loss you can adjust here, so the latency and packet loss, if you want to fine-tune it you can do that under here. That's in milliseconds and the default is 500, so if you have a bit of a dodgy connection and you want to increase it a bit, you can do that in there. I think the data length is for when you're sending keepalives and pings and things, just to make sure the gateway is available. So under most circumstances you'll be fine to just leave the defaults; I just wanted to show you that the advanced section is there if you wanted to change it.

I think I've covered pretty much everything. Defaults should be fine in most cases; I just wanted to, as I say, show you how you can change the weight so that more traffic goes through one over the other, because in most circumstances when you've got this, your connections won't be the same speed, so it's sometimes handy to do that. So if one's twice as fast, WAN1's twice as fast as WAN2, you can adjust that here. But obviously, clicking this Full Help up here, toggle Full Help on, so you can see what all the settings do for you. Let me switch this back over. I hope that helps if you're looking to set up load balancing on OPNsense.

So just let me switch back to this, one second. When we went into Firewall, Rules and LAN, as I mentioned, we've set this gateway here and I changed it to load balancing. So you'll notice when I went into Gateways, which is under System, Gateways, Configuration, sorry, Group, we've got both of them in there. So when you go into your firewall rules, LAN, you can set up multiple groups. So we changed this to load balancing; if we wanted to switch it back to failover, then we can go back down to the Gateway and we can change it back to untrusted. I probably should have called that "failover" for when I was doing this, but I wasn't really planning on covering load balancing as well, so just keep that in mind. You can set an alias up for your servers, so if you wanted your servers to load balance then you can do; if you want servers to fail over, obviously load balancing does work as failover as well.

In fact, when we go to Gateway Groups (wrong one; System, Gateways, Group), I've set "untrusted", which is just the failover, and we've got the load balancing one. Now what I normally do is set a couple of groups up; I did this in the pfSense video that I've just done. So what I normally do is "prefer WAN1", set the description as "prefer WAN1, fail to WAN2", and then you can do, obviously, set it that way. So whichever you've got, prefer WAN1, so we've got prefer WAN1 preferred; then save that, and then obviously we can add another one, "prefer WAN2", so you can set WAN2 as primary. Again, change that to how you prefer; packet loss or high latency is what I generally set it to. So prefer WAN2, fail to WAN1. It's completely up to you how you set all them up, but having them set like that just gives you more customisation over what you do. So you can have some systems prefer WAN2, some systems prefer WAN1, some just do straight load balancing, some do failover; you can set the rules up then basically to do whatever you want. So if you don't use them it's not going to cause any harm to the system. I'll just refresh that page so they're online. But yeah, let me switch back again.

So yeah, if you found that useful, please like this video; it does help support the channel and it helps the YouTube algorithm suggest it to people. Consider subscribing to the channel. I am planning on doing a lot more OPNsense videos; I'm already covering pfSense, so I am going to cover OPNsense as well, a lot more. So subscribe if you're interested, and if you hit the notifications icon you might get notified about the videos as they are released. So I'll see you in the next video. Thank you for watching.
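The tier, trigger level, weight and sticky-address behaviour walked through in the video, modelled as a small Python program. This is an added illustration, not OPNsense's own code; the loss threshold, the monitoring values and the host names are constructed for the demo.

```python
"""Model of OPNsense-style gateway-group selection (added illustration, not
OPNsense's own code): tiers give the failover order, the "Packet Loss or High
Latency" trigger marks a gateway down, weight shares load within a tier, and
the sticky option pins a client to one gateway until the tracking timeout."""
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    tier: int              # 1 = preferred; failover moves to the next tier
    weight: int = 1        # relative share when several gateways share a tier
    loss_pct: float = 0.0  # constructed monitoring results (dpinger supplies these)
    latency_ms: float = 0.0


@dataclass
class GatewayGroup:
    gateways: list
    sticky: bool = True               # "Round Robin with Sticky Address" vs plain "Round Robin"
    loss_threshold: float = 20.0      # assumed trip point; the real one is a per-gateway setting
    latency_threshold: float = 500.0  # ms, the default mentioned in the video
    sticky_timeout: int = 300         # seconds, the "Source tracking timeout" setting
    _counter: int = 0
    _table: dict = field(default_factory=dict)  # client -> (gateway, first_seen)

    def healthy(self, gw):
        # Either condition trips the gateway, as the trigger level's name says
        return gw.loss_pct < self.loss_threshold and gw.latency_ms < self.latency_threshold

    def active(self):
        # The lowest tier with at least one healthy member carries all traffic
        for tier in sorted({g.tier for g in self.gateways}):
            up = [g for g in self.gateways if g.tier == tier and self.healthy(g)]
            if up:
                return up
        return []

    def pick(self, client, now):
        up = self.active()
        if not up:
            return None  # every gateway is down; nothing to route through
        if self.sticky:
            entry = self._table.get(client)
            if entry and entry[0] in up and now - entry[1] < self.sticky_timeout:
                return entry[0].name
        # Weighted round robin: a gateway with weight 2 appears twice per rotation
        rotation = [g for g in up for _ in range(g.weight)]
        gw = rotation[self._counter % len(rotation)]
        self._counter += 1
        self._table[client] = (gw, now)
        return gw.name


def failover_demo():
    """Tier 1 / tier 2 group: WAN1 until it drops packets, WAN2 meanwhile, then back."""
    wan1, wan2 = Gateway("WAN1", tier=1), Gateway("WAN2", tier=2)
    group = GatewayGroup([wan1, wan2], sticky=False)
    seen = [group.pick("host1", now=0)]
    wan1.loss_pct = 100.0                  # WAN1 unplugged, as in the Proxmox demo
    seen.append(group.pick("host1", now=1))
    wan1.loss_pct = 0.0                    # WAN1 back online
    seen.append(group.pick("host1", now=2))
    return seen                            # ['WAN1', 'WAN2', 'WAN1']


def balance_demo():
    """Both tier 1: sticky keeps a client on one WAN; plain round robin splits streams."""
    wan1, wan2 = Gateway("WAN1", tier=1), Gateway("WAN2", tier=1)
    sticky = GatewayGroup([wan1, wan2], sticky=True)
    calls = [("host1", 0), ("host1", 10), ("host2", 20), ("host1", 30)]
    pinned = [sticky.pick(client, t) for client, t in calls]
    wan1.weight = 2                        # WAN1 twice as fast, so twice the share
    plain = GatewayGroup([wan1, wan2], sticky=False)
    split = [plain.pick("host1", 0) for _ in range(3)]
    return pinned, split                   # (['WAN1','WAN1','WAN2','WAN1'], ['WAN1','WAN1','WAN2'])
```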
Info
Channel: Sheridan Computers
Views: 3,480
Keywords: OPNsense failover and load balancing, OPNsense dual wan load balancing and failover, load balancing, #load balancing, OPNsense load balancing, OPNsense wan load balancing, OPNsense load balancing 3 wan, OPNsense load balancing 2 wan, failover, OPNsense dual wan load balancing, OPNsense load balancing wan, load balancing and failover with gateway group, load balancing OPNsense, dual wan failover, OPNsense dual wan basic load balancing, wan failover, OPNsense failover, sheridan
Id: SKhdtK4m5mM
Length: 35min 51sec (2151 seconds)
Published: Fri Mar 22 2024