OPNSense Firewall Multi-WAN Failover and Load Balancing - Virtual Lab Building Series: Ep 6

Video Statistics and Information

Captions
In this video I'm going to show you how to set up the multi-WAN features in OPNsense so we can achieve failover and load balancing. Let's jump straight into the lab.

So we're going to be continuing with our virtual lab building series, and we're going to be setting up OPNsense to utilize its multi-WAN features. For those of you that don't know what multi-WAN is, it's basically used for redundancy purposes. If we look at the diagram that I've set up here, in this scenario we have two ISPs, WAN 1 and WAN 2, connected to our OPNsense firewall, and then we have our usual LAN gateway connected to this virtual switch and then to our Kali test machine. In this scenario we're going to look at two ways that we can utilize multi-WAN. The first one is going to be failover: when WAN 1 for whatever reason goes down, say the ISP has a fault or there's general packet loss or anything along those lines, then WAN 2 will essentially pick up the load. The second scenario we're going to look at is load balancing: how we can share these two WAN interfaces to increase the amount of bandwidth that we can offer to our clients on our LAN. WAN 1, for the sake of this lab, will be on the 10.0.2.0 network and our WAN 2 interface will be on the 10.0.3.0 network.

To simulate this in VirtualBox, if you've been following my lab already you should have a working OPNsense firewall already set up with the basic configuration. For this lab we're going to need to make some minor changes to the interfaces. Firstly we need to go to Tools, then Preferences, then Network, and inside Network we need to set up two NAT networks, one for ISP 1 and the second one for ISP 2. It's simple to do this: you just click on "Add new network" and it'll create them. I'll just show you the ones that I've created already. For ISP 1, as per the diagram I showed you earlier, it's connected to 10.0.2.0 and we want to support DHCP so the system can automatically give our firewall an IP address on that interface, and we'll click OK. The same applies for the simulated ISP for the second interface, which will be connected on 10.0.3.0, and once again we want to allow DHCP on that particular network; we'll click OK.

Once you've done that, before we start up the firewall, you need to come across to the settings of the actual firewall VM and go to Network, and you'll see over here you've got your various adapters, one, two, three and four. In my case Adapter 1 I've configured as one of those NAT networks, one of those WAN interfaces, so you'll select NAT Network and then choose the name of the NAT network that we just set up; in this case it'll be ispsim1. For Adapter 2 I've connected this to my LAN, my internal network; I've shown you in previous videos how this works. Then for Adapter 3 I've set that up also as a NAT network and I've assigned it to the ispsim2 network, so this will be our second WAN interface. Once you've done all that you'll click OK and you can start up your firewall.

Once your firewall is started up, we're going to open up our browser and log into the firewall. I'm just going to use the default username and password that were set up in the previous labs. The first step here is the interface assignment that we need to do. You'll come across to Interfaces and then Assignments. This will look slightly different when you set it up the first time around; your WAN 2 interface will have a different name. I'll put up a screenshot just to show you how that looks, but basically you'll have a new interface and you'll see it'll be for the em2 interface. You then click the little plus button on the extreme right-hand side, and this will add the interface assignment for you. Once you've done that you'll see it'll be called OPT1. What you'll do then is just save this, and then we'll go across to OPT1 and rename OPT1 to WAN2. From there we will enable the interface, block private networks and bogon networks, and configure it so that it is set up for DHCP for IPv4. Once you've done that you'll click Save and apply the changes.

The next step is setting up what they call gateway monitoring. In order to do this we're going to go to System, then Gateways, then Single. For each of the gateways that we set up you'll see we'll have a WAN_DHCP, which is our first WAN interface, WAN 1, and then we'll also have a WAN 2 gateway. When you do this initially you won't see any of these monitoring IPs, so we need to set this up. You'll click on the little edit button, and inside there you'll make sure that you have selected the interface correctly, which would be WAN; it will be the IPv4 address family and the IP address is dynamic. The most important setting here is to make sure that you uncheck this "Disable gateway monitoring" checkbox. This basically turns on the monitoring: if this checkbox is enabled then the firewall will always consider this interface to be in an up state, which we don't want in this case, especially when we are using it for failover purposes. Then this monitor IP address that you see over here, 8.8.4.4, is the IP address that the firewall is going to be periodically pinging to determine if the WAN connection is up or not. The final step for our main gateway on WAN 1 is to make sure that our priority is set to 1; the lower the priority, the more preference the gateway is going to have. Once you've done that you can click Save.

Then we're going to repeat the same steps for the second WAN interface. In this case we're once again unchecking the "Disable gateway monitoring" checkbox and we're going to use a monitoring IP of 8.8.8.8; it has to be different to the one on the first WAN interface that we set up. Then we're going to give this one a priority of 254, which is higher, so this would then become a less preferred gateway for our scenario; essentially that would be our backup gateway. You'll click Save and move on from there.

Once we've configured our gateway monitoring we need to set up what they call a gateway group. To do this we go to Gateways again and, just below where we were, select Group. Inside the group is where we can set up our failover group. Initially it won't look like this; there will be nothing here, as I already set this up, but let me show you how you do that. If we just go to Edit, we're going to give our group a name; in this case I just called mine gw_group. Then we're going to set up our gateway priority for each one of our WAN interfaces. These tiers that you see here, Tier 1 and Tier 2, just allow the system to know which one of those gateways is going to be the main priority. In this case my WAN_DHCP, which is my WAN 1 interface, I've given a Tier 1 classification, which means it's my primary gateway, and WAN2 I've given Tier 2, which means it's my secondary or backup. For the trigger level you have various options to pick here: you could have it as Member Down, Packet Loss, High Latency, or Packet Loss or High Latency. In this case I've just set mine up to be Packet Loss, so as soon as packets are lost and they meet a certain threshold on my WAN 1 interface it will automatically fail over to WAN 2. Just below that we give it a description; I called this my failover group.

Just a side note with this: if you were trying to set this firewall up as a load balancer, to do load balancing across your two WAN interfaces, instead of having your tiers set up as one and then two for failover you would give the tiers identical values here. So if we wanted to load balance between WAN 1 and WAN 2 we would simply set WAN2 to be Tier 1 as well, and then it will equally load balance between those two connections. Once you've done this you'll click Save and we're ready to move to the next step.

For the failover to work correctly we have to make some changes to the DNS settings of our firewall. In order to do this we're going to go to System again, then Settings, then General. If you come down to this middle bit over here where it mentions the DNS servers, we then want to match up our DNS servers for each interface like we set up prior. So for WAN 1, where we were using 8.8.4.4, we'd set that as a DNS server, and from this little dropdown box over here we'll assign it to the WAN 1 interface. The same applies for WAN 2, where we set up 8.8.8.8, and that will apply to WAN 2. Once you've done that we're going to scroll right down to the bottom, and this is an important bit: over here you need to make sure that the "Gateway switching" checkbox has been checked. This allows default gateway switching, and basically turns on the ability that if our main gateway goes down it will automatically fail over to the second gateway, which is exactly what we're trying to achieve with the failover. Once you've done this you'll click Save and we'll move on to the next step.

The next step is that we need to make some changes to the firewall rules for this to work correctly, so we're going to be adding a firewall rule. We'll come down to Firewall, then Rules, then LAN. The first rule that we need to modify is this default "allow LAN to any" rule. We'll come through to the little edit button over here, and the piece that we need to edit is the gateway: we'll come down to Gateway, and in the dropdown box you'll select the gateway group that we created earlier, and you'll simply click Save on that one. Then we need to create a new rule. In this case I've already created one, but I'll show you what we need to do. You'll click on Add rule and we need to set up a Pass rule for the LAN interface, on IPv4; we need to make sure that the protocol is TCP/UDP, and if we scroll down, the source needs to be any. Then in the destination section we need to select "Single host or Network" and allow this connection to our firewall's local LAN address, 10.200.200.254 in the case of this one, and we will set the mask to /32. The destination port range needs to be from DNS to DNS, and we'll just give it a basic description; we'll call it "local root dns". Once you've set all that up we'll click Save. You'll notice that when that rule is created it will fall below these two IPv4 and IPv6 rules; you'll simply select it and then use this little arrow button over here, which will move the rule above the one that you've selected, so, as in this case, you can see I have it above all of my other rules. Once you've done that you'll click Apply and it will apply those firewall rules for you.

So we've now completed all the steps for failover to work correctly. However, there are a couple of advanced options which we can still look at if we need to tweak this. In order to access the advanced options you're going to go through to System, then Gateways, then Single again. Let's just say we want to modify some of the advanced settings for our WAN 1 gateway: we'll simply click on Edit, and if you come to the bottom here there's a button that says Advanced. You can click on this, and under this advanced menu we've got some weighting options where we can give our particular gateway a certain weight, and then there are also things like latency thresholds, packet loss thresholds, probe intervals etc. We can fine-tune these variables here in order to make our failover perform potentially better, or modify it for our particular scenario. One scenario that comes to mind: let's just say you have a WAN 1 connection that's running on, say, 10 Mbps and the other one's double that, running on 20 Mbps. In that scenario we don't want to give each of those gateways equal amounts of weight, so what we will do is come through to our weighting option over here, which basically gives us a range of one to five. On our 10 Mbps connection we could give it a weight of one, and on our 20 Mbps connection, obviously having more bandwidth, we can give it a weight of two. What this means is that twice as much traffic will go through the 20 Mbps connection as through your 10 Mbps internet connection, so in this case we can get better utilization out of our higher-bandwidth connection.

To show you how this works, we're going to test the connections using traceroute, so I can show you that when we disable or simulate one of the connections going down, the firewall will automatically route out of the backup WAN interface. If we look at the dashboard we can see over here that our gateways are both active at the moment with monitoring set up; they are both showing zero percent packet loss and they're both online. What we're going to do is open up a terminal and type in traceroute with the -I option, because we want to tell traceroute to use ICMP in this case to do the trace for us, and we're just going to be tracing through to the 4.2.2.2 DNS server. We'll hit Enter, provide the password when prompted, and it'll complete its traceroute. You'll see in this case that the first hop it went through was the firewall, which was 10.200.200.254, and then it exited through the 10.0.2.1 gateway on the ISP's network on WAN number one, and then it continued its path through to its final destination.

To simulate the WAN 1 connection going down, you'll come back to VirtualBox, like you can see on the screen, and we're going to go to Settings; inside Settings you're going to come through to Network, then Advanced, and then on Adapter 1, which in my case is the WAN 1 interface, we're going to unplug the cable and click OK. Now the cable is unplugged, if we go back to our firewall dashboard again you can see at the bottom over here we now only have WAN 2 available. If you go into System, Gateways, Single, you can see over here that WAN number one is offline and there's 100 percent packet loss, so we've confirmed that that interface is down. Then we're going to come back to our terminal and run the same traceroute command we did earlier to the same IP address and hit Enter. If we examine the traceroute results we'll see once again that it left through our firewall, which is 10.200.200.254; however, in this case it's now traversed the 10.0.3.0 network, which is our WAN 2 network, and it left through the 10.0.3.1 gateway, which was the gateway on the second WAN interface, the second ISP which we set up, and then it continued on its path. So through this test we've successfully seen that the failover is in fact working correctly and that the firewall has now failed over onto the second WAN interface as intended.

To wrap this video up: we've successfully configured WAN failover on our OPNsense firewall by first of all assigning a second WAN interface, setting up gateway monitoring on both the interfaces so the firewall could be aware whether they were functional or offline, creating a gateway group combining those two interfaces into this failover group, and making some changes to the DNS settings and the firewall rules in order to make this function correctly. We also looked at some advanced settings for how we can use load balancing, and also demonstrated a traceroute to show that the failover mechanism is working as intended. If you guys enjoyed this video please don't forget to subscribe and give me a thumbs up; it would be greatly appreciated. And as always, if you have any comments or any questions please do drop them in the comments box below. Thanks for watching and I'll see you guys soon. Cheers for now.
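The tier, weight and monitoring semantics the video walks through, modelled as an added Python example (this is not OPNsense code; it only reproduces the behaviour described above). The gateway names, the 20 percent loss threshold and the per-connection round-robin are assumptions made for the model; OPNsense's real selection happens in pf.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass
class Gateway:
    name: str
    tier: int                  # Tier 1 = primary, Tier 2 = backup; equal tiers share load
    weight: int = 1            # 1..5 in the GUI; relative share within a tier
    packet_loss: float = 0.0   # percent, as gateway monitoring would report it
    monitored: bool = True     # False = "Disable gateway monitoring" left ticked

LOSS_THRESHOLD = 20.0  # assumption: percent loss at which the "Packet Loss" trigger fires

def is_usable(gw: Gateway) -> bool:
    """An unmonitored gateway is always treated as up, whatever its real loss."""
    if not gw.monitored:
        return True
    return gw.packet_loss < LOSS_THRESHOLD

def active_members(group: list) -> list:
    """Lowest-numbered tier with a usable member wins; all its usable members are active."""
    usable = [g for g in group if is_usable(g)]
    if not usable:
        return []
    best_tier = min(g.tier for g in usable)
    return [g for g in usable if g.tier == best_tier]

def pick_gateway(group: list, flow_id: int) -> Optional[str]:
    """Weighted round-robin over the active members, keyed by a new-connection counter."""
    members = active_members(group)
    if not members:
        return None
    slot = flow_id % sum(g.weight for g in members)
    for g in members:
        if slot < g.weight:
            return g.name
        slot -= g.weight

def distribution(group: list, flows: int = 300) -> dict:
    """How many of `flows` new connections land on each gateway name."""
    return dict(Counter(pick_gateway(group, i) for i in range(flows)))

def failover_group(wan1_loss: float = 0.0, wan1_monitored: bool = True) -> list:
    """The video's gw_group: WAN_DHCP on Tier 1, WAN2_DHCP (assumed name) on Tier 2."""
    return [Gateway("WAN_DHCP", tier=1, packet_loss=wan1_loss, monitored=wan1_monitored),
            Gateway("WAN2_DHCP", tier=2)]

def balanced_group() -> list:
    """Both on Tier 1; 10 Mbps link weight 1, 20 Mbps link weight 2, as in the video."""
    return [Gateway("WAN_DHCP", tier=1, weight=1), Gateway("WAN2_DHCP", tier=1, weight=2)]

if __name__ == "__main__":
    print(distribution(failover_group(wan1_loss=100.0)))   # failed over to WAN2_DHCP
    print(distribution(failover_group(100.0, False)))      # monitoring off: WAN 1 still "up"
```

The third case is the one the video warns about: with "Disable gateway monitoring" left ticked, a WAN with 100 percent loss is still preferred and failover never happens.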
Info
Channel: LS111 Cyber Security Education
Views: 23,476
Keywords: pfsense, pfsense setup, firewall, pfsense firewall, pfsense tutorial, opnsense, opnsense virtualbox, failover, load balancing, multiwan, wan monitoring, cyber security full course, cyber security lab, homelab setup, infosec, homelab, cybersecurity for beginners, opnsense multiwan, opnsense load balancing, opnsense wan monitoring, what is a firewall, network security, opnsense firewall rules, opnsense install, opnsense vs pfsense, opnsense setup, install opnsense
Id: CcXYiFj9mBA
Length: 23min 30sec (1410 seconds)
Published: Fri Mar 25 2022