pfSense Dual WAN Load Balancing & Failover Tutorial 2024

Captions
So you're looking to set up load balancing on pfSense with multiple WAN connections. I'm going to show you how to do that in this video. Whilst it does cover failover, if you're just interested in failover and nothing else, I have done a previous video on that, and failover without load balancing is fairly simple, so that's why they're in separate videos. I hope by the end of this video you'll understand why they are completely separate, because failover is pretty easy to set up. Load balancing, it's easy, but there's just a couple of things that you need to consider. So let's dive right in.

Sheridan Computers: IT, Communications, Support.

This is pretty much a base install of pfSense. Now, before we continue to configure load balancing, we need to make sure that our interfaces are working, both our WAN interfaces. You can see here we have WAN1, which is on 10.1.50.101, we've got our LAN, which is on 10.1.10.25, and we have our WAN2, which is on 192.168.100.20, so we should be able to tell the difference between them. On the dashboard I've added the interfaces and I've added the gateways, so our WAN1 gateway is 10.1.50.1 and our WAN2 gateway is 192.168.100.1. Adding this stuff onto the dashboard just makes it a lot easier to test any problems, and with the traffic graphs we can make sure that the traffic's being load balanced properly. So I recommend that you at least add interfaces, gateways and your traffic graphs to your dashboard.

With that, we need to make sure that both our WAN1 and our WAN2 are working before we proceed to start configuring load balancing. If we go to Diagnostics and I head to Ping, in the hostname I'm going to put Google's IP, Google's primary DNS server. We'll leave the protocol for IPv4. I'm just going to set the source address to WAN1 to make sure that traffic is going out of WAN1 properly. If we hit Ping, we should get a response from 10.1.50.101. So we have, so that's our WAN1 IP address. And to test WAN2, I'm literally just going to change
the source address to WAN2. Now we should get the same reply from 8.8.8.8, but this time it should come from the 192.168.100 subnet, which it has. So we've got the reply from the 192.168.100.20 interface, so we've confirmed that both of our WAN interfaces are working.

With that, the next thing that we need to do is to configure our DNS. I'm going to head up to System and then we'll head to General Setup. Once we're in General Setup, we have this DNS Server Settings here. We need to set two DNS servers, one for each of our WAN interfaces. If you've got three, then you're going to add three DNS servers. We've got Google in here, as you can see, but I'm going to set the gateway to WAN1, and I'm going to add a second DNS server. This time we're going to put 8.8.4.4 for Google's secondary DNS, and we're going to want that to use WAN2. So let me save that. Okay, so changes have been applied. This is the important section: 8.8.8.8, WAN1; 8.8.4.4, DNS traffic is going to go through WAN2. Now, it's important that you set these up so your system knows how to route traffic.

The next thing that we need to do is to set up our gateways. What we're going to do again is head across up to System and we're going to select Routing. When you're in the routing configuration section, you can see we've got our gateways. This globe here that shows default gateway shows the current default gateway, so whichever gateway it's using, this obviously shows a default one. You can ignore this line here. So we're using WAN2 DHCP and WAN1 DHCP. With that, we need to create a gateway group, so we're going to go ahead to Gateway Groups and then we want to add a new group, and we're going to call this load balancing. The gateway priorities are obviously the priority in which gateways are used, so we want Tier 1 for our WAN1 gateway, we want Tier 1 for our WAN2. If you set that to Tier 2, that basically sets it to failover, and we are going to do that in a minute as well. So if you've got
the third one, you can set that to Tier 3, and it'll try to use gateway one, then it'll try to use gateway two, and then it'll try to use the third one. We've only got two, so we want to use load balancing, and we're going to set WAN1 DHCP and WAN2 DHCP both to Tier 1, and that's how we achieve load balancing. I'm going to set the trigger level to packet loss, which is used for failover. So we're just going to put "load balancing, use both WAN1 and WAN2". We'll save that.

Now, because we're doing load balancing, we also want some other gateway options. We want an option to be able to prefer traffic to go out of WAN1 and we want an option to be able to prefer traffic to go out of WAN2. You'll see why this is important later, I will explain. So we're going to add another gateway, gateway group, sorry. I'm going to put prefer WAN1, and then we're going to set our WAN1 to Tier 1, but our WAN2 this time we're going to set to Tier 2. So that'll try to send traffic out of WAN1; if WAN1's down for whatever reason, it'll go through WAN2. Again we'll set it to packet loss or high latency and put a description in, so we're going to put "prefer WAN1, fail to WAN2", and save that.

Now we're going to add another one. These are optional if you're not going to use them, but they're handy to have anyway. It's not going to make any difference having them defined even if you don't use them. So I'm going to add another gateway group and I'm going to put prefer WAN2. What we're going to do this time is set gateway two to Tier 1, so that's the preferred route, and then we're going to set our WAN1 to Tier 2. So it'll try to use this one first, and if that's down it'll use WAN1. And then put a description in, so I'm going to put "prefer WAN2, fail to WAN1", and apply those changes. It's handy to add these in, say, even if you don't use them, if in future you're going to add services that you want, you might want to send some things out of WAN2, you might want to bind
some things to WAN1, and it's just a good idea to have them in.

So with that, we're pretty much ready to set up our rules for load balancing. What we can do now, we go to Gateways. I normally set these to the specific one, so "prefer WAN1, fail to WAN2", which is for the pfSense routing itself. If we do that and we save it and apply those changes, what we're doing there is just telling pfSense itself that if it can't use WAN1, use WAN2.

Next thing we're going to do is go into Firewall, Rules, and then on our LAN. You don't want to be putting any form of gateways into your WAN1 or WAN2 for load balancing, just kind of leave them, any, sorry, firewall rules. Under LAN you can see that we've got the default rules here, excuse me, the default allow to any rule. We need to set the gateway, because it's going to use a default one, which is "prefer WAN1, fail to WAN2", which is the default rule that we've just set on the System and Routing anyway. With that, edit the default LAN rule. Now if I change this to, sorry, where is it, Display Advanced. On the gateway, can see where it is, we're going to prefer this to load balanced, and we'll save that and apply the changes.

We've got one more change that we need to make, and I should have done this first, to be honest. If we go back into Routing, the WAN1 monitor IP by default is set to the IP of the gateway, and that's not what we want. What these need to be is, when we went into General Setup, DNS, we have these rules here. So we have Google's primary DNS, which is 8.8.8.8, you can use whatever you want for these, going out of WAN1, and obviously 8.8.4.4 goes out of WAN2. So keep a note of them. What we're going to do, we go to Routing, and we're going to edit our WAN1 gateway, and we're going to set the monitor IP down here to 8.8.8.8 for Google's primary DNS. Now that's the one that, under our DNS, we told to go out of WAN1. So you need to make sure that your DNS that you're sending through
WAN1, set that to the monitor IP in here. It's important that you do that, otherwise you'll confuse pfSense with what's supposed to be where. Then we'll do WAN2, and we'll set this to what we set our secondary DNS to, which is 8.8.4.4, and we'll save those and apply the changes.

Okay, now what we've done there is, by monitoring 8.8.8.8, if that's unreachable for whatever reason, then pfSense is going to assume WAN2, uh, WAN1 is down. If 8.8.4.4 is unreachable for whatever reason, it's going to assume WAN2 is down, and that's how we can handle the failover. So you can probably understand now why in the previous video I just covered failover, because it's easy. With load balancing it gets a bit me

So with that, we should now go to Dashboard. We should now have our traffic load balanced. If I go to fast.com, no, that's not going to go through there because I'm not using this pfSense as my router. What we can do is, you can see we've got our IP address, 192.168.100.20. Do it again, it's changed to 10.1.50.101. So you can see the load balance is working because our IP address is changing in between WANs.

There's a couple of other options that we need to do just to get this working right. The load balancing will work from there, but there's a couple of things that you need to take into account when you're doing load balancing. If we go into System and then I choose Advanced, under Miscellaneous there's some options in here that we can check. Now, Load Balancing is obviously related to what we're doing, so Use sticky connections, you're going to want to tick this box more than likely. So "successive connections will be redirected via gateways in a round-robin manner". We're going to set Use sticky connections, and what that will do is, if you've got two users, user one visits a web page and user two visits a web page, it will assign all traffic from that user to a particular gateway until the connections are closed. By default this is set to zero, so if you visit a website, once the remote browser closes a connection, then if you visit it again, chances are it's going to use a different IP address, as we did, let me zoom this out, as we did here. So you can see that's changing, and some websites don't like this. It's usually set up for security reasons to stick to one IP address. So this is what the sticky connections do.

So we can do Use sticky connections, and this source tracking, this is the important bit. Now imagine you're on a website, say you're booking a holiday, and you're filling a form out. While you're filling the form out on that website, it might take you 10 or 15 minutes to actually complete that form, and what you have to remember is, when you hit submit, your IP address might change. So what we need to do is to set this to a reasonable value. You're probably going to want to set it to at least 10 or 15 minutes, or how long you assume users are to be filling forms up. You might want to set it to a lot higher. So
it's in seconds, so you might want to set it to an hour, for example, you might just want to set it for 15 minutes, you might want to set it for 10. Obviously if you're going to set it for an hour, 3,600 gives the hour. So it's really important that you take this into consideration.

Gateway Monitoring is another option. This option here, let me just save those changes and then we'll go back up to that. Right, okay, so we've enabled this, which handles the filling out of forms. This Gateway Monitoring, so whether you want this to kill states for when gateways are down is up to you and depends on your network and your configuration. We can do kill states when our gateways are down. Now, if you've got VoIP phones, for example, they might be set to register over a long period of time for UDP. So what we can do is, if we do kill states for which gateways are down, then that will force traffic such as VoIP traffic to just end the connection and re-establish the connection. If you don't do that, your phones might not actually realize the gateway's down and try to keep the connections over that particular gateway that we're going through. I'm not trying to confuse you here, so hopefully I'm explaining this well. Now, if you're not using VoIP phones and you set this, it could be more problematic than not problematic, because if you're using failover, for example, and your secondary gateway goes down yet your primary one is active, then it will force your states to flush and it can just cause you problems that way. So unless you actually need it, I'd leave it on default, so do not kill states on gateway failure.

So Skip rules: if you want to send, say, user one through WAN1 but not have access to WAN2 if WAN1 fails, then that's what you can do with "do not create rules". So you can set one rule to send it through WAN1 and then one rule to block it. So that's what that's for. "Do not add static routes for gateway monitor IP addresses": generally
you want this unticked, so that's how we set our primary DNS to go through WAN1 and our secondary DNS to go through WAN2. I just wanted to make you aware of them, because there are situations, especially if you're using VoIP, where you might want to kill all states for which gateways are down. I'm just going to leave that as a default. We've already applied it. Do it again, no harm.

So with that, browsing websites now won't cause you any problems, unless, if you set the source tracking, where was it, if you set this to 1 hour and it takes somebody two hours to fill a form out, it could cause issues. So generally set this to a sensible value. That sensible value depends completely on you and your users' behavior. If they're not filling forms out you can leave it, but generally it's a good idea to actually put something in here.

So with that, go to Status, Dashboard, and now if we keep doing that, that's what the tracking source states does. It'll just make sure that all traffic destined for that address from the specific user that I'm using, the IP address of the user, so all traffic from the system that I'm using to that website or any other website will go through the connection that has been assigned. After an hour it'll time out, but if user two has got a different IP address, it might send them through the different gateway and do the load balancing.

So with that, there's one other thing to keep in mind, and that is how you do the load balancing. So you've got your primary connection that's a gig and your secondary connection's only 100 meg, 50 meg, whatever it is, then you might want to change the weight of the gateways so that more traffic goes through WAN1 than WAN2, or more traffic goes through WAN2 than WAN1. So let me just show you how to do that real quick. If we go into System and we go back into Routing, so System, Routing, and we've got our
gateways here. Now if we go and edit any of the gateways and we go down to Display Advanced, we have the weight. By default the weight is one unless you change it. If I change this to two for WAN1, then twice as much traffic will go through WAN1 as WAN2. If I change it to four, then four times more traffic will go through here than will go through WAN2. If we had this set to one and WAN2 set to two, so the weight of the WAN2 gateway set to two, then twice as much traffic would go through WAN2 as goes through WAN1.

The data payload you probably don't need to worry about. This just gives you the option to change that where sometimes it doesn't work. I'm not going to get into that, just leave it as default and it should be fine.

Now, latency thresholds. If you remember, when we set the gateway groups up we set it to fail on, let me just go back into this, I'll go to Gateways, Gateway Groups, I edit this, so trigger level was packet loss or high latency. If we go back into Routing, Gateways, and I go back into here, go back to Display Advanced, this is where these thresholds come in. So you've got latency thresholds and packet loss. Depending on your internet connection you might need to change these to have it working properly. The defaults do usually work fine, but I just wanted to make you aware this is where you configure the thresholds for failover. For load balancing it's not taken into account, but for failover it definitely is, and these are the thresholds you set. So when one connection becomes unavailable, it'll switch to the other one, and it's how long it takes before it comes back as well.

I don't think there's much more in here that we need to set. So how often ICMP probes will be sent, so that's checking the gateway's live, which is 500, and then we've got loss interval, time periods and alerting interval. So there's not really much that you need to change there. This option at the bottom, Use non-local gateway: some ISPs have
wrong network setups and the gateway is out of your subnet. If it is, you can use that to specify it. But I just wanted you to be aware of those settings as well.

The other thing to consider when you're setting this up is NAT. You want to make sure that your outbound NAT is set right to use both of your interfaces. If you set it to automatic then you won't have anything to worry about, you'll see it's automatically put these rules in. But if you've got it set to manual, just be aware you need to put the NAT rules in for WAN2 as well. You can copy them from WAN1.

Now, when I did a fast.com, the traffic didn't go through my firewall, because my system is not, the gateway is not set for this test firewall that we've set up. But we can test it with, if I do iperf, minus P 2 for dual connections, let's see, example.com, iperf3 on prsd. Now if I go to Status and Dashboard, you might think that it's not working. Most of my traffic is appearing to go through WAN1. That is actually what we want, and it's doing that because of this option that we set. If we go into Advanced, Miscellaneous, this Use sticky connections, that just makes sure that all my traffic goes through the same connection. So it's all my traffic from my IP address will go through that same connection, which is why it looks like the load balancing isn't working, but it actually is. It's just that we've got it set to 3,600. If I untick this, let me zoom out this, if I untick this and then I save that, then we go back into Status and Dashboard, if I do this again, both of my WAN1 and WAN2 should work, because it'll be sending one connection through WAN1, the other through WAN2, or however it was with the weight of the gateways that we set. And just to show this, you can see that now both WAN1 and WAN2 are sending connections out to the internet. And again, if we just head over to System, Advanced, and then we scroll down and find, where was it, Load Balancing, it was up here
somewhere, in Miscellaneous, and then re-tick this Use sticky connections, and it's set to one hour. You can set it to 10 minutes, 15, whatever you want, and then we save that. You'll see when I do this again it'll either use WAN1 or WAN2. Even though I'm using two connections, they should all go through the same connection. Now you can see everything's going through WAN1, and that's random. It could have gone through WAN2, it just picked WAN1, and it's sending all my traffic through there. So hopefully you now understand what the source tracking is under that Miscellaneous option, for this one here under this Use sticky connections. If I'm visiting a website, I'm there for 10 minutes, it's going to basically send all my connections for any website through that for an hour, and then it might switch over. But it is working. It's not going to send everybody, it just changes an IP address. Leave that on, so you generally want that set. Then Status, Dashboard. So when we do this again, you can see everything's going through WAN2 this time, so it has changed, and it'll load balance that way. But now all my traffic is going through WAN2. I'll do that again, and you can see it will do until I change that setting.

Again, just to cover the firewall rules, and if you want it to change, if you had to change it to failover instead of load balancing, we can go through the advanced options, and wherever the gateway is we can set it to prefer WAN1 or whatever we want. So you can set multiple rules up for multiple devices and decide how you want to do the traffic.

I think we're done. I can't think of anything else off the top of my head that you need to know, but I just wanted to demonstrate how to do that. A lot of tutorials and things I've seen generally don't cover the sticky states, or don't cover them enough to make you understand what they do with that. So I hope you can see why I didn't cover load balancing and failover in the same video, and they did actually
need two separate videos to do it, because if you're just setting up failover there's not much to consider, it's easy to do. If you're doing load balancing, there's a couple of things that you just need to take under consideration before you actually do it, and hopefully I've explained most of these in this video. If I have missed anything, please leave it in the comments. If you found this video useful, give us a like, allow other people to find the video, consider subscribing to the channel, hit the notifications icon and you might get notified of any videos that I do. Thanks for watching, and I'll see you in the next video.
Info
Channel: Sheridan Computers
Views: 2,639
Keywords: pfsense, load balancing, pfsense load balancing, pfsense dual wan load balancing, pfsense wan load balancing, pfsense load balancing 3 wan, pfsense load balancing 2 wan, pfsense failover and load balancing, pfsense dual wan load balancing and failover, load balancing pfsense, pfsense tutorial, pfsense load balancing wan, pfsense setup, pfsense firewall, pfsense dual wan basic load balancing, #load balancing, internet, pfsense router, sheridan computers, failover, pfsnse failover
Id: XITxSrU30CE
Length: 31min 40sec (1900 seconds)
Published: Fri Mar 15 2024