pfSense Load Balancing & Failover (easy mode)

Captions
Hey guys, the Network Berg here, hope you're doing well. If you're a new viewer, welcome to the channel; if you're a returning viewer, welcome back, happy to see you. So in this video we will be looking at how to configure load balancing and failover using gateway groups on pfSense. So this is going to be a fun little experiment, and I think this is something that could be very useful for most small businesses, medium businesses, even large enterprises really, but let's actually look at how we can configure this on a pfSense firewall.

So we're in my virtual topology. This is a Linux Ubuntu machine that is connecting directly to my pfSense firewall, and from there I've got some basic internet access set up. Now I just want to navigate to the pfSense, and while I do that let's just actually think about what the benefits of using load balancing and failover are. So these concepts are a little bit different, because load balancing in essence will allow you to use multiple links at the same time, effectively increasing your throughput or your bandwidth capacity. So each link will still have its relevant capacity, but you can use the links at the same time. So this is very useful if you have maybe multiple fiber links, or a wireless backup link and a fiber link, and they're both uncapped; then it's a great solution for a user like you. However, maybe you don't want both solutions to run at the same time; maybe you want a failover scenario, so that, let's say, your backup connection might be a capped solution like an LTE or some device and you don't have unlimited bandwidth, so you maybe just want to fail over to that device in the event of a failure. So for that we can set up failover, and the way you go about setting this up is relatively the same, but we'll start off by configuring the load balancer and then I'll just quickly walk you through some things that I think are nice to have and see when you set this up on your pfSense firewall.

So firstly I've just got three interfaces: a WAN, a LAN and a DMZ. I do have another interface which is going to be connecting to my hypervisor, which you can think of as my secondary connection. Now this could have been an LTE modem or another service provider's router, or it could be something that I could be doing another PPPoE connection on, whatever; it's just another interface we're going to be having internet access off of. So this is going to be our second link. So I just want to assign this link, or add it to my interfaces. It will give itself the name of OPT2 and I'm just going to change this description to WAN2. I'm going to enable the interface, and for the IPv4 configuration type, since this is going to be DHCP based, I'm going to select DHCP, but if you were using another static connection or PPPoE or something then you could have specified those details here. So I'm just going to connect with DHCP, I'll apply my changes, and now I will have a secondary WAN link, which is going to be awesome. But this link is effectively not going to be doing anything; it's just going to be existing in my network. So if I go back to my dashboard we can now see I have a WAN2 link here and it's obtained an IP address, and in theory I should be able to route traffic over it if I set that as the gateway. So if I go into System, Routing, I could in essence take this WAN2 DHCP interface that's here now, I could set this as the primary gateway and then traffic would route over it, but that's not really failover, and this is also a manual process to do, so that I don't like; I'd like this all to be as automated as possible when we want to fail over. So what I recommend you do is you can set your gateway groups, but before we set the gateway group, since this is a dynamic interface that has been created, I'm just going to edit this and I'm just going to save this as well; so let's just call this WAN2 gateway. So now that that's been saved, it is two actual interfaces that I have on my pfSense firewall.

So the first thing I want to do is, if I want to set up load balancing, I can go to the gateway groups, and you can create a gateway group to do the load balancing. So I'll click on the add button, and we can call this group load balance or load balancer or whatever you want to call it, and now we can set some priorities. Now the WAN gateway, which is my primary WAN connection, my WAN 1, I'm going to set this to tier 1, and this in essence will just say that this connection is going to be the first one that we're going to pick whenever it comes to any type of routing. Now we've got the second WAN interface here as well, and here's the difference between setting this as load balance or failover: if you select the same tier it will be running in load balance mode, and if you select a second tier or another different tier then that would in essence be failover. So devices in the same tier will first run together, and it will go down the list, the next tier, the next tier, the next tier. So if you had even more WAN connections, maybe you had four WAN connections, then you could have different tiers set up for each one so that there's like a big string of failover occurring. But we're just going to set both of them to tier 1 for the load balance. And we have a trigger level, and this trigger level in essence just says if some type of condition is met then it will kick in a failover scenario, like it will route traffic over another interface. So this is where we get member down, packet loss, high latency, or packet loss and high latency, but I'll just leave this on member down, so that if the member is picked up as being down then it can just route traffic over the alternate interface; but since this load balance is going to be routing over both interfaces at the same time... so let me save this. Now we have a load balancer, or a gateway group, but before any of this will actually work properly we'll just need to head into our gateways and we need to set some monitor IPs.

Now the monitor IPs allow the gateway to basically be pinging or checking if a remote site is up, maybe something like a DNS server address, and if it picks up that it can no longer get to that DNS server then it will just understand that the interface is down and then it's going to mark itself as down. So let's just edit the gateway and let's set a monitor IP. So for my primary WAN connection I might just set the monitor IP as 1.1.1.1, which is the Cloudflare DNS, and if I click on Display Advanced you can see some additional settings that you can set and tweak, which relate to... if you set the trigger event to something like latency or packet loss you can tweak the settings here, but the defaults are fine; you shouldn't have to tweak it here. So I will just click save, so that this, the primary WAN, is monitoring my Cloudflare DNS, and the secondary WAN I'm going to set to actually monitor Google's DNS, so 8.8.8.8. I'll save these settings. So now each WAN interface or gateway will in essence be pinging a certain IP just to check if it's up. So I'll apply these changes, and with that we've added load balancers, but it's not actually running; nothing's actually happening, because we need to apply this gateway group to any rules that we have specified.

But before we do that I just want to head back to the dashboard, and we're going to make some alterations just to properly see what's happening and if failover is occurring, because I kind of like to just do this just to get a good overview of what's happening on the firewall. So let's tweak the dashboard a little bit. I might get rid of this Netgate Services & Support thing; system info we can keep, and I will just leave it at that, that's perfect. So the other thing I might do is I'll just go into the general setup and I might increase the dashboard columns to something like three, just so that I can play with my widgets a little bit more properly, so it's not just two big lines that I go through. And if you look now we have a little bit more space and we can add some extra widgets. So I'm just going to move my system information; we can leave our interfaces, actually the interfaces I'll move to the left, and now with this we're going to add some extra widgets. We're going to add the gateway widget, so I'll just find the gateways and I'll just drag this here, and you can also tune these widgets, what is being monitored, by clicking on this wrench or spanner or whatever, and then you can tweak which gateways you're monitoring or what you want to monitor. So here I'm monitoring gateway IP and monitor IP, so that's fine. Let's just leave the page, and one more widget I recommend getting is your traffic. So let's find traffic graphs, and now this I've also actually edited already so that it will only display my two WANs; by default it will have all your interfaces, but I've just selected this for both of my WANs so I can see what the WANs are doing. So let's save this, and now we've got a very good overview of what's happening on the firewall. So we can see which interfaces are currently up, if the gateways are up, and what the traffic graphs look like, so how we are pushing traffic over our interfaces.

So as a baseline test let's just quickly go to something like fast.com and it should run. Let me go back to this screen, and here in the traffic graph we can see that my primary WAN is now carrying all of the traffic; it's doing 25 megabytes of traffic, and I do have a 200 megabit link, so this seems correct to me. So this is 100% fine, but our second WAN isn't doing anything; all of the traffic is just kind of staying where it is. Now to get the traffic to load balance properly we will actually adjust our firewall rule. So I'll go into my rules, I'll find my LAN, since this is going to be traffic that's going to be leaving from the LAN going to the internet, and I'm just going to tweak this a little bit. So I'll edit my policy and I'll scroll down, I'll click on Display Advanced so I can see additional settings, and I'm just going to specify the gateway. So the gateway here is set as default, and the default is just going to be my WAN connection, so it's this first hop, but there is this gateway group that we created, load balancer, so I'm actually going to select that. And now that I've selected that and I save this policy, I might just do the same for the ICMP as well, so let's just find that gateway, save it. So now the two policies that I have from my LAN to get out to any network or the internet will run through this gateway, or gateway group, and this, in essence, if I hover over it, you can see what the WAN addresses are, or the gateway addresses. So I'm going to apply these changes, and now that the changes have been applied, if I actually go back to the dashboard and I initiate the same test, it should actually load balance now. So let's just see, I see the traffic is running, and if I look at the screen there we can see both links are effectively now carrying the traffic. So it should in theory be going half and half, or whatever the capacities are, but I'm able to distribute traffic evenly between my two WAN links, so that, you know, I get the best out of my solution, so that I'm not wasting my one backup link that I'm paying for; it is an active link, I'm just not using it actively. So this is what this is very useful for. So now we have load balancing in place. Let's just also test the upload, so I'm clicking on More Info and it should do a little bit of an upload, and if we scroll back we should see the upload traffic is also being load balanced. So this is fantastic, I'm really happy with this, and this is a pretty good stock standard setup just for load balancing.

But let's say that secondary link was a capped solution and we didn't want it to just load balance, because we might be wasting bandwidth, or we'd be paying out of our ears if it's a capped solution and they're charging us some contract fees for capacity. So let's just set this up in the event of failover, and the process is really the same. We'll go into our System, Routing; we'll also leave the monitor IPs as is, because it needs to use that monitor IP just to poll to see if the interface is up or down, and we'll just create a new gateway group. So the gateway group I'm going to create, I'll call this failover, and now we can specify our gateway priorities. So I'm going to use the WAN gateway again and I'll set that for tier 1, and the WAN 2, which is our LTE in this case, I'm going to select tier 2, so that this is actually a second preferred connection, and this will also only happen in the event of member down. So let's save this, but again the trigger level can be up to your choice; if you want to set it for packet loss slash latency you're welcome to do that as well. So now we have a failover group. I don't need to tweak anything with the gateways because we've already got the monitor IPs, so all I really need to tweak now is my firewall policy. So let's go back into the rules, I'll go into the LAN, and I'm just going to tweak those gateways from using the load balancer to be failover. I'll save this, and now that this has been saved I can apply my changes, and now in theory traffic should fail over in the event of one link dropping. So let me just go back to the pfSense and let's run a speed test. So all traffic should now just be going out over the primary WAN again, and there I can see it is all just going out over the WAN 1 link, because the bottom one is doing like bytes of traffic and the top one is doing 25 megabytes, so that clearly shows us that the one link is being preferred to push out the traffic or get to the internet.

But let's actually emulate an internet fault. So what I might do is, I've got this MikroTik on that WAN 1, and this is actually what's giving us internet access, so I'm just going to shut this down. Once this MikroTik has been shut down, technically my WAN should be down, so let me just navigate back to my pfSense and we should actually see that that WAN gateway goes down. So let's see, it's warning, packet loss, so it's already picked up something isn't good, something wrong has occurred here. So let's just see how long it takes to actually pick up that there's a big issue. There we see it says it's offline, there's packet loss. Now in that event it should now be routing the traffic over the secondary link, the WAN 2. So let's run the same test again, let's just refresh, let me just open up a new tab for it, fast.com, there we go, 200 megabits per second, and I can see now that the traffic is routing out over the failover link without my intervention, because of the load balancing, or the gateways that we set up, the gateway groups I should say. So load balancing also offers you failover: if one of the links dies in the load balancing group it doesn't matter, because it will still just route traffic over the second link, but again it is being utilized, it's two active links, whereas this type of setup that I just did now would be an active-passive type of failover solution, where again it might be for your LTE that's capped perhaps.

All right, so I think this covers how we can do load balancing and failover on pfSense. It's actually relatively easy and pain-free. I hope you've enjoyed; I'd like to thank my YouTube and Patreon members for helping the channel out, and obviously you guys the viewers, thank you for watching, I really appreciate it, and I'll catch you in the next video. Bye.
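The video configures everything through the pfSense GUI, so the tier, trigger and monitor-IP semantics it walks through only live in the resulting config.xml. The script below is an added example for this page, not the video author's code and not part of pfSense: it reads a gateway section in the config.xml layout pfSense uses (assumed from memory: `<gateway_item>` with `<name>` and `<monitor>`, and `<gateway_group>` `<item>` entries of the form `GATEWAYNAME|TIER|VIRTUALIP`; verify against your own `/conf/config.xml`), classifies each group the way the video describes (same tier on every member = load balance, ascending tiers = failover, a mix = balanced within a tier and failover between tiers), simulates which members carry traffic once a gateway is marked down, and lints the two things that most often make a group silently not do what was intended: gateways with missing or shared monitor IPs, and LAN rules still pointing at the default gateway. The embedded `SAMPLE_CONFIG` is constructed to mirror the video's setup (WAN_DHCP monitoring 1.1.1.1, WAN2_DHCP monitoring 8.8.8.8, one tier-1/tier-1 group and one tier-1/tier-2 group, both triggered on member down).

```python
"""Check pfSense gateway groups offline, from a config.xml fragment.

Added example for this page, not the video's or pfSense's own code. It assumes
the config.xml layout pfSense uses for gateways: each <gateway_item> carries
<name> and <monitor>, and each <gateway_group> <item> reads
"GATEWAYNAME|TIER|VIRTUALIP" (my reading of that format; check it against your
own /conf/config.xml). SAMPLE_CONFIG is constructed to mirror the video: WAN_DHCP
monitors 1.1.1.1, WAN2_DHCP monitors 8.8.8.8, one group with both on tier 1
(load balance) and one with tiers 1 and 2 (failover), both triggered on member down.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<pfsense>
  <gateways>
    <gateway_item><interface>wan</interface><name>WAN_DHCP</name>
      <gateway>dynamic</gateway><monitor>1.1.1.1</monitor></gateway_item>
    <gateway_item><interface>opt2</interface><name>WAN2_DHCP</name>
      <gateway>dynamic</gateway><monitor>8.8.8.8</monitor></gateway_item>
    <gateway_group><name>LoadBalancer</name><trigger>down</trigger>
      <item>WAN_DHCP|1|address</item><item>WAN2_DHCP|1|address</item></gateway_group>
    <gateway_group><name>Failover</name><trigger>down</trigger>
      <item>WAN_DHCP|1|address</item><item>WAN2_DHCP|2|address</item></gateway_group>
  </gateways>
  <filter>
    <rule><interface>lan</interface><protocol>icmp</protocol><gateway>Failover</gateway></rule>
    <rule><interface>lan</interface><gateway>Failover</gateway></rule>
    <rule><interface>dmz</interface></rule>
  </filter>
</pfsense>"""


def parse_config(xml_text):
    """Return (gateway -> monitor IP, group -> {members, trigger}, [(iface, gateway)] rules)."""
    root = ET.fromstring(xml_text)
    gateways = {g.findtext("name"): (g.findtext("monitor") or "").strip()
                for g in root.iter("gateway_item")}
    groups = {}
    for grp in root.iter("gateway_group"):
        members = []
        for item in grp.findall("item"):
            name, tier, _vip = item.text.split("|")
            members.append((name, int(tier)))
        groups[grp.findtext("name")] = {"members": members,
                                        "trigger": grp.findtext("trigger") or "down"}
    rules = [(r.findtext("interface"), r.findtext("gateway")) for r in root.iter("rule")]
    return gateways, groups, rules


def group_mode(members):
    """Same tier for every member = load balance; all tiers distinct = pure failover."""
    tiers = [t for _, t in members]
    if len(set(tiers)) == 1:
        return "load-balance"
    if len(set(tiers)) == len(tiers):
        return "failover"
    return "mixed"  # balanced inside each tier, failover between tiers


def active_members(members, down=()):
    """Gateways carrying traffic: all members of the lowest tier that still has one up."""
    for tier in sorted({t for _, t in members}):
        up = [name for name, t in members if t == tier and name not in down]
        if up:
            return up
    return []  # every member down: pfSense drops the gateway from the rule, default route applies


def lint(gateways, groups, rules, policy_ifaces=("lan",)):
    """Misconfigurations that make a group silently not do what the tiers suggest."""
    problems, seen = [], {}
    for name, mon in gateways.items():
        if not mon:
            problems.append(f"{name}: no monitor IP, dpinger pings the gateway address itself, "
                            "which can stay up while the upstream is dead")
        elif mon in seen:
            problems.append(f"{name}: monitor IP {mon} already used by {seen[mon]}")
        else:
            seen[mon] = name
    for gname, grp in groups.items():
        for member, _ in grp["members"]:
            if member not in gateways:
                problems.append(f"group {gname}: unknown gateway {member}")
    for iface, gw in rules:
        if gw and gw not in groups and gw not in gateways:
            problems.append(f"rule on {iface}: gateway '{gw}' does not exist")
        if iface in policy_ifaces and not gw:
            problems.append(f"rule on {iface}: still on the default gateway, no group applied")
    return problems


if __name__ == "__main__":
    gws, grps, rls = parse_config(SAMPLE_CONFIG)
    for gname, grp in grps.items():
        print(gname, group_mode(grp["members"]), "trigger:", grp["trigger"],
              "normally via", active_members(grp["members"]),
              "with WAN_DHCP down via", active_members(grp["members"], down={"WAN_DHCP"}))
    print("problems:", lint(gws, grps, rls) or "none")
```

Run it against a real backup (`Diagnostics > Backup & Restore` gives you the XML) before and after a change: the `active_members` simulation tells you which WAN a LAN rule would use with WAN 1 marked down without having to power off the upstream router as the video does, and the monitor-IP check matters because pfSense installs a host route for each monitor IP through its gateway, so two gateways sharing one monitor address cannot both be tested.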
Info
Channel: The Network Berg
Views: 37,284
Keywords: #Failover, #Load Balancing, #pfSense, network berg, pfsense traffic shaping
Id: XRijP4_0xog
Length: 16min 8sec (968 seconds)
Published: Tue Jun 14 2022