Contents
1 Caveats
2 Overview
3 Intro
4 Installation
5 Setting up your modems / routers
6 Finishing installation
7 Basic pfSense settings
8 Interfacing with modems / routers
9 Setting up load balancing and failover
9.1 Selecting a Monitor IP address
9.2 Setting up the pools
9.3 Set up useful aliases
9.4 Set up the basic firewall rules for outgoing access
9.5 Setting up DNS for Load Balancing
10 Port Forwarding and Applications
10.1 example port Forwarding follows
10.2 Supporting bittorrents
10.2.1 Summary of setup
10.2.2 bittorrent setup
10.2.3 Setup outgoing rule
10.2.4 Setup port forwarding on your modem / router
10.2.5 Setup port forwarding on pfSense
10.2.6 Turn on logging on the auto setup rule
10.2.7 Testing your configuration
10.2.8 turn off logging
Caveats
1 of 18 12/30/2009 3:44 PM
Multi WAN / Load Balancing - PFSenseDocs http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing
This page describes the setup using pfSense 1.1, updated to January 2007 (or later).
Important: if you are using pfSense 1.2 then use the updated documentation: MultiWanVersion1.2
For your own good, you may want to ignore most of the tutorials available, as they are either completely
confusing, or highly contradictory. The following is an attempt to very simply get you started.
Note that currently most pfSense add-on packages do NOT support multi WAN and all their traffic will use
the WAN connection.
Overview
This setup enables pfSense to load balance traffic from your LAN to multiple internet connections (WANs).
Traffic from the LAN is shared out on a round robin basis across the available WANs. pfSense monitors each
WAN connection, using an IP address you provide, and if the monitor fails, a failover configuration is used; this
typically just feeds all traffic down the other connection(s). This example sets up 2 WANs, but 3 or more can be
used.
Intro
You will probably find you have three types of traffic you need to allow for:
1. Traffic that can be load balanced with no problems (e.g. general web browsing)
2. Traffic where one connection is preferred, but it's alright to failover to the other if the first one fails (e.g.
some bank websites, games like counterstrike, other apps - like Microsoft's new web conferencing)
3. Traffic that has to go to one specific connection; if the connection is down, it will just have to wait (e.g.
SMTP mail to your ISP, which typically has to come from inside their own network)
Installation
This is a quick, simple installation guide; you can find more detailed instructions in the full Installing_pfSense
part of the Wiki.
First step: install a video card, keyboard, a CD-ROM drive, an IDE hard disk drive, 128MB of RAM or more and
at least three network interfaces in your target machine. Do not install any unnecessary hardware like a modem,
because pfSense cannot use it.
The hardware setup for the installation tested was Pentium Pro 200, 128MB EDO RAM, Floppy 1.4MB, Trident
VGA, 4 Realtek 8139D PCI cards, ATAPI CD-ROM 24X, 2 IDE 1GB drives. As you can see it was quite an old
system, but it all still worked quite well. pfSense was also installed on a DELL Dimension 4100 800MHz without
any problems.
Set up your BIOS to boot from the CD and then insert the CD into the drive. Reboot the machine and watch the
FreeBSD 6.2 operating system boot up your machine. Do not worry if you cannot catch everything that is
scrolling by, because you can see all of it when the boot is complete by pressing Scroll Lock on your
keyboard and using the Page Up/Down keys. The boot process should stop and ask you to configure the network
interfaces. If you make it that far, the rest of the installation will most likely be successful.
Now it will ask you to select the LAN interface. This is the interface that you will attach to an Ethernet switch if
more than one computer will be accessing pfSense to get to the internet. To select this interface, use the
automatic procedure by disconnecting all interface cables from all the network interfaces of the pfSense machine. Follow
the instructions on the screen and then attach the computer via an Ethernet cable to the LAN port. Mark this
interface as the LAN interface.
Next it will ask you to select the WAN port. In a dual WAN configuration the WAN port is the primary WAN. If you
have not set up your DSL/cable modem/routers yet, select an interface by specifying the name of the interface
as shown on the display. This interface can be changed later on.
Then select the OPT1 port by specifying the name of the next interface as shown on the display. The OPT1 port will
become your secondary WAN port. Even if you have more interfaces to configure, press Enter at the next interface
request to end the configuration.
pfSense will start to load and configure itself. With a little luck, you will pass the point where pfSense configures
the WAN interface. This is where the interrupts are tested, and if your hardware is set up properly, or if you have a
newer computer, it will breeze through and arrive at the pfSense Console Setup page. Here you will install pfSense
to your hard disk by entering 99. If you do not make it to this page, you have a hardware compatibility problem
with the FreeBSD operating system.
Installation is pretty painless: tell it to format and make a new partition if you want everything cleaned off, and
once complete you'll see FreeBSD loading. The loading will take some time. This time can be used to determine
how you will connect the pfSense WAN ports to the internet.
Setting up your modems / routers
Once you have set up the modem/routers, test their connectivity by accessing the internet and obtaining the public
IP, either from the modem/router web interface or using http://whatismyip.org.
Finishing installation
The software installation to the hard disk should be complete by now, so attach the modem/routers to the WAN
and OPT ports, and attach a computer running Internet Explorer or Firefox to the LAN port that you marked previously.
It does not matter if you do not have the modem/routers in the right ports, because you can tell which one is in
which port by looking at the DHCP address received by the pfSense WAN and OPT1 interfaces.
Reboot pfSense by a three key reset. As FreeBSD loads, it will tell you if there were any
errors. Once the reboot is complete, make sure your attached computer has a valid IP address in the
192.168.1.x subnet. If it does not, force a repair on the LAN connection of your computer.
Time to start the pfSense WebConfigurator, the GUI, which lets you do many things besides setting up pfSense!
Enter http://192.168.1.1/ into your web browser.
Hostname:pfsense
Domain:private.lan
Timezone:Etc/UTC
Type:DHCP
Hostname:pfWan1
FTP Helper:checked
LAN IP Address:192.168.1.1
Subnet Mask:24
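On this screen we set the Admin password, which is used to access both the WebGUI and SSH services. Since this single password guards both, treat the value shown below as an example and choose a strong password of your own.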
Admin Password:admin
Click 'Reload' to reload pfSense with new changes. If you changed the password, pfSense will ask you to log
in again.
You need to make sure that DNS queries are being handled by the modem/routers. This is set on the Services:
DNS forwarder page. Check the appropriate boxes.
Alright, if you've gotten this far, you can probably already surf the internet. If so, this is an excellent sign. If not,
you may find that you experience trouble that is NOT pfsense based. Make sure your cables are good, and your
internet is working on both incoming internet connections.
Interfaces:Assign
Once the pfsense interface selection is complete the MAC (00:xx:xx:xx:xx:a1) address of WAN interface rl1
needs to be made static to 192.168.0.2 in the Wan1 modem/router’s DHCP server. The Wan1 modem/router’s
web interface should be accessible through the pfsense at 192.168.0.254. In addition set the port addresses of the
Wan1 modem/router interfaces to HTTP:8080 FTP:8021 TelNet:8023.
The MAC (00:xx:xx:xx:xx:96) address of OPT1 interface rl2 also needs to be made static to 192.168.2.2 in the
Wan2 modem/router’s DHCP server. The Wan2 modem/router’s web interface should be accessible through the
pfsense at 192.168.2.254. In addition set the port addresses of the Wan2 modem/router interfaces to HTTP:8080
FTP:8021 TelNet:8023.
A reboot of both modem/routers and the pfsense is required after these changes.
The new URLs are http://192.168.0.254:8080/ for the Wan1 and http://192.168.2.254:8080/ for the Wan2
modem/router.
Bridge with:none
IP address:192.168.1.1/24
FTP Helper:checked
Description:OPT1wan2
Type:DHCP
FTP Helper:checked
Hostname:pfWan2
Setting up load balancing and failover
Selecting a Monitor IP address
pfSense monitors each WAN connection by pinging the monitor address you specify. If the ping fails, the link is
marked down and the appropriate failover configuration is used (actually, if the ping fails it retries a few times
to be sure; this avoids false indications of the connection going down).
[How the various Pools and gateways are related, and how they can be used]
Note that pfSense automatically sets up to route traffic to your monitor IP only down the link it is monitoring, so
don't use a popular web site as this will force all its traffic down 1 link. Better to use a router or server in your
ISP's network.
Good addresses to use are the default gateway your modem has assigned (if it responds to ping!), your ISP's DNS
server, webmail server, or a router within your ISP's network. You can find one of these by using traceroute to a
public service. Be careful though: larger ISPs will have networks that dynamically adapt, so a router you see now
may not be there an hour later!
Setting up the pools
Select Services:Load Balancer. You can create the pools by clicking the button then filling out the Edit Pool
page.
Load Balancer:Pool:Edit
Name:Wan1BalanceWan2
Behavior:Load Balancing
Interface Name:WAN
Interface Name:OPT1wan2
Save
Name:Wan1FailoverWan2
Behavior:Failover
Interface Name:WAN
Interface Name:OPT1wan2
Save
Name:Wan2FailoverWan1
Behavior:Failover
Interface Name:OPT1wan2
Interface Name:WAN
Save
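The monitor and pool behaviour described in this section can be modelled in a few lines. This is an added example, not pfSense code: the `Link` and `Pool` classes and the retry count of 3 are assumptions (the page only says the ping is retried a few times), while the pool and interface names are the ones configured above.

```python
RETRIES = 3  # assumed value; the page only says "retries a few times"

class Link:
    """One WAN link and its run of consecutive failed monitor pings."""
    def __init__(self, name):
        self.name = name
        self.misses = 0

    def record_ping(self, ok):
        self.misses = 0 if ok else self.misses + 1

    @property
    def up(self):
        # A single lost ping must not mark the link down.
        return self.misses < RETRIES

class Pool:
    """Simplified model of a Load Balancer pool (hypothetical class)."""
    def __init__(self, behavior, members):
        self.behavior = behavior      # "balance" or "failover"
        self.members = members        # order matters for failover
        self._turn = 0

    def pick(self):
        """Link name for the next new connection, or None if all are down."""
        live = [m for m in self.members if m.up]
        if not live:
            return None
        if self.behavior == "failover":
            return live[0].name       # first listed member that is up
        link = live[self._turn % len(live)]   # round robin over live links
        self._turn += 1
        return link.name

def build():
    """Recreate the three pools defined on this page."""
    wan, opt1 = Link("WAN"), Link("OPT1wan2")
    pools = {
        "Wan1BalanceWan2": Pool("balance", [wan, opt1]),
        "Wan1FailoverWan2": Pool("failover", [wan, opt1]),
        "Wan2FailoverWan1": Pool("failover", [opt1, wan]),
    }
    return wan, opt1, pools

if __name__ == "__main__":
    wan, opt1, pools = build()
    print([pools["Wan1BalanceWan2"].pick() for _ in range(4)])
    for _ in range(RETRIES):
        wan.record_ping(False)        # WAN monitor stops answering
    for name, pool in pools.items():
        print(name, "->", pool.pick())
```

Traffic that must use one specific connection corresponds to no pool at all: it is pointed at a single gateway and simply waits while that link is down.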
Set up useful aliases
These pools can be used as gateways in the Outgoing Firewall Rules. To make it easier, define at least 4 aliases
under Firewall:Aliases.
Set up the basic firewall rules for outgoing access
Once all of the active rules have been added and applied, the Dual WAN setup is complete!
Setting up DNS for Load Balancing
Make sure that you have a DNS server from each ISP in the General Settings. This will ensure that you have DNS
service in case one ISP goes down. You will also need to set up Static Routes for each DNS server. In this example,
if the DNS server is on the WAN link then the static route for that DNS server will have 192.168.0.254 as the gateway.
If the DNS server is on the other ISP (i.e. OPT1) then the static route will have 192.168.2.254 as the gateway.
Supporting bittorrents
bittorrents are best coped with by restricting the traffic to only use 1 WAN connection. This description locks
bittorrent to one WAN connection. With a bit more setup it would be possible to make this failover, but when it
failed over I'm not sure how long the bittorrent application would take to sort out both itself and the peers it was
connected to, so it may not be worth it anyway!
If you want to understand more about port usage and other things then use Brian's FAQ here...[1]
(http://btfaq.com/serve/cache/25.html)
Summary of setup
bittorrent uses both outgoing and incoming connections, so a number of things need to happen:
1. make sure that your bittorrent application is configured to use only a single port (does not change each time
you run bittorrent).
2. set up a rule on LAN to make sure that outgoing connections from the machine running bittorrent always
go the same way.
3. set up port forwarding on the modem router on the appropriate WAN connection to forward to pfSense.
4. set up port forwarding in pfSense to forward to the machine running bittorrent.
5. turn on logging on the auto setup rule on WAN or WAN2 to allow traffic to the bittorrent machine.
6. test your config using the bittorrent application's port forward checker.
7. turn off logging on your new rules.
8. sit back and watch the data flow.
bittorrent setup
This varies depending on the bittorrent application you use. I use uTorrent.
You can use a randomly generated port on first set up, but don't change the port on
each run (unless you want to change pfSense and your modem every time as well!).
You don't need to use UPnP port mapping, and you only check the firewall
exceptions box if you are using Windows Firewall.
[connection settings in uTorrent]
Setup outgoing rule
This LAN rule makes sure that the connection to the tracker goes down the right pipe. Change the address
192.168.1.250 to the LAN address of your bittorrent machine.
Turn on logging when you first put the rule in, and once you know it is all working you can turn it off.
Note that I have logged uTorrent and it also outward connects to torrent peers using source ports from around
2000 upwards (each new connection increments the port number). For this reason I think the best answer is to set
up for all traffic from the bittorrent machine to be mapped to the one connection, rather than specific ports.
Maybe someone who knows can refine this.
Change the address 192.168.1.250 to the LAN address of your bittorrent machine.
Setup port forwarding on your modem / router
If your modem / router is NATing, then you need to set it up to forward the port set up in step 1 to pfSense - 25017
in this example. You'll need to look in your modem / router documentation for this, or consult Brian's FAQ as
linked at the top of this section.
Alternatively your router may allow you to forward everything to pfSense - my Linksys ADSL modem has this
facility, which makes life easy.
Setup port forwarding on pfSense
Now set up a matching port forward on the WAN interface to forward the port to your bittorrent machine.
Make sure you leave the box Auto add a firewall rule... at the bottom of the page checked.
Turn on logging on the auto setup rule
Now go into Firewall - Rules and select the tab for the interface you are using. There should be a new rule to handle
the traffic for the port forward you just set up. Turn on logging on this rule and apply the changes.
Testing your configuration
Now it's time to see if it all works. Run up your torrent client and if it has a port forward. In uTorrent, there is a
button on the form Options - Speed Guide called Test if port is forwarded properly. This launches a web
browser that will report if the port is properly configured.
Now start up a torrent, and after a few seconds go and check the Status - system logs and select the firewall tab.
You should see traffic to port 6969 from your bittorrent machine as it connects to the tracker.
Then you should see outgoing connections from your machine to many different addresses and ports as your
torrent client contacts peers.
Then you should start to see incoming connections (WAN / WAN2 interface) from some of those peers to your
machine. These should all be using the port you are configured to use in step 1.
Your torrent client should by now show lots of activity, with multiple peers connected and plenty of incoming
traffic. After a few minutes outgoing traffic should start to grow.
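The checks in this walkthrough can also be run over an exported log instead of by eye. The following is an added example, not part of the original page: the CSV layout is a simplified, constructed format (not pfSense's own log format), the peer and tracker addresses are constructed, and pinning bittorrent to WAN is an assumption; the host address, port 25017 and port 6969 come from the page.

```python
import csv
import io

BT_HOST = "192.168.1.250"   # LAN address of the bittorrent machine (from the page)
BT_PORT = 25017             # forwarded port used in the page's example
TRACKER_PORT = 6969         # tracker port the page expects to see
BT_WAN = "WAN"              # assumption: bittorrent is pinned to WAN, not OPT1wan2

# Constructed sample, one entry per line:
# action,interface,proto,src,sport,dst,dport
SAMPLE = """\
pass,LAN,tcp,192.168.1.250,2001,203.0.113.10,6969
pass,LAN,tcp,192.168.1.250,2002,198.51.100.7,51413
pass,WAN,tcp,198.51.100.7,40112,192.168.1.250,25017
pass,WAN,udp,198.51.100.9,40500,192.168.1.250,25017
pass,OPT1wan2,tcp,198.51.100.23,33001,192.168.1.250,25017
pass,WAN,tcp,198.51.100.50,51000,192.168.1.250,3389
block,WAN,tcp,198.51.100.60,51001,192.168.1.1,22
"""

def review(log_text):
    """Count the expected flows and list inbound passes that should not exist."""
    seen = {"tracker": 0, "peers_out": 0, "peers_in": 0}
    findings = []
    for n, row in enumerate(csv.reader(io.StringIO(log_text)), 1):
        if not row:
            continue
        action, iface, proto, src, sport, dst, dport = row
        if action != "pass":
            continue
        if iface == "LAN" and src == BT_HOST:
            # Outgoing: tracker first, then peers on many addresses and ports.
            key = "tracker" if int(dport) == TRACKER_PORT else "peers_out"
            seen[key] += 1
        elif iface != "LAN" and dst == BT_HOST:
            # Incoming: only the forwarded port, only on the pinned WAN.
            if int(dport) != BT_PORT:
                findings.append((n, f"inbound pass to unexpected port {dport}"))
            elif iface != BT_WAN:
                findings.append((n, f"forwarded port reachable via {iface}"))
            else:
                seen["peers_in"] += 1
    return seen, findings

if __name__ == "__main__":
    counts, problems = review(SAMPLE)
    print(counts)
    for line_no, message in problems:
        print(f"line {line_no}: {message}")
```

An empty findings list together with non-zero counts for all three flow types matches what the walkthrough above expects to see before logging is turned off.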
turn off logging
Assuming all is well, turn off all the logging that you set up before you sit back and enjoy the data flow.
This page was last modified on 19 November 2009, at 22:52. This page has been accessed 72,787 times.