
Multi WAN / Load Balancing - PFSenseDocs

http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing

Multi WAN / Load Balancing


From PFSenseDocs

Contents
1 Caveats
2 Overview
3 Intro
4 Installation
5 Setting up your modems / routers
6 Finishing installation
7 Basic pfSense settings
8 Interfacing with modems / routers
9 Setting up load balancing and failover
  9.1 Selecting a Monitor IP address
  9.2 Setting up the pools
  9.3 Set up useful aliases
  9.4 Set up the basic firewall rules for outgoing access
  9.5 Setting up DNS for Load Balancing
10 Port Forwarding and Applications
  10.1 Example port forwarding follows
  10.2 Supporting bittorrents
    10.2.1 Summary of setup
    10.2.2 bittorrent setup
    10.2.3 Setup outgoing rule
    10.2.4 Setup port forwarding on your modem / router
    10.2.5 Setup port forwarding on pfSense
    10.2.6 Turn on logging on the auto setup rule
    10.2.7 Testing your configuration
    10.2.8 turn off logging

Caveats
This page describes the setup using pfSense 1.1, updated to January 2007 (or later). Important: if you are using pfSense 1.2 then use the updated documentation: MultiWanVersion1.2 For your own good, you may want to ignore most of the tutorials available, as they are either completely confusing, or highly contradictory. The following is an attempt to very simply get you started. Note that currently most pfSense add-on packages do NOT support multi WAN and all their traffic will use the WAN connection.

Overview
This setup enables pfSense to load balance traffic from your LAN to multiple internet connections (WANs). Traffic from the LAN is shared out on a round robin basis across the available WANs. pfSense monitors each WAN connection using an IP address you provide; if the monitor fails, a failover configuration is used instead, which typically just feeds all traffic down the other connection(s). This example sets up 2 WANs, but 3 or more can be used.

Intro
1 of 13 20/05/2012 08:51 p.m.


You will probably find you have three types of traffic you need to allow for:
1. Traffic that can be load balanced with no problems (e.g. general web browsing)
2. Traffic where one connection is preferred, but it's alright to fail over to the other if the first one fails (e.g. some bank websites, games like Counter-Strike, other apps like Microsoft's new web conferencing)
3. Traffic that has to go to one specific connection; if the connection is down, it will just have to wait (e.g. SMTP mail to your ISP, which typically has to come from inside their own network)

Installation
This is a quick / simple installation guide; you can find more detailed instructions in the full Installing_pfSense part of the Wiki. First step: install a video card, keyboard, a CD-ROM drive, an IDE hard disk drive, 128MB of RAM or more and at least three network interfaces in your target machine. Do not install any unnecessary hardware like a modem because pfSense cannot use it. The hardware setup for the installation tested was Pentium Pro 200, 128MB EDO RAM, Floppy 1.4MB, Trident VGA, 4 Realtek 8139D PCI cards, ATAPI CD-ROM 24X, 2 IDE 1GB drives. As you can see it was quite an old system but it all still worked quite well. pfSense was also installed on a DELL Dimension 4100 800MHz without any problems. Next, download the current Snapshot ISO from http://snapshots.pfsense.com/FreeBSD6/RELENG_1_2/iso/pfSense.iso.gz Once the download is complete, uncompress the file and burn the CD. Set up your BIOS to boot from the CD and then insert the CD into the drive. Reboot the machine and watch the FreeBSD 6.2 operating system boot up your machine. Do not worry if you cannot catch everything that is scrolling by, because you can see all of it when the boot is complete by pressing Scroll Lock on your keyboard and using the Page Up/Down keys. The boot process should stop and ask you to configure the network interfaces. If you managed to make it that far, the rest of the installation will most likely be successful. Answer no to the first prompt, which asks whether to set up a Virtual Interface/LAN (VLAN), by typing n. Now it will ask you to select the LAN interface. This is the interface that you will attach to an Ethernet switch if more than one computer will be accessing the pfSense to get to the internet. To select this interface, use the automatic procedure by disconnecting all interface cables from all the network interfaces of the pfSense. Follow the instructions on the screen and then attach the computer via an Ethernet cable to the LAN port. Mark this interface as the LAN interface.
Next it will ask you to select the WAN port. In a dual WAN configuration the WAN port is the primary WAN. If you have not set up your DSL/CABLE modem/routers yet, select an interface by specifying the name of the interface as shown on the display. This interface can be changed later on. Then select the OPT1 port, specifying the name of the next interface as shown on the display. The OPT1 port will become your secondary WAN port. Even if you have more interfaces to configure, press enter at the next interface request to end the configuration. pfSense will start to load and configure itself. With a little luck, you will pass the point where pfSense configures the WAN interface. This is where the interrupts are tested; if your hardware is set up properly, or if you have a newer computer, it will breeze through and arrive at the pfSense Console Setup page. Here you will install pfSense to your hard disk by entering 99. If you do not make it to this page you have a hardware compatibility problem with the FreeBSD operating system. Installation is pretty painless: tell it to format and make a new partition if you want everything cleaned off, and once complete you'll see FreeBSD loading. The loading will take some time. This time can be used to determine how you will connect the pfSense WAN ports to the internet.

Setting up your modems / routers



If you have CABLE/DSL modems that are bridge routers you can use them in bridge or router mode. The client ID (PPPoE) is installed on the modem/router and the modem/router maps the Public IP it receives to a Private IP on the modem/router LAN interface. How to do this is specific to each modem/router.

WAN (Wan1) modem/router:
  LAN IP: 192.168.0.254
  LAN Gateway: 192.168.0.254
  DNS relay: 192.168.0.254
  DHCP Server: 192.168.0.2 -> 192.168.0.253

OPT1 (Wan2) modem/router:
  LAN IP: 192.168.2.254
  LAN Gateway: 192.168.2.254
  DNS relay: 192.168.2.254
  DHCP Server: 192.168.2.2 -> 192.168.2.253

Once you have set up the modem/routers, test their connectivity by accessing the internet and obtaining the Public IP, either from the modem/router web interface or using http://whatismyip.org

Finishing installation
The software installation to the hard disk should be complete by now, so attach the modem/routers to the WAN and OPT ports and a computer running Internet Explorer or Firefox to the LAN port that you marked previously. It does not matter if you do not have the modem/routers in the right ports, because you can tell which one is in which port by looking at the DHCP address received by the pfsense WAN and OPT1 interfaces. Reboot the pfsense with a three-key reset. As FreeBSD loads, it will tell you if there were any errors. Once the reboot is complete, make sure your attached computer has a valid IP address in the 192.168.1.x subnet. If it does not, force a repair on the LAN connection of your computer. Time to start the pfsense WebConfigurator, the GUI, which lets you do many things besides setting up pfsense! Enter http://192.168.1.1/ into your web browser.

Basic pfSense settings


You will be prompted to login. Use Admin as user name, and pfsense as your password. The Setup Wizard will start and guide you through the initial configuration of pfSense. Set the parameters listed below and leave the others as they are set.

On this screen you will set the General pfSense parameters.
  Hostname: pfsense
  Domain: private.lan
  Primary DNS Server:
  Secondary DNS Server:

Please enter the time, date and time zone.
  Time server DNS name: pool.ntp.org
  Timezone: Etc/UTC

On this screen we will configure the Wide Area Network information.
  Type: DHCP
  Hostname: pfWan1
  FTP Helper: checked
  Block private networks: unchecked

On this screen we will configure the Local Area Network information.
  LAN IP Address: 192.168.1.1
  Subnet Mask: 24

On this screen we will set the Admin password which is used to access the WebGUI and SSH services.
  Admin Password: admin
  Admin Password AGAIN: ????????

Click 'Reload' to reload pfSense with new changes. If you changed the password, pfSense will ask you to log in again.

You need to make sure that DNS queries are being handled by the modem/routers. This is handled by Services: DNS forwarder page. Check the appropriate boxes.


Alright, if you've gotten this far, you can probably already surf the internet. If so, this is an excellent sign. If not, you may find that you experience trouble that is NOT pfsense based. Make sure your cables are good, and your internet is working on both incoming internet connections.

Interfacing with modems / routers


Before continuing to configure the pfsense Web GUI, make sure that the modem/routers are on the correct network interfaces. The interfaces are shown on the boot-up display attached to the pfsense. Make sure that your primary Wan1 modem/router (192.168.0.x) is attached to WAN and that your secondary Wan2 modem/router (192.168.2.x) is attached to OPT1. If they are not, you can correct them by selecting the right interface using the drop-down boxes under Interfaces: Assign:

  LAN       rl0 (00:xx:xx:xx:xx:bc)
  WAN       rl1 (00:xx:xx:xx:xx:a1)
  OPT1wan2  rl2 (00:xx:xx:xx:xx:96)

Once the pfsense interface selection is complete, the MAC address (00:xx:xx:xx:xx:a1) of WAN interface rl1 needs to be made static to 192.168.0.2 in the Wan1 modem/router's DHCP server. The Wan1 modem/router's web interface should then be accessible through the pfsense at 192.168.0.254. In addition, set the port addresses of the Wan1 modem/router's interfaces to HTTP:8080 FTP:8021 TelNet:8023. The MAC address (00:xx:xx:xx:xx:96) of OPT1 interface rl2 also needs to be made static to 192.168.2.2 in the Wan2 modem/router's DHCP server. The Wan2 modem/router's web interface should then be accessible through the pfsense at 192.168.2.254. In addition, set the port addresses of the Wan2 modem/router's interfaces to HTTP:8080 FTP:8021 TelNet:8023. A reboot of both modem/routers and the pfsense is required after these changes. The new URLs are http://192.168.0.254:8080/ for the Wan1 and http://192.168.2.254:8080/ for the Wan2 modem/router.

Now finish setting up the pfsense interfaces as follows.

Interfaces: LAN
  IP configuration
  Bridge with: none
  IP address: 192.168.1.1/24
  FTP Helper: checked

Interfaces: Optional 1 (OPT1wan2)
  Enable Optional 1 interface: checked
  Description: OPT1wan2
  Type: DHCP
  FTP Helper: checked
  Hostname: pfWan2

Setting up load balancing and failover


It is time to set up Outgoing Load Balancing and Failover. Initially you will not have any pools. You will create 3 pools:
  Wan1BalanceWan2 - used to share out all access on a round robin basis as long as both connections are available
  Wan1FailoverWan2 - used when Wan1 is down - all traffic will use Wan2
  Wan2FailoverWan1 - used when Wan2 is down - all traffic will use Wan1

Selecting a Monitor IP address


pfSense monitors each WAN connection by pinging the monitor address you specify. If the ping fails, the link is marked down and the appropriate failover configuration is used (actually, if the ping fails it retries a few times to be sure; this avoids false indications of the connection going down).
Figure: how the various pools and gateways are related, and how they can be used

Note that pfSense automatically routes traffic to your monitor IP only down the link it is monitoring, so don't use a popular web site, as this will force all of its traffic down one link. It is better to use a router or server in your ISP's network. Good addresses to use are the default gateway your modem has assigned (if it responds to ping!), your ISP's DNS server, webmail server, or a router within your ISP's network. You can find one of these by using traceroute to a public service; be careful though, larger ISPs have networks that dynamically adapt, so a router you see now may not be there an hour later!
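The monitor and pool behaviour described in this section, as an added Python model; this is an illustration written for this page, not pfSense code. The gateway names and the monitor addresses (the modem LAN addresses 192.168.0.254 and 192.168.2.254) come from this page; the three-failed-pings threshold, the ping results and the outage sequence are assumptions.

```python
# Constructed model of pfSense 1.x gateway monitoring and pool selection.
# Added illustration, not pfSense code; the failure threshold and the
# simulated ping results are assumptions.
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str                # pfSense interface name, e.g. "WAN" or "OPT1wan2"
    monitor_ip: str          # address pinged to decide whether this link is up
    fail_threshold: int = 3  # consecutive failed pings before marking down (assumed)
    failures: int = 0
    up: bool = True

    def record_ping(self, ok: bool) -> bool:
        """Feed one ping result into the monitor; returns the resulting link state."""
        if ok:
            self.failures = 0
            self.up = True
        else:
            self.failures += 1
            if self.failures >= self.fail_threshold:
                self.up = False
        return self.up


@dataclass
class Pool:
    name: str
    behavior: str            # "Load Balancing" or "Failover", as on the Edit Pool page
    members: list            # gateways in the order they were added to the pool
    rr_index: int = 0

    def pick(self):
        """Gateway for a new connection, or None when every member is down."""
        available = [g for g in self.members if g.up]
        if not available:
            return None
        if self.behavior == "Failover":
            return available[0]                  # first *up* member in configured order
        gw = available[self.rr_index % len(available)]  # round robin over up members
        self.rr_index += 1
        return gw


def build_pools():
    """The two gateways and three pools from this page."""
    wan = Gateway("WAN", "192.168.0.254")
    opt1 = Gateway("OPT1wan2", "192.168.2.254")
    pools = {
        "Wan1BalanceWan2": Pool("Wan1BalanceWan2", "Load Balancing", [wan, opt1]),
        "Wan1FailoverWan2": Pool("Wan1FailoverWan2", "Failover", [wan, opt1]),
        "Wan2FailoverWan1": Pool("Wan2FailoverWan1", "Failover", [opt1, wan]),
    }
    return wan, opt1, pools


def monitor_route(dst_ip, gateways):
    """Traffic to a monitor IP is pinned to the link that monitors it, regardless
    of pools; that is why a busy public site makes a poor monitor address."""
    for g in gateways:
        if dst_ip == g.monitor_ip:
            return g.name
    return None


def simulate_wan_outage():
    """Pool picks before, during and after a constructed Wan1 outage."""
    wan, opt1, pools = build_pools()
    picks = {}
    picks["healthy"] = [pools["Wan1BalanceWan2"].pick().name for _ in range(4)]
    # Two failed pings are not enough to mark the link down; the third is.
    picks["after_pings"] = [wan.record_ping(False) for _ in range(3)]
    picks["wan_down"] = {name: p.pick().name for name, p in pools.items()}
    wan.record_ping(True)  # link recovers on the next good ping
    picks["recovered"] = {name: p.pick().name for name, p in pools.items()}
    return picks


if __name__ == "__main__":
    for stage, result in simulate_wan_outage().items():
        print(stage, result)
```

With Wan1 down, all three pools hand out OPT1wan2; once it recovers, Wan1FailoverWan2 returns to WAN while Wan2FailoverWan1 keeps preferring OPT1wan2, which is the distinction the three pools exist for.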

Setting up the pools


Select Services: Load Balancer. You can create the pools by clicking the add button, then filling out the Edit Pool page (Load Balancer: Pool: Edit) with the following.

Name: Wan1BalanceWan2
Behavior: Load Balancing
Monitor IP: WAN's Gateway, Interface Name: WAN, click "add to pool"
Monitor IP: OPT1wan2's Gateway, Interface Name: OPT1wan2, click "add to pool"
Save

Create new pool
Name: Wan1FailoverWan2
Behavior: Failover
Monitor IP: WAN's Gateway, Interface Name: WAN, click "add to pool"
Monitor IP: OPT1wan2's Gateway, Interface Name: OPT1wan2, click "add to pool"
Save

Create new pool
Name: Wan2FailoverWan1
Behavior: Failover
Monitor IP: OPT1wan2's Gateway, Interface Name: OPT1wan2, click "add to pool"
Monitor IP: WAN's Gateway, Interface Name: WAN, click "add to pool"
Save

You have successfully created 3 Gateways.

The results should look as follows

Set up useful aliases


These pools can be used as gateways in the Outgoing Firewall Rules. To make it easier, define at least 4 aliases under Firewall:Aliases.


Name      Type   Value                          Description
HTTPsAll  Ports  22, 443, 444, 3389, 8443       Secure Protocols
SS6520s   IPs    192.168.0.254, 192.168.2.254   Internet Routers
SS6520a1  IP     192.168.0.254                  Speedstream 6520 ADSL2 Wan1 Router
SS6520a2  IP     192.168.2.254                  Speedstream 6520 ADSL2 Wan2 Router

Set up the basic firewall rules for outgoing access


Add the following to Firewall: Rules on the LAN tab by clicking the add button, using the Firewall: Rules: Edit page to set each rule.


Create the 5 Rules defined below


Once all of the active rules have been added and Applied the Dual Wan setup is complete!

Setting up DNS for Load Balancing


Make sure that you have a DNS server from each ISP in the General Settings. This will ensure that you still have DNS service if one ISP goes down. You will also need to set up Static Routes for each DNS server, so that each one is reached over its own ISP's link. In this example, if the DNS server is on the WAN link then the static route for that DNS server will have 192.168.0.254 as the gateway; if the DNS server is on the other ISP (i.e. OPT1) then the static route will have 192.168.2.254 as the gateway.

Port Forwarding and Applications


If you need to support servers on the LAN use the NAT port Forward tab to open the ports you require for both the WAN and OPT1wan2 interfaces. NAT port forwarding automatically creates Firewall rules for those ports.

Example port forwarding follows


Supporting bittorrents
BitTorrent is best coped with by restricting its traffic to only one WAN connection. This description locks bittorrent to one WAN connection. With a bit more setup it would be possible to make this fail over, but when it failed over I'm not sure how long the bittorrent application would take to sort out both itself and the peers it was connected to, so it may not be worth it anyway!


If you want to understand more about port usage and other things then use Brian's FAQ here...[1]

Summary of setup
bittorrent uses both outgoing and incoming connections, so a number of things need to happen:
1. make sure that your bittorrent application is configured to use only a single port (one that does not change each time you run bittorrent).
2. set up a rule on LAN to make sure that outgoing connections from the machine running bittorrent always go the same way.
3. set up port forwarding on the modem/router on the appropriate WAN connection to forward to pfSense.
4. set up port forwarding in pfSense to forward to the machine running bittorrent.
5. turn on logging on the auto-setup rule on WAN or WAN2 to allow traffic to the bittorrent machine.
6. test your config using the bittorrent application's port forward checker.
7. turn off logging on your new rules.
8. sit back and watch the data flow.

bittorrent setup
This varies depending on the bittorrent application you use. I use uTorrent. You can use a randomly generated port on first set up, but don't change the port on each run (unless you want to change pfSense and your modem every time as well!). You don't need to use UPnP port mapping, and you only check the firewall exceptions box if you are using Windows Firewall.
Figure: connection settings in uTorrent

Setup outgoing rule
This LAN rule makes sure that the connection to the tracker goes down the right pipe. Change the address 192.168.1.250 to the LAN address of your bittorrent machine.

Turn on logging when you first put the rule in, and once you know it is all working you can turn it off. Note that I have logged uTorrent, and it also makes outward connections to torrent peers using source ports from around 2000 upwards (each new connection increments the port number). For this reason I think the best answer is to set up all traffic from the bittorrent machine to be mapped to the one connection, rather than specific ports. Maybe someone who knows can refine this. Change the address 192.168.1.250 to the LAN address of your bittorrent machine.
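A Python model of how the LAN rules decide the gateway, added here as an illustration; it is not part of the original page and not pfSense code. Rules are evaluated top to bottom and the first match wins, and the bittorrent host's rule matches on source address only, so the climbing source ports seen in the logs make no difference. The host 192.168.1.250, the HTTPsAll alias and the three traffic types from the Intro come from this page; the full rule set, the choice of Wan1 for SMTP, the destination ports and the sample connections are assumptions, and the balance pool is stood in for by a simple round robin with both links up.

```python
# Constructed model of first-match LAN rule evaluation with a gateway per rule.
# Added illustration, not pfSense code. The torrent host 192.168.1.250 and the
# HTTPsAll alias come from the page; the rule set and sample traffic are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import cycle
from typing import Callable, Optional, Set


@dataclass
class Rule:
    description: str
    source: str                    # host or CIDR, e.g. "192.168.1.250" or "192.168.1.0/24"
    dst_ports: Optional[Set[int]]  # None matches any destination port
    gateway: Callable[[], str]     # pool or fixed gateway; returns the chosen gateway name


def matches(rule, src_ip, dst_port):
    """A rule matches on source address and destination port; the source port is ignored."""
    in_source = ip_address(src_ip) in ip_network(rule.source, strict=False)
    return in_source and (rule.dst_ports is None or dst_port in rule.dst_ports)


def route(rules, src_ip, src_port, dst_port):
    """LAN rules are evaluated top to bottom; the first match picks the gateway.
    src_port is accepted only to show that it plays no part in the decision."""
    for rule in rules:
        if matches(rule, src_ip, dst_port):
            return rule.description, rule.gateway()
    return "no rule matched", None


def lan_rules():
    """An assumed rule set covering the three traffic types from the Intro."""
    balance = cycle(["WAN", "OPT1wan2"]).__next__  # stands in for Wan1BalanceWan2, both links up
    https_all = {22, 443, 444, 3389, 8443}         # the HTTPsAll alias from this page
    return [
        # per-host pin: every connection from the torrent machine leaves via Wan1
        Rule("bittorrent host -> WAN", "192.168.1.250", None, lambda: "WAN"),
        # traffic type 3: SMTP must leave via one specific ISP (assumed to be Wan1)
        Rule("SMTP -> WAN only", "192.168.1.0/24", {25}, lambda: "WAN"),
        # traffic type 2: prefer Wan1, fail over (Wan1FailoverWan2 with Wan1 up)
        Rule("HTTPsAll -> Wan1FailoverWan2", "192.168.1.0/24", https_all, lambda: "WAN"),
        # traffic type 1: everything else is shared round robin
        Rule("default -> Wan1BalanceWan2", "192.168.1.0/24", None, balance),
    ]


def demo():
    """Route a handful of constructed connections; returns the gateway each one got."""
    rules = lan_rules()
    results = {}
    # peer connections from the torrent host use climbing source ports (2000, 2001, ...)
    results["torrent_peers"] = [route(rules, "192.168.1.250", sp, 6881)[1] for sp in (2000, 2001, 2002)]
    results["torrent_tracker"] = route(rules, "192.168.1.250", 2003, 80)[1]
    results["smtp"] = route(rules, "192.168.1.20", 50000, 25)[1]
    results["rdp"] = route(rules, "192.168.1.20", 50001, 3389)[1]
    results["browsing"] = [route(rules, "192.168.1.20", 50002 + i, 80)[1] for i in range(4)]
    return results


if __name__ == "__main__":
    for name, gateway in demo().items():
        print(f"{name:16} {gateway}")
```

Every connection from 192.168.1.250 lands on the first rule whatever its source or destination port, while ordinary browsing from another host falls through to the balance pool and alternates between the two links.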

Setup port forwarding on your modem / router
If your modem / router is NATing, then you need to set it up to forward the port set up in step 1 to pfSense - 25017 in this example. You'll need to look in your modem / router documentation for this, or consult Brian's FAQ as linked at the top of this section. Alternatively your router may allow you to forward everything to pfSense - my Linksys ADSL modem has this facility, which makes life easy.
