Multi-WAN Version 1.2.x - PFSenseDocs                                                  Page 1 of 11Search                 ...
Multi-WAN Version 1.2.x - PFSenseDocs                                                    Page 2 of 11                ■ 7.1...
Multi-WAN Version 1.2.x - PFSenseDocs                                                    Page 3 of 11   3. DMZ 2 is going ...
Multi-WAN Version 1.2.x - PFSenseDocs                                                      Page 4 of 11Or you can wait unt...
Multi-WAN Version 1.2.x - PFSenseDocs                                                   Page 5 of 11         ■ its a good ...
Multi-WAN Version 1.2.x - PFSenseDocs                                                   Page 6 of 11      Static - assumes...
Multi-WAN Version 1.2.x - PFSenseDocs                                                          Page 7 of 11pfSense monitor...
Multi-WAN Version 1.2.x - PFSenseDocs                                                      Page 8 of 11Setting up DNS for ...
Multi-WAN Version 1.2.x - PFSenseDocs                                                         Page 9 of 11Rule loggingIt i...
Multi-WAN Version 1.2.x - PFSenseDocs                                                       Page 10 of 11Note that use of ...
Multi-WAN Version 1.2.x - PFSenseDocs                                                Page 11 of 11These rules should go in...
Upcoming SlideShare
Loading in …5

Multi wanversion1.2


Published on

Published in: Self Improvement, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Multi wanversion1.2

  1. 1. Multi-WAN Version 1.2.x - PFSenseDocs Page 1 of 11Search Submit QueryPersonal tools ■ Log inMulti-WAN Version 1.2.xFrom PFSenseDocs(Redirected from MultiWanVersion1.2)This community-contributed guide leaves out some important information and considerations. Thebest source of multi-WAN information is in the pfSense book ( .IntroductionThis setup enables pfSense to load balance traffic from your LAN to multiple internet connections(WANs).Traffic from the LAN is shared out on a round robin basis across the available WANs.pfSense monitors each WAN connection, using an IP address you provide, and if the monitor fails, afailover configuration is used, this typically just feeds all traffic down the other connection(s).This example sets up 2 WANs, but 3 or more can be used by simply extending what this pagedescribes.Note that currently most pfSense add-on packages do NOT support multi WAN and all their trafficwill use the WAN connection. Contents ■ 1 Introduction ■ 2 Overview ■ 3 Before you start ■ 3.1 Target network setup ■ 4 Finishing pfSense console setup ■ 5 Setting up your modems / routers ■ 5.1 Router mode setup ■ 5.2 Bridge mode setup ■ 6 Using the pfSense Wizard ■ 7 Initial setup for Load balancing ■ 7.1 Finishing the interfaces setup ■ 7.1.1 Setting up the OPT 1 interface 06-Jul-11
  2. 2. Multi-WAN Version 1.2.x - PFSenseDocs Page 2 of 11 ■ 7.1.2 Checking interfaces ■ 7.2 Setting up Load Balancing pools ■ 7.2.1 Overview ■ 7.2.2 Selecting a Monitor IP address ■ 7.2.3 Setting up the pools ■ 7.3 Setting up DNS for Load Balancing ■ 7.4 Sticky Connections ■ 7.5 Basic Firewall Rules ■ 7.5.1 First 3 rules ■ 7.5.2 Setting up for protocols that dont like load balancing ■ 8 Further Rules for handling outgoing traffic ■ 8.1 Setting up rules to access specific ISPsOverviewThis guide helps you setup pfSense to support a local network (theLAN) and 2 connections to the internet (WAN and WAN2). Mosttraffic is shared out between the 2 WAN connections, but specificrules are also setup for some types of traffic to only use 1connection (for example https), where load balancing can causeproblems.pfSense runs in a small system that uses 3 network interface cards Networks and computers in a(NICs), 1 for each of the WANs and 1 for the LAN. multi WAN installationpfSense can also be run in a virtual machine for testing andlightweight use, although this is not as secure or robust as a physical machine implementation.The guide also shows how to setup access from the internet to servers on the internal network, andhas guides to the setup for some specific applications.Note that if you install servers connected to DMZ1 or DMZ2, these are not protected by pfSense,and will have to be internet hardened.Before you startYou must have completed the basic pfSense installation.Target network setupThis guide assumes the following network setup; you can easily do something different, but you willneed to translate network addresses appropriately if you do. 1. Your ISPs have assigned a single IP address for each internet connection (which could be dynamic) and you are using your modem / routers in router mode (some guidance on other variants of this are included in the details below). 2. DMZ 1 is going to use the subnet This means that DMZ 1 uses IP addresses between and 06-Jul-11
  3. 3. Multi-WAN Version 1.2.x - PFSenseDocs Page 3 of 11 3. DMZ 2 is going to use the subnet This means that DMZ 2 uses IP addresses between and 4. The LAN uses subnet This means that the internal network uses IP addresses between and should pick up the 3 interface cards. Note that if you have DHCP turned off on your WAN1modem router, there will be a long pause here while pfSense tries to pick up an IP address.Finishing pfSense console setupThe console will eventually give a prompt pfSense console setup. Select option 2 and setup up theLAN interface as follows:LAN IP Address bit count 24 (for a class C space) - this will allow up 250 computers to be usedDHCP yDHCP start address end address should now be able to plug a PC into the network, and it will be allocated an IP address and youwill be able to access pfSense web interface (although not much else yet).Setting up your modems / routersRouter mode setupIf you have CABLE/DSL modems that are bridge routers you maywant to use them in router mode. The client ID (PPPoE) is installedon the modem/router and the modem/router maps the Public IP itreceives to a Private IP on the modem/router LAN interface. Howto do this is specific to each modem/router. WAN (WAN1) OPT1 (WAN2) setting Modem / router setup for load modem / router modem / router balancing in router mode LAN IP address Subnet mask DHCP on on DHCP - - address range you have set up the modem/routers you can test them by plugging a PC into their network, andaccessing your favourite web site. 06-Jul-11
  4. 4. Multi-WAN Version 1.2.x - PFSenseDocs Page 4 of 11Or you can wait until the basic pfSense configuration is in place, and test through pfSense.Note if you are *cheating* by running multiple subnets on one physical network, you must haveDHCP turned off on all but 1 subnet.Bridge mode setupIf you have a fixed IP address from your ISP you can also usebridged mode for some or all of your connections. (If you do nothave a fixed address it makes life complicated in pfSense)In bridged mode, the modem becomes a transparent (in IP terms)device, and your internet IP address is allocated to the pfSenseinterface. This makes life a bit simpler as it means there is one lessNAT going on. Modem / router setup for load balancing in bridge and routerYou can usually set up at least WAN1 to work in bridge mode (if modeyour modem / router allows it). as this connections allows PPPoE orbigpond account information to be configured in pfSense.If you do this, your ISP assigned address will replace the 192.168.x.y address (from the router modesetup above) in the later sections of the setup.Using the pfSense Wizard ■ Go to (or the address you gave pfSense if different) ■ Select System - Setup Wizard from the menuGeneral parameters screen ■ hostname ■ leave as pfsense ■ domain ■ as you like - I use me.local at home ■ Primary DNS server ■ a DNS address from WAN1 DNS list ■ Secondary DNS server ■ a DNS address from WAN2 DNS list ■ Allow DNS server list to be overridden by DHCP/PPP on WAN ■ Unchecked - if this is checked you wont see the right DNS server list when you set up load balancing pools ■ Click nextNote: it is important to use one from each (or use a public DNS service) or you will loose internetaccess when one or other connections, time and time zone screen ■ time server DNS name 06-Jul-11
  5. 5. Multi-WAN Version 1.2.x - PFSenseDocs Page 5 of 11 ■ its a good idea to select a local service - either the one your ISP provides, or a local address (for example if you are in the UK, or one in your time zone). ■ Timezone ■ pick the right entry from the time zone. Note pfSense can provide an NTP service so all your local machines pick up time from pfSense. ■ click NextWAN configurationIf have set your WAN modem router to DHCP, you can leave this set to DHCP, otherwise: ■ Selected type ■ Static ■ IP address ■ /24 (or an address in your DMZ1 subnet) ■ Gateway ■ (or the address you gave your fist modem / routerIf you are using a plain modem then you can set up your ISP account information here, I cant find awiki page about this, but there several threads in the forums that discuss this.LAN configurationThis was set up through the console so shouldnt need changingChange your password and rebootPut in a sensible password, then let pfSense reboot.After Wizard general setupThese settings make it easier to access machines on your local network - you can access them byname, and if you are running Windoze you will not suffer at the vagiaries of WINS. ■ Go into Services - DNS Forwarder, turn on ■ Register DHCP leases in DNS forwarder ■ Register DHCP static mappings in DNS forwarderInitial setup for Load balancingFinishing the interfaces setupNow it is time to finish setting up the interfaces and make sure they are setup OK.Setting up the OPT 1 interfaceFrom the pfSense menu select Interfaces - OPT1 and set up asfollows:enable Optional 1 interface checkedType 06-Jul-11
  6. 6. Multi-WAN Version 1.2.x - PFSenseDocs Page 6 of 11 Static - assumes you are not using an address assigned by your ISPMAC address and MTU do not usually need to be set - see info on screenBridge with NoneIP address /24 - or an appropriate address in DMZ 2 if you used a different subnet Optional 1 (WAN2) set up forGateway a MultiWAN configuration - or whatever address you gave modem / router 2 (or your ISP has assigned, if no routing being used)Checking interfacesFrom the pfsense menu select Interfaces - Assign and you shouldget an screen like the one of the right. Note your hex numbers (TheMAC addresses) will be different.Now to check that pfSense can see your modem routers you useDiagnostics - Ping. With WAN 1 selected, enter the IP address ofyour modem / router - if you are using the guidevalues in this document. Interfaces set up for a MultiWAN configurationIf you are using using a modem / router without NAT, the checkfirst that the WAN link is up and ping the DNS server address thatyou recorded earlier.FTP helper: Check also that FTP helper is only enabled for the LAN interface. That is it should bedisabled on all WAN interfacesSetting up Load Balancing poolsOverviewThis setup uses 3 pools 1. One pool for load balanced use when both WANS are working 2. One pool which prefers WAN 1, for use when WAN 2 has failed 3. One pool which prefers WAN 2, for use when WAN 1 has failed how the various Pools andThese pools use the 2 gateways that are already established (by the gateways are related, and how they can be usedinterfaces WAN and WAN 2) to load balance and support failoverwhen a WAN link failsSelecting a Monitor IP address 06-Jul-11
  7. 7. Multi-WAN Version 1.2.x - PFSenseDocs Page 7 of 11pfSense monitors each WAN connection by pinging the monitor address you specify. If the pingfails, the link is marked down and the appropriate failover configuration is used (actually if the pingfails it retries a few times to be sure, this avoids false indications of the connection going down).Note that pfSense automatically sets up to route traffic to your monitor IP only down the link it ismonitoring, so dont use a popular web site as this will force all its traffic down 1 link. Better to use arouter or server in your ISPs network.Good addresses to use your ISPs DNS server (1 from each ISP). The web interface makes it easy topick these when setting up the pools later.Other good monitor addresses are the default gateway your modem has assigned (if it responds toping!), your ISPs webmail server, or a router within your ISPs network - you can find one of theseby using traceroute to a public service, be careful though, larger ISPs will have networks thatdynamically adapt so a router you see now may not be there an hour later!Setting up the poolsWe are going to set up 3 pools in Services - Load BalancerNote that each pool has 2 monitors set up, when complete the 1stpool should correspond to the screenshot on the right. Setup for the first (load balancing) pool Setting Pool 1 Pool 2 Pool 3 Pool name LoadBalance WAN1FailsToWAN2 WAN2FailsToWAN1 Round Robin load WAN 2 preferred when WAN 1 preferred when Description balancing WAN 1 fails WAN 2 fails Type Gateway Gateway Gateway Behavior Load Balancing Failover Failover Port Unused Unused Unused 1st Monitor IP DNS server 1 DNS server 2 DNS server 1 1st Interface WAN WAN2 WAN name 2nd Monitor DNS server 2 DNS server 1 DNS server 2 IP 2nd Interface WAN 2 WAN WAN2 nameThis finals screenshot shows the summary you should end up with. 06-Jul-11
  8. 8. Multi-WAN Version 1.2.x - PFSenseDocs Page 8 of 11Setting up DNS for Load Balancing 3 pools set up ready for load balancingMake sure that you have a DNS server from each ISP in theGeneral Settings. This will ensure that you have DNS service incase one ISP goes down. You will also need to setup Static Routes for each DNS server. In thisexample if the DNS is on the WAN link then the static route for that DNS server will have192.168.0.254 as the gateway. If the DNS server is on the other ISP (ie OPT1) then the static routewill have have as the gateway.Sticky ConnectionspfSense Version 1.2 introduced Sticky connections, which can be used as part of a MultiWan setup.Where Sticky connections are used, some of the firewall rules previously used are no longerrequired; this is noted in the information below. Sticky connections are a very good where thereare many active systems / users, or where your WAN connections are fast, they are not so useful forsmall number of users on slower connections (as the multiple requests involved in fetching a singleweb page will not be shared across the available connections.Basic Firewall RulesThese are the rules you need to add to support access from your LAN to the internet. Later sectionsdescribe the rules you need to support incoming access from the internet to machines on your LAN,this includes how to support peer to peer applications.First 3 rulesIf you do not need to access any of your systems from the internet, and you use sticky connections,then these are probably the only rules you will need.Set these rules up in Firewall - Rules, and then click the LAN tab. Rule Load Balance DMZ 1 DMZ 2 Position in Last Top Top(-1) rule list Action Pass Pass Pass Disabled Unchecked Unchecked Unchecked Interface LAN LAN LAN Protocol any any any Source LAN subnet LAN subnet LAN subnet Source OS any any any network: Destination any WAN2 subnet / 24 Log no yes temporarily (see below) yes temporarily (see below) Schedule none none none Gateway LoadBalance default default Everything else gets Make sure DMZ 1 traffic Make sure DMZ 2 traffic Description shared out goes to right interface goes to WAN2 DMZ 06-Jul-11
  9. 9. Multi-WAN Version 1.2.x - PFSenseDocs Page 9 of 11Rule loggingIt is always a good idea to put a new rule in with logging turned on, then check by generating someappropriate traffic, that the rule is working, then turn logging off once you know it is having the righteffect.Rule explanation - Load BalanceThis rule must always be the last rule in the rule list. It catches anything else that is not special in anyway, and load balances the traffic. Any rule that comes after this rule will never trigger, so may aswell not be there!Rule explanation - DMZ 1 and DMZ 2These rules make sure that any traffic to the modem / router, (or other machines that are connected tothis subnet if you are not using bridge mode), go down the right WAN connection. Without theserules you will find strange things happening when you try to access your modem / router.These rules should always be top of the rule list as you do not want earlier rules to route this trafficelsewhere.Testing these rulesTesting the DMZ rules Use a web browser to access the administration interface on your modem / router. Then use Status - System Logs, Firewall tab to check if the rule has fired.Testing the load balancing rule Access any site on the internet, then check the firewall log (as above) to see if the rule fired.Dont forget to turn off logging on the rules once you have checked them.Testing failoverNow you should make sure that failover is working. ■ Switch off (or unplug) one modem / router ■ Check the pfSense Load balancer status screen (Status - Load Balancer) it should show (within a few seconds) that one link has failed. ■ if it shows that both links have failed, it probably means you have your monitor IPs the wrong way round. Use a trace route from PC on the LAN to trace the route to each monitor IP address and if it is using the wrong WAN link, re-setup the WAN links the right way round. ■ Now try accessing a internet site, it should appear without any problems. If it fails, then check the load balancer status (see above). If one link is still marked up, check that it is not a DNS failureSetting up for protocols that dont like load balancingSome sites (for example banking sites) get upset when requests from a single session come fromdifferent IP addresses. To avoid this, protocols that are likely to suffer from load balancing are setupto favour 1 connection. 06-Jul-11
  10. 10. Multi-WAN Version 1.2.x - PFSenseDocs Page 10 of 11Note that use of the sticky bit (see above) should avoid this issue. If you are not using sticky bit, youdefinitely need this.For each protocol that needs to be handled this way you need a rule on the LAN interface; thesample below is for https (port 443). The values marked in bold are the ones that change fordifferent protocols.These rules need to be above the final load balancing rule, and below the rules for DMZ access. Parameter Value Action Pass Disabled unchecked Interface LAN Protocol TCP Source: not unchecked Source: type LAN subnet Source OS Any Destination: not unchecked Destination: type anyDestination port range HTTPS Log checked initially; uncheck when known to be working Gateway WAN1FailsToWAN2 - or WAN2FailsToWAN1 as you prefer Description Route https through one working connectionOther entries you are likely to need are SSH and POP3. For these just replace HTTPS in bold abovewith the protocol you requre, and amend the description.Further Rules for handling outgoing trafficDepending on usage there are likely to be other rules you will need for outgoing traffic.Setting up rules to access specific ISPsIf you send traffic to hosts on a specific ISP (such as SMTP email) you may have to make sure thattraffic goes to the right ISPs WAN connection. ISPs block mail being sent if it does not come fromone of their customers lines, so if you try to send mail through the wrong connection it will berejected. If your WAN connections are from different ISPs and you send mail using SMTP you willneed to do this. If you only use webmail (your email interface is a web browser, such as hotmail),you do not need this.The simplest way to handle this is to route all SMTP traffic to one ISP - of course if you send SMTPmail through both ISPs you will need to handle this a different way.For this type of use, the rule is setup to use only 1 WAN connection. This means that if theconnection goes down, the traffic cannot pass, but as it would fail if it picked up the other connectionthis is the right behaviour.The example below is for SMTP, change the bold parameters for other traffic 06-Jul-11
  11. 11. Multi-WAN Version 1.2.x - PFSenseDocs Page 11 of 11These rules should go in above both DMZ and preferred traffic rules Parameter Value Action Pass Disabled unchecked Interface LAN Protocol TCP usually Source: not unchecked Source: type LAN subnet Source OS Any Destination: not unchecked Destination: type any Destination port SMTP range Log checked initially; uncheck when known to be working or or the appropriate gateway address for this Gateway traffic Description Route SMTP to the ISP that handles it This article is part of the HOWTO series.Retrieved from ""Categories: Howto | Multi-WAN Privacy policy About PFSenseDocs Disclaimers This page was last modified on 23 November 2009, at 18:14. This page has been accessed 156,863 times. 06-Jul-11