
Dual WAN with pfsense

www.TomSchaefer.org
A Tech Blog for Geeks

By Thomas | March 6, 2009
pfsense is a FreeBSD router OS that can be installed on embedded systems or on PC/server hardware. It’s a free, open source, customized distro based on FreeBSD 7 and specifically tailored for use as a firewall and router. It’s one of the most secure router OSes out there. Large corporations and universities use this router OS because of its stability, failover, and stacking capabilities. If you have heard of M0n0wall or IPCop then you should have an idea of what pfsense is.

For my use I used the exact same hardware that I used to build the IPCop router that I reported on 3 posts ago.

List of Features

● Firewall
● State Table
● NAT
● Redundancy
● Load Balancing
● VPN
● IPsec
● RRD Graphs

And more. For a full listing see the complete features site.
I will show you how to enable Load Balancing with Dual WAN on your pfsense router. Some may ask why you would need Dual WAN. The answers are failover, in case you have mission-critical data that needs to be accessible at all times (like off-site backup), and load balancing. Load balancing will balance the load (or bandwidth use) between your Internet links. Many companies do this to decrease latency and to get more bandwidth for many users while saving money.

I will assume you have pfsense loaded and you have already set up two WAN connections on your firewall.

● Once this is complete, visit Services -> Load Balancer

● Delete any pools that are there that do not work

● Click to enter a new pool.

● Enter a pool name and description

● Set the type to gateway

Now we need to add a monitor IP for the router to monitor the link status of the pool.

● For the Monitor IP select WAN Gateway

● In the Interface Name field choose WAN and click Add to Pool

● Now go back to Monitor IP and select your OPT1’s Gateway

● In the Interface Name field choose OPT1 and click Add to Pool

You should see that the WAN gateway has a different gateway address than the OPT1 gateway. If not, pfsense will not work correctly. You will have to put a bridge (a small NAT router, as described in the comments below) between that interface and its modem to ensure pfsense has two different gateways. If you have trouble with this please contact me. Basically, pfsense does not support the same gateway on multiple networks right now.

● Click Save

Now go to Status -> Load Balancer to see if everything is working fine. It should report Online.

If you followed my directions and it does not show Online after 15 minutes, then that gateway may not respond to ICMP traffic. In that case, use 4.2.2.1 for your monitor IP; it is an anycast DNS server.

We must create NAT rules now.

● Go to Firewall -> NAT -> Outbound

● Enable AON (Advanced Outbound NAT)

You should already have a rule in there for the WAN to any gateway. This is created automatically. Now you need to enter one for OPT1.

● Click Add and copy the WAN setup, but set the Interface to OPT1

● Apply the changes.


From here it may work but you may need to make one more change.

● Go to Firewall -> Rules -> LAN


● Edit your existing LAN net entry. Modify the gateway from default to the Load Balancer

It should look like

You’re done! To check whether load balancing is working properly, try to go online. If you can get to Google then your connection is working properly. Go to http://www.ipaddressworld.com/ip.php and click refresh a couple of times. Your public IP should switch back and forth. This means that load balancing is working. The reason your public IP changes is that the Load Balancing feature works in a round-robin fashion: every new session alternates between gateways. This also means that if you test your Internet connection speed on www.speedtest.net you will not see the combined speed of both networks. You will see the combined speed when you use applications that use multiple sessions, like peer-to-peer applications.
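
The round-robin behaviour described above, as an added toy model (not pfsense code and not from the original post): each new session is pinned to the next online gateway, so refreshes alternate public IPs, a single stream only ever uses one link, and a member whose monitor IP stops answering leaves the rotation. The class name, the addresses (documentation ranges) and the link speeds are constructed for illustration.

```python
from collections import Counter
from itertools import count


class GatewayPool:
    """Toy model of a gateway pool: round-robin over members whose monitor is up."""

    def __init__(self, members):
        # members: {interface: {"public_ip": str, "mbps": int}} (constructed values)
        self.members = members
        self.online = {name: True for name in members}
        self.states = {}        # session id -> interface, like a state table entry
        self._turn = 0
        self._ids = count(1)

    def set_monitor(self, iface, is_up):
        """Record the latest monitor-IP probe result for one pool member."""
        self.online[iface] = is_up
        if not is_up:
            # Simplification: sessions pinned to a dead link are dropped
            # and have to be re-opened by the client.
            self.states = {s: i for s, i in self.states.items() if i != iface}

    def open_session(self):
        """Pin a new session to the next online member and return (id, public IP)."""
        names = list(self.members)
        for _ in names:
            iface = names[self._turn % len(names)]
            self._turn += 1
            if self.online[iface]:
                sid = next(self._ids)
                self.states[sid] = iface
                return sid, self.members[iface]["public_ip"]
        raise RuntimeError("no gateway in the pool is online")

    def best_case_mbps(self, session_ids):
        """Upper bound for a group of sessions: each link in use counts once."""
        used = {self.states[s] for s in session_ids if s in self.states}
        return sum(self.members[i]["mbps"] for i in used)


def demo():
    pool = GatewayPool({
        "WAN": {"public_ip": "198.51.100.10", "mbps": 6},
        "OPT1": {"public_ip": "203.0.113.20", "mbps": 6},
    })
    # Four page refreshes: each one is a new session, so the public IP alternates.
    seen = [pool.open_session()[1] for _ in range(4)]
    # A single-stream speed test is one session on one link.
    single = pool.best_case_mbps([pool.open_session()[0]])
    # A multi-session application spreads over both links.
    multi = pool.best_case_mbps([pool.open_session()[0] for _ in range(4)])
    # The WAN monitor IP stops answering: WAN leaves the rotation.
    pool.set_monitor("WAN", False)
    after = Counter(pool.open_session()[1] for _ in range(4))
    return seen, single, multi, dict(after)


if __name__ == "__main__":
    print(demo())
```
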

EDIT: If you have problems with the pools being uneven and you cannot figure it out even after deleting the pool and starting over following my directions, then please see Greg’s comments below. He used Google and Yahoo as the ping IPs and configured the pool using the “other” option.


38 Comments

1.

Meng
Posted May 16, 2009 at 13:02 | Permalink

Hi, very nice guide and I like it, but somehow I’m having a bit of trouble setting up OPT1-WAN2 to connect to the internet. If you don’t mind me requesting your help on how to set up a second WAN and also some rule recommendations for WAN2 and LAN2. Thanks, I hope to hear from you soon.

2.

Tom
Posted May 22, 2009 at 14:24 | Permalink

Hey,
No Problem. I am on the road right now. Send me an email. You can find my email around the site.
You could also jump on my forum and we can have a topic started just for you. I would love to get your setup up and running as soon as possible.
Start a new topic on the forum, this will work best because I’m still on the road.

3.

Scott
Posted June 2, 2009 at 17:32 | Permalink

Nice guide, it’s about time someone simplified this; a lot of the info regarding this is a little vague.
One thing: could you clarify the bridging solution to eliminate the problem of both WANs being on the same gateway? I assume this is only a problem with dynamic IPs, as with static IPs couldn’t you use the IP itself as a monitor? I have two dynamically assigned IPs on the same gateway.
Am I right in thinking that by a bridge you mean a cheap NAT router between one of the WANs and the pfsense box?
Many thanks for all your fine work


4.

Tom
Posted June 3, 2009 at 12:12 | Permalink

Hey, thanks for the comment. One thing to note is that pfsense cannot currently support the same gateway on multiple interfaces. There is an ongoing bounty that is currently working to fix this. We may see it in pfsense 2.0, but I don’t expect to see it any time soon.
You could use any responsive IP as a monitor. That will work, however this is a separate issue than gateway homage. Check out the forum on pfsense.org.
To answer your second question, yes, a small bridge would be a cheap NAT device. This is the only option that the pfsense moderators and devs offer to overcome the one gateway one interface limitation, until a solution is developed. I used an old Linksys router with NAT enabled and SPI disabled. I even put the NAT IP in the DMZ to ensure port forwarding remains simple and secure.
Feel free to email me at any time if you want to chat. I am also on MSN and Yahoo Messenger almost all day. You can find my email around my site, check my forum.

5.

Greg
Posted June 8, 2009 at 04:01 | Permalink

My Wan gateway address is the same as the OPT1 gateway. I have two DSL lines from the same ISP.
What is the trick to setup the bridge for this? By the way, the best and clear guide I’ve seen. Thank
you in advance for your help.

6.

Tom
Posted June 8, 2009 at 05:34 | Permalink

Hey Greg! Thank you for the compliment. The trick is to put a simple gateway between OPT1 and your second cable modem. Specifically, I used an old Linksys router.

I assigned the old router a 10.0.0.0 address (something like 10.0.0.1) and enabled DHCP on it so that the OPT1 address would be 10.0.0.2. Disable the firewall and put 10.0.0.2 or your OPT1 address in the DMZ (let pfsense handle your port forwarding).
When you configure the gateway for OPT1 just use the 10.0.0.1 address, because the old Linksys device is between the connection of your OPT1 and your cable modem. That is the easiest and most secure way.
Hopefully pfsense will support the same gateway in the future. Please reply to my email if you want further details. Take care.

7.

Greg
Posted June 22, 2009 at 02:06 | Permalink

Hi Tom! OK, it has been about twelve days since my changes to the load balance and it is working just fine with one exception. I’ve noticed that the load is uneven. Like, a 3 to 1 ratio. For every 100mb on the WAN, the OPT1 is 25mb. Both NIC cards are the same and my ISP provider is the same company and I don’t currently have another choice. Also, both modems are the same model and connection speed.
I have looked at pfSense forum readings and have yet to find a solution that works. I read someone’s comment to add one gateway more than once to the pool and that should take care of it, but the truth is that it didn’t work. My assumption is that I must be missing some other configuration. Any thoughts?

8.

Tom
Posted June 22, 2009 at 03:05 | Permalink

It could be two different things. I have experienced what you just described before and I fixed it by forcing the ratio. Check out http://forum.pfsense.org/index.php/topic,14333.0.html
Even if the connections are the same you can still force the ratio so that you can get a balanced load.
The other thing is it could be a misconfigured firewall rule. I would also check your Outbound NAT, AON. Make sure the second interface is added.

If it still doesn’t work, delete the pool and start over, try http://www.netlife.co.za/content/view/34/34/
Good luck, let me know if you need anything else. Sorry I couldn’t give you a more specific answer but it could be a couple of things. Let me know if you get it working.

9.

Greg
Posted June 22, 2009 at 06:47 | Permalink

Actually this link http://forum.pfsense.org/index.php/topic,14333.0.html is the one I’ve tried. The other link I’ve read too, but they are using TCP for the Monitor IP and the only way I can use it is if I change from Gateway to Server. What is the difference? My problem with pfSense is the lack of comments or help for every setting, and sometimes I have to guess. I am not a firewall expert by any means. By the way, I have deleted the pool and started over a few times already. If you need screenshots, I’ll be glad to email them to you. Thank you!

10.

Thomas
Posted June 22, 2009 at 11:45 | Permalink

Humm. Well, I don’t have a pfsense box here with me now, just moved to TX, so I will have to refer you to the pfsense forums.
To tell you the truth you will get a better answer there. Sorry, I don’t mean to push you to the forums
but that’s where I believe you will get the best answer. Let me know what happens, that way I can
warn other users of the issue on this post as well. Thank you Greg.

11.


Greg
Posted July 2, 2009 at 03:52 | Permalink

Hi Tom! I finally figured out why the load balance was uneven. I removed WAN and OPT1 from the pool and added them back with the “other” option and used the yahoo.com IP address for the WAN and the google.com IP address for the OPT1. Now it is balanced to the penny. It appeared that it worked before, but intermittently, when using the gateway addresses. Remember, I had a router in between the modems and pfSense. I hope this brief makes sense. Thank you very much for your earlier help too!

12.

izwan
Posted July 18, 2009 at 15:55 | Permalink

Hi Tom.. great guide. I was able to do the balancer, I think.. but my problem is that the internet access is running very, very slow. To complete cnn.com it takes me about 3-5 minutes.. and at some places I cannot even get access because of the time-out.
My WAN is using DHCP, OPT1 is also DHCP. TQ

13.

Tom
Posted July 18, 2009 at 23:43 | Permalink

hmmm. Is your internet connection that slow when you are not using dual WAN? Also do a speed test
at http://www.speedtest.net and try it three times. Tell me what you get all three times.

14.

Luke
Posted July 26, 2009 at 01:11 | Permalink


Ok, so pfsense doesn’t support the same gateway on multiple interfaces. I have three external if’s and they all need to have the same gateway. Complicated, I know, but I am using a STUPID ATT UVERSE modem which doesn’t allow assigning more than one IP to the same interface. Therefore, to utilize more than one static IP, you need a FW that has multiple external interfaces. Obviously, each of these interfaces will need to have the same gateway. I don’t know of any way to get around this. You mentioned “bridging” in your article. If I bridge the OPT if’s with the WAN if, would that do the trick? I am going to experiment with that! Let me know if you have some thoughts. Thanks!

15.

Tom
Posted July 26, 2009 at 01:48 | Permalink

Luke,
Not bridging with pfsense, but using a Linksys router as a bridge between each interface.
For example, you have three interfaces. Two of those interfaces will need to have a different gateway address than the first. So what the pfsense developers suggest is putting a Linksys router in between your other interfaces to NAT the gateway to a different address.
if 1: Gateway and address from ISP DHCP
if 2: Gateway and address from Linksys router; Linksys router gets gateway from ISP
if 3: same thing as two.

There will be a fix for multiple gateways on pfsense in the future but that functionality is not here yet.
Check out this link: http://forum.pfsense.org/index.php/topic,10069.0.html
and for more information on your NAT devices check out: http://forum.pfsense.org/index.php/topic,17425.msg90259.html#msg90259

16.

Luke
Posted July 26, 2009 at 04:18 | Permalink


Well, I did a work around with a couple cheap routers. Feels “hacked together” but it works…

17.

Tom
Posted July 26, 2009 at 13:06 | Permalink

Yep. It’s the only way around right now. Hopefully we will see a better fix soon.

18.

Mike
Posted August 12, 2009 at 02:55 | Permalink

Hi,

I’ve been searching for answers for a couple of days now but seem to have no luck. I have a problem with WAN failover. I am trying to do what is in the guide and some other HowTos, but it never worked for me, or I might have missed something in the config.

I followed this guide to set up my 2 WANs and everything runs smoothly. When I tried to simulate downtime on my WAN by disconnecting the LAN cable, my OPT1 (WAN2) didn’t respond and it is still “Offline”. When I put it back on, both are running online. Does OPT1 depend on WAN?

Have you guys experienced anything like this? Please, I need help.

Thanks.

19.

Tom
Posted August 12, 2009 at 06:03 | Permalink

I’m wondering, Mike, what you have under your AON rules. Also search http://forum.pfsense.org/index.php?board=36.0 for your answer. You can also post there and someone will, I’m sure, help you.

I haven’t fully been able to replicate your problem so there must be a misconfiguration somewhere.

20.

Mike
Posted August 12, 2009 at 20:13 | Permalink

Thanks Tom.

21.

neowarcic
Posted August 24, 2009 at 03:49 | Permalink

I have problems too. With OPT1 I cannot add IPs to work. I tried everything but it won’t ping the OPT1 gateway.

Regards

22.

Tom
Posted August 24, 2009 at 05:51 | Permalink

Neowarcic,
Double check your firewall settings on both interfaces. Also do you have AoN enabled? When I
cannot get a config working, I always start over. Let me know if you get it.

23.

neowarcic
Posted August 24, 2009 at 06:00 | Permalink

Actually I can’t ping the internet from OPT1. I tried to change the ethernet device but nothing.

24.

neowarcic
Posted August 24, 2009 at 06:05 | Permalink

First try was to load 2 modems with the same subnets; after that I used a mikrotik on some P3 computer to make a router and I got a different subnet.
I have to say that I burned 2 modems trying to make all that. I don’t know what I need to do in the firewall, because when I put an IP on WAN and turn on DHCP on OPT1, do I need to have output ping?

25.

kumar
Posted September 19, 2009 at 11:06 | Permalink

Hai
I have set up one pfsense box with 2 WAN interfaces (different ISPs) and one LAN interface for internal distribution. While one ISP is on DHCP, the second comes with a static IP. I am unable to add this static-IP-based ISP to the pfsense box. Any help will be appreciated.

26.

Tom
Posted September 21, 2009 at 07:11 | Permalink


Hey Kumar, sorry for the wait.


Have you assigned the static to one if and tried DHCP on the other? What happens when you manage
the IF and change it to static?

27.

rd
Posted November 18, 2009 at 22:00 | Permalink

Nice Guide.
So if I just want a backup of my WAN connection without load balancing, what should the pool monitor status be?

Thanks

28.

Kevin
Posted November 30, 2009 at 01:10 | Permalink

Hi, I have three identical modems from the same ISP and they all have the same speed. I know about the problems of having the same gateway, so modems 2 and 3 both have a router in between them and pfsense. My problem is that during failover, the load balancer status screen correctly shows which modems are offline, but sometimes I can’t surf the Internet even when one modem is online, and sometimes it does work.

My monitor ip addresses are 4.2.2.1, 4.2.2.2, and 4.2.2.3, respectively.

What could be the problem with this?

29.


Kevin
Posted December 3, 2009 at 21:17 | Permalink

Anyone please reply?

30.

Tom
Posted December 4, 2009 at 15:31 | Permalink

Hey Kevin,
sorry for the late reply. I am out on a military exercise thousands of miles from my home so I was not
able to reply right away. I don’t have much time right now to sit down and think about your issue.
Right now I would suggest getting on the pfsense forums until I can get back and work with you on
this. If you figure out the issue before I get back, comment about it and I will put the fix in the post.
Thank you.

31.

Kevin
Posted January 16, 2010 at 21:18 | Permalink

Hi Tom. Unfortunately, the pfsense forum is not of much help for me either. I hope you can
personally help me in setting up my 3-WAN (same ISP) pfsense setup. I hope you are done with the
military exercise by now.

Thanks mate.

32.

jo dumars

Posted January 18, 2010 at 06:03 | Permalink

Hi all,
I followed all the steps above and works like a charm. Thank you for the guide!!

33.

Mike
Posted January 26, 2010 at 12:00 | Permalink

Hey, anyone know how to get dual WAN working with pfsense 2.0? Chris has changed everything
around and now the “LoadBalancer” option is for server load balancing not connection balancing so
the “Pools” do not work the way they are described in here. I think “Pools” in 2.0 are “Gateway” or
“Gateway Groups” Not too sure. Like the rest, for an open source community, the PFSense forum falls
flat on its face for any sort of help.

34.

Tom
Posted January 26, 2010 at 14:25 | Permalink

What is the benefit of running 2.0? 2.0 is based on an old FreeBSD build; 1.2.3 is based on a newer build. If you want security and stability I would recommend going to 1.2.3; 2.0 is still experimental and is going through a complete rewrite.

35.

psd_steve
Posted January 30, 2010 at 19:07 | Permalink

I played with 2.0 (to include the 24 Jan build). It is definitely still beta. Lots of things simply do not work. Using this guide I got my 1.2.3 rocking on multi-wan with the load balancer. Great guide, thank you

Steve

36.

Tasis
Posted February 7, 2010 at 05:04 | Permalink

Hi Mike, Tom,

I have a question following up an earlier comment by Mike and it concerns fail-over of incoming
connections (outgoing connections work fine every time via load-balancing gateways).

We have a simple pfSense ver. 1.2.3 setup with two outgoing interfaces WAN and WAN2|OPT1. We
also offer NAT port mapped services from the inside (over the pfSense LAN interface) like HTTP and
IMAP.

Our concern is that these internal services should be available either through WAN or WAN2, if
either one goes down.

However, in our tests when we bring WAN down, WAN2 ceases to respond. It appears that pfSense is
missing its default gateway (since WAN is down) and fails to respond to any incoming requests over
WAN2.

This assumption is further supported by doing the following test:

- bring WAN down
- cannot ping WAN2 from IP 1.2.3.4
- add static route to pfSense with gateway WAN2 for IP 1.2.3.4
- pinging WAN2 from IP 1.2.3.4 now works!
(WAN interface is still down)

Is there any way to have multiple default gateways in pfSense? Or would you recommend any other solution?

Thank you, Tasis

37.

german
Posted February 9, 2010 at 10:52 | Permalink

Thank you very much, your instructions were a great help.

