Question pfSense: Setup loadbalancing and Failover

supermanu15

Distinguished
I just want to ask the community: we have 2 fiber connections and I load-balanced them. Is there a way to set it up so that if 1 link fails, it automatically switches from load balancing to failover?

Let's say:

if (fiber1 == ok && fiber2 == ok)
    then loadbalance
if (fiber1 != ok && fiber2 == ok)
    then failover(fiber1 >> fiber2)
if (fiber1 == ok && fiber2 != ok)
    then failover(fiber2 >> fiber1)

Is there a way to set that up in gateway groups? Or in rules? Thanks in advance!
 
Load Balance = both lines are used when available. If one is missing, the other will carry all the traffic.

Failover = only one line works at a time and carries the full load. If the first one fails, the second one takes over until the first one is available again.
 

Didn't I use all approved EIA/IEEE certified terminology? :D

I was interested in setting up pfSense for fair use: LAN users, everybody in the house, get a fair share of the Internet pipe. But instead, when I went into LOAD BALANCING, a feature of pfSense, I didn't see a way of doing this. I clicked the HELP button and what I read suggested this is for inbound traffic.

INBOUND TRAFFIC as in: I am hosting, say, a web server at home, but I have multiple ISPs and I want to use those ISPs to provide extra bandwidth for my customers, and FAILSAFE also means that if one of my ISPs fails, the customer can still get into my site without missing a beat.
 

Wanna share it with the community?

So you have a pfSense box with 2 WANs and 1 LAN, and you used what methods exactly? Don't need step by step, just give me the 30 ft view; 2 paragraphs max is enough.
 

supermanu15

Distinguished


We started with a normal system unit and installed PCI (long time ago) and PCI-E LAN cards, then backed up the firewall's configuration and bought a barebone appliance (with a 64 M.2 SSD) the same size as a normal sandwich, uploaded the config there, and that appliance became our new firewall, low profile and power efficient. Putting it in load-balanced mode, created under gateway groups, merged the 2 WANs together as long as you set them to the same "Tier"; setting WAN1 to Tier 1 and WAN2 to Tier 2 means it's a failover configuration: WAN2 remains idle until WAN1 fails, and it automatically routes the traffic there. :)

pfSense is a great firewall solution indeed; it simplifies almost everything, well, until you get to the command line part in case the web UI stops working.
 
Great to hear it's working out for you.

I really need to upgrade my now obsolete SonicWall with something more modern, and can't decide whether to go with another Internet appliance or DIY pfSense. The plus for pfSense is try before you buy; the minus is, so far, the rules are not the same Allow/Deny as I am used to.... still playing with it.
 

supermanu15

Distinguished


You can basically take any old system unit and turn it into a pfSense box :) That way you can cut costs in the company's expenses. It took a long while before we moved to using an appliance, though, the main problem being that the old system unit's hardware components seemed to act up, which is understandable since we have it up 24/7 :) Plus it's routing, so it needs less processing power; heck, even a dual-core Atom is more than sufficient.
 

Mhhh... that doesn't bode well. In my old SonicWall, the rules would sort themselves out automatically in a logical manner.

I.e., obviously

SOURCE specific LAN IP -- DESTINATION WAN -- DENY

has precedence over

SOURCE * (all) -- DESTINATION * (all) -- DENY

and SonicWall would put 'em in their correct order without user intervention.


I know a FW needs (relatively) little horsepower and am testing it with my old Pentium-3 box, but that dang thing is sucking 55 watts all day, 24x7, whereas I can buy a 2-10 watt tiny thing. I know the math tells me it will take a few years to recoup the expense, but that just seems wrong for the environment.
 


By default you have deny any/all, which is clearly unusable (no DNS, etc. etc.); as long as subsequent rules are placed above it, you are OK. The ordering helps with traffic shaping and bandwidth controls, not just between LAN and WAN but between different subnets on the LAN and VLANs. It's very powerful.
 

supermanu15

Distinguished
Which was why we moved to a smaller appliance, to make it power efficient and low profile :) I don't find the FW rules odd actually; I like it a lot and it's easy to understand and use. I like it with user intervention because in my use case I specify things and want A over B or B over C but not over A, etc. etc.
 

supermanu15

Distinguished

Sorry for the necro; cleaning out my threads and marking as solved those I haven't marked yet.
My solution was not presented as clearly as I read it now, so, to make sure in case someone might run into this in the future, use this as a reference.

***Created 2 gateway groups, LoadBalance and FailOver1, and created "Tiers" in them.
-> "LoadBalance" has fiber1 and fiber2 both in Tier 1
-> "FailOver1" has fiber1 as Tier1 and fiber2 as Tier2

These gateway groups I then added in the Firewall >> Rules section, and stacked them on each other. So if load balancing fails, it fails over, depending on which link (fiber1 or fiber2) fails. If fiber1 fails, it toggles the "FailOver1" gateway group and throws the connection to fiber2; if fiber2 fails, seeing that fiber1 is Tier 1 in the gateway group, it'll just throw the connection there by default.
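To make the tier and rule-stacking behaviour from this solution concrete, here is an added simulation (not pfSense code, and not from the thread's author): gateway groups are modelled as gateway-to-tier maps, a group serves traffic from the lowest tier that still has an online member, and the stacked rules are evaluated first-match. The group names, the round-robin choice within a tier and the "online"/"down" status values are constructed for the example.

```python
from itertools import cycle

# Constructed gateway groups, as in the thread's solution: group -> {gateway: tier}
GROUPS = {
    "LoadBalance": {"fiber1": 1, "fiber2": 1},  # same tier: traffic is shared
    "FailOver1":   {"fiber1": 1, "fiber2": 2},  # fiber2 stays idle until fiber1 fails
}

# Constructed rule stack, top to bottom, as placed under Firewall >> Rules
RULES = ["LoadBalance", "FailOver1"]


def active_gateways(group, status):
    """Gateways that carry traffic for a group: every online member of the
    lowest tier that still has at least one online member."""
    members = GROUPS[group]
    for tier in sorted(set(members.values())):
        live = [gw for gw, t in members.items()
                if t == tier and status.get(gw) == "online"]
        if live:
            return live
    return []  # every member of every tier is down


def route_flows(rules, status, flows):
    """First-match policy routing over the stacked rules: a flow takes the
    first rule whose group still has a usable gateway and is spread
    round-robin across that group's active gateways.
    Returns {flow: (group, gateway)}, or None when every group is down."""
    pickers = {}
    for group in rules:
        live = active_gateways(group, status)
        if live:
            pickers[group] = cycle(live)
    routed = {}
    for flow in flows:
        routed[flow] = None
        for group in rules:
            if group in pickers:
                routed[flow] = (group, next(pickers[group]))
                break
    return routed


if __name__ == "__main__":
    scenarios = {"both up": {"fiber1": "online", "fiber2": "online"},
                 "fiber1 down": {"fiber1": "down", "fiber2": "online"},
                 "fiber2 down": {"fiber1": "online", "fiber2": "down"},
                 "both down": {"fiber1": "down", "fiber2": "down"}}
    for name, status in scenarios.items():
        print(name, route_flows(RULES, status, ["flow-a", "flow-b", "flow-c"]))
```

Running the scenarios shows that, because both groups contain the same two links, the FailOver1 rule is only reached when LoadBalance has no live gateway at all, which matches the earlier reply that a load-balance group already moves all traffic to the surviving line.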