Dual WAN Router: How to Load Balance Using pfSense
Purchasing a dual WAN router can easily set you back several hundred bucks. Besides the high prices, many of the models on the market lack many features. So instead of shelling out cash for a router with limited features, you can recycle some old hardware and build one yourself. By utilizing the popular open source router/firewall platform pfSense, you can create a very powerful and feature-rich router. Plus you'll have a sense of accomplishment knowing you created it yourself.
Why set up a dual WAN router?
- Increase your internet bandwidth - If you have multiple internet connections you can load balance them to provide more bandwidth to the computers on your home or office network. This can be very useful for downloading torrents and playing online games at the same time.
- Provide backup internet connectivity - Another popular use is providing redundancy or failover in the event one internet connection goes offline. In this case it's important to make sure you're using two different ISPs. For example, one cable and one DSL connection.
If you want to hear more about pfSense before getting started check out my hub, Introduction to pfSense. I'm going to assume the readers of this hub have some basic network knowledge and are familiar with setting up a router. If you have a question or would like more details just let me know.
Updates for pfSense version 2.0
I have updated this hub to include instructions for pfSense version 2.0. I'm planning on leaving the portion of the hub covering version 1.2.3 up for a while since many people still use it. If you haven't done so already, I highly recommend upgrading to version 2.0. Not only does version 2.0 have much better support for multi-WAN connections, but it also offers several other great features.
What you'll need to get started
- An old computer - For this type of application I would recommend a minimum processor speed of 1GHz with at least 256Mb of ram. The computer will also need a hard drive (or CF card), and a CD-ROM. If you don't have an old machine lying around check Craigslist or a garage sale. You should be able to pick something up for free or very cheap.
- Three network cards - The computer you use will need to have three network interfaces: one for the LAN port and two for the WAN ports. I recommend using at least 100Mb cards to prevent a bottleneck. Onboard network connections work fine. If you don't have an onboard NIC you can just use three PCI or PCIe network cards. You can salvage the network cards from old computers or purchase new network cards at a low cost.
- Two internet connections - Cable, DSL, T1, FIOS, etc. You can use two connections from the same provider if you want or use two different ISPs.
- The pfSense software - You will need to download the live CD from one of the mirrors and burn it to a disc. Visit www.pfsense.org and click on downloads. I recommend using pfSense version 2.0 since it includes better multi-WAN support. The free 7-Zip program can uncompress the .gz file for you.
Setting everything up
If you already have a functional pfSense router, keep reading for the details on how to configure dual WAN connections. If you don't, check out the pfSense install guide, then continue with the rest of the instructions on this hub.
Interfaces Configuration for Version 1.2.X
These steps will be completed using the pfSense web GUI.
I'm assuming during your initial pfSense setup you configured a LAN and one WAN interface already.
To configure the second WAN interface select OPT1 from the Interfaces menu. Click the check box to enable the interface and set the type to either DHCP or Static depending on what you need, then hit Save.
Next open the Load Balancer page found under Services. Click the + sign to create a new pool. Choose a name, 'LoadBalance' for example, then set the type to Gateway. Choose a behavior of either Load Balancing or Failover depending on what you're trying to accomplish. Set the Monitor IP to WAN's gateway. Then select the WAN interface from the drop-down menu and click add to pool. You will see WAN show up in the list below. Then change the Monitor IP to OPT1's gateway, select OPT1 from the interface list and click add to pool. Your configuration should be similar to what you see in the screen shot. Click save when you're finished, and apply changes on the next page.
Note that pfSense will act strange if you have the same gateway for each interface. You can get around the issue by setting up a bridge between one of the interfaces, but it's best to avoid having to do this.
To check if your configuration is working, go to Load Balancer under the Status menu. Both interfaces should report that they are online and report the latency of their monitor IPs.
If the interfaces don't show up as online, verify that your monitor IP will respond to ICMP pings. If it doesn't, you need to choose different monitor IPs, such as a DNS server. You may also need to double check the IP configuration of each interface on the Status\Interfaces menu. If the WAN/OPT1 interfaces are configured for DHCP you may need to release/renew the addresses.
If the load balancer status looked green then you're ready to activate it. On the Firewall menu click on Rules, then select the LAN tab. You'll need to edit the default rule and change the gateway from default to LoadBalance. This will send all outbound traffic to the load balancer.
Configuration for version 2.0
These steps will be completed using the pfSense web GUI.
The first thing you'll need to do is assign a second WAN interface. If you already configured one you can skip this step. Click on assign in the Interfaces menu. Then click the plus symbol labeled add and select the MAC address of the interface you want to use. If there is only one unassigned interface it will be automatically selected. By default the interface will be named OPT1. Your configuration should look like the screen shot on the right.
After you have assigned the interface you need to enable it. Click on the Interfaces menu, then select the name of the second WAN interface (OPT1). Check the box to enable the interface, then select DHCP or static as the type. It's important to note that if your gateway does not respond to ICMP pings then you should set an alternate monitor IP such as Google DNS (220.127.116.11).
Next click on Routing, found in the System menu. Verify that each of your WAN interfaces has a gateway assigned. If OPT1 doesn't have a gateway, check the DHCP or static IP configuration before moving on.
Adding a Gateway Group
If both of the gateways look good you can click on the gateway groups tab and create a new group by clicking the plus symbol. Assign a priority of tier 1 to both WAN and OPT1. Set the trigger to be 'member down'.
Make sure the gateway group is online
At this point you should check the status of the gateway group you have created to make sure that both interfaces show as online. If one of the members in the group shows as offline, make sure either that the gateway responds to ICMP pings or that you have entered an alternate monitor IP. In some cases you might just need to reboot the router in order for both members to activate.
Edit the default LAN rule
The final step is to edit the default LAN rule so outbound traffic will pass through the load balancer. To do this click on rules under the firewall menu. Then edit the rule with a source of 'LAN net', change the gateway to LoadBalance, or the name you assigned the gateway group earlier.
To test if everything is working use a speed test site that supports multiple threads such as the one on www.speakeasy.net. Torrents and Usenet will also benefit greatly from load balancing. You can also monitor the bandwidth of each interface under the Status\Traffic Graph menu.
The pfSense load balancer uses a round robin algorithm to determine which interface to send traffic out. You can enable sticky connections in the System\Advanced menu which will send successive connections to the same IP out the same interface. Some SSL connections can act strange if the source IP changes during a connection.
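The following Python model is an added illustration, not pfSense code: it shows how a tier-based gateway group with a 'member down' trigger, round robin selection and optional sticky connections decides which gateway a new connection leaves through, and why sticky keeps the source side stable for repeat connections to one IP. The class and function names are hypothetical, the destination IPs are constructed sample addresses, and treating a higher tier number as a standby that is used only when the lower tier is offline is an assumption of the model.

```python
class GatewayGroup:
    """Toy model of a gateway group; names here are hypothetical, not pfSense's."""

    def __init__(self, tiers, sticky=False):
        self.tiers = dict(tiers)              # e.g. {"WAN": 1, "OPT1": 1}
        self.online = {gw: True for gw in self.tiers}
        self.sticky = sticky
        self.sticky_map = {}                  # destination IP -> gateway
        self._next = 0                        # round-robin counter

    def set_status(self, gateway, is_online):
        """Record a monitor-IP result; a down member triggers re-selection."""
        self.online[gateway] = is_online
        if not is_online:
            # Forget sticky entries that point at the dead gateway.
            self.sticky_map = {ip: gw for ip, gw in self.sticky_map.items()
                               if gw != gateway}

    def active_members(self):
        """Online members of the best (lowest-numbered) tier that has any."""
        up = [gw for gw in self.tiers if self.online[gw]]
        if not up:
            return []
        best = min(self.tiers[gw] for gw in up)
        return [gw for gw in up if self.tiers[gw] == best]

    def pick(self, dest_ip):
        """Choose the gateway for a new outbound connection to dest_ip."""
        members = self.active_members()
        if not members:
            raise RuntimeError("every gateway in the group is offline")
        if self.sticky and self.sticky_map.get(dest_ip) in members:
            return self.sticky_map[dest_ip]
        gateway = members[self._next % len(members)]
        self._next += 1
        if self.sticky:
            self.sticky_map[dest_ip] = gateway
        return gateway


def route_all(group, dest_ips):
    """Gateways chosen for a sequence of new connections."""
    return [group.pick(ip) for ip in dest_ips]


if __name__ == "__main__":
    A, B = "203.0.113.10", "198.51.100.20"    # constructed sample destinations
    print(route_all(GatewayGroup({"WAN": 1, "OPT1": 1}), [A, A, A, A]))
    print(route_all(GatewayGroup({"WAN": 1, "OPT1": 1}, sticky=True), [A, A, B, A]))
```

Without sticky, four connections to the same IP alternate between WAN and OPT1, so the remote server sees two different source addresses; with sticky they stay on one gateway until that member goes down.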
If you are using two cable modems or other connections that use a shared physical infrastructure go to System\Advanced and enable the setting "Shared Physical Network". This will prevent your system logs from filling up with duplicate ARP messages.
If you set up a failover configuration, the best way to test it is by unplugging the WAN or OPT1 cables and seeing if the internet still works.
You could easily adapt these instructions to a triple or even quad wan router if you want. The limit is really how many network cards you can get into a single computer. I plan on updating this hub once pfSense 2.0 is released. If you would like me to add more detail to any of the sections just let me know.