pfSense Dual WAN Load Balancing and Failover

In this tutorial I will show you how to configure WAN load balancing and failover using pfSense 2.x.

My Network Diagram:

Requirements: pfSense 2.x with four network adapters, and two Internet connections (one modem per WAN).

 

1. Load Balancing Configuration

Configure the network interfaces. Go to Interfaces > WAN, rename the interface to WAN1 and set its IP address to 172.16.1.1/24.

A gateway must be set on this interface. Below the IP address field there is a small “add a new one” link; click it and set the gateway to 172.16.1.254, which is the LAN-side IP address of Modem1.

Do the same for WAN2:
Set the IP address to 172.16.10.1/24
Gateway 172.16.10.254 (the IP address of Modem2)
For LAN, set the IP address to 192.168.1.1/24. Do not set a gateway here: only the two WAN interfaces get gateways, otherwise pfSense treats the LAN as another upstream link.
Because both WAN interfaces sit on private (RFC 1918) address space, make sure “Block private networks” and “Block bogon networks” are unchecked on WAN1 and WAN2. With them checked, pfSense adds block rules on those interfaces for packets sourced from private address space, which is exactly where your modems live. On LAN these two options are off by default.

For the Wireless interface
Set the IP address to 192.168.10.1 (use a /24 mask, like the LAN)
Again, no gateway on this interface

Now we need to add two DNS servers, each tied to a different WAN gateway. In the example below Google DNS (8.8.8.8) goes through WAN1 and OpenDNS (208.67.222.222) through WAN2, so name resolution keeps working when either WAN fails.
Go to System > General Setup and, for each DNS server entry, pick the matching gateway in the “Use gateway” column.


Next we need to edit the monitor IP address for each gateway.
Go to System > Routing
On WAN1 set the Monitor IP to Google DNS – 8.8.8.8
On WAN2 set the Monitor IP to OpenDNS – 208.67.222.222

The monitor IP is a reliably reachable Internet host that answers ICMP echo; pfSense pings it continuously through that gateway to decide whether the gateway is up. pfSense also installs a static host route for each monitor IP via its gateway, so every gateway needs its own distinct monitor IP: the same address on both gateways would force all probes out of one WAN and make the other gateway's state meaningless. Using the DNS servers from the previous step has the useful side effect of pinning each DNS server to its WAN.
Next we need to create a gateway group for each behaviour.
Go to System > Routing > Groups
Click the (+) button and set the group name to “Load Balance”.
Put both gateways in the same tier (select “Tier 1” for each), set Trigger Level to “Packet Loss or High Latency”, enter any description you like and press Save. Members of the same tier share traffic; when tiers differ, the lowest-numbered tier that still has a usable member gets all the traffic.
Next create another group called “Failover1”: if WAN1 fails, traffic moves automatically to WAN2.
Set the group name to “Failover1” and give the gateways different tiers, “Tier 1” for gateway1 (WAN1) and “Tier 2” for gateway2 (WAN2). Set Trigger Level to “Packet Loss”, add any description you like and press Save.

Create one more group, “Failover2”, as the mirror image: if WAN2 fails, traffic moves automatically to WAN1.
Set the group name to “Failover2”, select “Tier 2” for gateway1 and “Tier 1” for gateway2, set Trigger Level to “Packet Loss”, add a description and press Save.
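The gateway-state logic the groups above rely on is hard to picture from the GUI alone. The following Python script is an added example, not pfSense code: it models how probe results to a monitor IP turn into a gateway state, how each Trigger Level decides which members a group may use, and how tiers make a group behave as either load balancing or failover. The loss and latency thresholds are assumptions chosen to resemble the pfSense 2.x defaults, and the probe samples are constructed.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

# Assumed thresholds; they resemble the pfSense 2.x defaults for a gateway's
# packet-loss / latency warning and down levels, but are not read from pfSense.
LOSS_WARN_PCT, LOSS_DOWN_PCT = 10.0, 20.0
LAT_WARN_MS, LAT_DOWN_MS = 200.0, 500.0


@dataclass
class Gateway:
    name: str
    monitor_ip: str
    rtts_ms: List[Optional[float]]  # one entry per probe to monitor_ip; None = no reply

    def loss_pct(self) -> float:
        lost = sum(1 for r in self.rtts_ms if r is None)
        return 100.0 * lost / len(self.rtts_ms)

    def latency_ms(self) -> float:
        replies = [r for r in self.rtts_ms if r is not None]
        return mean(replies) if replies else float("inf")

    def status(self) -> str:
        """online | loss | delay | down, the states the gateway widget shows."""
        loss, lat = self.loss_pct(), self.latency_ms()
        if loss >= LOSS_DOWN_PCT or lat >= LAT_DOWN_MS:
            return "down"
        if loss >= LOSS_WARN_PCT:
            return "loss"
        if lat >= LAT_WARN_MS:
            return "delay"
        return "online"


# Which gateway states each Trigger Level treats as "do not use this member".
TRIGGER_EXCLUDES = {
    "Member Down": {"down"},
    "Packet Loss": {"down", "loss"},
    "High Latency": {"down", "delay"},
    "Packet Loss or High Latency": {"down", "loss", "delay"},
}


def select_gateways(members: Dict[str, int], trigger: str, gateways: List[Gateway]) -> List[str]:
    """Return the gateways a group currently sends traffic to.

    members maps gateway name -> tier. Only usable members count; of those,
    the lowest tier wins. One name means failover is in effect, several
    names at the same tier mean traffic is balanced across them.
    """
    by_name = {g.name: g for g in gateways}
    usable = [n for n in members if by_name[n].status() not in TRIGGER_EXCLUDES[trigger]]
    if not usable:
        return []
    best_tier = min(members[n] for n in usable)
    return [n for n in usable if members[n] == best_tier]


def duplicate_monitor_ips(gateways: List[Gateway]) -> List[str]:
    """Monitor IPs must be unique per gateway (pfSense adds a host route for each)."""
    seen, dups = set(), set()
    for g in gateways:
        if g.monitor_ip in seen:
            dups.add(g.monitor_ip)
        seen.add(g.monitor_ip)
    return sorted(dups)


if __name__ == "__main__":
    # Constructed probe samples, not real measurements: WAN1 lost 1 of 10 probes.
    wan1 = Gateway("WAN1GW", "8.8.8.8", [20, 21, None, 19, 22, 20, 21, 20, 19, 20])
    wan2 = Gateway("WAN2GW", "208.67.222.222", [35] * 10)
    load_balance = {"WAN1GW": 1, "WAN2GW": 1}
    failover1 = {"WAN1GW": 1, "WAN2GW": 2}
    for group, trigger in ((load_balance, "Packet Loss or High Latency"),
                           (failover1, "Packet Loss"), (failover1, "Member Down")):
        print(group, trigger, "->", select_gateways(group, trigger, [wan1, wan2]))
```

With 10 % loss WAN1 is in the “loss” state: both the Load Balance group and Failover1 stop using it, while the same Failover1 group with Trigger Level “Member Down” keeps sending traffic through it. That is the practical difference between the trigger levels.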

The configuration should look like this

None of this takes effect until it is referenced from firewall rules: policy routing in pfSense happens per rule.
Go to Firewall > Rules
Select the LAN tab and click the (+) button to add a new rule
Set Protocol to – any
Source to – LAN subnet
Description to – anything you want
Leave the other settings at their defaults
Under “Advanced features” set the Gateway to – Load Balance, the group we just created
Click Save to save the configuration
Two things to check before moving on. Rules on an interface are evaluated top to bottom and the first match wins, so move this rule above the stock “Default allow LAN to any” rule (or edit that rule to use the group instead); if the default rule stays on top, LAN traffic keeps using the default gateway and nothing is balanced. Second, a rule with a gateway set pushes everything it matches out through that gateway, including traffic meant for the Wireless subnet or for pfSense itself (its web interface, DNS). Add a pass rule above it, without a gateway, for destinations in the local networks (LAN net, Wireless net, the firewall's own addresses) so that local traffic is routed normally.
Next create the rules for “Failover1” and “Failover2” in the same way, selecting the respective group as the gateway. Since the “Load Balance” rule already matches all LAN traffic, a failover rule only ever matches if it sits above it and is scoped to the specific destinations or protocols that should stick to one WAN.
“Failover1”

 “Failover2”
That completes the setup. To test failover, unplug modem1; traffic should move to the second connection once the gateway monitor declares WAN1 down. You can watch this happen under Status > Gateways, where the failed gateway shows as offline.
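Because rule order decides which gateway a packet gets, it is worth simulating the LAN rule set before trusting it. The Python script below is an added example, not pfSense code: it reproduces pfSense's first-match evaluation for the rules described above, detects rules that an earlier rule makes unreachable, and contrasts the tutorial's three any/any rules with a reordered set that lets local traffic bypass policy routing. The addressing is the tutorial's; the pinned host 203.0.113.10 is a hypothetical destination that should always leave via WAN1 unless WAN1 is down.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed topology using the addressing from this tutorial.
LAN_NET = ip_network("192.168.1.0/24")
WIFI_NET = ip_network("192.168.10.0/24")
ANY = ip_network("0.0.0.0/0")
# Hypothetical server that must always leave via WAN1 unless WAN1 is down.
PINNED_HOST = ip_network("203.0.113.10/32")


@dataclass
class Rule:
    description: str
    src: IPv4Network
    dst: IPv4Network               # ANY for "any destination"
    gateway: Optional[str]         # None = normal routing table, else gateway or group name

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return ip_address(src_ip) in self.src and ip_address(dst_ip) in self.dst


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """pfSense evaluates interface rules top to bottom; the first match decides."""
    for r in rules:
        if r.matches(src_ip, dst_ip):
            return r.description, r.gateway
    return "default deny", None


def shadowed(rules: List[Rule]) -> List[str]:
    """Rules that can never match because an earlier rule already covers them."""
    dead = []
    for i, r in enumerate(rules):
        if any(r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst) for e in rules[:i]):
            dead.append(r.description)
    return dead


# The LAN tab as the tutorial describes it: three any/any rules in a row.
AS_WRITTEN = [
    Rule("Load Balance", LAN_NET, ANY, "Load Balance"),
    Rule("Failover1", LAN_NET, ANY, "Failover1"),
    Rule("Failover2", LAN_NET, ANY, "Failover2"),
]

# Reordered: local destinations (including the firewall's own LAN address)
# bypass policy routing, the pinned host gets its failover rule above the
# catch-all, and the load-balancing catch-all goes last.
CORRECTED = [
    Rule("Pass to Wireless net, no gateway", LAN_NET, WIFI_NET, None),
    Rule("Pass to LAN net, no gateway", LAN_NET, LAN_NET, None),
    Rule("Failover1 for pinned host", LAN_NET, PINNED_HOST, "Failover1"),
    Rule("Load Balance", LAN_NET, ANY, "Load Balance"),
]

if __name__ == "__main__":
    print("shadowed as written:", shadowed(AS_WRITTEN))
    print("shadowed corrected:", shadowed(CORRECTED))
    for dst in ("192.168.10.20", "192.168.1.1", "203.0.113.10", "1.1.1.1"):
        print(dst, first_match(AS_WRITTEN, "192.168.1.50", dst),
              first_match(CORRECTED, "192.168.1.50", dst))
```

In the rule set as written, both failover rules are shadowed by the Load Balance rule and a LAN client talking to the Wireless subnet is policy-routed out of a WAN; in the reordered set the same packet is routed normally and only Internet-bound traffic reaches the gateway group. The shadow check only compares source and destination networks, which is all these rules use; protocol and port matches would need to be added for a fuller rule set.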
Note:
The rules below are optional; use them if you want the WiFi router on its own interface with a separate IP range and subnet.

On the Wireless tab we repeat the same configuration: a Wireless Load Balance rule, a Wireless Failover1 rule and a Wireless Failover2 rule. Each one has Source set to the Wireless subnet and the corresponding gateway group selected under advanced features, and the same ordering rules apply as on the LAN tab.
Now we will configure the DHCP server for the LAN and Wireless interfaces.
Go to Services > DHCP server
Click on the “LAN” tab
Set the range from 192.168.1.101 to 192.168.1.130; that is 30 addresses, enough for 30 DHCP clients on the LAN network.
                                             DHCP range for LAN

Do the same on the “Wireless” tab, with a range inside 192.168.10.0/24.

We also need to configure the DHCP forwarder.
Go to Services > DHCP forwarder

Note: disable the DHCP server on your wireless access point so that clients get their leases from pfSense; two DHCP servers on the same segment hand out conflicting leases.
pfSense is a FreeBSD-based distribution (not Linux) that has been customized to run as a firewall and router. It is a capable firewall with many of the features found in commercial products, maintained by an open source community and released under a permissive BSD-style license, which makes it free for anyone to use. Like many small firewall distributions, pfSense does not take much to run. The minimum hardware requirements are a computer with:
CPU – 100 MHz Pentium
RAM – 128 MB
CD-ROM for the initial installation
10 GB hard drive
Two network interface cards
This post is a basic tutorial to guide you through installing pfSense as a basic firewall on your own or a client's network.
Get pfSense
1. Download the latest version of pfSense (version 2.0.1 was used for this tutorial) and verify the checksum published alongside the download before using the image:
 http://www.pfSense.org/index.php?option=com_content&task=view&id=58&Itemid=46
2. Using your favourite CD burning software, burn the pfSense ISO to a CD.

Install pfSense
1. Boot the chosen PC from the pfSense CD. You will be presented with the “Welcome to pfSense!” screen; for a basic install, press [Enter] for the default option.
2. Press the I key to invoke the installer.
3. On the “Configure Console” screen there is usually nothing to change. Press the Down arrow to highlight “<Accept these Settings>” and press [Enter].
4. On the “Select Task” screen, select “<Quick/Easy Install>” and press [Enter].
5. At the “Are you SURE?” prompt, confirm by highlighting “< OK >” and pressing [Enter]. Any data on the first hard drive of the system will be destroyed to install pfSense.
6. Take a break :) This stage can take up to 10 minutes depending on your hardware, while pfSense formats the drive and copies the software to the system.
7. At the “Install Kernel(s)” screen, make sure “< Symmetric multiprocessing kernel (more than one processor) >” is highlighted and press [Enter].
8. At the “Reboot” screen, remove the pfSense CD, make sure “< Reboot >” is highlighted and press [Enter].
9. After the system reboots you are presented with the initial “Welcome to pfSense!” menu. Press [Enter] to select the default.
Note: this is the default action; if no key is pressed before the countdown reaches 0, the default boot profile is used anyway.
10. During boot, pfSense lists the network interface cards it detected and can use.
Note: if not all of your cards are listed, press [Ctrl-C] to end the setup script and then select option “6” (Halt system). After the system shuts down, check that the network interface cards are properly seated and working. Once the problem is fixed, boot pfSense again and repeat from step 9.
11. Since this is a basic setup, we will not configure a VLAN; type “n” and press [Enter].
12. From the list of valid interfaces found by pfSense, type the name of the network interface card that will be connected directly to the Internet (cable modem, DSL, etc.). This becomes the WAN interface.
13. From the same list, type the name of the card that will be connected to your internal network; this becomes the LAN interface. Repeat this step for each additional card the firewall will use (wireless, DMZ, etc.). When you are finished, press [Enter] on an empty line to move to the next step.
14. Confirm that the correct network interface card has been assigned to each interface, type “y” and press [Enter].
15. Once the initial setup completes, you are presented with the pfSense console menu. Your firewall is up and running, and everything that has to be done from the console is finished. As an added precaution you can now disconnect the monitor and keyboard, since all further configuration happens in the web interface (see “The webConfigurator – pfSense basic setup part 2”). The web interface starts with the well-known default credentials admin / pfsense, so changing that password is the first thing to do there.

Traffic Shaper – Mikrotik

In this post I discuss the traffic shaper.
In this scenario you raise the effective browsing speed by giving HTTP and HTTPS traffic priority, and hold P2P traffic down to a smaller share.
Set src-address to your own local subnet.

/ip firewall mangle
#### HTTP TRAFFIC ####
add action=mark-connection chain=prerouting comment="Mark HTTP" dst-port=80 \
    new-connection-mark=HTTP-Conn protocol=tcp src-address=192.168.88.0/24
add action=mark-packet chain=prerouting connection-mark=HTTP-Conn \
    new-packet-mark=HTTP-Marked passthrough=no
#### HTTPS TRAFFIC ####
add action=mark-connection chain=prerouting comment="Mark HTTPS" dst-port=443 \
    new-connection-mark=HTTPS-Conn protocol=tcp src-address=192.168.88.0/24
add action=mark-packet chain=prerouting connection-mark=HTTPS-Conn \
    new-packet-mark=HTTPS-Marked passthrough=no
#### P2P TRAFFIC ####
add action=mark-connection chain=prerouting comment="Mark P2P" p2p=all-p2p \
    new-connection-mark=p2p-Conn protocol=tcp src-address=192.168.88.0/24
add action=mark-packet chain=prerouting connection-mark=p2p-Conn \
    new-packet-mark=p2p-Marked passthrough=no

/queue tree
add name="HTTP-Queue" packet-mark=HTTP-Marked parent=global-out priority=2 queue=default max-limit=4M
add name="HTTPS-Queue" packet-mark=HTTPS-Marked parent=global-out priority=1 queue=default max-limit=4M
add name="P2P-Queue" packet-mark=p2p-Marked parent=global-out priority=8 queue=default max-limit=2M

Notes on this configuration: the HTTPS rules must match dst-port=443 and connection-mark=HTTPS-Conn (a copy of the HTTP rules with the port and mark left unchanged never marks any HTTPS traffic, so it bypasses the shaper entirely). The p2p matcher is signature-based and only recognises unencrypted P2P protocols, and with protocol=tcp the rule also ignores UDP-based P2P; treat the P2P queue as a best-effort limit, not an enforcement control. Queue priority 1 is the highest, so HTTPS wins over HTTP, and P2P at priority 8 only gets what is left.
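To see why the port and connection-mark values matter, the Python script below models the prerouting mangle chain and the queue tree. It is an added example, not RouterOS code: mark-connection rules set a connection mark and let processing continue, the first mark-packet rule whose connection-mark matches sets the packet mark and stops (passthrough=no), and the packet mark selects the queue. AS_POSTED reproduces the two slips the original post carried on its HTTPS rules (dst-port=80 and connection-mark=HTTP-Conn); CORRECTED is the chain as it should read. The sample flows are constructed, and the p2p flag stands in for the p2p=all-p2p signature matcher.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Union

LAN = ip_network("192.168.88.0/24")   # the src-address used in the mangle rules


@dataclass
class Flow:
    src: str
    proto: str
    dst_port: int
    p2p: bool = False   # stands in for the RouterOS p2p=all-p2p signature matcher


@dataclass
class ConnRule:          # action=mark-connection (passthrough=yes by default)
    mark: str
    dst_port: Optional[int] = None
    p2p: bool = False
    proto: str = "tcp"

    def matches(self, f: Flow) -> bool:
        if ip_address(f.src) not in LAN or f.proto != self.proto:
            return False
        return f.p2p if self.p2p else f.dst_port == self.dst_port


@dataclass
class PacketRule:        # action=mark-packet ... passthrough=no
    connection_mark: str
    packet_mark: str


def run_chain(flow: Flow, chain: List[Union[ConnRule, PacketRule]]) -> Optional[str]:
    """Walk the prerouting mangle chain in order, as RouterOS does.

    mark-connection rules set the connection mark and continue; the first
    mark-packet rule whose connection-mark matches sets the packet mark and
    stops (passthrough=no). Returns the packet mark, or None when the flow
    lands in no queue at all.
    """
    conn_mark = None
    for rule in chain:
        if isinstance(rule, ConnRule):
            if rule.matches(flow):
                conn_mark = rule.mark
        elif conn_mark is not None and rule.connection_mark == conn_mark:
            return rule.packet_mark
    return None


# Queue tree from the page: packet mark -> (priority, max-limit); 1 is the highest priority.
QUEUES = {"HTTPS-Marked": (1, "4M"), "HTTP-Marked": (2, "4M"), "p2p-Marked": (8, "2M")}


def queue_for(flow: Flow, chain) -> Optional[tuple]:
    """The queue a flow ends up in, or None if it is unshaped."""
    mark = run_chain(flow, chain)
    return QUEUES.get(mark) if mark else None


# The chain as originally posted: the HTTPS rules still carry the HTTP port and mark.
AS_POSTED = [
    ConnRule("HTTP-Conn", dst_port=80),
    PacketRule("HTTP-Conn", "HTTP-Marked"),
    ConnRule("HTTPS-Conn", dst_port=80),
    PacketRule("HTTP-Conn", "HTTPS-Marked"),
    ConnRule("p2p-Conn", p2p=True),
    PacketRule("p2p-Conn", "p2p-Marked"),
]

CORRECTED = [
    ConnRule("HTTP-Conn", dst_port=80),
    PacketRule("HTTP-Conn", "HTTP-Marked"),
    ConnRule("HTTPS-Conn", dst_port=443),
    PacketRule("HTTPS-Conn", "HTTPS-Marked"),
    ConnRule("p2p-Conn", p2p=True),
    PacketRule("p2p-Conn", "p2p-Marked"),
]

if __name__ == "__main__":
    # Constructed sample flows: web, TLS, a TCP P2P session, a UDP P2P session, a non-LAN source.
    for f in (Flow("192.168.88.10", "tcp", 80), Flow("192.168.88.10", "tcp", 443),
              Flow("192.168.88.10", "tcp", 6881, p2p=True),
              Flow("192.168.88.10", "udp", 6881, p2p=True), Flow("10.0.0.5", "tcp", 443)):
        print(f, "posted:", queue_for(f, AS_POSTED), "corrected:", queue_for(f, CORRECTED))
```

With the posted chain every port-443 flow comes out unmarked and therefore unshaped, which defeats the point of giving HTTPS the top priority. The model also shows that the page's protocol=tcp restriction leaves UDP-based P2P outside the 2M queue.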
