pfSense Multi-WAN Configuration: Part Four

pfSense multi-WAN

Setting up multi-WAN load balancing with failover in pfSense 2.2.4

The load balancing functionality in pfSense allows you to distribute traffic over multiple WAN connections in a round-robin fashion. This is done on a per-connection basis. A monitoring IP is configured for each connection, which pfSense will ping, if the pings fail, the interface is marked as down and removed from all pools until the pings succeed again.

pfSense Multi-WAN: Load Balancing 

In pfSense 2.0 and above, Services -> Load Balancer is not used to configure load balancing with a multi-WAN setup. Instead, we use Gateway Groups by navigating to System -> Routing and clicking on the Groups tab. Click the plus button to add a new gateway group.

In the Group Name field, you can enter a group name. The Gateway Priority section is where you configure load balancing. The Tier field determines the link priority in the failover group. Lower-numbered tiers have priority over higher-numbered tiers. Multiple links of the same priority will balance connections until all links at that level are exhausted. If all links in a priority level are exhausted, pfSense will use the next available link in the next priority level.

To illustrate how this works, I created three gateways: WAN, WAN1 and WAN2, as can be seen in the screen capture. Let’s assume that the WAN gateway is my main Internet connection (e.g. a cable modem). Assume that the WAN1 and WAN2 gateways are for my backup Internet connections (e.g. DSL). We want WAN to provide our primary connection to the Internet. When WAN is down, we want our Internet connectivity to be load balanced across WAN1 and WAN2. Therefore, we set WAN to Tier 1 and both WAN1 and WAN2 to Tier 2. Thus, when the higher priority WAN is down, the failover will user WAN1 and WAN2. If either WAN1 or WAN2 go down, pfSense will use the remaining functioning gateway, so that even if two of the gateways are down, we should have some Internet connectivity, albeit with limited bandwidth.

The next field in the table, Virtual IP, allows you to select what virtual IP should be used when the gateway group applies to a local Dynamic DNS, IPsec or OpenVPN endpoint. In my example, since I was not setting up the gateway group to be used in any such scenario, I left this field unchanged.

The next field, Trigger Level, allows you to choose which events trigger exclusion of a gateway. The choices are Member Down, Packet Loss, High Latency, and Packet Loss or High Latency. I chose Packet Loss as the trigger. You can enter a brief Description, and press the Save button. On the next page, you’ll need to press the Apply Changes button.

Next, you need to redirect your firewall traffic to the new gateway. Navigate to Firewall -> Rules, and click on the tab of the interface whose traffic you want to redirect (e.g. LAN). Press the plus button to add a new rule. The default settings can be kept for most settings (Source and Destination should both be set to any). Scroll down to Advanced features, and press the Advanced button in the Gateway section. Select the gateway set up in the previous step in the dropdown box. Enter a brief Description, and press the Save button. On the next page, press the Apply Changes button. If you need to redirect traffic on other interfaces, you will have to set up firewall rules for those interfaces as well.

Finally, you need to navigate to System -> General Setup and make sure you have at least one DNS server for each ISP. This ensures that you still have DNS service if one or more gateways goes down. You may need to set up static routes for your DNS servers; part two of this series went into some detail on how to do this.

Once the gateway groups and firewall rules are configured, your multi-WAN load balancing setup should be complete.

External Links:

Network Load Balancing on Wikipedia

pfSense Multi-WAN Configuration: Part Two

pfSense multi WAN

Configuring the DNS forwarder in pfSense 2.2.4.

In the first article, we covered some basic considerations with a multi-WAN setup. in this article, we will cover multi-WAN configuration.

First, the WAN interfaces need to be configured. You should set up the primary WAN the same way you would in a single WAN setup. Then for the OPT WAN interfaces, select either DHCP or static, depending on your Internet connection type. For static iP conncections, you will need to fill in the IP address and gateway.

Next, you need to configure pfSense with DNS servers from each WAN connection to ensure it is always able to resolve DNS. This is important, especially if your network uses pfSense’s DNS forwarder for DNS resolution. If you only use one ISP’s DNS servers, an outage of that WAN connection will result in a complete Internet outage regardless of your policy routing configuration.


pfSense uses its routing table to reach the configured DNS servers. This means without any static routes configured, it will use only the primary WAN interface to reach DNS servers. Static routes must be configured for any DNS server on an OPT WAN interface to reach that DNS server. Static routes must be configured for any DNS server on an OPT WAN interface, so pfSense uses the correct WAN interface to reach that DNS server.

This is required for two reasons. [1] Most ISPs prohibit recursive queries from hosts outside their network. Thus, you must use the correct WAN interface to access that ISP’s DNS server. [2] If you lose your primary WAN interface and do not have a static route defined for one of your other DNS servers, you will lose all DNS resultion ability in pfSense, since all DNS servers will be unreachable when the system’s default gateway is unreachable. If you are using pfSense as your DNS server, this will result in a complete failure of DNS for your network.

pfSense Multi-WAN: Static IPs vs. Dynamic IPs

A setup that has all static IPs on the WAN interfaces is easy to handle, as each WAN has a gateway IP that will not change. Dynamic IP WAN interfaces, on the other had, pose difficulties because their gateway is subject to change and static routes in pfSense must point to a static IP address. This usually is not a major problem, since only the IP address changes while the gateway remains the same. If your OPT WAN public IP changes subnets (and therefore gateways) frequently, use of the DNS forwarder in pfSense is not an acceptable solution for redundant DNS servcies; you will still have no reliable means of reaching a DNS server over anything other than the WAN interface.

pfSense multi-WAN

Configuring DNS servers with multiple WAN interfaces in pfSense 2.2.4.

With dynamic IP WANs, you have two alternatives. Because traffic from the inside networks is policy routed by your firewall rules, it is not subject the the limitation of requiring static routes. You can either use DNS servers on the Internet on all your internal systems, or use a DNS server or forwarder on your internal network. As long as DNS requests are initiated from inside your network and not on the firewall itself (as it is in the case of the DNS forwarder), static routes are not required and have no effect on traffic initiated inside your network when using policy routing.

A second option to consider is using one of your DNS server IPs from each Internet connection as the monitor IP for that connection. This will automatically add the appropriate static routes for each DNS server.

If you have a mix of statically and dynamically addressed WAN interfaces, then the primary WAN should be one of your dynamic IP WANs, as static routes are not required for DNS servers on the primary WAN interface.

The image on the right shows separate DNS servers with a multi-WAN setup in pfSense. In System -> General Setup, you can enter the DNS servers, and you can select the gateway used with the selected DNS server in the dropdown box on the right. As you can see, I have selected different WAN interfaces for each of the DNS servers, so the two WAN interfaces (WAN and WAN1) are not dependent on the same DNS server.


 

External Links:

Network Load Balancing on Wikipedia

Configuring Dynamic DNS in pfSense

pfSense DDNS

Adding a domain name at the Duck DNS website.

Dynamic DNS (DDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DNS configuration of its configured hostnames and/or addresses. The term is used to describe two separate concepts. The first is dynamic DNS updating, which refers to systems that are used to update traditional DNS records without manual editing; this mechanism is described in RFC 2136. The second permits lightweight and immediate updates, often using an update client. These clients provide a persistent addressing method for devices that change their location or IP addresses.

Most internet users who have consumer-grade internet access have a dynamic IP address, most likely assigned by their Internet service provider’s (ISP) DHCP server. These types of IP addresses pose a problem if the user wants to provide a service to other users on the Internet (e.g. a file server). DDNS provides a solution to this problem by providing a means of mapping a potentially rapidly changing IP address to a domain name without suffering the delay which it usually takes for a DNS change to propagate through the hierarchy of DNS servers.


Over the years, several companies and organizations have provided dynamic DNS capabilities. One such company, Dyndns (now called Dyn), provided a free domain name. In 2014, Dyn discontinued their free domain name service. They now charge $40 a year, which I still consider to be a reasonable price. But why pay for domain names when you can still get them for free? Duck DNS provides up to 5 free domain names (all subdomains of duckdns.org; e.g. mydomainname.duckdns.org) and is easy to configure with pfSense. In this article, I will outline the process.

Configuring Dynamic DNS: Creating a Duck DNS Domain Name

First, create a free account on Duck DNS. Once you have done this, scroll down to the domains section of the page. There will be an edit box for entering your domain name and a green add domain button. Enter a domain and press this button; if your domain isn’t taken already, you should see a page similar to the one shown in the screen capture in which your new domain is listed.

Next you need to install the Duck DNS client on your computer. The Windows version of the client can be downloaded from www.etx.ca and installed easily. The Linux version can be installed even more easily. You will need to install zenity, cron and curl first. Cron comes with most if not all Linux distros; zenity and curl can be installed with the apt-get command. There is a script you can download and execute which provides the same functionality as the Windows Duck DNS client. You will need to enter the domain you created in the first step in the Domain field and in the Token field you need to enter the token generated by Duck DNS for your domain. [This token can be found in the as part of the Update URL provided in the pfSense installation instructions on the Duck DNS website. The token is the part between token= and the ampersand.]

Configuring Dynamic DNS: Adding a DynDns Entry in pfSense

pfSense DDNS

Adding a DynDns entry in pfSense 2.2.4.

With Duck DNS configured and the client installed, now we can log into our pfSense box and configure DynDNS. From the pfSense menu, navigate to Services -> Dynamic DNS. There will be two tabs on the page: DynDns and RFC2136; select DynDns if it is not already selected. Press the plus button to the right of the table to add a new entry. For Service type, select Custom from the dropdown box. The Username and Password fields can be left blank. For the Update URL, you need to copy and paste the URL provided in the pfSense installation instructions on the Duck DNS webside. [You can find this instructions page by clicking on install on the menu at the top and then clicking on pfSense in the Routers section.] For Results Match, enter OK. Once these settings are entered, click on Save to save the changes.

Now the dynamic DNS configuration is complete, but since the whole point of setting up DDNS is to make services on your home network available to others, you are probably going to want to add an entry to the Network Address Translation (NAT) table to redirect incoming traffic to the node providing the service. You also need a corresponding firewall rule to allow the traffic through (NAT can create such a rule automatically). This is assuming that you didn’t already alter the NAT/firewall rules for the service you want to make available. One potential issue is that your ISP may block port 80 traffic, so if you want to set up your own web server, you may have to use a different port. [You can use NAT to redirect traffic from the port you selected to port 80.] If you cannot access the service you are trying to make available from the WAN side, you might want to try a different port and see if it works.


External Links:

Dynamic DNS on Wikipedia

Duck DNS website

 

Video: Configuring Dynamic DNS with pfSense

You may want to set up a domain name for your home or SOHO WAN IP. This video demonstrates how to do this. In this video I cover:

  • What DDNS is, why you might want to use it, and different methods of implementing DDNS
  • Configuring Duck DNS on the Duck DNS web site; downloading and installing the Duck DNS client
  • Configuring DDNS in pfSense and setting up NAT so we can access an Apache web server behind the firewall
  • Accessing a web site using the domain name I set up in the previous steps

IPsec VPN Configuration in pfSense: Part One

IPsec VPN

Phase 1 IPsec configuration in pfSense 2.2.4.

In the previous article, we covered how to set up a PPTP VPN connection in pfSense, and how to connect to it in Mint Linux. Since PPTP relies on MS-CHAPv2, which has been compromised, we probably want to use another method if security is paramount. In this article, we will cover setting up an IPsec tunnel with pfSense and connecting to it with Mint Linux.

IPsec VPN Configuration: Phase 1

First we need to set up the IPsec tunnel in pfSense. Navigate to VPN -> IPsec and click on the plus button on on the lower right to add a new tunnel. Under General information, there is an entry for Interface, where we select the interface for the local endpoint of the tunnel. Since our end user will be connecting remotely, the local endpoint should be WAN. The next entry is Remote Gateway, where we enter the IP address or host name of the remote gateway. Enter a brief description and scroll down to the Phase 1 proposal (Authentication) section. At Pre-Shared Key, you need to enter a key (PSK), which will essentially be the tunnel’s password. Whether you alter the Phase 1 proposal (Algorithms) settings or not, take note of the settings, as we will need them for future reference. Press the save button at the bottom to save the Phase 1 configuration. On the next page, press the Apply changes button to commit changes.

IPsec VPN

Phase 2 IPsec configuration.

IPsec VPN Configuration: Phase 2

Now there should be a new entry in the IPsec table for the new Phase 1 configuration. Click on the big plus button underneath the entry you just created to initiate Phase 2 configuration. This section should expand, revealing an empty table for Phase 2 settings. Click on the (smaller) plus button to the right of the table to bring up the Phase 2 settings page. For Mode, you can select whichever method you prefer, but note that whoever connects will have to use the same method. For Local Network, enter the network or address to which you want to give the VPN user access (probably LAN net). For Remote Network, enter the address of the remote end of the VPN tunnel. Enter a brief description. In the Phase 2 proposal section (SA/Key Exchange), set the protocol and encryption options, again taking note of them for future reference (AES-256 is the commonly used standard). When you are done, press the Save button at the bottom of the page. Press the Apply changes button on the next page to commit changes. Finally, check the Enable IPsec check box on the main IPsec page and press the Save button.


Now that Phase 1 and Phase 2 configuration are complete, all that remains is to create a firewall rule for IPsec traffic. Navigate to Firewall -> Rules. There should be a new tab for IPsec; click on it. There may already be a rule there allowing traffic to pass to whatever network or address you specified in the Phase 2 configuration. If not, then create one now by pressing the one of the plus buttons on this page. Most of the default settings can be kept, but set Destination to the network or address specified in Local Network in the Phase 2 configuration. For Destination port range, specify any. Add a brief description, and press the Save button. On the next page, press the Apply changes button to commit these changes.

In part two of this article, we will cover connecting to the VPN tunnel from the remote node.

External Links:

IPsec on Wikipedia

pfSense IPsec configuration information from the official pfSense site

PPTP VPN Configuration in pfSense

PPTP VPN

Configuring the PPTP VPN settings in pfSense 2.2.4.

A virtual private network is a means of extending a private network across a public network. The public network is most commonly the Internet, although not always. It enables a computer or network-enabled device to send and receive data across shared or public networks as if it were directly connected to the private network. A VPN establishes a virtual point-to-point connection to the destination network. Major implementations of VPNs inclue OpenVPN, IPsec, L2TP and PPTP.

pfSense makes it easy to set up a VPN connection, with support for all four of the abovementioned VPN protocols. [m0n0wall, which I used prior to making pfSense my primary firewall, supported IPsec and PPTP.] In this article, I will demonstrate how to configure a PPTP connection with pfSense, and connect to it with a Mint Linux system.


PPTP VPN Configuration: Configuring the PPTP Server

After logging into your pfSense firewall, navigate to VPN -> PPTP. From the Configuration tab, select the Enable PPTP server radio button. For Server address, you should enter an IP address on an unused subnet. For Remote address range, you should specify the starting address for VPN users (presumably on the same subnet as the server address). Scroll to the bottom and check the Require 128-bit encryption check box. Press the Save button at the bottom of the page.


Now PPTP is enabled, but we still have to create users and a firewall rule. Click on the Users tab and press the Plus button to add a user. Enter a username and password (you have to enter it twice). If you want to assign a specific IP address to this user, you can do it here. Press the Save button when you’re done.

PPTP VPN

Creating an firewall rule to allow traffic to pass from the VPN to the LAN.

Now all we have to do is add a firewall rule. Navigate to Firewall -> Rules. You will see that in addition to tabs for all your interfaces (LAN, WAN, DMZ/OPT1, etc.) there is a tab for PPTP. Click on that tab, and click on the Plus button to the right of the table to add a rule. For Destination, select LAN net (to allow access to the LAN network from our VPN), and for Destination port range, select any. Add a brief Description (e.g. “Allow PPTP to LAN”) and press the Save button. [All other settings can be kept at the default values.] Once the rule is saved, press the Apply changes button on the next page to force a reload of the firewall rules.


PPTP VPN Configuration: Testing the Connection in Linux Mint

Our setup of the pfSense firewall for VPN is complete; now we need to test it. Your mileage may vary depending on what operating system you use. I used Mint Linux to connect. In Linux Mint, click on the connection icon in the system notification area of the toolbar. A box with various networking options should appear. In this box, click on Network Connections. This should open the Network Connections dialog box. [You can also reach this dialog box by navigating to Preferences -> Network Connections on the Mint Linux menu, also accessible from the toolbar.] In this dialog box, click on the Add button. This will launch the Choose a Connection Type dialog box, choose Point-to-Point Tunneling Protocol (PPTP) and press the Create button. At Gateway (on the VPN tab), enter the WAN IP address of your pfSense firewall (or the domain name of your WAN gateway, if you have one). For User name and Password, enter the username and password you created when you were setting up PPTP on your pfSense box. Press the Advanced button and check the Use Point-to-Point encryption (MPPE) check box. This will enable the Security dropdown box, select 128-bit (most secure. Check the Allow stateful encryption check box. Press the OK button to save these settings. Next, click on the IPv4 Settings tab and for Method, select Automatic (VPN) addresses only from the dropdown box. Click on the Save button at the bottom of the dialog box to save the VPN connection settings.

PPTP VPN

Configuring the advanced settings in Mint Linux for our VPN connection.

Now, the VPN connection settings are saved and you should be able to connect. Again click on the connection icon in the system notification tray. In the box that appears, there should be a new section called VPN Connections. Click on the VPN connection you just created (most likely, VPN connection 1), when you do, Linux Mint will try to establish a VPN connection. If it works, you should be connected to the VPN.

If it doesn’t work, there can be several reasons. If the connection attempt fails without even connecting to your pfSense box, then you should make sure that the WAN interface of your pfSense box is reachable from your network. If, however, Mint Linux is able to connect to your pfSense box but the connection still fails (the more likely scenario), your VPN connection settings may be incorrect. In particular, you should check to make sure the security settings are correct (you must choose 128-bit encryption and allow stateful encryption). If you double-check the settings and everything seems to be right and you still cannot connect, then the mistake may have been how you configured PPTP in pfSense, so you probably should double-check those settings. If you are now connected to the VPN, you should be able to access LAN resources the same as a local LAN user would be able to access them.

One final note is that we should be mindful of the fact that VPN connections are encrypted, and encrypting data requires additional CPU power. One user connecting via VPN shouldn’t create an appreciable strain on the CPU, but 50 VPN users surely will. There is specialized hardware that you can purchase; Soekris is the most prominent manufacturer of such hardware, and installing them in your pfSense box will relieve the CPU of the computing-intensive tasks of encryption and compression. In most cases, however, the cheaper option is to just buy a faster CPU. In any case, you will probably want to consider VPN usage when you develop the specifications for your pfSense box.



External Links:

Virtual private network on Wikipedia.

Product page for vpn 14×1 products on the Soekris website.

 

Video: Setting Up VLANs in pfSense

A single layer 2 network can be partitioned into two or more broadcast domains so we don’t have to add switches every time we want to add another network. This video shows how to set up 802.1Q VLANs with pfSense.

Video: Demonstration of Squid Overriding Firewall Rules in pfSense

One phenomenon I initially didn’t understand is the fact that once Squid is enabled in an interface, it overrides any firewall rules you might have for ports that are controlled by Squid (80 and, if you enable the SSL proxy, 443). This is important to understand if you already have firewall rules in place. This video demonstrates this in practice.

Video: Installing and Configuring Squid3 in pfSense

In this video, I demonstrate how to install and configure the Squid3 package in pfSense. Although the older version of Squid is generally considered more stable, Squid 3.0 incorporates a number of features not included in the older Squid, including the ability to act as a proxy for SSL traffic. See the release notes for more information. As demonstrated in this video, installation and configuration of Squid3 is almost as easy as it is for the original Squid.

Video: pfSense Rule Advanced Options

In this video, I use advanced firewall rule options to create a rule that only applies to Windows systems.

© 2013 David Zientara. All rights reserved. Privacy Policy