pfSense Load Balancing: Part One

pfSense Load Balancing

Configuring OPT1 as WAN2 so we can set up a gateway group later on.

In computer networking, load balancing is a method for distributing workloads across multiple computers or a computer cluster, network links, CPUs, storage devices, or other resources. When load balancing is employed, we are looking not just to distribute workloads but to optimize resource use, maximize throughput, minimize response time, and avoid overhead. Using multiple components with load balancing instead of a single company can also increase reliability through redundancy. Load balancing has implicit failover capabilities, since load balancing software is capable of detecting when a resource (e.g. network interface, hard drive) is down and excludes it from the group. Load balancing is usually provided by dedicated software or hardware, such as a multilayer switch or a Domain Name System process, or, as we shall soon see, through pfSense. In this article, I will begin our look at pfSense load balancing.


pfSense Load Balancing: Gateway Configuration

As an example, let’s assume we want to set up multiple WAN interfaces and use load balancing on the group. A default WAN gateway was already created when pfSense was set up. In this example, we will use OPT1 as an additional gateway, and then add both the default interface and OPT1 to a newly-created gateway group, which will employ pfSense load balancing to distribute the workload in round-robin fashion.

The first part of our configuration follows the steps outlined in my <a href=”http://pfsensesetup.com/pfsense-gateways/”>article on gateways</a>. In order to set up our second gateway, first browse to System -> Routing. Click on the “Gateway” tab, if it is not already selected. Click on the “plus” button to add a new gateway. At “Interface”, select OPT1 in the drop-down box. At “Name”, type a name, such as “WAN2”. At “Gateway”, type in the IP address of the network interface (in this case, 192.168.3.1). Check “Default Gateway”, and at “Description”, add a description. Then press the “Save” button to save changes, and, if necessary, press the “Apply changes” button on the next screen.


Next, we will make some changes to the WAN interface (the one described as “Interface WAN Dynamic Gateway”). From the Gateways tab, click on the “edit” button. We can leave “Interface and Name” unchanged, but at “Gateway” we will type an IP address (in this case, 192.168.3.11). Click on “Default Gateway” and change the description to something appropriate (e.g. “WAN gateway). Then press the “Save” button to save the changes, and press the “Apply Changes” button if necessary.

Now we have the two interfaces configured correctly. In part two of this series on pfSense load balancing, we will take our newly-configured WAN interfaces and add them to a gateway group, and configure load balancing for the group.

Erratum: The Original Instructions I Posted Contained an Error, and Here’s Why

It occurred to me when composing Part Two of this article that I made a mistake. I set the WAN gateway to 192.168.4.1 originally; however, since WAN2 is on the 192.168.3.0 subnet, and both WAN gateways will likely be connecting to the same network, they should be on the same subnet. Therefore, I amended the instructions for Part One so that WAN is set to 192.168.3.11. I apologize for any confusion I may have caused.

Other Articles in This Series

pfSense Load Balancing: Part Two

pfSense Load Balancing: Part Three (Web Server Failover)

External Links:

Load Balancing at Wikipedia

Setup Incoming pfSense Load Balancing at doc.pfsense.org

Multi-WAN Load Balancing at pfsensesolution.blogspot.com

pfSense Gateways Explained

pfSense Gateways

Adding and configuring a gateway in pfSense 2.0.

pfSense gateways are relatively easy to add and configure, and pfSense also supports gateway groups, which I will briefly discuss in this article (a more detailed explanation, however, will be the subject of a future article). A gateway is a router interface connected to the local network that sends packets out of the local network. It has both a physical and a logical address. Since it is involved in sending packets to other networks, it operates at the network layer of the OSI Model. When packets are sent over a network, the destination IP address is examined. If the destination IP is within the network, the router can use the Address Resolution Protocol (ARP) table to find the MAC address of the target host and send the packets.


If the destination IP is outside of the network, however, then will not be able to find the MAC address of the target host in its ARP table. The packet will go to the gateway for transmission outside of the network. In this case, the frame header will add the gateway’s MAC address (the gateway operates on the data link layer of the OSI model as well). The gateway is on the same network as host devices and must have the same subnet mask as host devices. Each host on the network uses the same gateway.

Adding pfSense Gateways

pfSense Gateways

Now that we have added our gateway, it shows up on the list.

Unless you are configuring a gateway group, pfSense gateways should not take long to set up. To add a gateway, navigate to System -> Routing. Click the “Gateways” tab if it is not already selected and click the “plus” button to add a new gateway. At “Interface“, select a network interface for the new gateway. At “Name“, specify a name for the gateway (no spaces). At “Gateway“, specify the IP address for the gateway (it must be a valid IP address on the interface). Check the “Default Gateway” checkbox to make this the default gateway. The next checkbox is “Disable Gateway Monitoring“; check this if you want to disable monitoring so pfSense will consider this gateway as always being up. At “Monitor IP“, you can assign an an alternative address to be used to monitor the link. It will be used for the quality Round Robin Database (RRD) graphs as well as the load balancer entries. Leave it blank to use the gateway’s IP address by default. At “Description“, add a description if desired. Finally, press “Save” to save the changes and “Apply Changes” to apply the changes if necessary. Now the new gateway should appear on the list of pfSense gateways at the “Gateways” tab.

There are a number of advanced options for pfSense gateways you can view by clicking the “Advanced” button just below the “Alternative monitor IP” edit box. The “Weight” drop-down box allows you to assign a weight for the gateway when used in a gateway group. Gateway groups are just what their name implies. They group together gateways to act in a coordinated fashion. Increasing the weight of the gateway increases the likelihood it will be used. “Latency thresholds” defines the low and high water marks for latency in milliseconds. Once latency exceeds the high water mark, the gateway will go down. The default latency thresholds are 10 ms and 50 ms. “Packet Loss Thresholds” define the low and high water mark for packet loss in percentage. Again, once packet loss exceeds the high water mark, the gateway goes down. The defaults are 1% and 5%. “Frequency Probe” defines in seconds how often an ICMP probe will be sent. The default is 1 second. “Down” defines the number of bad probes before the alarm will be sent. The default is 10.

Now that the OPT1 is configured as the gateway, packets whose destination is outside of the network will be forwarded to OPT1. There, the frame will be stripped off the packets, leaving the IP packets with the IP address of the destination host. The gateway interface will then wrap the IP packets in whatever type of frame the outgoing connection needs, and sends them toward the target host.


External Links:

Settings for pfSense Gateways at doc.pfsense.org

How to set up a pfSense firewall when the default gateway is on a different subnet

pfSense Gateway Grouping

DHCP Server Configuration in pfSense

DHCP

pfSense’s DHCP configuration page in the web GUI.

In the first four parts, I covered installation and setup from the LiveCD, general configurations in the web GUI, WAN and LAN configuration, and setting up a DMZ. In this part, I cover setting up a DHCP server within pfSense. In many scenarios, you will want your pfSense router to also act as a DHCP server. In this case, pfSense’s DHCP service will assign an IP address to any client who requests one.

To configure the DHCP server, go to Services -> DHCP Server. Choose the interface on which the DHCP Server will be active (in this case, I chose LAN). Check “Enable DHCP server on LAN interface“. The next option is “Deny Unknown Clients“. Enabling this option ensures that only clients with static DHCP mappings will receive an IP address. DHCP requests from all other clients will be ignored. If you enable this option, you will have to enter the static DHCP mappings at the bottom of the settings page. Static DHCP mappings will be covered in the next article.


Next, at “Range“, choose a range of IP addresses for DHCP clients to use. THe range must be contiguous and within the available range listed above “Range“.

The next setting is “WINS Servers“. WINS stands for Windows Internet Name Service, which is used to map NetBIOS names to IP addresses on Windows-based systems. Unless you are running a WINS server, you can leave this field blank. Next is “DNS Servers“. Here you can specify any DNS server to be automaticaly assigned to your DHCP clients. If left blank, pfSense will automatically assign DNS servers to your clients on one of the following two ways:

  • If DNS Forwarder is enabled, then the IP address of the interface is used. This is because the DNS Forwarder turns the pfSense machine into a DNS server, so the IP of the pfSense machine is assigned to each client.
  • If DNS Forwarder is not enabled, then the DNS servers entered on the “General Setup” page are used. And if “Allow DNS server list to be overridden by DHCP/PPP on WAN” is enabled in “General Setup”, then the DNS servers obtained through the WAN will be used instead.

The next option is “Gateway“. The interface gateway will be provided to clients by default (the static IP of the interface), but it can be overridden here if necessary.The domain name specified in the General Setup is used by default, but you can specify an alternative under “Domain Name”.

An alternative lease time can be specified under “Default Lease Time” for clients who do not request a specific expiration time. For those who request a specific expiration time, you can set an alternative under “Maximum Lease Time“.


CARP-configured systems can specify a fail-over IP address under “Failover Peer IP“. Enabling “Static ARP” will only allow clients with DHCP mappings to communicate with the firewall on this interface. Unknown clients will still receive an IP address from the DHCP server, but communication to the firewall will be blocked. [This differs from “Deny Unknown Clients“, where unknown clients won’t get an IP address.]

Dynamic DNS” enables clients to automatically register with the Dynamic DNS domain specified. Under “Additional BOOTP/DHCP Options” allows you to enter custom DHCP options.

Press the “Save” button to save the changes, and press the “Apply” button to apply changes, if necessary.

By now, your DHCP server should be up and running and ready to accept clients. In the next article, I will cover static DHCP mappings.

DHCP Configuration External Links:

DHCP server documentation at pfsense.org
BOOTP/DHCP options

© 2013 David Zientara. All rights reserved. Privacy Policy