pfSense Multi-WAN Configuration: Part One

pfSense multi-WANpfSense incorporates the ability to set up multiple WAN interfaces (multi-WAN), which allows you to utilize multiple WAN connections. This in turn enables you to achieve higher uptime and greater throughput capacity (for example, if the user has one 1.5 Mbps connection and a second 2.5 Mbps connection, their total bandwidth using a multi-WAN setup would be 4 Mbps). It has been reported that some pfSense deployments have used as many as 12 WAN connections, and pfSense may scale even higher than that with the right hardware.

Any additional WAN interfaces are referred to as OPT WAN interfaces. References to WAN refer to the primary WAN interfaces, and OPT WAN to any additional WAN interfaces.

There are several factors to consider in a multi-WAN deployment. First, you’re going to want to use different cabling paths, so that multiple Internet connections are not subject to the same cable cut. If you have one connection coming in over a copper pair, you probably want to choose a secondary connection utilizing a different type and path of cabling. IN most cases, you cannot rely upon two or more connections of the same type to provide redundancy. Additional connections from the same provider are typically a solution only for additional bandwidth; the redundancy provided is minimal at best.

Another consideraton is the path from your connection to the Internet. With larger providers, two different types of connections will traverse significantly different networks until reaching core parts of the network. These core network components are generally designed with high redundancy and problems are addressed quickly, as they have widespread effects.

Whether an interface is marked as down or not is determined by the following ping command:

ping -t 5 -oqc 5 -i 0.7 [IP ADDRESS]

In other words, pfSense sends 5 pings (-c 5) to your monitor IP, waiting 0.7 seconds between each ping. it waits up to 5 seconds (-t 5) for a resoibsem and exits successfully if one reply is received (-o). It detects nearly all failures, and is not overly sensitive. Since it is successful with 80 percent packet loss, it is possible your connection could be experiencing so much packet loss that it is unusable but not marked as down. Making the ping settings more strict, however, would result in false posiitives and flapping. Some of the ping options are configurable in pfSense 2.2.4.

In the next article, we’ll cover WAN interface configuration in a multi-WAN setup.


External Links:

Network Load Balancing on Wikipedia

Arping with pfSense: Installation and Use

Arping

Arping in action under pfSense 2.1.3.

Arping is a computer software tool that is used to discover hosts on a computer network, and is available as a package for pfSense. The program tests whether a given IP address is in use on the local network, and it can get additional information about the device using that address. The utility is similar to the ping utility, which has been discussed on this site in an earlier posting. Whereas ping probes hosts using the Internet Control Message Protocol (a routable protocol that operates on the network layer of the OSI model), arping operates entirely on the data link layer.

There are two popular arping implementations. One of them, part of the Linux iputils suite, cannot resolve MAC addresses to IP addresses. However, the version of this utility that is available as a package for pfSense was written by Thomas Habets and can ping hosts by MAC address as well as by IP address.


Installing Arping

Installing this utility is easy. In the pfSense web GUI, navigate to System -> Packages and click on the “Available Packages” tab. Arping should be on the list. Scroll down to arping and click on the “plus” button on the right side to install arping. The pfSense package installer will ask you to confirm that you want to install arping; press the “Confirm” button. The package installer status window will provide information about the installation and let you know when installation is complete. once it is, arping should appear on the “Installed Packages” tab.

Using Arping

Once arping is installed, you can access arping by navigating to Services -> Arping. From there, you can enter a host ip or MAc address and press the “ARPing” button to ARP ping.

What is it good for, given that the utility essentially replicates the functionality of ping? One case where arping is helpful is when the host you want to ping is firewalled and will not respond to a ping request. Even a firewalled host will respond to ARP.

Another case is when you do not have network layer (layer 3) connectivity to the host you wish to ping (possibly because you want to find out if an IP is taken), but you have data link layer (layer 2) connectivity. Without network layer connectivity, you won’t be able to ping a host, but you can use ARP (since ARP is a data link layer protocol), albeit only for hosts on the local subnet. One note of caution is that on networks employing repeaters that use proxy ARP, the ARP response may be coming from a proxy host and not from the probed target.


External Links:

Arping website for Thomas Habets’ arping

Arping on Wikipedia

Ping Utility in pfSense

The Ping Utility Explained

Ping

Using the Ping utility in pfSense.

Ping is a computer network administration utility used to test the reachability of a host on an IP network and to measure the round-trip time for messages sent from the originating host to a destination host. It operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP response. In the process it measures the time from transmission to reception and records any packet loss.


RFC 1122, which defines communication layer requirements for Internet hosts, says the following about Echo Requests and Replies:

Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies. A host SHOULD also implement an application-layer interface for sending an Echo Request and receiving an Echo Reply, for diagnostic purposes.

An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.

DISCUSSION:

This neutral provision results from a passionate debate between those who feel that ICMP Echo to a broadcast address provides a valuable diagnostic capability and those who feel that misuse of this feature can too easily create packet storms.

The echo request (“ping”) is an ICMP message whose data is to be received back in an echo reply (“pong”). The host must respond to all echo requests with an echo reply containing the exact data received in the request message. The echo reply is an ICMP message generated in response to an echo request, and is mandatory for all hosts and routers.


Using the Ping Utility in pfSense

To use the pfSense ping utility, first navigate to Diagnostics -> Ping. Then at “Host”, set the host to the IP address or hostname of the host we are trying to ping. At “Interface”, choose the interface from which to initiate the ping (WAN for remote hosts, LAN for local hosts). At “Count”, use the dropdown set the number of ping requests (anywhere from 1 to 10; the default of 3 is usually sufficient). Then press the “Ping” button to invoke the utility. Sending out ICMP echo requests is often a useful diagnostic tool; however, multi-WAN is not supported with this utility.

External Links:

Ping at Wikipedia

RFC 1122 (which mandates that Internet hosts reply to ICMP echo requests)

© 2013 David Zientara. All rights reserved. Privacy Policy