
Author Topic: Multi WAN v2 how to use with Local Services, DNS, NTP, SYSLOG, Squid etc?  (Read 4820 times)


communig8
One of the great new features of pfSense v2 is supposed to be support for local services to take advantage of Multi WAN.
Thus allowing Round Robin balancing and failover for outbound connections initiated by such services as squid.

Having read http://doc.pfsense.org/index.php/Multi-WAN_2.0
there is the only mention of local services and that says to look in the forums.

I have found information relating specifically to squid but I was looking for a more generalised document that would explain
how local services can be used or should be configured to take advantage of Multi WAN v2. I would also like some general
explanation of the process used to offer policy based routing to any given traffic in terms of how the NAT and Firewall rules
work (and in which order!) to bend the default routing used by the network stack.

I have seen many posts from users who have struggled with implementing Multi-WAN for Local Services, which in general end
up with comments like "I have tried all the suggestions but still all my traffic goes via the default gateway".

This suggests to me that some hard facts on how it works would help us all see though the cloud of smoke and mirrors that surrounds this feature.

I hope some kind soul can point me in the correct direction?
Thanks in advance, Richard

Signatures are a sign of having signatures.

communig8
No replies, so it looks like it's all still a mystery!

In the meantime, I've pulled together all the testing and reading I've done and put it here:

http://www.communig8.com/articles/64-open-source/137-pfsense-multi-wan-how-to-really-make-it-work

If you are interested, please have a read and let me know what I got wrong!

Thanks, Richard

Kyushu
The article is very nice! :)

I am somehow a bit lost regarding the floating rule. Some guides use the first WAN address as the source; however, I saw that you use "ANY" as the source. Could you please explain this?

Many thanks!

communig8
Kyushu,

I've updated the article on my site with some additional explanation on the floating rule.
Could you have a look and see if it answers your question?

Thanks, Richard

Kyushu
It did answer my question. Your article is really very good and will definitely help a lot of pfSense+Squid+Multiwan users.

Thanks so much!

--
Although somehow, I still can't figure out why our pfSense is acting weird on its failover and traffic redirection, and why browsing sometimes freezes while squid is running on it. In the meantime, we have put squid on a different machine so that pfSense works properly.


jikjik101
Re: Multi WAN v2 how to use with Local Services, DNS, NTP, SYSLOG, Squid etc?
« Reply #5 on: February 16, 2013, 01:27:34 am »
It didn't work for me.  ???

communig8
Re: Multi WAN v2 how to use with Local Services, DNS, NTP, SYSLOG, Squid etc?
« Reply #6 on: February 16, 2013, 02:08:19 am »
> It didn't work for me.  ???

What didn't? Any details? What have you tried?

jikjik101
Re: Multi WAN v2 how to use with Local Services, DNS, NTP, SYSLOG, Squid etc?
« Reply #7 on: February 16, 2013, 07:18:14 pm »
I am using 2.0.3 PreRelease and I think you can load balance directly with transparent squid even without adding the first 6 LAN rules.
All you have to do is add the floating rule and the last LAN rule from your HowTo.
Of course you need to set up squid as stated in your procedure.

But my network requirement is that I need to use three gateway groups: LoadBalance, FailOver1 and FailOver2. LoadBalance is a failover already, but there are some LAN clients that I want to use FailOver ONLY, with ISP1 as their primary WAN, and the same with FailOver2.

LoadBalance = ISP1 (tier1) and ISP2 (tier1)
FailOver1 = ISP1 (tier1) and ISP2 (tier2)
FailOver2 = ISP1 (tier2) and ISP2 (tier1)

Inside my LAN, I have three groups: LAN1, LAN2 and LAN3. LAN1 will use LoadBalance as its GW, LAN2 FailOver1 and LAN3 FailOver2.

I created three floating rules, one for each gateway group.
Under the LAN tab, I assigned the specific gateway group.

The problem is that whichever rule is last in the Floating tab is the one followed by all the gateway groups. For example, if the last rule is LoadBalance, all my LAN groups will use LoadBalance even if I specify them to use FailOver1 or FailOver2.


communig8
Re: Multi WAN v2 how to use with Local Services, DNS, NTP, SYSLOG, Squid etc?
« Reply #8 on: February 17, 2013, 06:22:47 am »
> I am using 2.0.3 PreRelease and I think you can load balance directly with transparent squid even without adding the first 6 LAN rules.
> All you have to do is add the floating rule and the last LAN rule from your HowTo.
> Of course you need to set up squid as stated in your procedure.
>
> But my network requirement is that I need to use three gateway groups: LoadBalance, FailOver1 and FailOver2. LoadBalance is a failover already, but there are some LAN clients that I want to use FailOver ONLY, with ISP1 as their primary WAN, and the same with FailOver2.
>
> LoadBalance = ISP1 (tier1) and ISP2 (tier1)
> FailOver1 = ISP1 (tier1) and ISP2 (tier2)
> FailOver2 = ISP1 (tier2) and ISP2 (tier1)
>
> Inside my LAN, I have three groups: LAN1, LAN2 and LAN3. LAN1 will use LoadBalance as its GW, LAN2 FailOver1 and LAN3 FailOver2.
>
> I created three floating rules, one for each gateway group.
> Under the LAN tab, I assigned the specific gateway group.
>
> The problem is that whichever rule is last in the Floating tab is the one followed by all the gateway groups. For example, if the last rule is LoadBalance, all my LAN groups will use LoadBalance even if I specify them to use FailOver1 or FailOver2.



jikjik101,

The rules I used in the article were required to support the environment that I described, which was more than just outbound WAN load balancing.
The first 6 rules provide the environment for pings for testing, the DNS forwarder, NTP, direct (not transparent) squid usage and access to the pfSense GUI.
All the sort of stuff you need in a real implementation.

It's important to understand that the floating rule is there to balance requests that go via squid.
The source IP of HTTP requests, when using the configuration I documented, will be 127.0.0.1
regardless of the LAN interface they originated from. Because of this you cannot build rules that handle
traffic from different LAN interfaces in different ways with squid intercepting the requests.

If, however, you do not use squid and allow the LAN requests to flow directly through pfSense, you can
add rules for each LAN interface that balance or failover as required.

Richard
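The behaviour jikjik101 describes (the last floating rule wins) and Richard's explanation (squid re-originates every request from 127.0.0.1, so per-LAN rules can no longer tell the clients apart) both follow from how pf evaluates rules: rules are scanned in order and the last matching rule wins, unless a matching rule is marked "quick", which ends the scan at once. pfSense lists floating rules before interface rules and leaves floating rules non-quick by default, while interface-tab rules are quick. The following toy model is an added example, not code from the thread or from pfSense; the interface names, subnets and rule names are constructed, and it ignores states, NAT and the second filter pass on the outbound interface, deciding the gateway at the first rule that passes the packet.

```python
"""Toy model of pf rule evaluation as it affects policy routing.

Semantics modelled: scan rules in order, last match wins, a matching
'quick' rule stops the scan.  Floating rules come first and are not
quick; interface rules are quick.  All names and addresses below are
constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str         # source address as pf sees it
    dst_port: int
    iface: str       # interface the packet is evaluated on
    direction: str   # "in" or "out"


@dataclass
class Rule:
    name: str
    gateway: str                      # gateway group the rule routes to
    iface: Optional[str] = None       # None matches any interface
    direction: Optional[str] = None   # None matches either direction
    src_prefix: Optional[str] = None  # crude textual prefix match, None = any
    dst_port: Optional[int] = None    # None = any port
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.direction is None or self.direction == p.direction)
                and (self.src_prefix is None or p.src.startswith(self.src_prefix))
                and (self.dst_port is None or self.dst_port == p.dst_port))


def evaluate(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """pf-style evaluation: remember the last match, stop early on 'quick'."""
    winner = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:
                break
    return winner


# Three floating rules, one per gateway group, as in jikjik101's setup:
# HTTP leaving on WAN from any source, none of them quick.
FLOATING = [
    Rule("float-LoadBalance", "LoadBalance", iface="WAN", direction="out", dst_port=80),
    Rule("float-FailOver1", "FailOver1", iface="WAN", direction="out", dst_port=80),
    Rule("float-FailOver2", "FailOver2", iface="WAN", direction="out", dst_port=80),
]

# Per-LAN interface rules (quick), each pinning its clients to a gateway group.
LAN_RULES = [
    Rule("LAN1-pass", "LoadBalance", iface="LAN1", direction="in", src_prefix="192.168.1.", quick=True),
    Rule("LAN2-pass", "FailOver1", iface="LAN2", direction="in", src_prefix="192.168.2.", quick=True),
    Rule("LAN3-pass", "FailOver2", iface="LAN3", direction="in", src_prefix="192.168.3.", quick=True),
]


def gateway_direct(client_ip: str, lan_iface: str, floating: List[Rule] = FLOATING) -> Optional[str]:
    """Client traffic that squid does not intercept: first seen inbound on its LAN."""
    p = Packet(client_ip, 80, lan_iface, "in")
    w = evaluate(floating + LAN_RULES, p)
    return w.gateway if w else None


def gateway_via_squid(floating: List[Rule] = FLOATING) -> Optional[str]:
    """Squid re-originates the request from 127.0.0.1 and it leaves on WAN,
    so the LAN rules never see it and only the floating rules can match."""
    p = Packet("127.0.0.1", 80, "WAN", "out")
    w = evaluate(floating + LAN_RULES, p)
    return w.gateway if w else None


if __name__ == "__main__":
    print("LAN2 client, direct:", gateway_direct("192.168.2.10", "LAN2"))
    print("any client, via squid:", gateway_via_squid())
    print("via squid, floating order reversed:", gateway_via_squid(list(reversed(FLOATING))))
```

Run directly, the script shows that a client on LAN2 going straight through the box is routed by its own interface rule (FailOver1), while every squid-originated request collapses onto whichever floating rule is listed last, and reordering the floating tab simply changes which group wins. The model also lets you check the obvious remedies: making one floating rule quick makes that rule win instead, and restricting the floating rules by source does nothing here because every squid request carries the same 127.0.0.1 source, which is exactly the limitation Richard describes.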

jikjik101
Re: Multi WAN v2 how to use with Local Services, DNS, NTP, SYSLOG, Squid etc?
« Reply #9 on: February 17, 2013, 07:50:02 pm »
Hi Richard,

I understand you put the 6 rules because that is the requirement of your network, but unlike mine, I am more "flexible": http://forum.pfsense.org/index.php/topic,57606.msg316361.html#msg316361

Can we skip the first 6 rules, because I am more interested in Multiwan Squid?

If you can see in my floating rule, HTTP for LoadBalance is at the bottom. No matter what gateway group I assign in my LAN, they will still use the LoadBalance gateway and this puzzles me.

If you want more details, I can give it to you. You don't know how desperate I am to run MultiWan Squid. ;D

communig8
Re: Multi WAN v2 how to use with Local Services, DNS, NTP, SYSLOG, Squid etc?
« Reply #10 on: February 18, 2013, 02:01:28 am »
It looks like you may not have fully read my last post.

jikjik101
Re: Multi WAN v2 how to use with Local Services, DNS, NTP, SYSLOG, Squid etc?
« Reply #11 on: February 18, 2013, 03:05:30 am »
> It looks like you may not have fully read my last post.

I read it, but I don't quite understand  ;D


> It's important to understand that the floating rule is there to balance requests that go via squid.
> The source IP of HTTP requests, when using the configuration I documented, will be 127.0.0.1
> regardless of the LAN interface they originated from. Because of this you cannot build rules that handle
> traffic from different LAN interfaces in different ways with squid intercepting the requests.

As I said, I need three different gateway groups for my network, not just LoadBalance or FailOver but LoadBalance, FailOver1 and FailOver2.
I tried your HowTo and it works for one gateway group only. Have you tried adding only the floating rule and the tcp_outgoing_address on squid? I believe it will yield the same results as your HowTo.

> It didn't work for me.  ???

I will change this to: even if there is no special setup, all you have to do is add a floating rule, assign it to a gateway group and add the tcp_outgoing_address on squid; then squid will use that floating rule. This is for HTTP traffic only.

communig8
Re: Multi WAN v2 how to use with Local Services, DNS, NTP, SYSLOG, Squid etc?
« Reply #12 on: February 18, 2013, 04:00:20 am »
As I said "You cannot build rules that handle traffic from different LAN interfaces in different ways with squid intercepting the requests."

jikjik101
Re: Multi WAN v2 how to use with Local Services, DNS, NTP, SYSLOG, Squid etc?
« Reply #13 on: February 18, 2013, 06:03:29 pm »
How about from a single LAN interface? Still cannot?

communig8
Re: Multi WAN v2 how to use with Local Services, DNS, NTP, SYSLOG, Squid etc?
« Reply #14 on: February 19, 2013, 02:32:49 am »
Any traffic handled by squid is handled by squid wherever it comes from.
So you cannot build rules that handle different parts of the address range on the LAN
for the same reason as you cannot do it for different interfaces.