Awesome explanation, and exactly what I needed to have fiber and an unlimited cell ISP backup for my home network.
Awesome tutorial, got two gigabit links at my house and so far i've been using them standalone with their own wifi networks... will try this once the new hardware arrives 🙌
This is really an excellent tutorial, thank you so much for the vivid explanation.
You should also mention keeping ongoing sessions on the same gateway with the "sticky" option. That will prevent unwanted behaviour from some applications that receive packets from different gateways and crash or don't work properly. That was apparent in your first bandwidth test, which was load balancing a single stream on both of your gateways, and you probably don't want that, as applications are not made to handle that properly.
Yes, I experience this when using load balancing in MikroTik and pfSense, like when browsing bank websites: it will automatically log you out of the session because of the different source IP.
This should be applied when using a VPN, since this needs an active connection.
Where is this stickiness option? I didn't see it in his video.
I really appreciated your tutorial. It was the best one I've seen yet. I definitely wish that I had found yours before I did my setup! One thing that none of the tutorials explains, however, is what this setup actually does. I had thought, before getting mine set up and tested that is, that everything would be split between the connections, including downloads. Meaning that part of a download (a Linux ISO, for example) would be downloaded through WAN1 and another part would come in through WAN2 to make the effective speed higher. My testing, however, has taught me that that is not how this works at all. If I start downloading that Linux ISO, it will download on, say, WAN1. If I start another download, it will come in through WAN2. It doesn't aggregate the speeds together, but it lessens the load on each connection when downloading from two or more sources at once. Hope this helps anyone that might be thinking the same as I did and couldn't figure out why a test download was only using one connection.
This is an excellent tutorial on the subject - each concept is well explained, and the presentation is not rushed. Congratulations on the result of your efforts!
Thank you very much for the feedback, Eric, I honestly appreciate it!
Great video. I'm about to set up pfSense for my two fiber connections. This was very helpful. Now I need to figure out how to get XCP-ng with Xen Orchestra installed, and pfSense, on my N5105 router box that just came in.
Exactly what I was looking for. Thank you!
Great to hear!
I have done the same settings as you showed in this video, but in failover, when WAN 1 goes down it switches to WAN 2, but when WAN 1 comes up it does not switch back to WAN 1, and also the link status is showing unknown or sometimes pending.
Since Windows has no load balancer anymore, I just installed pfSense on Hyper-V with low vHardware; now I can load balance.
Can I do load balancing & failover at the same time (double filter rule, load balancing & failover)?
Thank you for your nice procedure that you have prepared for load balancing, it was awesome.
I have a question: how to set up two public IP addresses with the same gateway on pfSense? Each public IP address should give web and SSH access to each server, and each server should also be able to communicate locally. Your feedback is highly appreciated.
I will be very happy if you talk about hotspot in MikroTik. I see a lot of videos about it but none of them were really helpful.
Great video, thanks.
Nice video TNB. This is out to peeps that have been running pfSense for a long time. I have 2 different setups of pfSense where their failover connection is running from an LTE device. I have email alerts watching primary and secondary connections. What I find common with using LTE connections is that they drop out intermittently in the early hours of the morning. One can also say off-peak hours. Would like to know if anyone else is experiencing this as well?
Not just LTE connections actually. The fact of the matter is that most maintenance windows would be scheduled for off-hours and this applies to fixed lines as well.
That said, there's also a chance that the LTE connection has a maximum lease time (maybe 24 hours?) so you see the link get re-established around the same time everyday.
Thank you very much for making this, wonderful.
This is an excellent tutorial, but when someone on the LAN is playing online, will it be balanced or assigned to one of the 2 WANs?
Thank you, nice job!
Great tutorial, I have made the same configuration. But if I change the gateway in Advanced to "Balanced", my internal servers (Nextcloud, Bookstack) are unreachable (mapped via port forwarding a long time ago). If I change it to default it works again. Does someone know the problem? Thanks.
Sick tutorial
Can I have load balancing and failover active at the same time?
Please make a video on BGP configuration in pfSense, thanks so much.
Can you make a video where you compare FortiGate and pfSense, which is better?
Thank you.
How about failing back? Let's say my WAN 1 is faster by 90 percent; it goes down and fails over to WAN 2 with just 10 percent of the speed; WAN 1 goes up again, will it fail back?
Edit:
Failover and load balance work on the untunneled network but not in WireGuard. Is there a solution for that?
Hello, I have a question: I want to set up MikroTik as a load balancer for a port forwarding service, is it easy? To load balance as a port forwarding system to connect VPN servers.
How do you actually load balance incoming VPN connections? Is it possible to do failover of the WAN and be able to reach on-prem services somehow?
I want to configure dual WAN without load balancing and failover, can you help me?
Why can't we just change the default gateway instead after creating the group? Is there a significant difference compared to going to Firewall Rules and changing every LAN rule's gateway? I hope someone could answer.
Hi, I know this is an old video, but maybe somebody will be able to help me out?
I work at a small company (around 20 people) and for reliability's sake we want to have a secondary WAN connection. We're still discussing whether to make it a load balancing configuration or a failover one. My main concern with load balancing is that we have a bunch of self-hosted services that rely on a dynamic DNS (desec); since we don't have a static IP, a custom script updates our DNS any time the public IP changes. Would there be any way to make that setup work with a load balancer, since the traffic is constantly switching between gateways? To me, failover would be easier, since the moment the new gateway kicks in the DNS is updated and that's it... but it would be kind of "wasteful" if it's not being used while both providers are up. Thanks in advance to anyone that may help me out!
Thanks 🙏
What happens when the primary line comes back online again? In my home setup, the failover doesn't make the primary WAN the default gateway again, even when the primary WAN is back online.
Any way to tell pfSense to force the primary gateway back to the primary WAN once it's back online again?
I am using a USB modem with T-Mobile. Exactly the same thing happens: when the primary WAN comes back online, the gateway does not switch back. Did you find a solution? Thank you.
@bartoszchucherko9621 I never did, I just turned on Round Robin instead; that way it will just try them all continuously, but it is not a good solution for limited 4G connections etc.
Thank you for reply.
Anyone with a solution to this?
What pfSense hardware are you using? Not sure what is best to get.
I do not run any pfSense hardware; all instances I have used have been virtual machines. I would suggest reaching out to a distributor and telling them what your needs are, and they can advise you what the correct specs should be. Though most small SOHO setups tend to use something like a Netgate 1100 or Netgate 2100.
@TheNetworkBerg thanks for your reply, I appreciate it.
Thanks Bro
Does anyone know the advantages or disadvantages in using LAGG in Failover mode versus using Gateway Groups and Load Balancing to achieve a similar result? I've been having a difficult time making a decision on which one to implement, and I think I'm just going to go with Load Balancing as demonstrated in this video because it seems to offer more specific control over when and how to trigger a failover event. Are there circumstances where LAGG Failover is preferable?
These operate at different Layers. LAGG operates at Layer-1/2 whilst Gateway Load-balancing/ Failover operates at Layer-3. These are not mutually exclusive technologies either.
So in essence, if you had a single WAN link with an ISP CPE (Modem/ ONT/ router etc), you could only do LAGG failover to cater for failure of ports/ interfaces/ cables.
However, if you have 2 WAN links, then you do need to have gateway failover/balancing groups, because both WAN links are Layer-3 gateways.
Each LAGG-dependent interface has one IP, and that IP is specific to that particular WAN link, so you couldn't exactly just physically fail over to the 2nd WAN link and expect it to work. It's technically possible with pure DHCP client interfaces and without PPP, but you would only have one WAN link active at a given time.
That said, you could 'bond' 2 physical links to each CPE from pfSense to enable the Layer-3 link to survive a cable/port failure for each of the WAN links; this is where they are not mutually exclusive.
As long as you have multiple Layer-3 gateways, you should always use gateway groups. You don't necessarily have to have only one gateway group though.
E.g. I have 2 x 1Gbps WAN from different ISPs but have 2 different gateway groups using failover: one group favours WAN1 with failover to WAN2, the other is in reverse.
This allows me to use Group 1 for internal trusted device networks, and Group 2 for untrusted networks (IoT/Guest etc.). This lets me leverage both links (get what you pay for) whilst providing service availability to all the networks.
@BigBenAdv thank you for the extremely thorough response, so much appreciated. Much respect!
Just pinning this comment with some suggestions and reference material:
Docs:
docs.netgate.com/pfsense/en/latest/multiwan/load-balance-and-failover.html
!!!NB!!!
Similar to issues you may face when using ECMP/PCC on a MikroTik or other routers, many sites like banks that are security minded might freak out if you are sending multiple sessions from different source IPs, i.e. you log into your bank site in one session from one WAN IP, and then you are on the internet banking services in another session from a different WAN address. This sometimes tends to break the connection. It is recommended to create a rule for these security-minded sites to connect using a Failover Group instead of a Load Balance group if you still want redundancy; alternatively you could just use the default connection to still get there. This way the sessions will be coming from a single source IP and should not cause issues. More details in the reference materials.
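The two comments above (the pinned one on sending security-minded sites through a Failover Group, and the earlier reply describing two reversed failover groups for trusted and untrusted networks) describe things the pfSense GUI turns into pf `route-to` rules. The ruleset below is an added illustration of what that generated ruleset looks like, written for this page and not taken from the video, the Netgate docs or any commenter's config. Interface names, the 203.0.113.x/198.51.100.x gateway addresses, the 192.0.2.x bank addresses and the internal server address are all assumptions; pfSense would fill the bank table from a hostname alias and pick the interface names from your hardware.

```pf
# Illustrative pf rules modelled on what pfSense generates for gateway groups.
# Names and addresses are assumptions for this example, not from the thread.
wan1_if = "igb0"                 # ISP 1, assumed gateway 203.0.113.1
wan2_if = "igb1"                 # ISP 2, assumed gateway 198.51.100.1
lan_if  = "igb2"
iot_if  = "igb3"
lan_net = "192.168.1.0/24"
iot_net = "192.168.50.0/24"
table <bank_sites> { 192.0.2.10, 192.0.2.11 }   # placeholder bank addresses

# Inbound port forwards: reply-to pins the return traffic to the WAN the
# request arrived on, so a forwarded server answers correctly on either
# public IP no matter which gateway group the LAN policy rule uses.
pass in quick on $wan1_if reply-to ($wan1_if 203.0.113.1) inet proto tcp \
    from any to 192.168.1.20 port 443 keep state
pass in quick on $wan2_if reply-to ($wan2_if 198.51.100.1) inet proto tcp \
    from any to 192.168.1.20 port 443 keep state

# Order matters: the bank exception must sit above the general balanced rule.
# A Failover Group rule carries only the currently active (highest-tier, online)
# gateway; pfSense rewrites it on filter reload when gateway state changes.
# Every bank session therefore leaves from one source IP while WAN1 is up.
pass in quick on $lan_if route-to ($wan1_if 203.0.113.1) inet \
    from $lan_net to <bank_sites> keep state

# Load Balance group with "Use sticky connections" enabled: round-robin picks a
# gateway per new connection (never per packet, which is why one download uses
# one WAN), and sticky-address keeps later connections from the same source
# address on the gateway it was first assigned to.
pass in quick on $lan_if route-to { ($wan1_if 203.0.113.1), ($wan2_if 198.51.100.1) } \
    round-robin sticky-address inet from $lan_net to any keep state

# The two-group pattern from the thread: the untrusted network prefers WAN2 and
# fails over to WAN1. Again only the active gateway appears in the rule, so
# this network also keeps a single source IP until its preferred link fails.
pass in quick on $iot_if route-to ($wan2_if 198.51.100.1) inet \
    from $iot_net to any keep state
```

Two things this makes visible that the GUI hides. First, `quick` plus rule order is the whole mechanism behind "create a rule for the bank sites": put the Failover Group rule above the Load Balance rule or it never matches. Second, pf stores the chosen gateway in the state entry, so a connection that was opened while the backup was active stays on the backup until that state expires or is killed; only new connections pick up the recovered primary, which is worth checking (Diagnostics > States, or `pfctl -ss` on the console) before concluding that fail-back is not happening.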
Comparing to MikroTik, which is more flexible?
Hmmmmm, you know, both are REALLY flexible. There are additional packages that you can download for your pfSense to meet your requirements. Heck, if you were a good coder you could probably create some packages yourself. On the other hand, MikroTik has scripting functionality, and if you know the language then you could probably also script whatever requirement you have. So if you were really a decent scripter you could probably do whatever pfSense can, but then again those are not features that are native to ROS. So really a hard question to answer hehehe. I really like both though, but from a pure firewalling stance and ease of use initially I think I would pick pfSense.
I've been told that MikroTik is just a better router. I know ISPs that pulled Cisco stuff just to use MikroTik. For mainly NATting... I've been using pfSense for routing and MikroTik CRS3xx series switches for the core. If I knew more about MikroTik I would use it more for routing.
A great video would be a MikroTik router NATting and pfSense behind it doing the firewall work. Never quite understood how to make that happen.