Load Balancing & Failover
Now we are going to set up load balancing and failover. Let's look at the diagram from the pfSense tutorial again, and gather our required parameters before we begin.
Figure 12: pfSense block diagram
We need our interface IP gateway addresses and the address for a ISP DNS server used on the corresponding interface. We will be using the DNS address as the monitor address, to verify the interface is up and running via a simple ping to that address. The values in Table 2 are actual addresses I used for Cerberus. Your values may be different.
|Interface||IP address||DNS address|
|Gateway Primary ISP
Gateway Secondary ISP (OPT1)
Table 2: IP address assignment
There are five steps to setting up failover and load balancing, one of which we have already accomplished.
- Set up Multi-WAN Configuration – done in Part 2.
- Set up Required Values – List DNS Servers, Turn on Sticky Sessions
- Define Failover Gateways – One for each WAN connection
- Set Up Load Balancing Gateway – Handles Round Robin Traffic Assignment
- Define Rules for LAN Traffic – Direct LAN Traffic to Load Balancer
We will also need to test load balancing and failover and write a rule for outbound HTTPS traffic. This rule will serve as an example of traffic that needs to bypass the load balancer and travel directly out a single selected ISP interface.
Since we have already set up Cerberus for multi-WAN, we'll jump to step two, setting values. We need to do two things here; the first is make sure the two DNS addresses we are going to be using (188.8.131.52, 184.108.40.206) are listed under General Setup.
Figure 13: DNS address assignment
In Advanced Setup, we want to turn on sticky connections, so traffic started on a particular ISP WAN interface stays there, preventing sites that use your IP Address, such as your bank, from getting confused.
Figure 14: Enable Sticky Connections
I also recommend editing your Snort Whitelist (Services->Snort), ensuring DNS servers are automatically added. Depending on your ISP, DNS irregularities may cause Snort to block them, giving you a false failure.
Figure 15: Snort Whitelist auto-add DNS servers
The next step is setting up the failover gateways in the Load Balancer (Services->Load Balancer). Each failover gateway has a pool of interfaces, each with a monitoring IP. We have two pairs of Interface and Monitor IPs that need to be added to each pool. The only difference between the two gateways is the order of these pairs.
Pair One is the Primary ISP, and the WAN DNS Server: [ WAN, 220.127.116.11 ]
Pair Two is the Secondary ISP, and the OPT1 DNS Server: [ OPT1, 18.104.22.168 ]
The first pair in each gateway is the opposing interface, the one that it fails over to. The second is its own Interface. So the pools look like:
Figure 16: Failover gateway address pool
Here is the pool setup for the Primary ISP, note the the Secondary ISP Failover gateway only differs in pair order:
Figure 17: Primary Failover pool IP setup
With the failover gateways up, we can define the load balancer gateway – this looks just like our 2ndWanFailover gateway, except the behavior is Load Balancing instead of Failover.
Figure 18: Load Balancer gateway setup
With that, we have completed our Gateway setup: