On 8 Sep 2014, at 18:07, Joe Laffey <[email protected]> wrote:
> Anyone using Load Balancing for a triple WAN setup? This work OK in pfSense?
> What about older 1.2.3 systems?

I have a triple WAN setup at home, which worked fine in 2.0 and likewise now in 2.1. There are limitations in 1.2.3 that complicate things slightly - inability to choose which gateway a DNS server uses is the big one, especially if your WANs come from different service providers with DNS locked down to only allow access from their IP ranges.

I also have several quad WAN setups in managed office buildings where short tenancy agreements prevent the occupants from signing up to 3 year fibre leased line contracts.

As a general rule, you’re (in my experience) better off not doing simple round robin load balancing. RR is done on a connection basis, so it’s still possible for one client machine to saturate all 3 WANs, thus reducing quality of service for other users. This is especially problematic if you have clients you don’t control (i.e. where you don’t have administrative veto over the crap they install on them) - it’s quite easy for someone to install a P2P app, or simply have malware that tries to propagate itself by creating lots of outbound connections.

I tend to work on the principle of sending your ‘I care about latency’ traffic down one connection: SIP, mail, SSH and various streaming protocols are the ones I normally separate - you may have others to consider. I then create a gateway group for the other two connections in a standard round robin load balance.

If you can easily separate your clients out on the LAN side, you can go a step further: in one of the offices we supply, floor 1 is balanced across WANs 1 and 3; floor 2 is balanced across WANs 2 and 4.

These methods are all to prevent one single client saturating the connectivity into a building. You’ll have to do some experimentation to find out what works best in your environment.

One final word of advice: send HTTPS connections down a single WAN.
Many ‘secure’ sites will expire sessions if connections come from different IPs and your clients will get upset very quickly if they’re having to re-login to online services every few minutes.

Kind regards,

Chris

-- 
C.M. Bagnall
This email is made from 100% recycled electrons
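
Added example, not part of the original message and not pfSense code: a small Python model of the routing split described above, comparing plain per-connection round robin with pinned latency-sensitive and HTTPS traffic plus a two-WAN gateway group. The WAN names, documentation-range IPs, port sets, client names and the choice of WAN1 for HTTPS are all assumptions made for the illustration.

```python
from itertools import cycle

# Constructed values: WAN names, documentation-range IPs and port sets are assumptions.
WAN_IP = {"WAN1": "192.0.2.1", "WAN2": "198.51.100.1", "WAN3": "203.0.113.1"}
LATENCY_PORTS = {22, 25, 5060}  # SSH, mail, SIP
HTTPS = {443}

class Router:
    """First-match policy rules, then per-connection round robin over a gateway group."""
    def __init__(self, rules, group):
        self.rules = rules            # list of (port_set, wan_name)
        self._rr = cycle(group)       # each new connection takes the next WAN

    def route(self, dst_port):
        for ports, wan in self.rules:
            if dst_port in ports:
                return wan
        return next(self._rr)

def simulate(router, connections):
    """Return ({client: WANs used}, {client: source IPs seen by HTTPS sites})."""
    wans_used, https_ips = {}, {}
    for client, dst_port in connections:
        wan = router.route(dst_port)
        wans_used.setdefault(client, set()).add(wan)
        if dst_port in HTTPS:
            https_ips.setdefault(client, set()).add(WAN_IP[wan])
    return wans_used, https_ips

# Constructed traffic: one noisy client opening many connections, one ordinary user.
TRAFFIC = [("p2p-host", 6881)] * 30 + [("office-pc", 443)] * 6 + [("office-pc", 22)] * 2

def plain_round_robin():
    return simulate(Router([], ["WAN1", "WAN2", "WAN3"]), TRAFFIC)

def split_policy():
    rules = [(LATENCY_PORTS, "WAN1"), (HTTPS, "WAN1")]  # HTTPS pinned to WAN1 (assumed choice)
    return simulate(Router(rules, ["WAN2", "WAN3"]), TRAFFIC)

if __name__ == "__main__":
    for name, run in (("round robin", plain_round_robin), ("split policy", split_policy)):
        wans, ips = run()
        print(name, {c: sorted(w) for c, w in wans.items()}, {c: sorted(i) for c, i in ips.items()})
```

Under plain round robin the noisy client lands on every WAN and the HTTPS sessions arrive from three source addresses; with the split, the noisy client is confined to the two-WAN group and HTTPS keeps a single source address.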
