On 8 Sep 2014, at 18:07, Joe Laffey j...@laffey.tv wrote:
> Anyone using Load Balancing for a triple WAN setup? This work OK in pfSense?
> What about older 1.2.3 systems?

I have a triple WAN setup at home, which worked fine in 2.0 and likewise now in
2.1. There are limitations in 1.2.3 that complicate things slightly - inability
to choose which gateway a DNS server uses is the big one, especially if your
WANs come from different service providers with DNS locked down to only allow
access from their IP ranges.

I also have several quad WAN setups in managed office buildings where short
tenancy agreements prevent the occupants from signing up to 3 year fibre leased
line contracts.

As a general rule, you’re (in my experience) better off not doing simple round
robin load balancing. RR is done on a connection basis, so it’s still possible
for one client machine to saturate all 3 WANs, thus reducing quality of service
for other users. This is especially problematic if you have clients you don’t
control (i.e. where you don’t have administrative veto over the crap they
install on them) - it’s quite easy for someone to install a P2P app, or simply
have malware that tries to propagate itself by creating lots of outbound
connections.

I tend to work on the principle of sending your ‘I care about latency’ traffic
down one connection: SIP, mail, SSH and various streaming protocols are the
ones I normally separate - you may have others to consider. I then create a
gateway group for the other two connections in a standard round robin load
balance.

If you can easily separate your clients out on the LAN side, you can go a step
further: in one of the offices we supply, floor 1 is balanced across WANs 1 and
3; floor 2 is balanced across WANs 2 and 4.

These methods are all to prevent one single client saturating the connectivity
into a building. You’ll have to do some experimentation to find out what works
best in your environment.

One final word of advice: send HTTPS connections down a single WAN. Many
‘secure’ sites will expire sessions if connections come from different IPs and
your clients will get upset very quickly if they’re having to re-login to
online services every few minutes.

Kind regards,
Chris
--
C.M. Bagnall
This email is made from 100% recycled electrons
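
The routing split described in the message above, modelled as an added example that is not part of the original post: plain per-connection round robin across three WANs is compared with pinning latency-sensitive and HTTPS traffic to one WAN and balancing the rest across a two-WAN group. The WAN names, egress addresses, port numbers, host names and the choice to pin everything to WAN1 are assumptions made for illustration.

```python
from collections import Counter
from itertools import cycle

# Constructed egress addresses (documentation ranges) for three WANs.
WANS = {"WAN1": "192.0.2.1", "WAN2": "198.51.100.1", "WAN3": "203.0.113.1"}
# Assumed default ports for traffic pinned to one WAN: SSH, SMTP, HTTPS, SIP.
PINNED_PORTS = {22, 25, 443, 5060}


def make_router(pinned_ports, pinned_wan, group):
    """Pinned ports use one WAN; everything else is round-robin per connection."""
    rotation = cycle(group)

    def route(dst_port):
        return pinned_wan if dst_port in pinned_ports else next(rotation)

    return route


def run(route, connections):
    """Return (connections per WAN, source IPs each client's HTTPS peer sees)."""
    load, https_ips = Counter(), {}
    for client, port in connections:
        wan = route(port)
        load[wan] += 1
        if port == 443:
            https_ips.setdefault(client, set()).add(WANS[wan])
    return load, https_ips


def build_traffic():
    """Constructed sample: a P2P host opens 300 connections while a user
    makes 8 HTTPS requests to one site; a phone then places one SIP call."""
    traffic = []
    for i in range(300):
        traffic.append(("p2p-host", 6881))
        if i % 40 == 0:
            traffic.append(("alice", 443))
    traffic.append(("phone", 5060))
    return traffic


def compare():
    plain_rr = make_router(set(), None, ["WAN1", "WAN2", "WAN3"])
    split = make_router(PINNED_PORTS, "WAN1", ["WAN2", "WAN3"])
    return run(plain_rr, build_traffic()), run(split, build_traffic())


if __name__ == "__main__":
    for name, (load, https) in zip(("plain RR", "split"), compare()):
        print(name, dict(load), sorted(https["alice"]))
```

Under plain round robin the HTTPS site sees the same user arrive from all three egress addresses and the P2P host's connections land on every WAN; with the split, the site sees one address and WAN1 carries only the pinned traffic.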