You are on page 1of 25

1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

nixCraft
Linux and Unix tutorials for new and seasoned sysadmin

How to con gure pfSense as multi


wan (DUAL WAN) load balance
failover router
last updated August 4, 2016 in FreeBSD, Hardware, UNIX

H ow do I setup a multi-WAN load balancing and failover on pfSense router


with two ADSL or cable or leased-line or FTTH (Fiber to the home)
connections?

In this tutorial you will learn how to con gure pfSense to load balance and fail over traf c from
a LAN to multiple Internet connections (WANs) i.e. dual wan.

Why and how to setup a dual wan router?

A dual wan setup allows you to increase your internet bandwidth. You can load balance traf c
as per your needs. You can get internet connection redundancy and failover. If one connection
goes down your traf c will be routed automatically to a backup connection.

Requirements

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 1/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Two internet connections from two different ISPs. You can mix-match ADSL/FTTH/4G
LTE/Cable/T1/FIOS connection as per your needs.

1. pfSense router with three network ports (NICS).


2. Two ISP modems with network port (NIC)
3. Static or dynamic IPs from ISPs
4. Monitor IP # 1 for ISP # 1 – 8.8.8.8 (google dns IP)
5. Monitor IP # 2 for ISP # 2 – 208.69.38.205 (opendns IP)

Our sample setup

Fig.01: What you’ll need to get started with this setup

1. I have two ISP modems+routers with dynamic IP address assigned.


2. You need to connect each modem with pfsense using an Ethernet connection.
3. You need to connect a network switch to pfsense using an Ethernet connection.
4. All systems/servers/printers/wi on LAN uses 172.16.1.254/24 subnet with 172.16.1.254 as a
default gateway.

Con guration

Before starting, make sure all of the WAN-type interfaces are enabled with static IP WANs and
with a gateway set as described above.

Step 1: Con gure pfsense LAN interface


https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 2/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Open pfSense web interface using http://172.16.1.254/ > Interfaces > LAN and set it as follows as
per ( g.01):

Fig.02: LAN interface settings

Step 2: Con gure pfsense wan01 interface (ADSL ISP #1)

Open pfSense web interface using http://172.16.1.254/ > Interfaces > WAN 01 and set it as follows
as per ( g.01):

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 3/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Fig.02: Wan 01 (ADSL ISP 1) interface settings

Now the rst WAN interface con gured with a Static IP from the Interfaces menu. If you want
you can set type to DHCP depending on your ISP 1 modem settings. Next make sure the
gateway IP responds to ping to con rm that WAN 1 is actually online and working before
proceeding. You can do this from pfSense itself by visiting Diagnostics > Ping:

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 4/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Make sure the ISP #1 gateway responds to ping to con rm that each WAN 1 is actually
online

Step 3: Con gure pfsense wan02 interface (ADSL ISP #2)

Open pfSense web interface using http://172.16.1.254/ > Interfaces > WAN 02 and set it as follows
as per ( g.01):

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 5/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Fig.03: Wan 02 (ADSL ISP 2) interface settings

Now the second WAN interface con gured with a Static IP from the Interfaces menu. If you
want you can set type to DHCP depending on your ISP 2 modem settings. Next make sure the
gateway IP responds to ping to con rm that WAN 2 is actually online and working before
proceeding. You can do this from pfSense itself by visiting Diagnostics > Ping:

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 6/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Make sure the ISP #2 gateway responds to ping to con rm that each WAN 2 is
actually online

Step 4: Con rm both gateways are online

Once both gateways have been de ned, visit Status > Gateways:

Fig.04: Wan gateways status must be green

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 7/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

If they’re green, the connection to the gateway is OK and you need to con gure monitor IP.

Step 5: Con gure monitor IP for each gateway

Visit System > Routing > Select Gateways tab and you will see a screen as follows with private
IP set as monitor IP for each gateway:

Fig.05: Ensure a gateway entry exists for each WAN interface

Click on edit gateway icon (button) for wan_adsl2_l1GW (default) and set monitor IP to 8.8.8.8:

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 8/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Fig.06: Set monitor IP for WAN 1 (ADSL ISP # 1)

Next, click on edit gateway icon (button) for WAN_ADSL2_L2 (ADSL ISP # 2) and set monitor IP
to 208.69.38.205:

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 9/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Fig.07: Set monitor IP for WAN 2 (ADSL ISP # 2)

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 10/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

The gateway con guration has been changed. The changes must be applied for them to take
effect. So click on the Apply Changes button.

Step 6: Con guring dual WAN link load balancer

Finally, you are ready to con gure the pfSense as a Load Balancer by visiting System > Routing
> Select the Gateway Groups > Click the “Add” button:

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 11/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Fig.08: Dual wan load balancer con g

Where,

Set Group Name to “WanLoadBalancer“.


Set Gateway Priority for both gateways to “Tier 1“. Please note that when two gateways are
on the same tier (e.g. Tier 1), they will load balance. This means that on a per-connection
basis, connections are routed over each WAN in a round-robin manner. If any gateway on
the same tier goes down, it is removed from use and the other gateways on the tier
continue to operate normally.
Set Trigger Level to “Memberdown“.
Set Description to “My Dual ADSL Wan Link Load Balancer“
Finally click the “Save” > “Apply Changes” button.

Step 7: Con guring link fail over

Next, con gure the pfSense as a failover for wan connections by visiting System > Routing >
Select the Gateway Groups > Click the “Add” button:

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 12/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Fig.09: Link failover for ADSL link 1 (wan1/isp1)

When two gateways are on different tiers, the lower tier gateway(s) are preferred. If a lower tier
gateway goes down, it is removed from use and the next highest tier gateway is used. This is
how failover works on pfSense. So to set link failover for ADSL 1:

Set Group Name to “ADSLLinkFailover2“


Set Gateway Priority wan_adsl2_l1GW (ISP 1) to “Tier 1“
Set Gateway Priority wan_adsl2_l2GW (ISP 2) to “Tier 2“
Set Trigger Level to “Member down“
Set Description to “Link failover for ADSL 1“

Set link failover for ADSL 2 as follows and swap Gateway Priority:

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 13/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Fig.10: Link failover for ADSL link 2 (wan2/isp2)

Finally click the “Save” > “Apply Changes” button to nish the LB and failover gateway
con guration.

Step 7: Con guring the rewall rules for load balancer

You need to pass traf c to these LBs using the Gateway setting on rewall rules. Click on
Firewall > Rules > Lan > Add and set it as follows:

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 14/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Fig.11: LB rewall rule

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 15/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Click on the “Display advanced” button > scroll down > nd Gateway option and set it to
WanLoadBalancer:

Set gateway to WanLoadBalancer

Click the “Save” > “Apply Changes” button to save rewall rules.

Step 8: Con guring the rewall rules for failover

You need to pass traf c to these failover gateways using the Gateway setting on rewall rules.
Click on Firewall > Rules > Lan > Add and set it as follows:

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 16/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Fig.12: Failover rewall rule for ISP 1 /ADSL 1 link

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 17/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Click on the “Display advanced†button > scroll down > nd Gateway option and set it to
ADSLLinkFailover1:

Set gateway to ADSLLinkFailover1

Click the “Save” > “Apply Changes” button to save rewall rules. Repeat the rewall rule for
ADSLLinkFailover2.

Step 9: Client con guration

Make sure you assign all the IP addresses in the following range to your client computers:

Network: 172.16.1.254/24
IP ranges: 172.16.1.1 to 172.16.1.253
Default gateway: 172.16.1.254
DNS server: 172.16.1.254 (or 8.8.8.8/8.8.4.4)

Test it as follows from client system (I’m using OpenBSD):

$ ifconfig vio0
$ netstat -nr -f inet
$ ping -c 2 google.com
$ host cyberciti.biz 172.16.1.254

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 18/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Sample outputs:

Fig.13: Testing your pfSense LB/Failover router

You can run a speed test using fast.com or speedtest.net. You will notice and use both internet
connection when using Torrents and downloading a large le from load balancing. You can
use the speedtest-cli as follows to verify that bandwidth is doubled from a client computer:

$ python speedtest-cli

If one internet connections goes down, you will be still connected via failover.

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 19/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

What next?

You will get the wan (internet) connection redundancy and load balancing but not the router
redundancy. Your internet connection will go down, if your pfSense router failed due to
hardware problems. This draw back can be addressed using router redundancy setup.

SHARE ON Facebook Twitter

Posted by: Vivek Gite


The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the
Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and
open source topics via RSS/XML feed or weekly email newsletter.

19 comment

thiagoc August 3, 2016 at 10:19 pm

“tire” -> “tier”

Vivek Gite August 4, 2016 at 3:53 am

Thanks for the heads up!

ewhy Tech August 4, 2016 at 9:39 am

It’s important to note that the setup, above, should have a Static IP address assigned, by the
ISP. Most business accounts will include a few Static IPs (anywhere from 3 – 16 addresses), as
part of the service agreement.

However, if you’re trying this on a private ISP connection, you’ll either have to ask your ISP for
as Static IP address. Or you’ll have to con g your WAN interface to grab an address via DHCP,
rst. And, then, either use ‘as-is’.

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 20/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Or, recon gure the WAN interface to use the DHCP address as a static address.

[NOTE: Grabbing an IP via DHCP, then entering it as a ‘Static IP’, will BREAK your con guration,
in the event that your ISP updates their network, or there is a long-term power outage…. or just
anything that may cause your ISP Modem (or pfSens) to refresh the DHCP Lease.]

Alex August 5, 2016 at 12:58 am

How does this setup handles nat? If there is a web server or ftp server working within the
internal network will it continue to work if one of the ISPs goes down? Is there a speci c way to
con gure nat/rules if the user wants to host email or web services behind that router?

Mark August 5, 2016 at 12:33 pm

Can we add as many WAN connections as we want( within hardware limits)?

Martin May 26, 2017 at 12:35 pm

Yes. Just add new gateway groups and rewall rules for each of the conditions in which you
would want to operate the rewall.

For example if you had three ISP connections –


Gateway group – runs all three connections
Gateway group – isp1 fails
Gateway group – isp2 fails
Gateway group – isp3 fails
Gateway group – isp1 & isp2 fails
Gateway group – isp1 & isp3 fails
Gateway group – isp2 & isp3 fails

Francisco Gonzalez August 5, 2016 at 1:21 pm

Nice tutorial! just one thing, the SSL traf c, I’ve noticed problems with apps like banking and
CPanel, last one complains “same session with 2 differents IPs” and you get to the login page
again, personally I separate the SSL traf c from HTTP using source port in the rewall rules
and using failover rules like you show us for SSL only.

Again very nice tutorial!

Francisco
https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 21/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

Etienne November 25, 2016 at 11:44 am

Hi !
I believe “failover” is useless on the latest pfsense version
if load balance have only two WANs.
can you con rm ?
Also, some servers may generate problems if using two different IP when accessing them.
Do you know some solution else than the “stick to ip” on the general options ?

Zoltan December 6, 2016 at 12:40 pm

I have now 3 gateway groups, one load balancer and two failover.
I’m about to con gure the rewall rules.
What should be the order of these rules, or is it optional??
Thanks! :)

jaomadn January 25, 2017 at 1:00 am

hi,
May i ask also if i need a wan load balancer if i want to separate a browsing traf c from other
traf c. like gaming..

Vivek Gite January 25, 2017 at 7:29 am

Noop. You just need to set rewall rules.

benjamin February 10, 2017 at 6:26 pm

Hi after setting everything it seems to work, but if for example I disconnect my wan1 cable I
cannot browse anything from the lan via my wan2, if I do a ping disgnistic on the second wan
it will send the packets ok, am I missing soemthing?

Regards

benjamin February 10, 2017 at 6:41 pm

For anyone having this issue I resolved it by going to rewall > lan > edited the lan rule and
added on gateway Wanloadbalancer

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 22/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

benjamin February 10, 2017 at 6:44 pm

Sorry this did not x anything I am still having trouble to browse from the lan, and this
only made a combine of the 2 ISPs having dif culties since Ip changes a lot.

metty April 3, 2017 at 9:28 am

thank you for this nice tutorial! Helped me a lot! In Step 7 and 8 there are two different Firewall
> Rules > Lan > Add. One “Add” adds on top, the other on the bottom. As I remarked, the
position is also important. Mabye you could add a screenshot in the end whith the positions of
the rewall rules.

shawnw May 14, 2017 at 5:54 pm

would like to know how i should add rewall rukles with this setup i have a email server on the
lan network and i have a dyndns running to to auto update to the best external ip at the time
how can i setup the rewall tio send and receive the email ports over this load balance rule?

Shahriar May 21, 2017 at 12:24 pm

Hi
Can you update this tutoriul for connect 3g modem? Please

Jorge May 23, 2017 at 1:52 pm

Sometimes the WAN connections aren’t of the same bandwidth. so in this case the WEIGHT
option is useful (System->Routing->Gateway) edit the gateway and in Advanced Option set a
Weight.

K T YEO October 6, 2017 at 2:00 am

Hi Vivek Gite,
Good Day,
May I know?
Can pfsense :
1. give me bandwidth BONDING or AGGREGATION OR ADD bandwidth
eg.
If I have 8 dynamic ip WAN that is asymmetrical with such speeds of : upstream = 50Mbps ,

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 23/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

downstream = 100Mbps
this is the maximum link speed that I can subscribe at my current location.
I have 100+ cpu/windows PC for gaming purposes
location = malaysia post code 75450
meaning will pfsense give me 400Mbps upstream bandwidth and 800Mbps downstream
bandwidth?
thus provides 4Mbps for each PC of upstream speed/bandwidth
this is my primary router
I may face a challenge of getting 8 PCI Ethernet card slots PC to work on pfsense.
does pfsense works with usb/lan adapter to use as wan?

Is there a hardware appliance, pfsense with 8 WAN?

can I also con gure in same network a backup router (secondary) with dedicate 4 WAN of
similar specs above so when any of the 1st pfsense WAN fails or its router fails, 2nd router with
separate WAN will take over.

can I also con gure pfsense secondary router to return to primary router as soon as the outage
at primary router is restored?

which linux avour works best with pfsense?

i hope you can assist me. (newbies)

thank you so very much.


best regards,
/kt yeo

    Still, have a question? Get help on our forum!

Tagged as: Advanced

@2000-2019 nixCraft. All rights reserved.

PRIVACY

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 24/25
1/7/2019 How to configure pfSense as multi wan (DUAL WAN) load balance failover router - nixCraft

TERM OF SERVICE

CONTACT/EMAIL

DONATIONS

SEARCH

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/ 25/25

You might also like