pfSense Load Balancing & Failover (easy mode)

Comments: 53

  • @DrakeDealer
@DrakeDealer 2 years ago

    Thank you very much for making this, wonderful.

  • @user-bt2om7nf1x
@user-bt2om7nf1x 5 months ago

    This is really an excellent tutorial, thank you so much for the vivid explanation.

  • @johnknightiii1351
@johnknightiii1351 2 years ago

    Great video. I'm about to set up pfSense for my two fiber connections. This was very helpful. Now I need to figure out how to get XCP-ng with Xen Orchestra installed and pfSense on my N5105 router box that just came in.

  • @EdFromOhio
@EdFromOhio 1 year ago

    Awesome explanation, and exactly what I needed to have fiber and an unlimited cell ISP backup for my home network.

  • @ericapperley7411
@ericapperley7411 1 year ago

    This is an excellent tutorial on the subject - each concept is well explained, and the presentation is not rushed. Congratulations on the result of your efforts!

  • @TheNetworkBerg

    @TheNetworkBerg

    1 year ago

    Thank you very much for the feedback Eric, I honestly appreciate it!

  • @humwerthuz
@humwerthuz 4 months ago

    Awesome tutorial, got two gigabit links at my house and so far I've been using them standalone with their own Wi-Fi networks... will try this once the new hardware arrives 🙌

  • @Viking8888
@Viking8888 2 years ago

    I really appreciated your tutorial. It was the best one I've seen yet. I definitely wish that I had found yours before I did my setup! One thing that none of the tutorials explains, however, is what this setup actually does. I had thought, before getting mine set up and tested that is, that everything would be split between the connections, including downloads. Meaning that part of a download (a Linux ISO, for example) would be downloaded through WAN1 and another part would come in through WAN2 to make the effective speed higher. My testing, however, has taught me that that is not how this works at all. If I start downloading that Linux ISO, it will download on, say, WAN1. If I start another download, it will come in through WAN2. It doesn't aggregate the speeds together, but it lessens the load on each connection when downloading from two or more sources at once. Hope this helps anyone that might be thinking the same as I did and couldn't figure out why a test download was only using one connection.

  • @tom_hengst
@tom_hengst 8 months ago

    Exactly what I was looking for. Thank you!

  • @TheNetworkBerg

    @TheNetworkBerg

    8 months ago

    Great to hear!

  • @techwildlife1
@techwildlife1 1 year ago

    Thank you, nice job!

  • @kittyman106gaming
@kittyman106gaming 1 year ago

    Sick tutorial

  • @chrisgardner4144
@chrisgardner4144 1 year ago

    Thank you.

  • @ryzenforce
@ryzenforce 1 year ago

    You should also mention keeping ongoing sessions on the same gateway with the "sticky" option. That will prevent unwanted behavior from some applications that crash or do not work properly when they receive packets from different gateways. That was apparent in your first bandwidth test, which was load balancing a single stream across both of your gateways, and you probably don't want that, as applications are not made to handle that properly.

  • @starryblue4

    @starryblue4

    1 year ago

    Yes, I experience this when using load balancing in MikroTik and pfSense. For example, when you are browsing bank websites, it will automatically log you out of the session because of the different source IP.

  • @meisterchecho

    @meisterchecho

    1 year ago

    This should be applied when using a VPN, since this needs an active connection.

  • @sebkeccu4546

    @sebkeccu4546

    5 months ago

    Where is this stickiness option? I didn't see it in his video.

  • @SherawCairo
@SherawCairo 1 year ago

    Thanks 🙏

  • @alimibrahem8120
@alimibrahem8120 2 years ago

    I will be very happy if you talk about hotspot in MikroTik. I see a lot of videos about it but none of them was really helpful.

  • @earnwithatr-atrksaathpaise
@earnwithatr-atrksaathpaise 1 year ago

    Thanks Bro

  • @nageshachar155
@nageshachar155 1 year ago

    I have done the same settings as you showed in this video, but in failover, when WAN 1 goes down it switches to WAN 2, but when WAN 1 comes up it does not switch back to WAN 1, and the link status shows unknown or sometimes pending.

  • @ruilechomeur
@ruilechomeur 1 year ago

    Since Windows has no load balancer anymore, I just installed pfSense on Hyper-V with low vHardware; now I can load balance.

  • @fayazhamraz
@fayazhamraz 1 year ago

    Thank you for the nice procedure that you have prepared for load balancing, it was awesome. I have a question: how to set up two public IP addresses with the same gateway on pfSense? Each public IP address should give web and SSH access to each server, and each server should also have communication locally. Your feedback is highly appreciated.

  • @3079shahid
@3079shahid 2 years ago

    Please make a video on BGP configuration in pfSense, thanks so much.

  • @brandonbrand2338
@brandonbrand2338 2 years ago

    Nice video TNB. This is out to peeps that have been running PfSense for a long time. I have 2 different setups of PfSense where their failover connection is running from an LTE device. I have email alerts watching primary and secondary connections. What I find common with using LTE connections is that they drop out intermittently early hours of the morning. One can also say off peak hours. Would like to know if anyone else is experiencing this as well?

  • @BigBenAdv

    @BigBenAdv

    1 year ago

    Not just LTE connections actually. The fact of the matter is that most maintenance windows would be scheduled for off-hours and this applies to fixed lines as well. That said, there's also a chance that the LTE connection has a maximum lease time (maybe 24 hours?) so you see the link get re-established around the same time every day.

  • @john09728
@john09728 1 year ago

    Can I do load balancing and failover active at the same time?

  • @wijayadika3192
@wijayadika3192 1 year ago

    Can I do Load Balancing & Failover at the same time (double filter rule for load balancing & failover)?

  • @gintarasp2
@gintarasp2 2 years ago

    How do you actually load balance incoming VPN connection? Is it possible to do failover of wan and be able to reach on prem services somehow?

  • @raimundweiss
@raimundweiss 9 months ago

    Great tutorial, I have made the same configuration. But if I change the gateway in Advanced to "Balanced", my internal servers (Nextcloud, Bookstack) are unreachable (mapped via port forwarding a long time ago). If I change it to default it works again. Does anyone know the problem? Thanks.

  • @hamzababovic7322
@hamzababovic7322 2 years ago

    Can you make a video where you compare FortiGate and pfSense, which is better?

  • @parsecloudiz
@parsecloudiz 1 year ago

    Hello, I have a question. I want to set MikroTik as a load balancer as a port forwarding service, is it easy? To load balance as a port forwarding system to connect VPN servers.

  • @saironergeable
@saironergeable 1 year ago

    Why can't we just change the default gateway instead after creating the group? Is there a significant difference when changing it compared to going to Firewall Rules and changing every LAN rule's gateway? I hope someone could answer.

  • @itsmehamza4682
@itsmehamza4682 11 months ago

    I want to configure dual-WAN without load balancing and failover, can you help me?

  • @muhamadkhalaf6556
@muhamadkhalaf6556 10 months ago

    This is an excellent tutorial, but when someone on the LAN is playing online, will it be balanced or assigned to one of the 2 WANs?

  • @cyphersproject
@cyphersproject 3 months ago

    Hi, I know this is an old video but maybe somebody will be able to help me out? I work at a small company (around 20 people) and for reliability's sake we want to have a secondary WAN connection. We're still discussing whether to make it a load balancing configuration or a failover one. My main concern with load balancing is that we have a bunch of self-hosted services that rely on a dynamic DNS (desec); since we don't have a static IP, a custom script updates our DNS anytime the public IP changes. Would there be any way to make that setup work with a load balancer, since the traffic is constantly switching between gateways? To me, failover would be easier since the moment the new gateway kicks in the DNS is updated and that's it... but it would be kind of "wasteful" if it's not being used while both providers are up. Thanks in advance to anyone that may help me out!

  • @kylelaker539
@kylelaker539 10 months ago

    How about failing back? Let's say my WAN 1 is faster by 90 percent, it goes down and fails over to WAN 2 with just 10 percent of the speed; when WAN 1 goes up again, will it fail back? Edit: Failover and load balance work on an untunneled network but not in WireGuard. Is there a solution for that?

  • @JoerBrando
@JoerBrando 2 years ago

    What happens when the primary line comes back online again? In my home setup, the failover doesn't make the primary WAN the default gateway again, even when the primary WAN is back online. Any way to tell pfSense to force the primary gateway back to the primary WAN once it's back online again?

  • @bartoszchucherko9621

    @bartoszchucherko9621

    1 year ago

    I am using a USB modem with T-Mobile. Exactly the same thing happens: when the primary WAN comes back online, the gateway does not switch back. Did you find a solution? Thank you.

  • @JoerBrando

    @JoerBrando

    1 year ago

    @@bartoszchucherko9621 I never did, I just turned on Round Robin instead; that way it will just try them all continuously, but it is not a good solution for limited 4G connections etc.

  • @bartoszchucherko9621

    @bartoszchucherko9621

    1 year ago

    Thank you for the reply.

  • @owobogbenga8185

    @owobogbenga8185

    1 year ago

    Anyone with a solution to this?

  • @TylerStraub
@TylerStraub 1 year ago

    Does anyone know the advantages or disadvantages in using LAGG in Failover mode versus using Gateway Groups and Load Balancing to achieve a similar result? I've been having a difficult time making a decision on which one to implement, and I think I'm just going to go with Load Balancing as demonstrated in this video because it seems to offer more specific control over when and how to trigger a failover event. Are there circumstances where LAGG Failover is preferable?

  • @BigBenAdv

    @BigBenAdv

    1 year ago

    These operate at different Layers. LAGG operates at Layer-1/2 whilst Gateway Load-balancing/ Failover operates at Layer-3. These are not mutually exclusive technologies either. So in essence, if you had a single WAN link with an ISP CPE (Modem/ ONT/ router etc), you could only do LAGG failover to cater for failure of ports/ interfaces/ cables. However, if you have 2 WAN links, then you do need to have gateway failover/ balancing groups because both WAN links are Layer-3 gateways. Each LAGG dependent interface has one IP and that IP is specific to that particular WAN link so you couldn't exactly just physically failover to the 2nd WAN link and expect it to work - it's technically possible with pure DHCP client interfaces and without PPP but you would only have one WAN link active at a given time. That said, you could 'bond' 2 physical links to each CPE from pfSense to enable the Layer-3 link to survive a cable/ port failure for each of the WAN links - this is where they are not mutually exclusive. As long as you have multiple layer-3 gateways, you should always use gateway groups. You don't necessarily have to have only one gateway group though. E.g. I have 2 x 1Gbps WAN from different ISP but have 2 different gateway groups using failover - one group favours WAN1 failover to WAN2, the other is in reverse. This allows me to use Group 1 for internal trusted devices networks, and Group 2 for untrusted networks (IOT/ Guest etc.). This lets me leverage on both links (get what you pay for) whilst providing service availability to all the networks.

  • @TylerStraub

    @TylerStraub

    1 year ago

    @@BigBenAdv thank you for the extremely thorough response, so much appreciated. Much respect!

  • @Fawkes-ent
@Fawkes-ent 1 year ago

    What pfSense hardware are you using? Not sure what is best to get.

  • @TheNetworkBerg

    @TheNetworkBerg

    1 year ago

    I do not run any pfSense hardware, all instances I have used have been virtual machines. I would suggest reaching out to a distributor and telling them what your needs are, and they can advise you what the correct specs should be. Though most small SOHO setups tend to use something like a Netgate 1100 or Netgate 2100.

  • @Fawkes-ent

    @Fawkes-ent

    1 year ago

    @@TheNetworkBerg thanks for your reply I appreciate it

  • @TheNetworkBerg
@TheNetworkBerg 2 years ago

    Just pinning this comment with some suggestions and reference material: Docs: docs.netgate.com/pfsense/en/latest/multiwan/load-balance-and-failover.html !!!NB!!! Similar to issues you may face when using ECMP/PCC on a MikroTik or other routers, many sites like banks that are security minded might freak out if you are sending multiple sessions from different source IPs. IE you log into your bank site on one session from one WAN IP, and then you are on the internet banking services on another session from a different WAN address. This sometimes tends to break the connection. It is recommended to create a rule for these security minded sites to rather connect using a Failover Group instead of a Load Balance group if you still want redundancy, alternatively you could just use the default connection to still get there. This way the sessions will be coming from a single source IP and should not cause issues. More details in the reference materials.
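
Added example (not part of the pinned comment or the video): a simplified Python model of per-connection gateway selection, illustrating three points raised in this thread: a single download stays on one WAN, a load-balance group can show one site two source IPs, and the "sticky" option or a failover group keeps it to one. The addresses, the tier numbers and every class and function name are constructed for illustration and do not reproduce pfSense's internals.

```python
# Constructed sample data: documentation-range addresses, one LAN client, four HTTPS connections.
WAN_IP = {"WAN1": "198.51.100.10", "WAN2": "203.0.113.20"}
BANK_CONNS = [("192.168.1.50", 50000 + i, "192.0.2.80", 443) for i in range(4)]

class GatewayGroup:
    """Toy model: a gateway is chosen once per NEW connection, never per packet."""
    def __init__(self, tiers, sticky=False):
        self.tiers = tiers        # gateway name -> tier (lower tier is preferred)
        self.sticky = sticky      # pin each LAN client to the gateway it got first
        self.up = set(tiers)      # gateways currently considered online
        self.states = {}          # connection 4-tuple -> gateway
        self.by_client = {}       # LAN client IP -> gateway (sticky mode only)
        self.counter = 0          # round-robin position

    def candidates(self):
        live = [g for g in sorted(self.tiers) if g in self.up]
        if not live:
            raise RuntimeError("no gateway in the group is online")
        best = min(self.tiers[g] for g in live)
        return [g for g in live if self.tiers[g] == best]

    def route(self, conn):
        if conn in self.states:               # an established flow stays where it is
            return self.states[conn]
        pool = self.candidates()
        gw = self.by_client.get(conn[0]) if self.sticky else None
        if gw not in pool:                    # no pin yet, or the pinned gateway is down
            gw = pool[self.counter % len(pool)]
            self.counter += 1
        if self.sticky:
            self.by_client[conn[0]] = gw
        self.states[conn] = gw
        return gw

def source_ips_seen(group, conns):
    """Public source IPs the remote site observes for these connections."""
    return {WAN_IP[group.route(c)] for c in conns}

def demo():
    same_tier = {"WAN1": 1, "WAN2": 1}        # load-balance group
    ordered = {"WAN1": 1, "WAN2": 2}          # failover group
    return {
        "balanced": source_ips_seen(GatewayGroup(same_tier), BANK_CONNS),
        "sticky": source_ips_seen(GatewayGroup(same_tier, sticky=True), BANK_CONNS),
        "failover": source_ips_seen(GatewayGroup(ordered), BANK_CONNS),
    }

if __name__ == "__main__":
    print(demo())
```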

  • @netspotcyber2495
@netspotcyber2495 2 years ago

    Compared to MikroTik, which is more flexible?

  • @TheNetworkBerg

    @TheNetworkBerg

    2 years ago

    Hmmmmm you know, both are REALLY flexible. There are additional packages that you can download for your pfSense to meet your requirements. Heck if you were a good coder you could probably create some packages yourself. On the other hand, Mikrotik has scripting functionality and if you know the language then you could probably also script whatever requirement you have. So if you were really a decent scripter you could probably do whatever the pfSense can, but then again those are not features that are native to ROS. So really a hard question to answer hehehe. I really like both though, but from a pure firewalling stance and ease of use initially I think I would pick the pfSense.

  • @Joshv918

    @Joshv918

    2 years ago

    I’ve been told that Mikrotik is just a better router. I know ISPs that pulled Cisco stuff just to use Mikrotik. For mainly natting .. I’ve been using pfsense for routing and mikrotik crs3xx series switches for the core. If I knew more about mikrotik I would use it more for routing . A great video would be a mikrotik router. Natting and pfsense behind doing the firewall work. Never quite understood how to make that happen