Policy Routing, Load Balancing and Failover Strategies

This section provides guidance on common multi-WAN goals and how they can be achieved with pfSense® software.

Bandwidth Aggregation

One of the primary desires with multi-WAN is bandwidth aggregation. Load balancing can help accomplish this goal. There is, however, one caveat: If the firewall has two 50 Mbit/s WAN circuits, it cannot get 100 Mbit/s of throughput with a single client connection. Each individual connection must be tied to only one specific WAN. This is true of any multi-WAN solution other than MLPPP. The bandwidth of two different Internet connections cannot be aggregated into a single large “pipe” without involvement from the ISP. With load balancing, since individual connections are balanced in a round-robin fashion, 100 Mbit/s of throughput can only be achieved using two 50 Mbit/s circuits when multiple connections are involved. Applications that utilize multiple connections, such as download accelerators, will be able to achieve the combined throughput capacity of the two or more connections.

Note

Multi-Link PPPoE (MLPPP) is the only WAN type which can achieve full aggregate bandwidth of all circuits in a bundle, but MLPPP requires special support from the ISP. For more on MLPPP, see Multi-Link PPPoE (MLPPP).

In networks with numerous internal machines accessing the Internet, load balancing will reach speeds near the aggregate throughput by balancing the many internal connections out all of the WAN interfaces.

Segregation of Priority Services

Consider a site which has a reliable, high quality Internet connection that offers low bandwidth, or high costs for excessive transfers, and another connection that is fast but of lesser quality (higher latency, more jitter, or less reliable). In these situations, services can be segregated between the two Internet connections by their priority. High priority services may include VoIP, traffic destined to a specific network such as an outsourced application provider, or specific protocols used by critical applications, amongst other options. Low priority traffic commonly includes any permitted traffic that doesn’t match the list of high priority traffic. Policy routing rules can be set up to direct the high priority traffic out the high quality Internet connection, and the lower priority traffic out the lesser quality connection.

Another example of a similar scenario is getting a dedicated Internet connection for quality critical services such as VoIP, and only using that connection for those services.

Failover Only

There are scenarios where the best practice is to only use failover. For example, some users have a secondary backup Internet connection with a low bandwidth cap, such as a 4G/LTE modem, and only want to use that connection if their primary connection fails. Gateway groups configured for failover can achieve this goal.

Another usage for failover is to ensure a certain protocol or destination always uses only one WAN unless it goes down.

Unequal Cost Load Balancing

pfSense software can achieve unequal cost load balancing by setting appropriate weights on gateways as discussed in Advanced Gateway Settings. By setting a weight on a gateway, it will be used more often in a gateway group. Weights can be set from 1 to 30, allowing

Unequal Cost Load Balancing

WAN_GW weight    WAN2_GW weight    WAN load    WAN2 load
3                2                 60%         40%
2                1                 67%         33%
3                1                 75%         25%
4                1                 80%         20%
5                1                 83%         17%
30               1                 97%         3%

Note that this distribution strictly balances the number of connections; it does not take interface throughput or existing load into account. This means bandwidth usage may not necessarily be distributed equally, though in most environments it works out to be roughly distributed as configured over time. This also means if an interface is loaded to its capacity with a single high throughput connection, the firewall will still direct additional connections to that interface.
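
The following is an added example, not pfSense code: a simplified model of the connection-count balancing described above, showing how the connection share follows the weights while the bandwidth share does not. It assumes a gateway with weight N appears N times in the round-robin pool; the function names and the traffic sizes are constructed for illustration.

```python
from itertools import cycle

def weighted_pool(weights):
    """Expand {gateway: weight} into a round-robin pool.

    Assumption of this model: a gateway with weight N appears N times.
    """
    for gw, w in weights.items():
        if not 1 <= w <= 30:  # the page gives 1 to 30 as the valid range
            raise ValueError(f"{gw}: weight {w} outside 1-30")
    return [gw for gw, w in weights.items() for _ in range(w)]

def distribute(weights, conn_sizes):
    """Pin each connection to one gateway in round-robin order.

    Returns {gateway: {"connections": n, "bytes": total}}. Only the
    connection count drives the choice; size and current load are ignored.
    """
    stats = {gw: {"connections": 0, "bytes": 0} for gw in weights}
    pool = cycle(weighted_pool(weights))
    for size in conn_sizes:
        gw = next(pool)
        stats[gw]["connections"] += 1
        stats[gw]["bytes"] += size
    return stats

def shares(stats, key):
    """Percentage of `key` ("connections" or "bytes") per gateway."""
    total = sum(s[key] for s in stats.values())
    return {gw: round(100 * s[key] / total) for gw, s in stats.items()}

def demo():
    # Constructed traffic: 100 connections of 1 MB each, except one
    # 500 MB bulk transfer that happens to land on WAN2_GW.
    sizes = [1] * 100
    sizes[3] = 500
    stats = distribute({"WAN_GW": 3, "WAN2_GW": 2}, sizes)
    return shares(stats, "connections"), shares(stats, "bytes")

if __name__ == "__main__":
    conn_share, byte_share = demo()
    print("connections:", conn_share)  # matches the 3:2 row of the table
    print("bytes:      ", byte_share)  # skewed by the single bulk transfer
```

With the 3:2 weights, connections split as configured, but the one large transfer pushes most of the bytes onto the lower-weighted gateway.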