Multiple WAN Connections
- Multi-WAN Terminology and Concepts
- Policy Routing, Load Balancing and Failover Strategies
- Multi-WAN Caveats and Considerations
- Summary of Multi-WAN Requirements
- Load Balancing and Failover with Gateway Groups
- Interface and DNS Configuration
- Multi-WAN and NAT
- Policy Routing Configuration
- Verifying Functionality
- Multi-WAN on a Stick
- Multi-Link PPPoE (MLPPP)
- Using OpenVPN with Multi-WAN
The multiple WAN (multi-WAN) capabilities of pfSense® allow a firewall to utilize multiple Internet connections to achieve more reliable connectivity and greater throughput capacity. Before proceeding with a multi-WAN configuration, the firewall must have a functional two-interface (LAN and WAN) configuration. pfSense is capable of handling many WAN interfaces, with multiple deployments using 10-12 WANs in production. It will scale even higher than that, though we aren’t aware of any installations using more than 12 WANs.
All WAN-type interfaces are treated identically in the GUI. Anything that can be done with the primary WAN can also be done with an additional OPT WAN interface. There are no significant differences between the primary WAN and additional WANs.
This chapter starts by covering items to consider when implementing any multi-WAN solution, then covers multi-WAN configuration with pfSense software.
Choosing Internet Connectivity
The ideal choice of Internet connectivity will depend largely upon the options available at a given location, but there are some additional factors to take into consideration.
Speaking from the experience of those who have seen firsthand the effects of multiple cable-seeking backhoes, as well as nefarious copper thieves, it is very important to make sure connectivity choices for a multi-WAN deployment utilize disparate cabling paths. In many locations, DSL connections and any others utilizing copper pairs are carried on a single cable and are subject to the same cable cut. Other circuits from the same telco, such as fiber, may run along the same poles or conduits.
If one connection comes in over copper pair (DSL), choose a secondary connection utilizing a different type and path of cabling. Cable connections are typically the most widely available option not subject to the same outage as copper services. Other options include fiber service or fixed wireless coming in on a different path from copper services.
Two connections of the same type cannot be relied upon to provide redundancy in most cases. An ISP outage or cable cut will commonly take down all connections of the same type. Some pfSense users use multiple DSL lines or multiple cable modems, though the only redundancy that typically offers is isolating a site from modem or other CPE (Customer Premises Equipment) failure. Consider multiple connections from the same provider as a solution only for additional bandwidth, as the redundancy such a deployment offers is minimal.
Paths to the Internet
Another consideration when selecting Internet connectivity for a site is the path from the connection itself to the Internet. For redundancy purposes, multiple Internet connections from the same provider, especially of the same type, should not be relied upon as they could all fail concurrently.
With larger providers, two different types of connections such as a fiber line and DSL will usually traverse significantly different networks until reaching core parts of the network. These core network components are generally designed with high redundancy and any problems are addressed quickly since they have widespread effects. Hence such connectivity is isolated from most ISP issues, but since the connections commonly utilize the same cable path, a site is still vulnerable to extended outages from cable cuts.
Better Redundancy, More Bandwidth, Less Money
In the past, high-grade telco services such as DS1 or DS3 circuits were the choice for environments with high availability requirements. Generally the Service Level Agreements (SLA) offered on DS1 and DS3 connections were better than other types of connectivity, and those circuits were generally seen as more reliable. End-users have largely left such circuits behind, however, because they are too slow or too costly by today’s standards. With the multi-WAN capabilities on pfSense, a site can have more bandwidth and better redundancy for less money in many cases. Fiber services are rapidly becoming more widespread, shaking up this concept by providing extremely large amounts of bandwidth for relatively low cost, though such services may still have a less-than-desirable SLA for outage response.
Most organizations requiring high-availability Internet connections do not want to rely upon DSL, cable or other “lesser class” broadband Internet connections. While they’re usually significantly faster and cheaper, the lesser SLA is enough to make many companies stick with DS1 or DS3 connectivity. In areas where multiple lower-cost broadband options are available, such as DSL and cable, the combination of pfSense and two low-cost Internet connections provides more bandwidth and better redundancy at a lower cost. The chance of two different broadband connections going down simultaneously is significantly less than the chance of any single service outage. Adding a backup cable or DSL line to supplement a much faster fiber line ensures connectivity will continue when an outage occurs on the fiber line, even if it is a rare occurrence.