Multiple WAN Connections¶
- Multi-WAN Terminology and Concepts
- Policy Routing, Load Balancing and Failover Strategies
- Multi-WAN Caveats and Considerations
- Summary of Multi-WAN Requirements
- Load Balancing and Failover with Gateway Groups
- Interface and DNS Configuration
- Multi-WAN and NAT
- Policy Routing Configuration
- Verifying Functionality
- IPsec in Multi-WAN Environments
- Using OpenVPN with Multi-WAN
- Multi-WAN on a Stick
- Multi-Link PPPoE (MLPPP)
The multiple WAN (multi-WAN) capabilities in pfSense® software allow a firewall to utilize multiple Internet connections to achieve more reliable connectivity and greater throughput capacity.
Before proceeding with a multi-WAN configuration, the firewall must have a functional two interface (LAN and WAN) configuration.
pfSense software is capable of handling numerous WAN interfaces, with multiple deployments using over 10 WANs in production.
All WAN-type interfaces are treated identically in the GUI. Anything that can be done with the primary WAN can also be done with an additional OPT WAN interface. There are no significant differences between the primary WAN and additional WANs.
This section starts by covering items to consider when implementing any multi-WAN solution, then covers multi-WAN configuration with pfSense software.
For a brief run-down of what to configure when setting up Multi-WAN on pfSense software, see Summary of Multi-WAN Requirements.
Choosing Internet Connectivity¶
The ideal choice of Internet connectivity depends largely upon the options available at a given location, but there are some additional factors to take into consideration.
Speaking from the experience of those who have seen first hand the effects of multiple cable-seeking backhoes, as well as nefarious copper thieves, it is highly desirable to obtain connectivity choices for a multi-WAN deployment which utilize disparate cabling paths. In many locations, DSL connections as well as any others utilizing copper pairs are carried on a single cable subject to the same cable cut, and others from the same company such as fiber circuits may run along the same poles or conduits.
If one connection comes in over copper pair (DSL), choose a secondary connection utilizing a different type and path of cabling. Cable connections are typically the most widely available option not subject to the same outage as copper services. Other options include fiber service or fixed wireless coming in on a different path from copper services.
Two connections of the same type cannot be relied upon to provide redundancy in most cases. An ISP outage or cable cut will commonly take down all connections of the same type. Some people use multiple DSL lines or multiple cable modems, though the only redundancy that typically offers is isolating a site from modem or other CPE (Customer Premise Equipment) failure. Consider multiple connections from the same provider as a solution only for additional bandwidth, as the redundancy such a deployment offers is minimal.
Paths to the Internet¶
Another consideration when selecting Internet connectivity for a site is the path from the connection itself to the Internet. For redundancy purposes, multiple Internet connections from the same provider, especially of the same type, should not be relied upon as they could all fail concurrently.
With larger providers, two different types of connections such as a Fiber line and DSL will usually traverse significantly different networks until reaching core parts of the network. These core network components are generally designed with high redundancy and any problems are addressed quickly since they have widespread effects. Hence such connectivity is isolated from most ISP issues, but since they commonly utilize the same cable path, it still leaves a site vulnerable to extended outages from cable cuts.
Better Redundancy, More Bandwidth, Less Money¶
In the past, high-grade services such as DS1 or DS3 circuits were the choice for environments with high availability requirements. Generally the Service Level Agreements (SLA) offered on DS1 and DS3 connections were better than other types of connectivity, and those circuits were generally seen as more reliable. End users have largely left such circuits behind, however, because they are too slow or too costly by today’s standards. With the multi-WAN capabilities on pfSense software a site can have more bandwidth and better redundancy for less money in many cases. Fiber services are rapidly becoming more widespread, shaking up this concept by providing extremely large amounts of bandwidth for relatively low cost, though such services may still have a less-than-desirable SLA for outage response.
Most organizations which require high availability Internet connections do not want to rely upon DSL, cable or other “lesser class” broadband Internet connections. While they are usually significantly faster and cheaper, the unfavorable SLA is enough to make many companies think twice. In areas where multiple lower cost broadband options are available, such as fiber and cable, the combination of pfSense software and two low cost Internet connections provides more bandwidth and better redundancy at a lower cost. The chance of two different broadband connections going down simultaneously is significantly less than the chance of any single service outage. Adding a backup Cable or DSL line to supplement a much faster fiber line ensures connectivity will continue when an outage occurs on the fiber line, even if it is a rare occurrence.