Asus Dual Wan Load Balance Problems




A Gateway Group is necessary to set up a Load Balancing or Failover configuration. The group itself does not cause any action to be taken, but when the group is used later, such as in policy routing firewall rules, it defines how the items utilizing the group will behave.

I'm not sure what metric the Asus uses. It could be actual bandwidth, or it could simply be number of individual connections. As an example of how you could see problems: let's say one ISP is 10x faster than the other, and let's say you set load balancing to 1:1. You would essentially be limited to the slowest ISP. I have recently purchased dual 1Gbps fibre broadband which I am wanting to run via my ASUS RT-AC88U in Load Balance mode with a 1:1 ratio. I utilised LAN port 3 as my secondary WAN (leaving ports 1 & 2 free for NAS Link Aggregation when I purchase my NAS) but that's when some of the problems started. Hence, if you own an Asus Router (like the Asus RT-AC68U) which is capable of handling multiple WAN connections (aka Dual-WAN routers), it’s best to configure the load balancer mode. The. You can use dual WAN either in Load Balance or in Fail Over mode. If you use Load Balance mode then you can split your internet traffic between Primary and Secondary connections. You can set up your router so that a particular device in your LAN uses either primary or secondary.

The same gateway may be included in multiple groups so that several different scenarios can be configured at the same time. For example, some traffic can be load balanced, and other traffic can use failover, and the same WAN can be used in both capacities by using different gateway groups.

A common example setup for a two WAN firewall contains three groups:

  • LoadBalance: Gateways for WAN1 and WAN2 both on Tier 1

  • PreferWAN1: Gateway for WAN1 on Tier 1, and WAN2 on Tier 2

  • PreferWAN2: Gateway for WAN1 on Tier 2, and WAN2 on Tier 1

No matter which strategy is chosen, the best practice is to have at least one failover group and to set that failover group to be used as the default gateway on the firewall. This ensures that the firewall always has a viable default gateway, and using a gateway group ensures that the correct gateways are used for this function and in the intended order. See Managing the Default Gateway for details.

Configuring a Gateway Group for Load Balancing or Failover


To create a gateway group for Load Balancing or Failover:

  • Navigate to System > Routing, Groups tab

  • Click Add to create a new gateway group

  • Fill in the options on the page as described in Gateway Group Options

  • Click Save

Load Balancing

Any two gateways on the same tier are load balanced. For example, if Gateway A, Gateway B, and Gateway C are all Tier 1, connections would be balanced between them. Gateways that are load balanced will automatically fail over between each other. When a gateway fails it is removed from the group, so in this case if any one of A, B, or C went down, the firewall would load balance between the remaining online gateways.


Weighted Balancing


If two WANs need to be balanced in a weighted fashion due to differing amounts of bandwidth between them, that can be accommodated by adjusting the Weight parameter on the gateway as described in Unequal Cost Load Balancing and Advanced Gateway Settings.


Failover

Gateways on a lower numbered tier are preferred by the firewall, and if they are down then gateways of a higher numbered tier are used. For example, if Gateway A is on Tier 1, Gateway B is on Tier 2, and Gateway C is on Tier 3, then Gateway A would be used first. If Gateway A goes down, then Gateway B would be used. If both Gateway A and Gateway B are down, then Gateway C would be used.

Complex/Combined Scenarios

By extending the concepts above for Load Balancing and Failover, complicated scenarios are possible that combine both load balancing and failover. For example, if Gateway A is on Tier 1, and Gateway B and Gateway C are on Tier 2, then Gateway D on Tier 3, the following behavior occurs: Gateway A is preferred on its own. If Gateway A is down, then traffic would be load balanced between Gateway B and Gateway C. Should either Gateway B or Gateway C go down, the remaining online gateway in that tier would still be used. If Gateway A, Gateway B, and Gateway C are all down, traffic would fail over to Gateway D.

Any other combination of the above can be used, so long as it can be arranged within the limit of 5 tiers.
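The tier rules above can be checked with a small model before a group is put behind policy routing rules. The following is an added example, not pfSense code: `Member`, `active_members`, `traffic_shares` and the sample group are hypothetical names, and treating each gateway's share as proportional to its weight (default 1) is an assumption of the model.

```python
from dataclasses import dataclass

MAX_TIERS = 5  # the page states a limit of 5 tiers


@dataclass(frozen=True)
class Member:
    name: str
    tier: int
    weight: int = 1  # assumption: equal weight unless set otherwise


def active_members(group, online):
    """Return members of the lowest-numbered tier that has an online gateway."""
    for m in group:
        if not 1 <= m.tier <= MAX_TIERS:
            raise ValueError(f"{m.name}: tier {m.tier} outside 1..{MAX_TIERS}")
    # A failed gateway is removed from consideration, as the page describes.
    up = [m for m in group if m.name in online]
    if not up:
        return []
    best = min(m.tier for m in up)
    return [m for m in up if m.tier == best]


def traffic_shares(group, online):
    """Map gateway name -> fraction of new connections (proportional to weight)."""
    members = active_members(group, online)
    total = sum(m.weight for m in members)
    return {m.name: m.weight / total for m in members}


# Constructed group for the combined scenario:
# A on Tier 1, B and C on Tier 2, D on Tier 3.
COMBINED = [Member("A", 1), Member("B", 2), Member("C", 2), Member("D", 3)]

# Constructed weighted group: both WANs on Tier 1 with unequal weights.
WEIGHTED = [Member("WAN1", 1, weight=3), Member("WAN2", 1, weight=1)]

if __name__ == "__main__":
    for online in ({"A", "B", "C", "D"}, {"B", "C", "D"}, {"C", "D"}, {"D"}, set()):
        print(sorted(online), "->", traffic_shares(COMBINED, online))
    print(traffic_shares(WEIGHTED, {"WAN1", "WAN2"}))
```

An empty result means no member of the group is online, which is the condition the failover default gateway recommendation is meant to avoid.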

Problems with Load Balancing

Some websites store session information including the client IP address, and if a subsequent connection to that site is routed out a different WAN interface using a different public IP address, the website will not function properly. This is becoming more common with banks and other security-minded sites. One method of working around this issue is to create a failover group and direct traffic destined to these sites to the failover group rather than a load balancing group. Alternately, perform failover for all HTTPS traffic.

The sticky connections feature of pf is intended to resolve this problem, but it has historically been problematic. It is safe to use, and should alleviate this, but there is also a downside to using the sticky option. When using sticky connections, an association is held between the client IP address and a given gateway; it is not based on the destination. When the sticky connections option is enabled, any given client would not load balance its connections between multiple WANs, but it would be associated with whichever gateway it happened to use for its first connection. Once all of the client states have expired, the client may exit a different WAN for its next connection, resulting in a new gateway pairing. As such, it works best in environments with many clients where one client utilizing a single WAN does not have a large impact.
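The session problem and the sticky trade-off described above can be seen side by side in a short simulation. This is an added example, not pf's implementation: the function names, the round-robin choice of gateway and the constructed connection list are assumptions, and state expiry is not modelled.

```python
from itertools import cycle


def egress_per_connection(connections, gateways):
    """Plain balancing: each new connection takes the next gateway in turn."""
    rr = cycle(gateways)
    return [(client, dest, next(rr)) for client, dest in connections]


def egress_sticky(connections, gateways):
    """Sticky: a client's first connection picks a gateway; later ones reuse it.

    The association is keyed on the client IP only, not on the destination.
    """
    rr = cycle(gateways)
    assoc = {}
    flows = []
    for client, dest in connections:
        if client not in assoc:
            assoc[client] = next(rr)
        flows.append((client, dest, assoc[client]))
    return flows


def sessions_seen_from_multiple_wans(flows):
    """Return (client, dest) pairs whose connections left via more than one WAN.

    These are the sessions an IP-bound site would reject or reset.
    """
    seen = {}
    for client, dest, gw in flows:
        seen.setdefault((client, dest), set()).add(gw)
    return sorted(pair for pair, gws in seen.items() if len(gws) > 1)


def gateways_used_by(flows, client):
    """Set of gateways a single client's connections were spread across."""
    return {gw for c, _, gw in flows if c == client}


# Constructed sample: two LAN clients, repeated connections to the same sites.
CONNECTIONS = [
    ("10.0.0.5", "bank.example"),
    ("10.0.0.6", "news.example"),
    ("10.0.0.5", "bank.example"),
    ("10.0.0.5", "bank.example"),
    ("10.0.0.6", "news.example"),
]
GATEWAYS = ["WAN1", "WAN2"]

if __name__ == "__main__":
    print(sessions_seen_from_multiple_wans(egress_per_connection(CONNECTIONS, GATEWAYS)))
    print(sessions_seen_from_multiple_wans(egress_sticky(CONNECTIONS, GATEWAYS)))
```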