How to configure pfSense as multi wan (DUAL WAN) load balance failover router

Author: Last updated: August 4, 2016 25 comments
How do I setup a multi-WAN load balancing and failover on pfSense router with two ADSL or cable or leased-line or FTTH (Fiber to the home) connections?

In this tutorial you will learn how to configure pfSense to load balance and fail over traffic from a LAN to multiple Internet connections (WANs) i.e. dual wan.

ADVERTISEMENTS

Why and how to setup a dual wan router?

A dual wan setup allows you to increase your internet bandwidth. You can load balance traffic as per your needs. You can get internet connection redundancy and failover. If one connection goes down your traffic will be routed automatically to a backup connection.

Requirements

Two internet connections from two different ISPs. You can mix-match ADSL/FTTH/4G LTE/Cable/T1/FIOS connection as per your needs.

  1. pfSense router with three network ports (NICS).
  2. Two ISP modems with network port (NIC)
  3. Static or dynamic IPs from ISPs
  4. Monitor IP # 1 for ISP # 1 – 8.8.8.8 (google dns IP)
  5. Monitor IP # 2 for ISP # 2 – 208.69.38.205 (opendns IP)

Our sample setup

Fig.01: What you'll need to get started with this setup

Fig.01: What you’ll need to get started with this setup

  1. I have two ISP modems+routers with dynamic IP address assigned.
  2. You need to connect each modem with pfsense using an Ethernet connection.
  3. You need to connect a network switch to pfsense using an Ethernet connection.
  4. All systems/servers/printers/wifi on LAN uses 172.16.1.254/24 subnet with 172.16.1.254 as a default gateway.

Configuration

Before starting, make sure all of the WAN-type interfaces are enabled with static IP WANs and with a gateway set as described above.

Step 1: Configure pfsense LAN interface

Open pfSense web interface using http://172.16.1.254/ > Interfaces > LAN and set it as follows as per (fig.01):

Fig.02: LAN interface settings

Fig.02: LAN interface settings

Step 2: Configure pfsense wan01 interface (ADSL ISP #1)

Open pfSense web interface using http://172.16.1.254/ > Interfaces > WAN 01 and set it as follows as per (fig.01):

Fig.02: Wan 01 (ADSL ISP 1) interface settings

Fig.02: Wan 01 (ADSL ISP 1) interface settings

Now the first WAN interface configured with a Static IP from the Interfaces menu. If you want you can set type to DHCP depending on your ISP 1 modem settings. Next make sure the gateway IP responds to ping to confirm that WAN 1 is actually online and working before proceeding. You can do this from pfSense itself by visiting Diagnostics > Ping:
Make sure the ISP #1 gateway responds to ping to confirm that each WAN 1 is actually online

Make sure the ISP #1 gateway responds to ping to confirm that each WAN 1 is actually online

Step 3: Configure pfsense wan02 interface (ADSL ISP #2)

Open pfSense web interface using http://172.16.1.254/ > Interfaces > WAN 02 and set it as follows as per (fig.01):

Fig.03: Wan 02 (ADSL ISP 2) interface settings

Fig.03: Wan 02 (ADSL ISP 2) interface settings

Now the second WAN interface configured with a Static IP from the Interfaces menu. If you want you can set type to DHCP depending on your ISP 2 modem settings. Next make sure the gateway IP responds to ping to confirm that WAN 2 is actually online and working before proceeding. You can do this from pfSense itself by visiting Diagnostics > Ping:
Make sure the ISP #2 gateway responds to ping to confirm that each WAN 2 is actually online

Make sure the ISP #2 gateway responds to ping to confirm that each WAN 2 is actually online

Step 4: Confirm both gateways are online

Once both gateways have been defined, visit Status > Gateways:

Fig.04: Wan gateways status must be green

Fig.04: Wan gateways status must be green

If they’re green, the connection to the gateway is OK and you need to configure monitor IP.

Step 5: Configure monitor IP for each gateway

Visit System > Routing > Select Gateways tab and you will see a screen as follows with private IP set as monitor IP for each gateway:

Fig.05: Ensure a gateway entry exists for each WAN interface

Fig.05: Ensure a gateway entry exists for each WAN interface

Click on edit gateway icon (button) for wan_adsl2_l1GW (default) and set monitor IP to 8.8.8.8:
Fig.06: Set monitor IP for WAN 1 (ADSL ISP # 1)

Fig.06: Set monitor IP for WAN 1 (ADSL ISP # 1)

Next, click on edit gateway icon (button) for WAN_ADSL2_L2 (ADSL ISP # 2) and set monitor IP to 208.69.38.205:
Fig.07: Set monitor IP for WAN 2 (ADSL ISP # 2)

Fig.07: Set monitor IP for WAN 2 (ADSL ISP # 2)

The gateway configuration has been changed. The changes must be applied for them to take effect. So click on the Apply Changes button.
update-apply-gateway-config

Step 6: Configuring dual WAN link load balancer

Finally, you are ready to configure the pfSense as a Load Balancer by visiting System > Routing > Select the Gateway Groups > Click the “Add” button:

Fig.08: Dual wan load balancer config

Fig.08: Dual wan load balancer config

Where,

  • Set Group Name to “WanLoadBalancer“.
  • Set Gateway Priority for both gateways to “Tier 1“. Please note that when two gateways are on the same tier (e.g. Tier 1), they will load balance. This means that on a per-connection basis, connections are routed over each WAN in a round-robin manner. If any gateway on the same tier goes down, it is removed from use and the other gateways on the tier continue to operate normally.
  • Set Trigger Level to “Memberdown“.
  • Set Description to “My Dual ADSL Wan Link Load Balancer
  • Finally click the “Save” > “Apply Changes” button.

Step 7: Configuring link fail over

Next, configure the pfSense as a failover for wan connections by visiting System > Routing > Select the Gateway Groups > Click the “Add” button:

Fig.09: Link failover for ADSL link 1 (wan1/isp1)

Fig.09: Link failover for ADSL link 1 (wan1/isp1)

When two gateways are on different tiers, the lower tier gateway(s) are preferred. If a lower tier gateway goes down, it is removed from use and the next highest tier gateway is used. This is how failover works on pfSense. So to set link failover for ADSL 1:

  • Set Group Name to “ADSLLinkFailover2
  • Set Gateway Priority wan_adsl2_l1GW (ISP 1) to “Tier 1
  • Set Gateway Priority wan_adsl2_l2GW (ISP 2) to “Tier 2
  • Set Trigger Level to “Member down
  • Set Description to “Link failover for ADSL 1

Set link failover for ADSL 2 as follows and swap Gateway Priority:

Fig.10: Link failover for ADSL link 2 (wan2/isp2)

Fig.10: Link failover for ADSL link 2 (wan2/isp2)

Finally click the “Save” > “Apply Changes” button to finish the LB and failover gateway configuration.

Step 7: Configuring the firewall rules for load balancer

You need to pass traffic to these LBs using the Gateway setting on firewall rules. Click on Firewall > Rules > Lan > Add and set it as follows:

Fig.11: LB firewall rule

Fig.11: LB firewall rule

Click on the “Display advanced” button > scroll down > find Gateway option and set it to WanLoadBalancer:
Set gateway to WanLoadBalancer

Set gateway to WanLoadBalancer

Click the “Save” > “Apply Changes” button to save firewall rules.

Step 8: Configuring the firewall rules for failover

You need to pass traffic to these failover gateways using the Gateway setting on firewall rules. Click on Firewall > Rules > Lan > Add and set it as follows:

Fig.12: Failover firewall rule for ISP 1 /ADSL 1 link

Fig.12: Failover firewall rule for ISP 1 /ADSL 1 link

Click on the “Display advanced” button > scroll down > find Gateway option and set it to ADSLLinkFailover1:
Set gateway to ADSLLinkFailover1

Set gateway to ADSLLinkFailover1

Click the “Save” > “Apply Changes” button to save firewall rules. Repeat the firewall rule for ADSLLinkFailover2.

Step 9: Client configuration

Make sure you assign all the IP addresses in the following range to your client computers:

  • Network: 172.16.1.254/24
  • IP ranges: 172.16.1.1 to 172.16.1.253
  • Default gateway: 172.16.1.254
  • DNS server: 172.16.1.254 (or 8.8.8.8/8.8.4.4)

Test it as follows from client system (I’m using OpenBSD):
$ ifconfig vio0
$ netstat -nr -f inet
$ ping -c 2 google.com
$ host cyberciti.biz 172.16.1.254
Sample outputs:

Fig.13: Testing your pfSense LB/Failover router

Fig.13: Testing your pfSense LB/Failover router

You can run a speed test using fast.com or speedtest.net. You will notice and use both internet connection when using Torrents and downloading a large file from load balancing. You can use the speedtest-cli as follows to verify that bandwidth is doubled from a client computer:
$ python speedtest-cli
If one internet connections goes down, you will be still connected via failover.

What next?

You will get the wan (internet) connection redundancy and load balancing but not the router redundancy. Your internet connection will go down, if your pfSense router failed due to hardware problems. This draw back can be addressed using router redundancy setup.

🐧 If you liked this page, please support my work on Patreon or with a donation.
🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
UP NEXT
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
25 comments… add one
  • thiagoc Aug 3, 2016 @ 22:19

    “tire” -> “tier”

    Reply Link
  • ewhy Tech Aug 4, 2016 @ 9:39

    It’s important to note that the setup, above, should have a Static IP address assigned, by the ISP. Most business accounts will include a few Static IPs (anywhere from 3 – 16 addresses), as part of the service agreement.

    However, if you’re trying this on a private ISP connection, you’ll either have to ask your ISP for as Static IP address. Or you’ll have to config your WAN interface to grab an address via DHCP, first. And, then, either use ‘as-is’.

    Or, reconfigure the WAN interface to use the DHCP address as a static address.

    [NOTE: Grabbing an IP via DHCP, then entering it as a ‘Static IP’, will BREAK your configuration, in the event that your ISP updates their network, or there is a long-term power outage…. or just anything that may cause your ISP Modem (or pfSens) to refresh the DHCP Lease.]

    Reply Link
  • Alex Aug 5, 2016 @ 0:58

    How does this setup handles nat? If there is a web server or ftp server working within the internal network will it continue to work if one of the ISPs goes down? Is there a specific way to configure nat/rules if the user wants to host email or web services behind that router?

    Reply Link
  • Mark Aug 5, 2016 @ 12:33

    Can we add as many WAN connections as we want( within hardware limits)?

    Reply Link
    • Martin May 26, 2017 @ 12:35

      Yes. Just add new gateway groups and firewall rules for each of the conditions in which you would want to operate the firewall.

      For example if you had three ISP connections –
      Gateway group – runs all three connections
      Gateway group – isp1 fails
      Gateway group – isp2 fails
      Gateway group – isp3 fails
      Gateway group – isp1 & isp2 fails
      Gateway group – isp1 & isp3 fails
      Gateway group – isp2 & isp3 fails

      Reply Link
  • Francisco Gonzalez Aug 5, 2016 @ 13:21

    Nice tutorial! just one thing, the SSL traffic, I’ve noticed problems with apps like banking and CPanel, last one complains “same session with 2 differents IPs” and you get to the login page again, personally I separate the SSL traffic from HTTP using source port in the firewall rules and using failover rules like you show us for SSL only.

    Again very nice tutorial!

    Francisco

    Reply Link
  • Etienne Nov 25, 2016 @ 11:44

    Hi !
    I believe “failover” is useless on the latest pfsense version
    if load balance have only two WANs.
    can you confirm ?
    Also, some servers may generate problems if using two different IP when accessing them.
    Do you know some solution else than the “stick to ip” on the general options ?

    Reply Link
  • Zoltan Dec 6, 2016 @ 12:40

    I have now 3 gateway groups, one load balancer and two failover.
    I’m about to configure the firewall rules.
    What should be the order of these rules, or is it optional??
    Thanks! :)

    Reply Link
  • jaomadn Jan 25, 2017 @ 1:00

    hi,
    May i ask also if i need a wan load balancer if i want to separate a browsing traffic from other traffic. like gaming..

    Reply Link
  • benjamin Feb 10, 2017 @ 18:26

    Hi after setting everything it seems to work, but if for example I disconnect my wan1 cable I cannot browse anything from the lan via my wan2, if I do a ping disgnistic on the second wan it will send the packets ok, am I missing soemthing?

    Regards

    Reply Link
    • benjamin Feb 10, 2017 @ 18:41

      For anyone having this issue I resolved it by going to firewall > lan > edited the lan rule and added on gateway Wanloadbalancer

      Reply Link
      • benjamin Feb 10, 2017 @ 18:44

        Sorry this did not fix anything I am still having trouble to browse from the lan, and this only made a combine of the 2 ISPs having difficulties since Ip changes a lot.

        Reply Link
  • metty Apr 3, 2017 @ 9:28

    thank you for this nice tutorial! Helped me a lot! In Step 7 and 8 there are two different Firewall > Rules > Lan > Add. One “Add” adds on top, the other on the bottom. As I remarked, the position is also important. Mabye you could add a screenshot in the end whith the positions of the firewall rules.

    Reply Link
  • shawnw May 14, 2017 @ 17:54

    would like to know how i should add firewall rukles with this setup i have a email server on the lan network and i have a dyndns running to to auto update to the best external ip at the time how can i setup the firewall tio send and receive the email ports over this load balance rule?

    Reply Link
  • Shahriar May 21, 2017 @ 12:24

    Hi
    Can you update this tutoriul for connect 3g modem? Please

    Reply Link
  • Jorge May 23, 2017 @ 13:52

    Sometimes the WAN connections aren’t of the same bandwidth. so in this case the WEIGHT option is useful (System->Routing->Gateway) edit the gateway and in Advanced Option set a Weight.

    Reply Link
  • K T YEO Oct 6, 2017 @ 2:00

    Hi Vivek Gite,
    Good Day,
    May I know?
    Can pfsense :
    1. give me bandwidth BONDING or AGGREGATION OR ADD bandwidth
    eg.
    If I have 8 dynamic ip WAN that is asymmetrical with such speeds of : upstream = 50Mbps , downstream = 100Mbps
    this is the maximum link speed that I can subscribe at my current location.
    I have 100+ cpu/windows PC for gaming purposes
    location = malaysia post code 75450
    meaning will pfsense give me 400Mbps upstream bandwidth and 800Mbps downstream bandwidth?
    thus provides 4Mbps for each PC of upstream speed/bandwidth
    this is my primary router
    I may face a challenge of getting 8 PCI Ethernet card slots PC to work on pfsense.
    does pfsense works with usb/lan adapter to use as wan?

    Is there a hardware appliance, pfsense with 8 WAN?

    can I also configure in same network a backup router (secondary) with dedicate 4 WAN of similar specs above so when any of the 1st pfsense WAN fails or its router fails, 2nd router with separate WAN will take over.

    can I also configure pfsense secondary router to return to primary router as soon as the outage at primary router is restored?

    which linux flavour works best with pfsense?

    i hope you can assist me. (newbies)

    thank you so very much.
    best regards,
    /kt yeo

    Reply Link
  • Rahul Aug 12, 2020 @ 22:29

    Is failover completely seamless ?
    Can we do a demo uaing skype call and during call disconnect the primary ISP to see that switch over to secondary ISP is seamless if call progresses without any disruption.

    Reply Link
  • Germano Sep 9, 2020 @ 15:21

    Thanks for the article is very useful for me.
    I’ve a doubt, I need to configure only the failover group on my pfsense because the load balanced is not necessary; can i skip this step or failover can’t work without load balancer rule?

    Reply Link
  • LTEFan Sep 14, 2020 @ 18:02

    Don’t we need DNS firewall rule too? Otherwise it won’t work.

    Reply Link
  • Jose Oct 2, 2020 @ 16:38

    Nice tutorial.
    But is it necessary that the connection interfaces of the ISPs will be ethernet ? is it not possible to do it with vlan interfaces?

    Reply Link
    • 🐧 Vivek Gite Oct 2, 2020 @ 17:54

      You can use PPPoE, VLAN and many other options as all of those supported by pfSense.

      Reply Link

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.

Next FAQ:

Previous FAQ: