In this tutorial you will learn how to configure pfSense to load balance and fail over traffic from a LAN to multiple Internet connections (WANs) i.e. dual wan.
Why and how to setup a dual wan router?
A dual wan setup allows you to increase your internet bandwidth. You can load balance traffic as per your needs. You can get internet connection redundancy and failover. If one connection goes down your traffic will be routed automatically to a backup connection.
Two internet connections from two different ISPs. You can mix-match ADSL/FTTH/4G LTE/Cable/T1/FIOS connection as per your needs.
- pfSense router with three network ports (NICS).
- Two ISP modems with network port (NIC)
- Static or dynamic IPs from ISPs
- Monitor IP # 1 for ISP # 1 – 184.108.40.206 (google dns IP)
- Monitor IP # 2 for ISP # 2 – 220.127.116.11 (opendns IP)
Our sample setup
- I have two ISP modems+routers with dynamic IP address assigned.
- You need to connect each modem with pfsense using an Ethernet connection.
- You need to connect a network switch to pfsense using an Ethernet connection.
- All systems/servers/printers/wifi on LAN uses 172.16.1.254/24 subnet with 172.16.1.254 as a default gateway.
Before starting, make sure all of the WAN-type interfaces are enabled with static IP WANs and with a gateway set as described above.
Step 1: Configure pfsense LAN interface
Open pfSense web interface using http://172.16.1.254/ > Interfaces > LAN and set it as follows as per (fig.01):
Step 2: Configure pfsense wan01 interface (ADSL ISP #1)
Open pfSense web interface using http://172.16.1.254/ > Interfaces > WAN 01 and set it as follows as per (fig.01):
Step 3: Configure pfsense wan02 interface (ADSL ISP #2)
Open pfSense web interface using http://172.16.1.254/ > Interfaces > WAN 02 and set it as follows as per (fig.01):
Step 4: Confirm both gateways are online
Once both gateways have been defined, visit Status > Gateways:
Step 5: Configure monitor IP for each gateway
Visit System > Routing > Select Gateways tab and you will see a screen as follows with private IP set as monitor IP for each gateway:
Next, click on edit gateway icon (button) for WAN_ADSL2_L2 (ADSL ISP # 2) and set monitor IP to 18.104.22.168:
The gateway configuration has been changed. The changes must be applied for them to take effect. So click on the Apply Changes button.
Step 6: Configuring dual WAN link load balancer
Finally, you are ready to configure the pfSense as a Load Balancer by visiting System > Routing > Select the Gateway Groups > Click the “Add” button:
- Set Group Name to “WanLoadBalancer“.
- Set Gateway Priority for both gateways to “Tier 1“. Please note that when two gateways are on the same tier (e.g. Tier 1), they will load balance. This means that on a per-connection basis, connections are routed over each WAN in a round-robin manner. If any gateway on the same tier goes down, it is removed from use and the other gateways on the tier continue to operate normally.
- Set Trigger Level to “Memberdown“.
- Set Description to “My Dual ADSL Wan Link Load Balancer“
- Finally click the “Save” > “Apply Changes” button.
Step 7: Configuring link fail over
Next, configure the pfSense as a failover for wan connections by visiting System > Routing > Select the Gateway Groups > Click the “Add” button:
- Set Group Name to “ADSLLinkFailover2“
- Set Gateway Priority wan_adsl2_l1GW (ISP 1) to “Tier 1“
- Set Gateway Priority wan_adsl2_l2GW (ISP 2) to “Tier 2“
- Set Trigger Level to “Member down“
- Set Description to “Link failover for ADSL 1“
Set link failover for ADSL 2 as follows and swap Gateway Priority:
Step 7: Configuring the firewall rules for load balancer
You need to pass traffic to these LBs using the Gateway setting on firewall rules. Click on Firewall > Rules > Lan > Add and set it as follows:
Click the “Save” > “Apply Changes” button to save firewall rules.
Step 8: Configuring the firewall rules for failover
You need to pass traffic to these failover gateways using the Gateway setting on firewall rules. Click on Firewall > Rules > Lan > Add and set it as follows:
Click the “Save” > “Apply Changes” button to save firewall rules. Repeat the firewall rule for ADSLLinkFailover2.
Step 9: Client configuration
Make sure you assign all the IP addresses in the following range to your client computers:
- Network: 172.16.1.254/24
- IP ranges: 172.16.1.1 to 172.16.1.253
- Default gateway: 172.16.1.254
- DNS server: 172.16.1.254 (or 22.214.171.124/126.96.36.199)
Test it as follows from client system (I’m using OpenBSD):
$ ifconfig vio0
$ netstat -nr -f inet
$ ping -c 2 google.com
$ host cyberciti.biz 172.16.1.254
$ python speedtest-cli
If one internet connections goes down, you will be still connected via failover.
You will get the wan (internet) connection redundancy and load balancing but not the router redundancy. Your internet connection will go down, if your pfSense router failed due to hardware problems. This draw back can be addressed using router redundancy setup.
🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
|Category||List of Unix and Linux commands|
|Firewall||Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04|
|Network Utilities||dig • host • ip • nmap|
|OpenVPN||CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04|
|Package Manager||apk • apt|
|Processes Management||bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time|
|Searching||grep • whereis • which|
|User Information||groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w|
|WireGuard VPN||Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04|