Policy Routing, Load Balancing and Failover Strategies

This section provides guidance on common Multi-WAN goals and how they are achieved with pfSense.

Bandwidth Aggregation

One of the primary desires with multi-WAN is bandwidth aggregation. With load balancing, pfSense can help accomplish this goal. There is, however, one caveat: If the firewall has two 5 Mbps WAN circuits, it cannot get 10 Mbps of throughput with a single client connection. Each individual connection must be tied to only one specific WAN. This is true of any multi-WAN solution other than MLPPP. The bandwidth of two different Internet connections cannot be aggregated into a single large “pipe” without involvement from the ISP. With load balancing, since individual connections are balanced in a round-robin fashion, 10 Mbps of throughput can only be achieved using two 5 Mbps circuits when multiple connections are involved. Applications that utilize multiple connections, such as many download accelerators, will be able to achieve the combined throughput capacity of the two or more connections.

Note

Multi-Link PPPoE (MLPPP) is the only WAN type which can achieve full aggregate bandwidth of all circuits in a bundle, but requires special support from the ISP. For more on MLPPP, see Multi-Link PPPoE (MLPPP).

In networks with numerous internal machines accessing the Internet, load balancing will reach speeds near the aggregate throughput by balancing the many internal connections out all of the WAN interfaces.

Segregation of Priority Services

In some situations, a site may have a reliable, high quality Internet connection that offers low bandwidth, or high costs for excessive transfers, and another connection that is fast but of lesser quality (higher latency, more jitter, or less reliable). In these situations, services can be segregated between the two Internet connections by their priority. High priority services may include VoIP, traffic destined to a specific network such as an outsourced application provider, or specific protocols used by critical applications, amongst other options. Low priority traffic commonly includes any permitted traffic that doesn’t match the list of high priority traffic. Policy routing rules can be set up to direct the high priority traffic out the high quality Internet connection, and the lower priority traffic out the lesser quality connection.

Another example of a similar scenario is getting a dedicated Internet connection for quality-critical services such as VoIP, and only using that connection for those services.

Failover Only

There are scenarios where only using failover is the best practice. Some pfSense users have a secondary backup Internet connection with a low bandwidth limit such as a 3G modem, and only want to use that connection if their primary connection fails. Gateway groups configured for failover can achieve this goal.

Another usage for failover is to ensure a certain protocol or destination always uses only one WAN unless it goes down.

Unequal Cost Load Balancing

pfSense can achieve unequal cost load balancing by setting appropriate weights on the gateways as discussed in Weight. By setting a weight on a gateway, it will be used more often in a gateway group. Weights can be set from 1 to 30, allowing

Unequal Cost Load Balancing

WAN_GW weight   WAN2_GW weight   WAN load   WAN2 load
3               2                60%        40%
2               1                67%        33%
3               1                75%        25%
4               1                80%        20%
5               1                83%        17%
30              1                97%        3%

Note that this distribution strictly balances the number of connections; it does not take interface throughput into account. This means bandwidth usage will not necessarily be distributed equally, though in most environments it works out to be roughly distributed as configured over time. This also means that if an interface is loaded to its capacity with a single high throughput connection, additional connections will still be directed to that interface.
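
The following added example (not pfSense code) models the weight table and the caveat above: connections follow the configured ratio, while bytes can end up distributed very differently. The gateway names come from the table; the pool model (each gateway repeated by its weight and served strictly in turn) and the flow sizes are assumptions constructed for illustration.

```python
from itertools import cycle

def connection_share(weights):
    """Expected share of new connections per gateway: weight / total weight."""
    total = sum(weights.values())
    return {gw: w / total for gw, w in weights.items()}

def build_pool(weights):
    """Assumed model: each gateway appears in the pool `weight` times."""
    for gw, w in weights.items():
        if not 1 <= w <= 30:  # weight range stated on the page
            raise ValueError(f"{gw}: weight {w} outside 1-30")
    return [gw for gw, w in weights.items() for _ in range(w)]

def assign(weights, flow_sizes):
    """Hand each new connection to the next pool entry, ignoring its size."""
    pool = cycle(build_pool(weights))
    stats = {gw: {"connections": 0, "bytes": 0} for gw in weights}
    for size in flow_sizes:
        gw = next(pool)  # one connection is tied to exactly one WAN
        stats[gw]["connections"] += 1
        stats[gw]["bytes"] += size
    return stats

def byte_share(stats):
    """Share of transferred bytes per gateway, to compare with connection share."""
    total = sum(s["bytes"] for s in stats.values())
    return {gw: s["bytes"] / total for gw, s in stats.items()}

# Constructed sample: 400 small connections, one of which is a large download
# that happens to land on WAN2_GW (the 4th slot of the 3:1 pool).
WEIGHTS = {"WAN_GW": 3, "WAN2_GW": 1}
FLOWS = [10_000] * 400
FLOWS[3] = 500_000_000

if __name__ == "__main__":
    stats = assign(WEIGHTS, FLOWS)
    print("expected connection share:", connection_share(WEIGHTS))
    for gw, share in byte_share(stats).items():
        print(gw, stats[gw]["connections"], "connections,", f"{share:.1%} of bytes")
```

With these constructed inputs the connection counts match the 75% / 25% row of the table, yet nearly all bytes cross WAN2_GW because of the single large flow.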