
Screen shot 2011-02-05 at 20.01.13

Speeding up your internet connection with WAN load balancing

To start with, this either requires multiple Internet connections or, like me, an ISP that gives you 100 Mbit/s download and 10 Mbit/s upload. My ISP gives me a 100 Mbit/s full-duplex connection but limits the upload to 10 Mbit/s per IP. Notice, per IP address! I can get five IP addresses, which means 5 x 10 Mbit/s upload. I could have five different computers all uploading at 10 Mbit/s, or five network cards (NICs) in one computer with load balancing. Of course I use the load balancing solution, with pfSense as the OS for my router.

To make things even better you can do this in a virtual machine; I use VMware ESXi with a dedicated NIC connected to the Internet.

Internet connection in ESXi

Now, create five virtual NICs on that virtual machine like this.

Five virtual NICs

As you can see there are five NICs connected to the Internet and one to my LAN. Continue by installing pfSense, connecting the LAN NIC and the first WAN NIC during the installation. Your Internet connection should be working (but without load balancing) before you go to the next step.

Go to Interfaces > Assign and add your remaining NICs as OPT1-4. When activating them, don’t forget to check “Enable optional interface” at the top of the page and check “Disable userland FTP-proxy application” too.

NICs assigned to opt1-4

All your NICs should get an IP address (hopefully). Check this under Status > Interfaces; it should look something like the picture below.

All NICs have IP addresses

The next step is to create a pool for Load balancing containing all the WAN NICs. This is done under Services > Load balancer.

Use the following settings:
Type: Gateway
Behavior: Load balancing
Monitor: DNS Server 1 (use this if your NICs are all connected to the same ISP, otherwise the gateway of each NIC)

Now, add the interfaces and set an appropriate name for the pool.

Load balancing pool

The last step is to make sure the pool is actually used, which is done with a firewall rule. Go to Firewall > Rules, open the LAN tab, edit the existing rule and change its gateway to your pool’s name.

Gateway changed

You’re done! This is what I get when using speedtest.net (which doesn’t show my real upload speed; I’ve been achieving at least 30 Mbit/s with multiple upload connections).

Speed test

Speedtest nr 2

Now, there’s one thing left. HTTPS can be a bit cranky when it’s load balanced (a session whose connections leave from different source addresses can get rejected by the server), so add a firewall rule to make sure HTTPS always runs from/to the first WAN NIC. Add a new rule under Firewall > Rules on the LAN tab: choose destination port range and select HTTPS, and set the gateway to Default (not the LB pool). Save the rule and move it to the top of the rule list on the LAN tab, since rules are evaluated top to bottom and the first match wins. I’ve added rules for both HTTPS and HTTP.

HTTP and HTTPS rules
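The ordering point above is easy to get wrong, so here is a small added example (not code from the original post or from pfSense) that models first-match rule evaluation and round-robin gateway selection over the five WAN interfaces. The rule format (proto, destination port, gateway), the pool name LBpool and the function names are this example's own assumptions; "default" stands for the default gateway on the first WAN NIC.

```shell
#!/bin/sh
# Added example: a tiny model of how pfSense picks a gateway for a new LAN flow.
# Rules are evaluated top to bottom and the first match wins, which is why the
# HTTPS rule has to sit above the catch-all rule that points at the LB pool.

# Constructed rule sets. Fields: proto dst_port gateway ("any" = wildcard).
# "default" is the default WAN gateway; "LBpool" is the assumed pool name.
RULES_GOOD='tcp 443 default
tcp 80 default
any any LBpool'

# Same rules with the catch-all first: the HTTPS rule is never reached.
RULES_BAD='any any LBpool
tcp 443 default
tcp 80 default'

# select_gateway RULES PROTO DST_PORT
# Prints the gateway named by the first matching rule; exits 1 when nothing
# matches (pfSense drops traffic that matches no rule).
select_gateway() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NF == 3 && ($1 == "any" || $1 == proto) && ($2 == "any" || $2 == port) {
            print $3; found = 1; exit
        }
        END { exit !found }'
}

# The five WAN interfaces from the post, as pool members.
POOL_MEMBERS='WAN OPT1 OPT2 OPT3 OPT4'

# pool_member N -> the N-th member (1-based), wrapping around: plain round-robin.
pool_member() {
    echo $POOL_MEMBERS | awk -v n="$1" '{ print $(((n - 1) % NF) + 1) }'
}

# route_flow RULES PROTO DST_PORT SEQ -> the interface the SEQ-th flow exits on.
# Flows sent to the pool are spread round-robin; the default gateway is WAN.
route_flow() {
    gw=$(select_gateway "$1" "$2" "$3") || return 1
    if [ "$gw" = LBpool ]; then pool_member "$4"; else printf 'WAN\n'; fi
}

# Demo: with the good ordering every HTTPS flow stays on WAN while other traffic
# rotates over the pool; with the bad ordering HTTPS hops between addresses.
for seq in 1 2 3; do
    echo "good: https -> $(route_flow "$RULES_GOOD" tcp 443 "$seq")  ssh -> $(route_flow "$RULES_GOOD" tcp 22 "$seq")"
    echo "bad:  https -> $(route_flow "$RULES_BAD" tcp 443 "$seq")"
done
```

Run it as-is: the "good" lines keep HTTPS on WAN and rotate SSH over WAN, OPT1, OPT2, while the "bad" lines show HTTPS rotating too, which is exactly the behaviour the top-of-list rule prevents.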

How to set up a PPTP server in Linux

I really don’t like having a lot of ports forwarded into my private network. To still be able to reach the computers behind my NAT router, I’m using a PPTP server.

My example will be based on Ubuntu Linux.

Start by installing pptpd.

apt-get install pptpd

Edit /etc/pptpd.conf and have a look at the bottom of the file; you should see two lines saying “localip” and “remoteip”. Configure those according to your network. Mine say:

localip 172.16.0.250
remoteip 172.16.0.251-254

Now it’s time to add our internal DNS servers (or the ISP’s DNS servers if you don’t have your own). This is done by editing /etc/ppp/options and changing the lines saying ms-dns.

ms-dns 172.16.0.6
# ms-dns 192.168.1.2

I only have one internal DNS, so the other one is commented out.

We need a user and a password to be able to log in; this is configured in /etc/ppp/chap-secrets like this:

username     pptpd      secret_password       *

First the username, then pptpd, then your password and last * to allow connecting from any host. The password is stored in clear text here, so keep the file readable by root only.

The last step is to enable IP forwarding in the kernel. Edit /etc/sysctl.conf and remove the comment from net.ipv4.ip_forward=1. Reboot your computer or run “sysctl net.ipv4.ip_forward=1” at the command prompt.

Last, make sure the right TCP port (1723) is forwarded to your Linux server in the firewall. PPTP carries the tunnel itself over GRE (IP protocol 47), so the firewall has to let that through as well or the control connection will succeed but no traffic will flow.