OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: BenKenobi on June 19, 2022, 09:50:46 pm

Title: Loadbalancing - still broken
Post by: BenKenobi on June 19, 2022, 09:50:46 pm
Thought I'd give OPNsense another shot but loadbalancing still won't work - pfSense load balancing works out of the box and is a breeze to configure compared to OPNsense. Even if configured to the letter OPNsense makes no attempt whatsoever to balance load - yes even with the appropriate gateway set in the 'all LAN traffic' rule all traffic is pushed on the default regardless.

All the guides I have read to make loadbalancing work in OPNsense require the use of unbound - don't use it, no intention of doing so - I run my own internal DNS / DHCP systems.

There's a lot to like about OPNsense but this is a showstopper for me.

Is there a solution to make load balancing work without unbound OR any kind of gateway monitoring?
Title: Re: Loadbalancing - still broken
Post by: Patrick M. Hausen on June 19, 2022, 09:57:23 pm
Load balancing of WHAT?
Title: Re: Loadbalancing - still broken
Post by: BenKenobi on June 19, 2022, 11:34:58 pm
How many load balancing features does OPNsense possess? - dual WAN

Title: Re: Loadbalancing - still broken
Post by: defaultuserfoo on June 20, 2022, 12:36:55 am
Unbound isn't needed for that at all.

But as long as you can't make a gateway group the default gateway, I don't see how load balancing is supposed to actually work in OPNsense.
Title: Re: Loadbalancing - still broken
Post by: Patrick M. Hausen on June 20, 2022, 12:52:10 am
Quote
How many load balancing features does OPNsense possess? - dual WAN

Load balancing of a farm of servers via HAproxy is the first in my mind.

So you mean load balancing of outbound connections to the Internet via two (or more) uplinks? You still have not written what you want to do with that "dual WAN".
Title: Re: Loadbalancing - still broken
Post by: Patrick M. Hausen on June 20, 2022, 12:58:56 am
Quote
But as long as you can't make a gateway group the default gateway, I don't see how load balancing is supposed to actually work in OPNsense.

You could create your two uplink interfaces and their respective gateways and NOT pick any of them as the default GW. Then add two static routes - one for each gateway - destination 0.0.0.0/0.

Theoretically equal cost multipath should work in FreeBSD 13. I'd be happy to relay further questions to FreeBSD network developers I happen to know. I just don't have the setup available or the time to create a lab installation just now.
Title: Re: Loadbalancing - still broken
Post by: BenKenobi on June 20, 2022, 01:19:40 am
The default gateway which is one of the WAN interfaces never changes and it uses that exclusively despite both WAN and OPT1 being part of a tier 1 group - each WAN has its own gateway and is a distinct ISP account. The tier 1 group comprising WAN and OPT1 (both are set as tier 1) is set up as the default route for all outgoing LAN traffic.

No matter how much traffic transits the group it all passes out on the default WAN.

In pfSense it just works, same kind of configuration, I'd like to move away from pfSense but I keep hitting barriers like this.
Title: Re: Loadbalancing - still broken
Post by: defaultuserfoo on June 20, 2022, 01:08:33 pm
Quote
But as long as you can't make a gateway group the default gateway, I don't see how load balancing is supposed to actually work in OPNsense.
You could create your two uplink interfaces and their respective gateways and NOT pick any of them as the default GW. Then add two static routes - one for each gateway - destination 0.0.0.0/0.

Theoretically equal cost multipath should work in FreeBSD 13. I'd be happy to relay further questions to FreeBSD network developers I happen to know. I just don't have the setup available or the time to create a lab installation just now.

Ha!  What an unlikely approach!  I'd never think of it because in my experience, setting ambiguous routes is a bad idea.

Anyway, as BenKenobi points out, it doesn't work anyway.

I would expect to be able to set a gateway group as the default gateway.  That is the only logical way I can see.  There is no documentation as to how to do it.  And the wizard should allow us to set up a multiple-WAN configuration like that.  I couldn't even get a second WAN interface to work without logging in on the console and starting pppoed manually.  There is no way in the GUI to do that other than enabling the corresponding interface, and you can not assign an interface before the pppoe connection is up, so you're screwed.  That is definitely buggy, but since we can't make bug reports ...
Title: Re: Loadbalancing - still broken
Post by: Patrick M. Hausen on June 20, 2022, 01:25:06 pm
You can make bug reports on github.

I see - PPPoE is a different matter altogether, because that is supposed to push a whole lot of configuration down to the client, OPNsense in this case. Similar to DHCP you can only have one dynamically configured interface.

I was thinking business uplinks with static configuration ...
Title: Re: Loadbalancing - still broken
Post by: franco on June 20, 2022, 01:35:03 pm
Yep, qualified ticket please. I can assure you there is at least one setup mistake at play here, but we won't know which until it's properly documented by the reporter.


Cheers,
Franco
Title: Re: Loadbalancing - still broken
Post by: BenKenobi on June 20, 2022, 02:58:30 pm
Quote
I can assure you there is at least one setup mistake at play here

Sorry that doesn't offer many clues - if you suspect a configuration error then perhaps the documentation should make such configurations clearer.

Even so I'm not so sure - simply because the config works in pfSense, of course pfSense could be broken but if so I'm glad it is. To add even further insult OPNsense insists on using the default gateway even when a 1:1 NAT explicitly says not to. The 'default' gateway is taking priority over everything, even if a specific gateway is stated in the Firewall rules for LAN outgoing traffic it is ignored and traffic exits on the 'default' gateway. Load shaping etc flat out doesn't work.

How do I know - because my mail servers are supposed to use one gateway only, no exceptions, 1:1 in place and LAN rules. They don't as confirmed by RFC headers on a receiver which messes up my SPF and DMARC.

I'll do what I can to report but I'll be going back to pfSense unfortunately, I'd rather not because I don't care a lot for the direction Netgate are taking things, but I don't have time to mess with this. I will leave the system set up so that I can play but once I collect everything required for the report I'll be taking OPNsense down.
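
The egress check described in the post above (reading the Received header stamped by the receiving server and comparing the recorded client address with the SPF-authorised one) can be scripted. This is an added example, not part of the original post; the addresses, hostnames and SPF record are constructed, and 198.51.100.7 is assumed to be the WAN the mail servers are meant to use.

```python
import email
import ipaddress
import re

# Constructed sample data: the SPF record authorises only the intended mail WAN,
# while the message left through the other uplink (203.0.113.9).
SPF_RECORD = "v=spf1 ip4:198.51.100.7 -all"
RAW_MESSAGE = """\
Received: from mail.example.org (mail.example.org [203.0.113.9])
\tby mx.receiver.example with ESMTPS id abc123;
\tMon, 20 Jun 2022 14:00:00 +0000
Received: from [192.168.1.25] (localhost [127.0.0.1])
\tby mail.example.org with ESMTP id def456;
\tMon, 20 Jun 2022 13:59:58 +0000
From: postmaster@example.org
To: check@receiver.example
Subject: egress test

test
"""

def spf_networks(record):
    """Return the ip4:/ip6: networks of an SPF record (no DNS, no include: expansion)."""
    nets = []
    for term in record.split()[1:]:
        m = re.fullmatch(r"\+?(ip4|ip6):(\S+)", term)
        if m:
            nets.append(ipaddress.ip_network(m.group(2), strict=False))
    return nets

def egress_ip(raw):
    """Client IP recorded by the receiving MX in the topmost Received header.

    Only that header is trustworthy: it is added by the receiver, whereas
    every Received header below it was supplied by the sending side.
    """
    msg = email.message_from_string(raw)
    top = (msg.get_all("Received") or [""])[0]
    m = re.search(r"\[([0-9A-Fa-f:.]+)\]", top)
    return ipaddress.ip_address(m.group(1)) if m else None

def check_egress(raw, record):
    """Return (egress IP, True if that IP is covered by the SPF record)."""
    ip = egress_ip(raw)
    ok = ip is not None and any(ip in net for net in spf_networks(record))
    return ip, ok

if __name__ == "__main__":
    ip, ok = check_egress(RAW_MESSAGE, SPF_RECORD)
    print(f"egress {ip}: {'SPF-authorised' if ok else 'NOT covered by SPF'}")
```
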
Title: Re: Loadbalancing - still broken
Post by: franco on June 20, 2022, 03:25:22 pm
Quote
Sorry that doesn't offer many clues - if you suspect a configuration error then perhaps the documentation should make such configurations clearer.

I'm trying but the subject keeps sending mixed signals.

To a lot of people the worst that has happened is going through the motions of a proper support case workflow either in business or community manner to end up with the expected result.


Cheers,
Franco