Trying to set up two Wireguard tunnels and load balancing

Started by hushcoden, October 09, 2023, 09:51:51 PM

I've created two WG tunnels (Mullvad) and created a gateway group with both tunnels on tier 1 to use load balancing, so in the firewall -> LAN rule I've selected that gateway group.

But when I look at the firewall -> live view of both wireguard interfaces, I see traffic on one WG interface only and on the other one it's just every now and then some ICMP and that's all, what am I missing?

Tia.


Quote from: Bob.Dig on October 09, 2023, 10:16:50 PM
What happens, when you reload this page https://www.whatsmyip.org/ ?
I see a page with lots of info, starting from my IP address, and username & user agent, etc. - I can't take a screenshot as I'm testing that with the browser of my TV (which is connected via Wireguard)...

Quote from: hushcoden on October 09, 2023, 09:51:51 PM
But when I look at the firewall -> live view of both wireguard interfaces, I see traffic on one WG interface only and on the other one it's just every now and then some ICMP and that's all, what am I missing?
Are you testing multiple LAN clients? It would be very bad for your Internet experience if requests from a single machine would alternatingly use both tunnels.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on October 10, 2023, 10:25:43 AM
Are you testing multiple LAN clients? It would be very bad for your Internet experience if requests from a single machine would alternatingly use both tunnels.
Currently I have two devices using Wireguard and one of those is my TV... so, should I configure the two tunnels in the gateway group as failover instead (member down option)?

I mean, in the case of a gateway group, OPNsense will use "sticky" connections, i.e. a client will stick to the tunnel it is using. Many applications lock sessions to IP addresses, so alternating addresses for HTTPS requests would be a bad thing.

Unless you have e.g. 10 clients and can check if on average 5 are using each tunnel, testing is difficult in such scenarios. What are you trying to achieve? You have a single Internet uplink or two?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
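As an added illustration (not from the thread and not OPNsense's own code) of why a one- or two-client test shows traffic on only one tunnel: a simplified model of a gateway group where tier 1 members are load-balanced with per-source sticky selection and a lower tier only takes over once every higher-tier member is down. The hash-based stickiness, the gateway names WG1/WG2 and the client addresses are assumptions of this model.

```python
import hashlib
from collections import Counter

# Constructed gateway groups, mirroring the two setups discussed in the thread.
LOAD_BALANCE = {"WG1": 1, "WG2": 1}   # both tunnels on tier 1
FAILOVER = {"WG1": 1, "WG2": 2}       # tier 1 / tier 2, "member down" trigger


def pick_gateway(client_ip, members, down=frozenset()):
    """Choose the gateway a client's connections stick to.

    members maps gateway name -> tier. The lowest-numbered tier that still
    has an up member wins; within that tier the choice is a stable hash of
    the client's source address. The hash is an assumption of this model,
    standing in for the firewall's real per-source state tracking: the point
    is only that the same client always lands on the same tunnel.
    """
    for tier in sorted(set(members.values())):
        candidates = sorted(g for g, t in members.items() if t == tier and g not in down)
        if candidates:
            digest = hashlib.sha256(client_ip.encode()).digest()
            return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]
    raise RuntimeError("every member of the gateway group is down")


def distribution(clients, members, down=frozenset()):
    """Count how many clients end up on each gateway."""
    return Counter(pick_gateway(ip, members, down) for ip in clients)


if __name__ == "__main__":
    many = [f"192.168.1.{i}" for i in range(10, 60)]   # constructed LAN clients
    print("one client, load balance :", distribution(["192.168.1.10"], LOAD_BALANCE))
    print("50 clients, load balance :", distribution(many, LOAD_BALANCE))
    print("50 clients, failover     :", distribution(many, FAILOVER))
    print("50 clients, WG1 down     :", distribution(many, FAILOVER, down={"WG1"}))
```

With a single client the load-balanced group still reports only one tunnel in use; only with many clients does the split across WG1 and WG2 become visible.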

Quote from: Patrick M. Hausen on October 10, 2023, 10:37:23 AM
Unless you have e.g. 10 clients and can check if on average 5 are using each tunnel, testing is difficult in such scenarios. What are you trying to achieve? You have a single Internet uplink or two?
I'm just testing & learning :P and I've changed the setup of the second tunnel in the gateway group to tier 2

Quote from: hushcoden on October 10, 2023, 10:20:51 AM
I see a page with lots of info, starting from my IP address, and username & user agent, etc. - I can't take a screenshot as I'm testing that with the browser of my TV (which is connected via Wireguard)...
Can you test with a pc? Press ctrl-F5 and you should get an IP-change every time, at least that is working for me.

Nope, IP doesn't change... but it's fine, I changed the setup to failover, i.e. tier 1 / tier 2 and member down (and I only have 1 Internet connection).

I believe load balance has an impact on performance, right?

Thank you all.