Jan 19, 2014

Set-up pfSense+Lusca-cache with multi-WAN

Version: pfsense 2.0-RC1 (built on Sat Feb 26 15:30:26 EST 2011)
ISO download: http://www.mediafire.com/?1a1mwiw1198dd66

NETWORK DIAGRAM


PFSENSE STEP BY STEP HOW-TO DUAL WAN

1.) Configure your WAN1 and WAN2 interfaces (static IP or DHCP) and their gateways correctly.

WAN1 example:


WAN2 example:


Test your gateway (ping the router).

2.) Configure your DNS server in "General Setup" Tab

Example:


Some explanations:
  • The provider for WAN1 uses 2 DNS servers. I configure the correct gateway to reach these DNS servers.
  • The provider for WAN2 uses the gateway as its DNS server (!). In this case, I didn’t configure a gateway to reach the DNS server.

3.) Configure a "Gateway group" in "Routing" tab
Check the existing gateway (you may have one as “Default Gateway”)


As a monitor IP, I use the DNS servers of the providers.

Click on "Groups" and add one:
  • Choose Tier 1 and Tier 2 to prioritize a gateway (failover)
  • or choose the same priority (load-balancing)

In my opinion, "Packet Loss" is a good trigger.


Results:


4.) Set-up firewall rules

Set up a "Floating" rule with the following parameters:


Explanations:
  • Floating rules apply to multiple interfaces
  • Choose your WAN1 and WAN2 interfaces, and direction "out"
  • Choose "HTTP" as destination port
  • Specify the gateway with "MULTIWAN" (the most important thing!)

Result:


You can also create another rule (optional) to use MULTIWAN with other flows. Example on the LAN interface:


5.) Set-up manual Outbound NAT (AON option)

In the "NAT" tab, check "Manual Outbound NAT rule generation".


Then, add 2 mappings with WAN1 and WAN2 interfaces:
  • Protocol = any
  • Source = any
  • Destination = any
  • Translation = Interface address

6.) Configure Squid Web Proxy correctly (the tricky thing!)

I assume that you have installed the Squid (Lusca-Cache) package. In my case, I also installed SquidGuard (filter) and LightSquid (reports).

In "Proxy server" tab / General settings, add the loopback interface:


I also use a "transparent proxy". If you choose to activate this option, you must change the port for the pfSense Web GUI (HTTPS instead of HTTP) in the "Advanced" tab.

Then, add a custom option at the bottom of the page:

Code:
tcp_outgoing_address 127.0.0.1;

Don’t forget to end with a semicolon.


7.) Test it!
  • Open your favorite Web Browser (Firefox) and go to "www.whatismyip.com".
  • Unplug the "Tier 1 router" and reload the page.
Your IP address may change in case of failover.
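
A scripted version of the failover test above, added as an example and not part of the original post: it polls the public IP over plain HTTP from a LAN client and prints each change. The ECHO_URL service and the script name egress-watch.sh are placeholders, and curl is assumed to be installed on the client.

```sh
#!/bin/sh
# Added example (not from the original post): log the public IP seen through
# the transparent proxy so a failover shows up as a timestamped change.
# ASSUMPTION: ECHO_URL is a placeholder for a plain-HTTP service that returns
# the caller's IP as text. Plain HTTP (port 80) matters: only that traffic
# is intercepted by Squid and matched by the floating HTTP rule.
ECHO_URL="${ECHO_URL:-http://ip-echo.example/}"

# clean_ip VALUE: echo VALUE if it looks like an IPv4 address, else "-".
# A Squid error page or an empty reply counts as a failed probe.
clean_ip() {
    case $1 in
        ''|*[!0-9.]*) echo "-" ;;
        *.*.*.*)      echo "$1" ;;
        *)            echo "-" ;;
    esac
}

# probe_once: print "<epoch> <ip-or-dash>" for one request.
probe_once() {
    body=$(curl -s --max-time 5 "$ECHO_URL" | tr -d '[:space:]')
    printf '%s %s\n' "$(date +%s)" "$(clean_ip "$body")"
}

# summarize_egress: read "<epoch> <ip-or-dash>" lines on stdin and print only
# the first address seen and every later change, with the number of failed
# probes that preceded the change.
summarize_egress() {
    awk '
        $2 == "" || $2 == "-" { fails++; next }
        $2 != last {
            if (last == "") printf "%s start %s\n", $1, $2
            else printf "%s change %s -> %s after %d failed probes\n", $1, last, $2, fails
            last = $2
        }
        { fails = 0 }
    '
}

# Run "sh egress-watch.sh probe" on a LAN client, then unplug the Tier 1 router.
if [ "${1:-}" = "probe" ]; then
    while :; do probe_once; sleep 5; done | summarize_egress
fi
```

With a failover group (Tier 1 / Tier 2) a single change line is expected after the unplug; with both gateways on the same tier the address may alternate without any failed probes.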
