Troubleshoot Outbound Load Balancing Issues

Summary

This is a collection of things that have been seen on the forums on problems with Multi-Wan / Load balancing setups.

Basic testing of a load balancing setup

You've set it up, and it looks like its working, but is it really happening?

pfSense load balancing status page - all OK

Check that both connections are available. First check that both (all) your WAN connections are marked as available.

If you have a problem here go XXXXXX

As long as none of them are red all is well. (Yellow means that connection was down recently but is back up now).

If a connection is red (down) for no apparent reason

You MUST use different monitor IPs for each WAN link or you will have weird results.

Also, as a crucial sanity check, use the diagnostics ping test to the monitor IP with the respective interface selected.  You'll see notes saying that the ping test doesn't work reliably in multi-WAN and this is sort of true, but the key here is that the monitoring system is simply doing a ping as well!

Have seen some very illogical pseudo-failure modes that were resolved by using the diag ping to figure out which monitoring IP was "appropriate", (i.e. worked at all), for each WAN link.  There was no rhyme or reason to what did or didn't work but they were at least consistent and the system is rock solid once you've sussed out the right combination. This step is pretty much a requirement at least as of v1.2.2.

Also a tip - don't use the gateway as your monitor IP on any of them.  Too easy for the ISP to be having routing issues such that you can't past their core so the link is functionally down even though you can reach the gateway. So for each WAN link be sure to pick a (diag-pingable) public IP which is outside of that ISPs network.

Squid doesn't seem to be using both connections

You are right, at this stage (1.0.1 plus February 2007 updates), Squid (and most other packages) don't understand load balancing, and will just use the WAN connection.

Ground up testing

This set of progressive tests assumes that your pfSense box is running OK and you can access it from another system on the local network (LAN) with a web browser.

pfSense can see the modem / routers

With the pfSense web interface, use Diagnostics - Ping and check that pfSense can ping each (all) of your router / modems. Note that you must select the right interface for the IP address of each modem / router or or will fail.

If you have set up load balancing following the MultiWan/Load-Balancing page, then the IP addresses will be 192.168.0.254 and 192.168.2.254.

If this does not work then you have a basic network or setup problem to resolve. Check your mopdem / router setup, and the cabling between them and the pfSense system.

Can a system on the LAN see the modem / routers

Now try to ping each of your modem routers from another system that is connected to the pfSense LAN network.

If this is the same system that you are accessing the web interface from, then the connection between the system and pfSense is OK.

Is pfSense set as the default gateway on your test system? If not then correct the configuration (or change the pfSense DHCP setup if you are using pfSense for DHCP - the gateway field in the Services - DHCP server settings should be blank).

Is the last rule in your Firewall - Rules the Balance rule?

Are all the ISP connections being used?

Use a search engine (Google) to search for "what is my ip" Click on several of the resulting sites. You should get results showing that your ip address is each of your WAN ip addresses. If you are the only person using the pfSense firewall, everytime you reload one of the "what is my ip" pages you should get a different ip address