Repurposing old PC as load balancing dual WAN router/firewall

coolVariable

Diamond Member
May 18, 2001
3,724
0
76
Got 2 WAN connections that we want to load balance by setting up an old PC as a load balancing, dual WAN router/firewall.
With sometimes up to 15 people concurrently using the internet, I assume it would make most sense to load balance by user.

I found one linux distro that appears custom made for this (http://www.zeroshell.net/eng/load-balancing-failover/).
I am somewhat hesitant TBH to use this distro, vs for example ubuntu, since I assume ubuntu (and the other large distros) get more/better updates?

Any recommendations?


PS: Also any recommendations for ethernet cards (will probably get them from newegg or fry's) that will have drivers included in pretty much every linux distro. I have zero interest in f'ing around with hacking some drivers to get the NICs to work in linux.
 
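The "load balance by user" idea above, as an added model that is not code from the thread or from any of the distributions it names: each LAN host is hashed onto one of two WAN gateways so its sessions stay on one public address, and traffic falls over to the remaining link when a gateway is marked offline. Gateway names, addresses and weights are constructed for the example.

```python
from __future__ import annotations
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass
class Wan:
    """One upstream link. `weight` lets a faster link take more hosts."""
    name: str
    gateway: str
    online: bool = True
    weight: int = 1


def pick_wan(src_ip: str, wans: list[Wan]) -> Wan:
    """Sticky per-source selection.

    The same LAN host always lands on the same WAN while both links are up,
    so sessions that key on the client's public address survive. Hosts are
    spread by hashing the source address, not by round-robin per packet.
    """
    candidates = [w for w in wans if w.online]
    if not candidates:
        raise RuntimeError("no WAN gateway is online")
    # Expand by weight so a link with weight 2 receives twice the hosts.
    slots = [w for w in candidates for _ in range(w.weight)]
    packed = ipaddress.ip_address(src_ip).packed  # works for v4 and v6
    digest = hashlib.sha256(packed).digest()
    return slots[int.from_bytes(digest[:4], "big") % len(slots)]


def assign_hosts(hosts: list[str], wans: list[Wan]) -> dict[str, list[str]]:
    """Map each WAN name to the hosts it would carry right now."""
    table: dict[str, list[str]] = {w.name: [] for w in wans}
    for host in hosts:
        table[pick_wan(host, wans).name].append(host)
    return table


if __name__ == "__main__":
    # Constructed sample: two links (documentation address ranges), 15 hosts.
    links = [Wan("WAN1", "203.0.113.1"), Wan("WAN2", "198.51.100.1")]
    lan = [f"192.168.1.{h}" for h in range(10, 25)]
    print(assign_hosts(lan, links))
    links[0].online = False          # WAN1 gateway goes offline
    print(assign_hosts(lan, links))  # everything now rides WAN2
```

Real multi-WAN implementations track gateway health with periodic probes and also rebalance by load or latency; this block only shows the sticky-by-source policy and the failover step.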

GotNoRice

Senior member
Aug 14, 2000
329
5
81
I would seriously consider looking into m0n0wall or PFsense. They are both FreeBSD based rather than linux based, but are well supported. PFsense has more features and should be able to do exactly what you need.

For ethernet adapters I would look for a used Intel Dual-port server adapter. Intel adapters are almost universally supported and absolutely rock solid when it comes to reliability.

Like this one: http://www.ebay.com/itm/370535184077

Even though the card was meant for PCI-X/64-bit slots it will work fine in a normal 32-bit/33 MHz slot as long as there is room for the extra PCI connector to hang behind the slot and not hit a capacitor or something else on the motherboard.
 

coolVariable

Diamond Member
May 18, 2001
3,724
0
76
I would seriously consider looking into m0n0wall or PFsense. They are both FreeBSD based rather than linux based, but are well supported. PFsense has more features and should be able to do exactly what you need.

For ethernet adapters I would look for a used Intel Dual-port server adapter. Intel adapters are almost universally supported and absolutely rock solid when it comes to reliability.

Like this one: http://www.ebay.com/itm/370535184077

Even though the card was meant for PCI-X/64-bit slots it will work fine in a normal 32-bit/33 MHz slot as long as there is room for the extra PCI connector to hang behind the slot and not hit a capacitor or something else on the motherboard.

thanks to the quick response.

pfsense looks good. I had seen it before but thought linux might be better maintained. Pfsense looks very good though and I will give it a try.

For buying NICs, we probably want to go with a new item/place where we can return it, if need be, e.g. if this doesn't work as intended: found an Intel single NIC on Amazon: http://www.amazon.com/Intel-PWLA8391.../ref=de_a_smtd
 

mfenn

Elite Member
Jan 17, 2010
22,400
5
71
www.mfenn.com
thanks to the quick response.

pfsense looks good. I had seen it before but thought linux might be better maintained. Pfsense looks very good though and I will give it a try.

For buying NICs, we probably want to go with a new item/place where we can return it, if need be, e.g. if this doesn't work as intended: found an Intel single NIC on Amazon: http://www.amazon.com/Intel-PWLA8391.../ref=de_a_smtd

I run pfsense myself and like it quite a bit. I'm not sure how well it supports load balancing WAN links though (it might be great, I just don't know). The Zeroshell distribution looks very slick though. You can of course do everything yourself in a general-purpose distribution like Ubuntu or CentOS, but you better be prepared to learn a lot about setting things up manually!

I agree that Intel NICs are the way to go for support purposes. If you have plenty of PCI(e) slots, your cheapest option is probably to get multiple single-port adapters. The dual-port NICs are mostly on higher-end chips (which you don't need).
 

coolVariable

Diamond Member
May 18, 2001
3,724
0
76
I run pfsense myself and like it quite a bit. I'm not sure how well it supports load balancing WAN links though (it might be great, I just don't know). The Zeroshell distribution looks very slick though. You can of course do everything yourself in a general-purpose distribution like Ubuntu or CentOS, but you better be prepared to learn a lot about setting things up manually!

I agree that Intel NICs are the way to go for support purposes. If you have plenty of PCI(e) slots, your cheapest option is probably to get multiple single-port adapters. The dual-port NICs are mostly on higher-end chips (which you don't need).

zeroshell does look slicker than pfsense (as far as I could see).
Still waiting for the new NICs to arrive ...
Would be nice if there was an app for ubuntu to use it like this. I would feel much better about ubuntu as the OS for a router/firewall than something like zeroshell.
 

greenhawk

Platinum Member
Feb 23, 2011
2,007
1
71
with 15 users, it might be worth looking at setting up a web proxy and possibly download managers so that overall anything one person needs can be gotten faster if someone else already has got it.
 

coolVariable

Diamond Member
May 18, 2001
3,724
0
76
[/need to vent]
Been spending 3+ hours now with pfsense and am less than impressed.
Can't get the damn thing to even work as a normal router/firewall with one of our WAN connections (fixed IP), despite following the install guides to the "t" and trying multiple re-installs.
The LAN works fine but (i) the WAN gateway shows as offline, and (ii) some very simple settings (e.g. WAN subnet) seem to be impossible to change or the settings are very well hidden, which leads to (iii) no internet access. WTF?
DD-WRT on my cheap linksys has better/more options than this and "just works".
Makes me wish there was a DD-WRT distro that did load balancing and ran on an x86.
 

Jimmah

Golden Member
Mar 18, 2005
1,243
2
0
[/need to vent]
Been spending 3+ hours now with pfsense and am less than impressed.
Can't get the damn thing to even work as a normal router/firewall with one of our WAN connections (fixed IP), despite following the install guides to the "t" and trying multiple re-installs.
The LAN works fine but (i) the WAN gateway shows as offline, and (ii) some very simple settings (e.g. WAN subnet) seem to be impossible to change or the settings are very well hidden, which leads to (iii) no internet access. WTF?
DD-WRT on my cheap linksys has better/more options than this and "just works".
Makes me wish there was a DD-WRT distro that did load balancing and ran on an x86.

Weird, I had no issues with Pfsense, guess you're one of the unlucky ones.

Zeroshell is indeed pretty nice, less shinyness but more usefulness than Pf. I don't have experience with ZS load balancing but I do know it is possible, my experience lies with the captive portal side of it (which is awesome).

Maybe look into MikroTik? They have some good gear, we have 35 of their routers (all diff. kinds) and not one has had issues or needed a reboot in 8+ months we've been running them.
 

mfenn

Elite Member
Jan 17, 2010
22,400
5
71
www.mfenn.com
[/need to vent]
Been spending 3+ hours now with pfsense and am less than impressed.
Can't get the damn thing to even work as a normal router/firewall with one of our WAN connections (fixed IP), despite following the install guides to the "t" and trying multiple re-installs.
The LAN works fine but (i) the WAN gateway shows as offline, and (ii) some very simple settings (e.g. WAN subnet) seem to be impossible to change or the settings are very well hidden, which leads to (iii) no internet access. WTF?
DD-WRT on my cheap linksys has better/more options than this and "just works".
Makes me wish there was a DD-WRT distro that did load balancing and ran on an x86.

I'm running 2.0 RC3, but if I recall you go to interfaces->assign make sure that you have the proper NIC assigned to WAN, then go to Interfaces->WAN, choose static, then supply your IP, netmask, and gateway in the Static IP section. You supply the netmask in CIDR notation instead of dotted decimal, so that may be what's tripping you up.
 

coolVariable

Diamond Member
May 18, 2001
3,724
0
76
I'm running 2.0 RC3, but if I recall you go to interfaces->assign make sure that you have the proper NIC assigned to WAN, then go to Interfaces->WAN, choose static, then supply your IP, netmask, and gateway in the Static IP section. You supply the netmask in CIDR notation instead of dotted decimal, so that may be what's tripping you up.

Thank you so much! By googling CIDR notation, I was able to figure it out (still REALLY STUPID for pfsense to use that vs the more standard decimal netmask settings).
Now I can try and see what this thing can do ...

Let me know if you have any recommendations, eg for the firewall, VPN or anything else.
 

mfenn

Elite Member
Jan 17, 2010
22,400
5
71
www.mfenn.com
No problem, glad you got it working!

I imagine pfsense uses CIDR because it is much easier to work with than dotted decimal when you're defining subnets, etc. I do agree that the interface should let you specify the netmask in either format, since it is trivial for a computer to convert between the two.

My pfsense setup is pretty vanilla. I think the only things that I've changed are a few port forwarding rules (and their associated firewall entries) as well as adding a dynamic DNS plugin. I haven't set up VPN or anything like that with it. Actually, I mostly am using pfsense because I wanted a router that didn't crash every other day.
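The netmask point in the two posts above (CIDR prefix versus dotted decimal, and that a form could accept either), as an added example that is not code from the thread or from pfsense: it converts both ways, rejects non-contiguous masks, and checks that the static WAN gateway actually lies inside the resulting subnet, one mistake that would leave the gateway unreachable. The address values are constructed from documentation ranges.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def netmask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask -> prefix length, refusing masks whose one-bits are
    not contiguous (e.g. 255.0.255.0), which a UI should reject, not accept."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def prefix_to_netmask(prefix: int) -> str:
    """Prefix length -> dotted-decimal mask (the direction pfsense users
    in the thread had to do by hand)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return str(ipaddress.IPv4Address((ALL_ONES << (32 - prefix)) & ALL_ONES))


def parse_static_wan(ip: str, mask_or_prefix: str, gateway: str) -> dict:
    """Validate a static WAN entry, accepting the mask in either notation.

    Returns the normalised settings; raises ValueError when the gateway is
    outside the interface's subnet or equal to the interface address.
    """
    if "." in mask_or_prefix:
        prefix = netmask_to_prefix(mask_or_prefix)
    else:
        prefix = int(mask_or_prefix)
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix length out of range: {prefix}")
    iface = ipaddress.IPv4Interface(f"{ip}/{prefix}")
    gw = ipaddress.IPv4Address(gateway)
    if gw == iface.ip:
        raise ValueError("gateway must differ from the interface address")
    if gw not in iface.network:
        raise ValueError(f"gateway {gw} is not inside {iface.network}")
    return {
        "address": str(iface.ip),
        "prefix": prefix,
        "netmask": prefix_to_netmask(prefix),
        "network": str(iface.network),
        "gateway": str(gw),
    }


if __name__ == "__main__":
    # Constructed sample: ISP hands out a /29 with the gateway at .9
    print(parse_static_wan("203.0.113.10", "255.255.255.248", "203.0.113.9"))
    print(parse_static_wan("203.0.113.10", "29", "203.0.113.9"))  # same result
```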
 

coolVariable

Diamond Member
May 18, 2001
3,724
0
76
I think I got it all working now.
Too bad that pfsense doesn't support L2TP/IPsec, only L2TP, IPsec and PPTP individually, which means we have to go with PPTP (Windows VPN client compatible).
 

coolVariable

Diamond Member
May 18, 2001
3,724
0
76
I was wondering if there are any other recommendations besides pfsense.
As a multi-WAN router pfsense works great ...
BUT as a VPN server (and even as a firewall that lets VPN traffic through to an internal VPN server) it is hopelessly broken.
The help forum for pfsense is overrun with people complaining about (very real) bugs in pfsense for VPN functions but the devs apparently just ignore the complaints.
I have everything set up correctly but VPN functionality only works 25% of the time. It's a f'ing lottery whether VPN will work or not.
Sadly, that makes it unusable for our purposes. What are the alternatives that people recommend?

My verdict (for others looking to use pfsense): Don't bother. It has great potential but is just too buggy.
 

mfenn

Elite Member
Jan 17, 2010
22,400
5
71
www.mfenn.com
I've never played around with the pfsense VPN software, but it should pass VPN traffic to an internal VPN server just fine. If it wasn't, most likely you have something wrong with the firewall rules or your VPN server setup.
 

coolVariable

Diamond Member
May 18, 2001
3,724
0
76
I've never played around with the pfsense VPN software, but it should pass VPN traffic to an internal VPN server just fine. If it wasn't, most likely you have something wrong with the firewall rules or your VPN server setup.

Nope. Just goddamn bugs within Pfsense.
Been up and down their helpforum and have tried setting it up at least 50 times at this point.
It's pretty shocking and damning that the devs are gearing up for a version 2.0 release when it is pretty much acknowledged on the forum that VPN support is essentially nil/broken (besides OpenVPN which I haven't tried, since some of our clients do not support it, though the programming for PPTP makes me wonder about OpenVPN as well)
 

KingGheedora

Diamond Member
Jun 24, 2006
3,248
1
81
I know it's fun to roll your own sometimes, but have you considered some sort of appliance? A small business firewall router might cost about the same as a new PC and support dual WAN and all the features you might need. I set up something similar for my home as well as my work. I used a Juniper SSG-5, which I believe supports dual-WAN, but I'm not sure because I didn't use or need that feature. But the VPN options and everything else generally work out of the box.

If you are making this for a business I'm guessing the business wants this solution in place as soon as possible and the money you might save by rolling your own is cancelled out by the time spent trying to get the roll-your-own solution built.

No offense, OP, I'm not accusing you of wasting time or whatever, because I'm sure you've already taken this into consideration and in your case it makes sense to try to do what you are doing. Just pointing this out for others who might see this and not realize the appliance solutions make more sense in most business use cases.
 

coolVariable

Diamond Member
May 18, 2001
3,724
0
76
I know it's fun to roll your own sometimes, but have you considered some sort of appliance? A small business firewall router might cost about the same as a new PC and support dual WAN and all the features you might need. I set up something similar for my home as well as my work. I used a Juniper SSG-5, which I believe supports dual-WAN, but I'm not sure because I didn't use or need that feature. But the VPN options and everything else generally work out of the box.

If you are making this for a business I'm guessing the business wants this solution in place as soon as possible and the money you might save by rolling your own is cancelled out by the time spent trying to get the roll-your-own solution built.

No offense, OP, I'm not accusing you of wasting time or whatever, because I'm sure you've already taken this into consideration and in your case it makes sense to try to do what you are doing. Just pointing this out for others who might see this and not realize the appliance solutions make more sense in most business use cases.

Multi WAN router = $300+
old PC = free

though:
Frustration due to buggy router OS (pfsense): priceless

Based on my experience with "normal" routers, I am not sure they are always better, e.g. DD-WRT pretty much eats any high end router for breakfast.
 

mfenn

Elite Member
Jan 17, 2010
22,400
5
71
www.mfenn.com
Nope. Just goddamn bugs within Pfsense.
Been up and down their helpforum and have tried setting it up at least 50 times at this point.

I was referring to when you said, "and even as a firewall that lets VPN traffic through to an internal VPN server". I understand that you don't like the built-in VPN server, and I can't attest to its quality or lack thereof, but once you separate out the VPN functions, those packets become just another stream to filter against.

It's pretty shocking and damning that the devs are gearing up for a version 2.0 release when it is pretty much acknowledged on the forum that VPN support is essentially nil/broken (besides OpenVPN which I haven't tried, since some of our clients do not support it, though the programming for PPTP makes me wonder about OpenVPN as well)

Also, holy crap, you need to cut back the vitriol man. Are you always like this?

What is so "shocking and damning" that developers are making a 2.0 release? Especially when it is an open-source project? Now, if you were paying for support, I could see you having an argument. From the sounds of it though, you aren't.
 

KingGheedora

Diamond Member
Jun 24, 2006
3,248
1
81
Multi WAN router = $300+
old PC = free

though:
Frustration due to buggy router OS (pfsense): priceless

Based on my experience with "normal" routers, I am not sure they are always better, e.g. DD-WRT pretty much eats any high end router for breakfast.

Yes but I got the sense you were setting this up for a business (though I may have been wrong about that). In a business scenario, the time you spent messing with pfsense cancels out any savings you might have had over a router. Router is also smaller, quieter, uses less power, and makes less heat.

I haven't ever tried DD-WRT, but I've heard good things about it. If it does what you need, it might be a good idea to go with that.
 

coolVariable

Diamond Member
May 18, 2001
3,724
0
76
Yes but I got the sense you were setting this up for a business (though I may have been wrong about that). In a business scenario, the time you spent messing with pfsense cancels out any savings you might have had over a router. Router is also smaller, quieter, uses less power, and makes less heat.

I haven't ever tried DD-WRT, but I've heard good things about it. If it does what you need, it might be a good idea to go with that.

DD-WRT doesn't do dual WAN (and is more a replacement OS for certain routers).
I used it before.
 

coolVariable

Diamond Member
May 18, 2001
3,724
0
76
I was referring to when you said, "and even as a firewall that lets VPN traffic through to an internal VPN server". I understand that you don't like the built-in VPN server, and I can't attest to its quality or lack thereof, but once you separate out the VPN functions, those packets become just another stream to filter against.

That is what you would think and what I assumed.
The firewall has issues allowing PPTP/VPN traffic to reach a VPN server on the LAN. I have tried multiple times at this point!
pfsense is just so buggy that even that doesn't work. And if you don't believe me check out their forums which are full of people complaining about this and other issues!


What is so "shocking and damning" that developers are making a 2.0 release?

pfsense supposedly can act as a router, a firewall, a VPN server, ...
Out of those 3 main features only one works (router). I will be the first to admit that I really like the router functionality. But it does not work as a VPN server and the firewall feature is broken too.
If somebody releases a 1.0 version of a piece of software, I would expect at least basic features to generally function, even if there are some minor bugs. If you release a 2.0 version, I don't think it is wrong to expect most, if not all, bugs to be worked out.
Instead, this is a barely working beta version that is so full of bugs ....

For the devs to pretend that everything is working fine when pretty much everyone reports bugs with 2 of their main features is - in my opinion - shocking and pretty damning.
I gladly donate to open source projects, and have done so in the past, but I expect some professionalism in return. This is just a pathetic hackjob.
 

mfenn

Elite Member
Jan 17, 2010
22,400
5
71
www.mfenn.com
If somebody releases a 1.0 version of a piece of software, I would expect at least basic features to generally function, even if there are some minor bugs. If you release a 2.0 version, I don't think it is wrong to expect most, if not all, bugs to be worked out.
Instead, this is a barely working beta version that is so full of bugs ....

Ah, I think I see where the misunderstanding lies. :)

Open Source version numbering that follows the GNU model (which is most) is actually quite a lot different than the typical commercial version numbering scheme that you may be used to. In commercial products, the major version (first number) typically denotes a major change (hopefully improvement!) in feature set, etc.

In an open source project, the major version instead denotes a major change in underlying architecture. The minor version (second number) is used for incremental improvements and the optional third number is used for bugfixes.

When an open source developer changes the major version, they do so because they've greatly changed the way the program works under the hood, perhaps to get around limitations in the original architecture. For example, Python 2.6 to Python 3.0 broke backwards compatibility for code, but allowed the Python developers to radically improve the interpreter.

Since new major versions generally represent substantial rewrites, it's not at all unusual to see the number of features actually go down from version x.y to version x+1.z. Continuing the Python example, Python 3.0 wasn't nearly up to the featureset of Python 2.6, but that has been improved with 3.1 and 3.2.

So, in short, a version 2.0 release may be necessary if the problems are fundamental enough to necessitate a substantial rewrite.
 

coolVariable

Diamond Member
May 18, 2001
3,724
0
76
Ah, I think I see where the misunderstanding lies. :)

Open Source version numbering that follows the GNU model (which is most) is actually quite a lot different than the typical commercial version numbering scheme that you may be used to. In commercial products, the major version (first number) typically denotes a major change (hopefully improvement!) in feature set, etc.

In an open source project, the major version instead denotes a major change in underlying architecture. The minor version (second number) is used for incremental improvements and the optional third number is used for bugfixes.

When an open source developer changes the major version, they do so because they've greatly changed the way the program works under the hood, perhaps to get around limitations in the original architecture. For example, Python 2.6 to Python 3.0 broke backwards compatibility for code, but allowed the Python developers to radically improve the interpreter.

Since new major versions generally represent substantial rewrites, it's not at all unusual to see the number of features actually go down from version x.y to version x+1.z. Continuing the Python example, Python 3.0 wasn't nearly up to the featureset of Python 2.6, but that has been improved with 3.1 and 3.2.

So, in short, a version 2.0 release may be necessary if the problems are fundamental enough to necessitate a substantial rewrite.

Well, maybe pfsense devs should put a disclaimer next to the download then: ATTENTION! SOFTWARE DOES NOT ACTUALLY WORK!