Load balancing, as the name implies, is the act of distribute load (in this case network packages) to one or more interfaces, which can be WANs if you have more than one ISP service connected to your pfSense appliance and/or VPN client connections over a single WAN. Failover is similar, but instead of distribute, it switches from one link to the next when a failure occurs.
A Gateway Group is necessary to setup a Load Balancing or Failover configuration. The group itself does not cause any action to be taken, but when the group is used later, such as in policy routing firewall rules, it defines how the items utilizing the group will behave.
The same gateway may be included in multiple groups so that several different scenarios can be configured at the same time. For example, some traffic can be load balanced, and other traffic can use failover, and the same WAN can be used in both capacities by using different gateway groups.
Configuring a Gateway Group for Load Balancing or Failover
To create a gateway group for Load Balancing or Failover, navigate to System >> Routing >> Gateway Groups tab, click on Add and fill in the options on the page as needed:
- Group Name: A name for the gateway group
- Gateway priority: A list of Interfaces will be listed. For each gateway, pick a tier. Tiers with the same values are used for load balancing. Tiers with higher values are used as fail over when tiers with lower values fail
- Virtual Address: Optionally specifies a virtual IP address to use for an interface, if one exists. This option is used for features such as OpenVPN, allowing a specific virtual address to be chosen, rather than using only the Interface address directly when a specific gateway is active in the group. In most cases, this is left at the default value Interface Address.
- Trigger Level: Decides when to mark a gateway as down. As the names are self explanatory, just pick one of: Member Down, Packet loss, High Latency or the combination of the last two.
Once you are done, click Save and Apply changes.
Configuring aVPN gateway group as the default gateway for your WAN
Now you can use this gateway group the same way you would use a gateway, including setting it as the default gateway for your WAN connection. In a previous post we discussed how to configure a Surfshark VPN connection and used it as your default gateway. We can improve this further by replacing the VPN connection by a gateway group containing several VPN connections. For such, create several VPN connections as detailed here. Once you are done, create a gateway group as discussed in this post and finish the setup by configuring the gateway group as the default gateway.
And that is it, now you have a resilient gateway on your network using multiple VPN connections!