Multi-WAN routing with pfSense

It’s been a very busy few weeks. Our office lease expired at the beginning of August and we were forced to move in order to get more space. We completed the move two weeks ago.

In addition to more space, we also got more bandwidth: 30 megabits, or thereabouts. Unfortunately, though, our provider (Time Warner Cable) can’t give us a single 30-megabit connection. They can, however, give us three 10 megabit connections. This is very odd considering that the installation consists of a single piece of coax feeding into a splitter to which are attached three cable modems. It sounds fishy, I know, but I have verified that we’re getting a combined 26+ megabits out of those three modems. Why I can’t get a single modem capable of 30 megabits is beyond me, but I know better than to try fighting the cable company.

In any case, we can’t really make use of three individual 10 megabit connections, so we need to bring those three WAN connections together and feed a single LAN. This won’t give us 30 megabits for a single connection, of course, but it will give us an effective 30 megabits download speed over multiple connections. That’s perfect for my Web crawler.

It turns out that multi-WAN routing isn’t as simple as I thought it would be. Dual-WAN routers are plentiful and cheap, and apparently work quite well. Multi-WAN (i.e. more than two) routers are harder to come by, and are usually more expensive. There are some inexpensive units, but they top out at 25 megabits total throughput (upstream plus downstream). The least expensive unit that looks like it’d do what we need is priced at about $2,000, and I couldn’t find any information about how well it works.

David did some research and found pfSense, an open source firewall derived from m0n0wall and running on FreeBSD (its packet filter, pf, originated on OpenBSD). pfSense is the BSD equivalent of IPCop, although pfSense has many more features, including support for multiple WAN connections. There are apparently some IPCop hacks that support multiple WAN connections, but from what I’ve read they are not highly regarded.

I won’t regale you with all I went through getting pfSense working with this configuration. It took me much longer than I thought it would, due mostly to my own ignorance. pfSense itself is incredibly easy to install and configure–much easier than IPCop–and the pfSense forums are full of helpful information and frequented by quite helpful people. In particular, I found the document about multi-WAN routing to be very well done. It took me a while to understand all of what was going on there, but in the end my configuration is very similar to the configuration in that document.

A few things to note if you’re considering using pfSense for multi-WAN routing:

  • pfSense needs static IP addresses if you want to load-balance across the connections: the load balancer pool is built from each WAN’s gateway address, so those addresses have to stay fixed. That means you have to either get static IP addresses from your ISPs, or you have to put a router between your cable or DSL connection and the pfSense box. We elected to get static IP addresses rather than have the added complexity of three routers that serve only to turn the dynamic IP address from the ISP into a static IP address for pfSense.
  • pfSense does round-robin load balancing, meaning that each new outbound connection is handed to the next gateway in turn: the first goes to WAN1, the next to WAN2, and so on, regardless of how busy each link is. This is less than optimal. A true load balancer would examine the traffic on each connection and assign new connections in an attempt to keep the links evenly loaded. For our purposes (the Web crawler, which opens many short connections), the round robin approach should work fine, but in other applications you might find that the uneven load leaves a lot of bandwidth unused.
  • Some Web sites (my email, for example, and many banking sites) expect all requests for a session to come from the same IP address, because the login or session cookie is tied to the client address; if consecutive connections leave through different WANs, the site sees a new address and logs you out. The “sticky connections” feature of pfSense helps by keeping every new connection from a given LAN host on the gateway it was first given, as long as that host still has active connections. For sites that still break, you create a firewall rule that routes traffic to that destination through one fixed gateway. Creating those rules is very easy.
  • You don’t need a really high-powered box to run pfSense. I’m running it on a generic box with an AMD Geode processor running at 1 GHz with 1 GB of RAM and a 100 GB hard drive. The box is not at all stressed running pfSense.
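To make concrete what pfSense is doing behind its web GUI, here is an added example, written for this page and not taken from the original post or from the pfSense project, of the equivalent pf rules done by hand: a three-gateway round-robin pool with sticky-address (pfSense’s “sticky connections”), a rule that pins one destination to a single WAN, and the local-traffic rule that has to sit above the policy-routed ones. The interface names, the LAN subnet, the gateway addresses (RFC 5737 documentation ranges) and the pinned destination are all assumptions.

```pf
# Added example: hand-written pf rules approximating what pfSense
# generates for a three-WAN round-robin pool. All names and addresses
# below are assumptions, not the author's configuration.

int_if  = "em0"          # LAN
wan1_if = "em1"
wan2_if = "em2"
wan3_if = "em3"

lan_net = "10.0.0.0/24"

# ISP gateways. route-to needs a literal next-hop address, which is
# why a pool like this only works when these addresses never change.
wan1_gw = "192.0.2.1"
wan2_gw = "198.51.100.1"
wan3_gw = "203.0.113.1"

# Destinations that must always see the same source address
# (placeholder address; put the mail or bank server here).
table <pinned> persist { 192.0.2.200 }

set skip on lo0

# Outbound NAT on each WAN: the source becomes whichever WAN address
# the packet actually leaves on, so replies come back the same way.
nat on $wan1_if from $lan_net to any -> ($wan1_if)
nat on $wan2_if from $lan_net to any -> ($wan2_if)
nat on $wan3_if from $lan_net to any -> ($wan3_if)

block in log all

# Traffic to the firewall itself must be passed without a gateway, or
# the policy-routing rules below would push it out a WAN interface.
pass in quick on $int_if from $lan_net to ($int_if) keep state

# Pinned destinations always leave via WAN1. "quick" makes this rule
# win even though the general rule below also matches.
pass in quick on $int_if route-to ($wan1_if $wan1_gw) \
    from $lan_net to <pinned> keep state

# Everything else: each new connection takes the next gateway in turn
# (round-robin); sticky-address keeps a LAN host on the gateway it was
# given for as long as that host still has states open.
pass in quick on $int_if \
    route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw), ($wan3_if $wan3_gw) } \
    round-robin sticky-address \
    from $lan_net to any keep state

# Let the policy-routed traffic leave; replies are matched by state.
pass out on { $wan1_if $wan2_if $wan3_if } keep state
```

Two caveats follow directly from how pf works. First, sticky-address is only remembered while the source host has states in the table, so a client that goes idle long enough for its states to expire can come back through a different WAN, which is exactly the case the pinned-destination rule covers. Second, pf by itself never notices that an ISP has gone down: a dead gateway stays in the pool and one connection in three is black-holed until something removes it. pfSense layers gateway monitoring on top of these rules and rewrites the pool when a gateway fails, which is one of the main reasons to use it rather than a hand-maintained pf.conf.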

I’ve only had pfSense running in this configuration for one day, so I can’t say for sure how stable it is or how well it will work for us. IPCop stayed up for almost 80 days before we had to pull it down for the move. I can only hope that pfSense will work as well. So far, I’m quite happy with it.

More fun with Sprint

Sometimes I wonder why I keep my Sprint mobile phone service. Debra and I are the only people I know who’ve had the same mobile phone number and provider for 10 years. I’d switch to some other service, but they all seem the same to me. I’m definitely not a mobile phone power user.

But today I find myself in the odd position of calling customer service to request that they add a feature to my service. I find this odd because I have the most basic plan I could get from them, and the cheapest phone available (i.e. “free” with the contract). It’s also odd because I usually handle all my account needs online (don’t even get me started on Sprint’s brain dead Web site), but for some reason they won’t let me sign up for text messaging online.

So I dialed *2 for customer service and was informed that my wait would be “more than 20 minutes.” I’m sitting here with my phone on speaker, listening to very bad atmospheric jazz that sounds like it’s coming in on an AM radio in the middle of the night. Every 30 seconds or so a woman’s voice comes on and says, “Please continue to hold. All representatives are currently assisting other customers.” Then it starts to tell me about the Web site and the music comes back on–cutting off the information.

What really irks me about this is that they know my phone number. When I dialed *2 the automated response system said, “please hold while we look up your account information.” Wouldn’t it be more customer-friendly for the system to record my number and put me in a queue for their customer service people to call back? I guarantee I’d be a lot more friendly than I will be by the time I’ve listened to 30 minutes of this bad music on hold.

To make matters worse, Sprint has this annoying habit of calling me at the most inopportune moments, trying to sell me plan upgrades. They’re quick to point out that the call will not be counted against my allotted minutes, and then they go into the pitch about how I need to add another phone to my plan (for who? Charlie, maybe?) or sign up for even more minutes that I never use. So I know they have the technology to pick up the phone and call. Why can’t they call me at my convenience?

Sometimes I miss Ma Bell. At least then you knew exactly what you were getting.