pfSense Multi-WAN Load Balancing - Gateway Groups
Multi-WAN load balancing in pfSense distributes outbound traffic across multiple internet links to increase aggregate throughput. Balancing operates at the connection level: each new TCP connection or UDP flow is assigned to one of the available links according to the configured policy. A single connection cannot be split across links - all traffic within one connection traverses a single gateway.
pfSense implements load balancing through Gateway Groups, where gateways assigned to the same tier participate in traffic distribution. When one gateway fails, traffic is automatically redistributed among the remaining gateways on the same tier without administrator intervention.
Gateway Monitoring
Correct load balancing depends on accurate gateway state detection. pfSense uses the dpinger daemon for continuous gateway availability monitoring.
Configuring Monitoring
Monitoring parameters are configured per gateway under System > Routing > Gateways. When editing a gateway, the following parameters are available.
Monitor IP - the address to which probe packets are sent. By default, this is the gateway IP address itself. For improved accuracy, specify a public IP address beyond the ISP network:
- For WAN1: Monitor IP = 8.8.8.8 (Google DNS)
- For WAN2: Monitor IP = 1.1.1.1 (Cloudflare DNS)
Using different Monitor IP addresses for each gateway prevents false positives when both gateways probe the same address and that address becomes temporarily unreachable.
Probe Interval - the interval between probe packets in seconds. The default value (1 second) provides rapid failure detection. Increasing the interval reduces link overhead but slows failure detection.
Loss Interval - the timeout for a single probe response in milliseconds. A probe that receives no response within this interval is counted as lost. The default value is 2000 ms.
Time Period - the averaging window in seconds over which mean latency and loss metrics are calculated. The default value is 60 seconds.
Monitoring Methods
pfSense monitors gateways using ICMP packets (default). In cases where the ISP or intermediate equipment blocks ICMP, select an alternative Monitor IP that reliably responds to ICMP probes.
Warning:
Some ISPs apply rate limiting to ICMP traffic on their gateways. When using the ISP gateway address as the Monitor IP with a 1-second probe interval, false positives may occur due to dropped ICMP responses. Use a public DNS server or increase the Probe Interval to 2-5 seconds.
Gateway Status Values
Based on monitoring data, each gateway is assigned one of the following statuses:
| Status | Condition | Effect on Load Balancing |
|---|---|---|
| Online | Loss below warning threshold, latency normal | Gateway participates in balancing |
| Warning | Loss or latency exceeded warning threshold | Gateway participates (depends on Trigger Level setting) |
| Down | Loss exceeded down threshold | Gateway excluded from balancing |
| Pending | Initial data collection in progress | Gateway does not participate |
Current gateway status is displayed under Status > Gateways.
Creating a Load Balancing Gateway Group
To configure load balancing, create a Gateway Group where all participating gateways are assigned to the same tier.
Step-by-Step Configuration
- Navigate to System > Routing > Gateway Groups.
- Click Add.
- Configure the group parameters:
| Parameter | Value | Description |
|---|---|---|
| Group Name | WAN_LoadBalance | Group name (alphanumeric, no spaces) |
| Gateway Priority | WAN1_DHCP = Tier 1, WAN2_DHCP = Tier 1 | Both gateways on the same tier for balancing |
| Trigger Level | Packet Loss | Condition for changing gateway status |
| Description | Load balance across WAN1 and WAN2 | Purpose description |
- Click Save, then Apply Changes.
Trigger Level Parameter
Trigger Level determines the gateway condition under which the group stops routing new traffic through that gateway:
| Value | Behavior |
|---|---|
| Member Down | Gateway excluded only when status is Down |
| Packet Loss | Gateway excluded when Down or loss threshold exceeded |
| High Latency | Gateway excluded when Down or latency threshold exceeded |
| Packet Loss or High Latency | Gateway excluded under any of the above conditions |
For load balancing, Packet Loss or High Latency is recommended - this removes a degraded link from the group before it fails completely.
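The following Python is an added illustration (it is not pfSense or dpinger code) of how the monitoring parameters above and the Trigger Level table combine to decide which gateways in a tier still receive new connections. The Loss Interval handling, the 5-sample Pending rule, and the 10 % / 20 % loss and 200 ms / 500 ms latency thresholds are assumptions chosen for the example; the two 60-probe windows are constructed to match a 60-second Time Period at the default 1-second Probe Interval.

```python
from dataclasses import dataclass
from statistics import mean

# Status names as shown under Status > Gateways.
ONLINE, WARNING, DOWN, PENDING = "Online", "Warning", "Down", "Pending"


@dataclass(frozen=True)
class Thresholds:
    """Assumed warning/down thresholds for this example (percent loss, ms latency)."""
    loss_warn: float = 10.0
    loss_down: float = 20.0
    latency_warn: float = 200.0
    latency_down: float = 500.0


def gateway_status(probes_ms, loss_interval_ms=2000, min_samples=5, th=Thresholds()):
    """Classify one gateway from the probe results inside its Time Period window.

    probes_ms holds one entry per probe sent: the round-trip time in ms, or None
    when no reply arrived at all. Returns (status, loss_percent, mean_latency_ms).
    """
    if len(probes_ms) < min_samples:
        return PENDING, 0.0, 0.0          # still collecting initial data
    # A reply that arrives after the Loss Interval counts as lost, not as slow.
    answered = [r for r in probes_ms if r is not None and r <= loss_interval_ms]
    loss_pct = 100.0 * (len(probes_ms) - len(answered)) / len(probes_ms)
    latency = mean(answered) if answered else float("inf")
    if loss_pct >= th.loss_down or latency >= th.latency_down:
        return DOWN, loss_pct, latency
    if loss_pct >= th.loss_warn or latency >= th.latency_warn:
        return WARNING, loss_pct, latency
    return ONLINE, loss_pct, latency


def excluded_from_group(status, loss_pct, latency, trigger, th=Thresholds()):
    """Apply the group's Trigger Level to a gateway's current metrics."""
    if status in (DOWN, PENDING):
        return True                       # never eligible, whatever the trigger
    loss_hit = loss_pct >= th.loss_warn
    latency_hit = latency >= th.latency_warn
    return {
        "Member Down": False,
        "Packet Loss": loss_hit,
        "High Latency": latency_hit,
        "Packet Loss or High Latency": loss_hit or latency_hit,
    }[trigger]


def group_members(probe_windows, trigger):
    """Names of the tier's gateways that still receive new connections."""
    members = []
    for name, probes in probe_windows.items():
        status, loss_pct, latency = gateway_status(probes)
        if not excluded_from_group(status, loss_pct, latency, trigger):
            members.append(name)
    return members


# Constructed sample windows: 60 probes each, one per second.
WAN1_PROBES = [20.0] * 60                                   # healthy link
WAN2_PROBES = [30.0] * 50 + [2500.0] + [None] * 9           # one late reply, nine missing

if __name__ == "__main__":
    windows = {"WAN1_DHCP": WAN1_PROBES, "WAN2_DHCP": WAN2_PROBES}
    for name, probes in windows.items():
        print(name, gateway_status(probes))
    for trigger in ("Member Down", "Packet Loss", "High Latency",
                    "Packet Loss or High Latency"):
        print(f"{trigger:28s} ->", group_members(windows, trigger))
```

WAN2 ends up at roughly 16.7 % loss with 30 ms mean latency, so it is Warning: with Trigger Level set to Member Down or High Latency it keeps receiving connections, while Packet Loss (or the combined setting) removes it from the group before it reaches Down.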
Weight Configuration
By default, pfSense distributes traffic evenly across gateways on the same tier. When links have different bandwidths, weight values should be configured for proportional distribution.
Weights are configured per gateway under System > Routing > Gateways when editing a gateway, in the Weight parameter (range 1 to 30).
Calculation Example
Suppose WAN1 has 100 Mbps bandwidth and WAN2 has 50 Mbps. For proportional distribution:
- WAN1: Weight = 2
- WAN2: Weight = 1
In this configuration, approximately two out of every three new connections are directed through WAN1 and one through WAN2.
| Link | Bandwidth | Weight | Traffic Share |
|---|---|---|---|
| WAN1 | 100 Mbps | 2 | ~67% |
| WAN2 | 50 Mbps | 1 | ~33% |
Warning:
Weight values affect the distribution of connection count, not traffic volume. If a large file download is established through WAN2, all traffic for that connection traverses WAN2 regardless of weights. Volume-based balancing is not supported in pfSense.
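As an added example (not pfSense code), the Python below derives Weight values from link bandwidths, keeping them inside the 1 to 30 range of the Weight field, and then replays a constructed workload to show the point of the warning above: weights shape the connection count per link, not the byte volume. The distribution is modelled as a plain weighted round robin, which is an assumption made for the example rather than a description of pf's pool internals.

```python
from functools import reduce
from itertools import cycle
from math import gcd

MAX_WEIGHT = 30  # upper bound of the Weight field on a pfSense gateway


def weights_from_bandwidth(bandwidth_mbps):
    """Derive proportional gateway weights (1..30) from link bandwidths in Mbps."""
    g = reduce(gcd, bandwidth_mbps.values())
    weights = {name: bw // g for name, bw in bandwidth_mbps.items()}
    top = max(weights.values())
    if top > MAX_WEIGHT:
        # Ratios that do not fit in 1..30 are scaled down and rounded, never below 1.
        weights = {name: max(1, round(w * MAX_WEIGHT / top)) for name, w in weights.items()}
    return weights


def expected_shares(weights):
    """Fraction of new connections each gateway should receive."""
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


def distribute(weights, flow_sizes):
    """Assign each new connection to a gateway and tally connections and bytes.

    Modelled as a weighted round robin: a gateway with weight 2 appears twice in
    the rotation. Each flow is given by its size in bytes and stays on the gateway
    it was assigned to, which is the connection-level rule.
    """
    rotation = cycle([name for name, w in weights.items() for _ in range(w)])
    conns = {name: 0 for name in weights}
    volume = {name: 0 for name in weights}
    for size in flow_sizes:
        gw = next(rotation)
        conns[gw] += 1
        volume[gw] += size
    return conns, volume


# Constructed workload: eight 1 MB web fetches followed by one 1000 MB download.
MB = 1_000_000
SAMPLE_FLOWS = [1 * MB] * 8 + [1000 * MB]

if __name__ == "__main__":
    w = weights_from_bandwidth({"WAN1": 100, "WAN2": 50})
    print("weights:", w, "shares:", expected_shares(w))
    conns, volume = distribute(w, SAMPLE_FLOWS)
    print("connections:", conns)
    print("bytes:", volume)   # WAN2 carries far more bytes despite fewer connections
```

With the 100/50 Mbps pair the derived weights are 2 and 1 and WAN1 receives six of the nine connections, yet the single large download lands on WAN2 and dominates its byte count.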
Applying the Gateway Group to Firewall Rules
A Gateway Group only begins routing traffic after it is assigned to a firewall rule. Without this step, the group remains unused.
Rule Configuration
- Navigate to Firewall > Rules and select the LAN tab (or another internal interface).
- Create a new rule or edit an existing rule that permits outbound traffic.
- Under Extra Options, click Display Advanced.
- In the Gateway field, select the WAN_LoadBalance group.
- Click Save, then Apply Changes.
Typical rule configuration:
| Parameter | Value |
|---|---|
| Action | Pass |
| Interface | LAN |
| Protocol | Any |
| Source | LAN net |
| Destination | Any |
| Gateway | WAN_LoadBalance |
For more granular control, create multiple rules with different Gateway Groups. For example, HTTP/HTTPS traffic can be balanced across links while VoIP traffic is pinned to a low-latency link.
Warning:
A rule with a specific gateway must be placed above the default gateway rule (*). Otherwise, traffic matches the default rule first and never reaches the Gateway Group.
Outbound NAT for Multi-WAN
When using multiple WAN interfaces, each WAN must have a corresponding outbound NAT rule. Without a correct NAT rule, traffic routed through a given WAN is sent with the wrong source address and dropped by the ISP.
Verifying NAT Rules
- Navigate to Firewall > NAT > Outbound.
- Confirm that NAT rules exist for each WAN interface covering all internal subnets.
In Automatic and Hybrid modes, pfSense generates NAT rules for all WAN interfaces automatically. In Manual mode, rules must be created manually for each WAN.
Example rule set for a dual-WAN configuration with LAN subnet 192.168.1.0/24:
| Interface | Source | Translation | Port |
|---|---|---|---|
| WAN1 | 192.168.1.0/24 | WAN1 address | * |
| WAN2 | 192.168.1.0/24 | WAN2 address | * |
| WAN1 | 127.0.0.0/8 | WAN1 address | 500 (ISAKMP) |
| WAN2 | 127.0.0.0/8 | WAN2 address | 500 (ISAKMP) |
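The check in "Verifying NAT Rules" can be scripted against an exported rule list. The Python below is an added example, not pfSense code: it takes rules as (interface, source, translation) tuples in the shape of the table above, plus the list of WANs and internal subnets, and reports every WAN/subnet pair with no covering rule. The second internal subnet (192.168.2.0/24) and the rule list are constructed for the example.

```python
import ipaddress


def missing_outbound_nat(rules, wan_ifaces, internal_subnets):
    """Return (wan, subnet) pairs that have no outbound NAT rule covering them.

    rules: iterable of (interface, source_cidr, translation). A rule covers a
    subnet when its source network contains that subnet. The 127.0.0.0/8 ISAKMP
    rules never cover client subnets and are simply skipped by the containment test.
    """
    missing = []
    nets = [ipaddress.ip_network(s) for s in internal_subnets]
    for wan in wan_ifaces:
        sources = [ipaddress.ip_network(src) for iface, src, _ in rules if iface == wan]
        for net in nets:
            covered = any(net.subnet_of(src) for src in sources if src.version == net.version)
            if not covered:
                missing.append((wan, str(net)))
    return missing


# Constructed rule set: the table above, plus a second LAN that was only added to WAN1.
RULES_COMPLETE = [
    ("WAN1", "192.168.1.0/24", "WAN1 address"),
    ("WAN2", "192.168.1.0/24", "WAN2 address"),
    ("WAN1", "127.0.0.0/8", "WAN1 address"),
    ("WAN2", "127.0.0.0/8", "WAN2 address"),
]
RULES_PARTIAL = RULES_COMPLETE + [("WAN1", "192.168.2.0/24", "WAN1 address")]
WANS = ["WAN1", "WAN2"]

if __name__ == "__main__":
    print(missing_outbound_nat(RULES_COMPLETE, WANS, ["192.168.1.0/24"]))
    print(missing_outbound_nat(RULES_PARTIAL, WANS, ["192.168.1.0/24", "192.168.2.0/24"]))
```

A gap reported here means traffic from that subnet, when the Gateway Group picks that WAN, leaves with an untranslated private source address, which is exactly the failure described in the paragraph above and in "Asymmetric Routing" below.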
DNS in Multi-WAN
Proper DNS configuration is critical for Multi-WAN. When one link fails, DNS queries routed through that link stop receiving responses, potentially causing name resolution failures even with the second link operational.
DNS Configuration Recommendations
Option 1: DNS Resolver with Forward Mode (recommended)
- Under System > General Setup, specify DNS servers for each WAN:
- DNS Server 1: 8.8.8.8 - Use gateway: WAN1_DHCP
- DNS Server 2: 1.1.1.1 - Use gateway: WAN2_DHCP
- Under Services > DNS Resolver, enable DNS Query Forwarding.
- pfSense sends DNS queries through both links and uses the first response received.
Option 2: DNS Resolver without Forward Mode
The DNS Resolver in standard mode performs recursive queries directly to root DNS servers. DNS queries are routed according to the routing table and are not bound to a specific WAN. However, route convergence after a link failure may introduce a delay.
Option 3: Local DNS Server
When using a dedicated DNS server on the local network (for example, for Active Directory), DNS traffic from that server is routed as regular traffic through the Gateway Group.
Sticky Connections
Sticky connections bind all connections from a single client (by source IP address) to one gateway for a specified duration. This resolves issues with web services that tie sessions to the client IP address.
Configuration
- Navigate to System > Advanced > Miscellaneous.
- Under Gateway Monitoring, enable Use sticky connections.
- Set the Sticky connections expiry - the time in seconds after which the binding is removed when no active connections remain. The default value of 0 retains bindings until reboot.
Limitations
- Binding is based on the source IP address, not the destination. All connections from a client are directed through one gateway.
- With sticky connections enabled, balancing effectiveness decreases: clients with established bindings are not redistributed across links until the timer expires.
- Bindings do not persist across pfSense reboots.
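The following Python is an added model (not pfSense code) of the sticky-connection behaviour and limitations listed above: the first connection from a source IP chooses a gateway, later connections from that IP reuse it, and the binding is dropped only when no connection remains open and the expiry has elapsed, with expiry 0 meaning never. Gateway selection for unbound sources is a plain round robin, an assumption made for the example; the client addresses and timeline are constructed.

```python
class StickyBalancer:
    """Connection-level balancer with optional source-IP sticky bindings."""

    def __init__(self, gateways, sticky=True, expiry_s=0):
        self.gateways = list(gateways)
        self.sticky = sticky
        self.expiry_s = expiry_s
        self._rr = 0               # round-robin cursor for unbound sources
        self._binding = {}         # src_ip -> gateway
        self._active = {}          # src_ip -> number of open connections
        self._idle_since = {}      # src_ip -> time the last connection closed

    def _next_gateway(self):
        gw = self.gateways[self._rr % len(self.gateways)]
        self._rr += 1
        return gw

    def _expire_if_idle(self, src, now):
        # A binding is dropped only when no connection is open AND the expiry
        # has elapsed since the last one closed; expiry 0 means never.
        if (self.expiry_s > 0 and src in self._binding
                and self._active.get(src, 0) == 0
                and now - self._idle_since.get(src, now) >= self.expiry_s):
            del self._binding[src]

    def open_connection(self, src, now):
        """Return the gateway chosen for a new connection from src at time now."""
        if not self.sticky:
            return self._next_gateway()
        self._expire_if_idle(src, now)
        if src not in self._binding:
            self._binding[src] = self._next_gateway()
        self._active[src] = self._active.get(src, 0) + 1
        return self._binding[src]

    def close_connection(self, src, now):
        """Record that one of src's connections ended."""
        if self.sticky:
            self._active[src] -= 1
            if self._active[src] == 0:
                self._idle_since[src] = now

    def bound_gateway(self, src):
        return self._binding.get(src)


def run_scenario(sticky, expiry_s):
    """Replay a constructed timeline; returns (client, time, gateway) per new connection."""
    lb = StickyBalancer(["WAN1", "WAN2"], sticky=sticky, expiry_s=expiry_s)
    log = []

    def opened(src, t):
        log.append((src, t, lb.open_connection(src, t)))

    opened("192.168.1.10", 0)      # client A: first connection
    opened("192.168.1.10", 1)      # client A: second connection
    opened("192.168.1.20", 2)      # client B
    opened("192.168.1.30", 3)      # client C
    lb.close_connection("192.168.1.10", 5)
    lb.close_connection("192.168.1.10", 6)   # A is idle from t=6
    opened("192.168.1.10", 50)     # A again after 44 s idle
    lb.close_connection("192.168.1.10", 51)
    opened("192.168.1.10", 120)    # A again after 69 s idle
    return log


if __name__ == "__main__":
    for sticky, expiry in ((False, 0), (True, 60), (True, 0)):
        print(f"sticky={sticky} expiry={expiry}:", run_scenario(sticky, expiry))
```

With sticky connections and a 60-second expiry, client A stays on WAN1 at t=50 but is re-balanced (to WAN2 here) at t=120; with expiry 0 it never leaves WAN1; without sticky connections every new connection alternates between the links regardless of client.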
Troubleshooting
Traffic Not Balancing
Symptom: all traffic passes through a single WAN link.
Checks:
- Firewall rule - verify that the LAN rule specifies a Gateway Group, not a specific gateway or the default (*).
- Rule order - the rule with the Gateway Group must be above the default gateway rule.
- Sticky connections - if sticky connections are enabled, the client may be bound to one gateway. Temporarily disable for diagnostics.
- States table - inspect connection bindings under Diagnostics > States. Filter by client IP and verify which interface connections traverse.
- Gateway status - confirm both gateways show Online status under Status > Gateways.
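The states-table check above can be automated from the shell. The Python below is an added example (not a pfSense tool): it parses lines in the shape of `pfctl -ss` output, resolves the pre-NAT client address shown in parentheses, and counts a client's outbound states per WAN. The exact output format, the interface names (em0 = LAN, em1 = WAN1, em2 = WAN2) and the sample state lines are assumptions constructed for the example; adjust the regex if your output differs. IPv4 only.

```python
import re
from collections import Counter

# One state line (assumed pfctl -ss shape): interface, protocol, source
# [optionally followed by the pre-NAT source in parentheses], arrow, destination,
# state pair.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"(?:\s+\((?P<orig>\S+)\))?\s+(?P<dir>->|<-)\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)


def host_of(addr_port):
    """Strip the :port suffix from an IPv4 address:port token."""
    return addr_port.rsplit(":", 1)[0]


def connections_per_wan(lines, wan_ifaces, client_ip):
    """Count outbound states for client_ip on each WAN, keyed by gateway label.

    wan_ifaces maps pf interface name -> label, e.g. {"em1": "WAN1"}. States on
    other interfaces (such as the LAN-side copy of the same connection) are ignored.
    """
    counts = Counter({label: 0 for label in wan_ifaces.values()})
    for line in lines:
        m = STATE_RE.match(line.strip())
        if not m or m["dir"] != "->" or m["iface"] not in wan_ifaces:
            continue
        # After outbound NAT the original client address is the parenthesised one.
        client = host_of(m["orig"] or m["src"])
        if client == client_ip:
            counts[wan_ifaces[m["iface"]]] += 1
    return dict(counts)


def balance_verdict(counts):
    """Plain-language reading of the per-WAN counts for one client."""
    used = [label for label, n in counts.items() if n > 0]
    if not used:
        return "no outbound states for this client"
    if len(used) == 1:
        return f"all connections via {used[0]}: check rule gateway, rule order and sticky connections"
    return "connections spread across " + ", ".join(sorted(used))


# Constructed sample; 203.0.113.5 and 198.51.100.7 stand in for the WAN1/WAN2 addresses.
SAMPLE_STATES = """
em1 tcp 203.0.113.5:51234 (192.168.1.10:51234) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em1 tcp 203.0.113.5:51240 (192.168.1.10:51240) -> 151.101.1.69:443       ESTABLISHED:ESTABLISHED
em2 udp 198.51.100.7:60001 (192.168.1.10:60001) -> 1.1.1.1:53       MULTIPLE:SINGLE
em1 tcp 203.0.113.5:51300 (192.168.1.20:51300) -> 93.184.216.34:80       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 192.168.1.10:51234 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
""".strip().splitlines()

WAN_IFACES = {"em1": "WAN1", "em2": "WAN2"}

if __name__ == "__main__":
    for client in ("192.168.1.10", "192.168.1.20"):
        counts = connections_per_wan(SAMPLE_STATES, WAN_IFACES, client)
        print(client, counts, "->", balance_verdict(counts))
```

A client whose states all sit on one WAN is the symptom described above; a quick run like this separates it from the healthy case before touching the rule set. Feed it `pfctl -ss` output from the pfSense shell or Diagnostics > Command Prompt.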
Asymmetric Routing
Symptom: some connections drop, websites load incompletely.
Cause: return traffic may arrive through a gateway different from the one used to initiate the connection. The ISP or intermediate equipment drops packets with a mismatched source address.
Resolution:
- Verify that Outbound NAT is correctly configured for both WANs.
- Confirm that pfSense translates the source address to the correct WAN interface address for each connection.
- If static routes are present, ensure return traffic uses the same WAN.
Connection Loss During Switchover
Symptom: when one gateway fails, active connections through that gateway are interrupted.
This is expected behavior - pfSense cannot migrate an active TCP connection between gateways. New connections are automatically directed through available gateways. To minimize the impact:
- Reduce the Time Period for faster failure detection.
- Set Trigger Level to Packet Loss or High Latency for early exclusion of a degraded gateway.
Comparison with Other Platforms
Cisco PBR (Policy-Based Routing)
Cisco IOS configures policy routing through route-maps with set ip next-hop. pfSense uses an analogous approach by assigning Gateway Groups in firewall rules. The key difference: pfSense automatically handles failover between gateways on the same tier, whereas Cisco IOS requires additional IP SLA configuration for monitoring and switchover.
FortiGate SD-WAN
FortiGate SD-WAN provides built-in SLA monitors supporting TCP, HTTP, and DNS probes. pfSense is limited to ICMP monitoring through dpinger. FortiGate also supports volume-based balancing, which is absent in pfSense.
MikroTik PCC (Per Connection Classifier)
MikroTik uses PCC to mark connections based on address and port hashes, then routes them through different gateways. pfSense implements similar logic through Gateway Groups but with less granular hashing control. The pfSense advantage is built-in gateway monitoring and automatic failover, whereas MikroTik requires netwatch configuration for equivalent functionality.
Related Sections
- Multi-WAN Failover - configuring automatic switchover to a backup link
- Outbound NAT - configuring NAT rules for multiple WAN interfaces
- Firewall Rules - creating rules with Gateway Group assignments