veechee
New Contributor

Load balance two PPPoE connections?

Hi there,

Right now I have a remote office that has a single 3.5 mbps PPPoE DSL connection. The provider has been having some serious service issues, causing the connection to drop several times per day, and sometimes dropping for 8-12 hours at a time until the modem is reset. Therefore, I've been investigating a secondary Internet connection for this office.

What is available is expensive T1/E1-type connections complete with Cisco routers, but unfortunately they are out of my budget (US$750-US$1000 per month). However, I have found another DSL provider, which maintains a totally independent network, including a "cable facility" right in the office building. However, they are also PPPoE based, and are more expensive, so I could probably only get a 1.5 or 2 mbps max DSL. The CIR, which is the guaranteed bandwidth, is actually about the same though, which is why they justify charging more.

There are no major servers at this office, but some clients will connect via SSL-VPN to access a NAS device, and soon there will be an IPSec link to the main office also. There is a total of about 15 users in the office daily.

If I go with a second DSL connection, my initial plan is:

- allow both WAN1 and WAN2 for all regular outbound Internet services - browsing, email, Skype
- use gateway load balancing on each link to redirect all outbound traffic to one connection when the other is down
- make the primary IPSec link WAN2 (new) and a failover tunnel on WAN1 (existing)
- for inbound SSL-VPN, use quasi-load balancing using a CNAME record pointing to both WAN host names, so that inbound connections are randomly assigned

My questions are:

- Any issue doing the dead gateway detection with PPPoE connections? Or is it not even necessary since the FGT knows immediately when the connection drops?
- Any concerns with CPU or memory usage running two PPPoE links? I believe PPPoE is a bunch more work for the FGT since it has to run an extra service for this versus straight Ethernet.
- Could I make the IPSec links both active load balancing too instead of failover?
- Any other suggestions or comments on my plan? I've never done a dual WAN installation before.

Thanks!
veechee
New Contributor

Anybody have any thoughts on this? I've found a third provider that offers non-DSL services, so I'm now pricing them out to see if maybe they are cheaper than the quotes I've received so far. Once I get those quotes back I want to make a decision and get dual WAN going one way or the other.
ede_pfau
Esteemed Contributor III

Hi,

I don't see any problems with your plan. It's not uncommon to l-b 2 WAN lines. The keyword to look up is "ECMP", either in the Handbook or on this forum. We've had it discussed several times in the last week.

L-b for IPSec tunnels is more or less the same. Create the VPNs in interface mode, then you need 2 routes with equal distances. You have to make sure that each VPN uses a different WAN line so that if a WAN line goes down this tunnel fails, the route is eliminated from the routing table and the other VPN route is used. As VPN interfaces are bound to physical interfaces this is more or less automatically fulfilled.

All of this is meant in view of IPSec VPN to the main office. See for yourself with SSL VPN but I don't see major differences here.

About PPPoE - we use it here in Germany all the time, for DSL lines. Apart from the initial negotiations I cannot think of any CPU intensive workload that goes with it. Encapsulation and de-enc. will not impact CPU at all.

So basically, go for l-b'd WAN lines first (create 2 default routes, or just check the checkbox in the interface setup) and get it running. Then you can put l-b VPN on top of that. Test a bit and kill lines randomly. You won't have session failover or such, though.

It only gets (more) complicated if you want to have source IP address ranges to use a specific WAN line, or want to have inbound VIP. But as you don't have servers there this won't be an issue.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
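A FortiOS CLI sketch of the layout described in the reply above, added here as an example and not taken from any poster's configuration. Interface names, tunnel names, the documentation-range peer addresses, the main-office subnet and the distance value are assumptions, and exact syntax varies by FortiOS version.

```fortios
# Added example: two PPPoE WAN links, each installing a default route
# with the same distance so both are eligible for ECMP.
# PPPoE credentials are omitted.
config system interface
    edit "wan1"
        set mode pppoe
        set defaultgw enable
        set distance 10
    next
    edit "wan2"
        set mode pppoe
        set defaultgw enable
        set distance 10
    next
end

# One interface-mode tunnel per WAN line, so a tunnel goes down
# together with the line it is bound to.
# Peer addresses are placeholders; phase2 definitions are omitted.
config vpn ipsec phase1-interface
    edit "hq_wan1"
        set interface "wan1"
        set remote-gw 203.0.113.1
        set psksecret <pre-shared-key-placeholder>
    next
    edit "hq_wan2"
        set interface "wan2"
        set remote-gw 203.0.113.2
        set psksecret <pre-shared-key-placeholder>
    next
end

# Two routes to the main-office subnet (assumed 10.10.0.0/16) with
# equal distances; when a tunnel fails its route is withdrawn and
# the other tunnel carries the traffic.
config router static
    edit 1
        set dst 10.10.0.0 255.255.0.0
        set device "hq_wan1"
        set distance 10
    next
    edit 2
        set dst 10.10.0.0 255.255.0.0
        set device "hq_wan2"
        set distance 10
    next
end
```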
veechee
New Contributor

I'm close to getting a second link ordered. I got the price as low as US$650 for an E1 line, but the better option for my needs and budget is looking to be a 6 down/1.5 up PPPoE DSL for ~US$90.

Once I put a second link in the mix, which is most likely going to be PPPoE DSL, do I need to use "Detect Interface for Gateway Load Balancing" on both WAN interfaces, or can I leave that off because the FGT knows when the PPPoE connection drops?

Also, existing DSL link is 3.5/0.5 Mbps, and new one will be 6/1.5 Mbps. Assuming both links perform to the rated speeds, should I change my load balancing strategy? I'm thinking SSL VPN incoming and IPSec to the other office on the 6/1.5 only...

I'm trying to see if I can get the current DSL line up to 6/1.5 but the provider is much, much more expensive for that type of service: price list says US$460 per month! A ridiculous difference compared to the competition.