pfSense & UniFi setup with dual WAN load balancing / aggregation

Hey everyone!
noob alert :smiley:

We are a non-profit organisation based out of India; our goal is to achieve the best internet experience in our office (no other use case). The following details are written with the next 3 years' requirements in mind.

Hardware setup:
pfSense firewall
1 USW-24-POE Gen 2
6 Unifi AP AC Pro/HD

We want to set up the following things on pfSense:

  1. 2 WAN connections with 1 Gbps each and with load balancing
  2. QoS to prioritize video/audio calls using Skype / Zoom
  3. block all peer-to-peer (torrents, file sharing, game servers) and other services
  4. ad-blocking using pfBlocker
  5. very basic IDS/IPS using Suricata
  6. block a few ports/applications, example - Windows Update
  7. We do not have any VPN requirements

Q1) To get ~1 Gbps internet/WAN throughput, which pfSense (Netgate, Protectli, etc.) firewall hardware should we go with?

Q2) Is it possible for us to bind applications/traffic types or devices to a particular WAN interface?

Q3) Is it possible to get more overall WAN throughput than 1 Gbps using load balancing across the network? If yes, then which pfSense device should we go with, as we have 2 WANs at 1 Gbps each?

This video talks about using load balancing and disabling sticky connections to achieve more throughput per client, which also causes some issues with services/websites that have some level of IP/network-related auth.
Our preference is to increase overall WAN throughput in the network rather than per client.

Hope this makes sense!

Regarding 2)

As long as you can match it with firewall rules, you can specify which gateway traffic should be directed to in the “Advanced” options of the rule.

Regarding 3)

(Disclaimer: I’ve never used multi-WAN for load-balancing, so all information is purely based off my interpretation of the pfSense docs)

By default, outgoing packets in a multi-WAN configuration are distributed in a round-robin fashion. That would increase the throughput even for a single client (so long as it is actually connected with more than 1 Gbit/s). Enabling “Sticky connections” will send packets belonging to the same state through the same gateway, which should cap the throughput of that connection to the max throughput of that one gateway.

But since you said that your preference is to increase overall network performance as opposed to single-client performance, that should be fine.


Thanks for replying. By this I understood that in our scenario, where we have 2 WAN connections at 1 Gbit/s each, we will be able to get more than 1 Gbit/s internet throughput in our network when there is a need, and in theory it can go up to ~2 Gbit/s internet speed spread across different clients on the network.

If what I understood above is correct, the question I have is that the Ethernet ports on the Netgate/Protectli pfSense box and my UniFi switch are 1 Gbit/s each, so do I connect 2 ports from the pfSense box to the switch, or how do I go about this, and what would the configuration look like?

There are different ways you can connect the router to the network.

You could either connect the WANs directly into two ports of the firewall and then connect the firewall to the switch with two ports (set up as a link aggregation). However, I like feeding my WAN into the switch instead, on its own VLAN (two different VLANs in your case). That way you would only need two 1 Gbit/s interfaces on the router instead of four.

Traffic from the internet would come through one of the WAN links into an untagged switch port, get tagged in the switch, be sent through the 2 Gbit/s link to the router, run through the network stack there, go back through the same physical links into the switch and from there to the client. This works because 1000Base-T is full-duplex and can send 1 Gbit/s in each direction simultaneously.

If you’re looking for HA, this might not be the best setup.
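The hairpin design in the reply above (WANs into the switch on their own VLANs, one 2-port LAGG to the router) can be checked with a small capacity model. This is an added example, not part of the thread and not UniFi or pfSense configuration: every physical link is modelled as one edge per direction, because 1000Base-T is full duplex, each flow's path is listed edge by edge, and the model reports which edges would be asked to carry more than they can. Port names, client names and the traffic scenarios are constructed. It also shows two things the prose does not spell out: why the switch-to-router trunk must be the two-port aggregate rather than a single port, and that a single client on a 1 Gbit/s access port is capped at 1 Gbit/s whatever the WAN side does.

```python
"""Capacity model of the 'WAN into the switch on its own VLAN' topology.
Added example, not part of the thread. Link and client names are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

LINK_GBPS = 1.0  # constructed assumption: every physical port is 1000Base-T

Edge = Tuple[str, str]   # (link name, direction)
Flow = Dict[str, object]  # {"client", "wan", "dir": "down"|"up", "gbps"}


def capacities(trunk_links: int) -> Dict[Edge, float]:
    """Directed-edge capacities. Each physical link yields two edges (full duplex);
    the switch<->router trunk is an aggregate of trunk_links ports."""
    cap: Dict[Edge, float] = {}
    for wan in ("WAN1", "WAN2"):
        cap[(wan, "in")] = LINK_GBPS    # ISP -> untagged switch port (download)
        cap[(wan, "out")] = LINK_GBPS   # switch port -> ISP (upload)
    cap[("trunk", "sw->rt")] = trunk_links * LINK_GBPS
    cap[("trunk", "rt->sw")] = trunk_links * LINK_GBPS
    return cap


def path(flow: Flow) -> List[Edge]:
    """Edges a flow crosses. Every WAN flow hairpins over the trunk: into the
    router on the WAN VLAN, back out on the LAN VLAN (or the reverse for upload)."""
    client, wan = str(flow["client"]), str(flow["wan"])
    if flow["dir"] == "down":
        return [(wan, "in"), ("trunk", "sw->rt"), ("trunk", "rt->sw"), (client, "sw->client")]
    return [(client, "client->sw"), ("trunk", "sw->rt"), ("trunk", "rt->sw"), (wan, "out")]


def utilisation(flows: List[Flow], trunk_links: int = 2) -> Dict[Edge, float]:
    """Offered load on each directed edge as a fraction of its capacity.
    Client access ports are not in capacities() and default to one 1G port."""
    cap = capacities(trunk_links)
    load: Dict[Edge, float] = defaultdict(float)
    for f in flows:
        for edge in path(f):
            load[edge] += float(f["gbps"])
    return {e: round(g / cap.get(e, LINK_GBPS), 3) for e, g in load.items()}


def overloaded(flows: List[Flow], trunk_links: int = 2) -> List[Edge]:
    """Edges asked to carry more than their capacity."""
    return sorted(e for e, u in utilisation(flows, trunk_links).items() if u > 1.0)


# Constructed scenarios
TWO_CLIENTS_DOWN = [  # the case the thread is after: ~2 Gbit/s spread over clients
    {"client": "pc-a", "wan": "WAN1", "dir": "down", "gbps": 1.0},
    {"client": "pc-b", "wan": "WAN2", "dir": "down", "gbps": 1.0},
]
ONE_CLIENT_DOWN = [  # one client given both WANs (no sticky) on a 1G access port
    {"client": "pc-a", "wan": "WAN1", "dir": "down", "gbps": 1.0},
    {"client": "pc-a", "wan": "WAN2", "dir": "down", "gbps": 1.0},
]
BOTH_WAYS_SATURATED = TWO_CLIENTS_DOWN + [  # both WANs full in both directions
    {"client": "pc-a", "wan": "WAN1", "dir": "up", "gbps": 1.0},
    {"client": "pc-b", "wan": "WAN2", "dir": "up", "gbps": 1.0},
]

if __name__ == "__main__":
    print("2 clients, 2-port LAGG :", overloaded(TWO_CLIENTS_DOWN, trunk_links=2))
    print("2 clients, single port :", overloaded(TWO_CLIENTS_DOWN, trunk_links=1))
    print("1 client on both WANs  :", overloaded(ONE_CLIENT_DOWN))
    print("both WANs up and down  :", overloaded(BOTH_WAYS_SATURATED))
```

With the two-port aggregate, two clients downloading over different WANs fill every edge to exactly 1.0 and nothing is overloaded; with a single trunk port both trunk directions sit at 2.0, which is why the question about "2 ports from the pfSense box" matters in this design. One client handed both WANs overloads only its own access port, so the per-client gain from disabling sticky connections needs a client link faster than 1 Gbit/s. The last scenario shows the trade-off of hairpinning: with both WANs saturated in both directions the 2 Gbit/s trunk sees 4 Gbit/s per direction, so this layout is sized for 2 Gbit/s of WAN traffic in one direction at a time, not both.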