This tutorial is about configuring FreeBSD to equally load balance two Internet lines (2 WANs). Load balancing is done in a round-robin fashion, but the firewall also tracks connection state, so when you access an external address (for example a website on the Internet) your source address remains the same and the packets keep going out over the same Internet connection; that way Internet functionality is not broken. This does not require support from the ISP (such as a dynamic routing protocol). It is not very precise load balancing, but it works, so you can use both lines if you have lots of LAN users. In most cases it will be enough for your needs if you want to load different ADSL or cable modem lines, or other types of connections, equally.
We will use the PF firewall.
We assume you have installed FreeBSD and configured both Internet lines, connected to the FreeBSD router on different network cards.
Step 1. Compile kernel with PF Firewall
------------------------------------------------------
Compile the kernel with PF support by adding the following lines to your kernel config, then build and install the kernel.

# pf support in kernel
device mem
device pf
device pflog
device pfsync

If you do not want to compile PF into the kernel, you can also load it as a module:

kldload pf
Step 2. Configure rc.conf to load pf at boot
----------------------------------------------------------
Add the following lines to /etc/rc.conf:

pf_enable="YES"
pf_rules="/etc/pf.conf"
Step 3. Create your firewall config file
---------------------------------------------------
# --------------- file /etc/pf.conf --------------------
# macros: LAN network, internal interface, the two external interfaces and their gateways
lan_net = "10.0.0.0/24"
int_if  = "fxp2"
ext_if1 = "fxp0"
ext_if2 = "fxp1"
ext_gw1 = "80.10.111.22"
ext_gw2 = "90.20.200.10"

virus_ports = "{135,137,139,445,1080,1025,1026,1433,1434}"
tcp_udp = "{tcp,udp}"

# NAT LAN traffic to the address of whichever external interface it leaves on
#nat on $ext_if1 from $lan_net to any -> ($ext_if1)
#nat on $ext_if2 from $lan_net to any -> ($ext_if2)
nat on $ext_if1 from $lan_net to any -> $ext_if1 static-port
nat on $ext_if2 from $lan_net to any -> $ext_if2 static-port

# block virus ports (the macro is named virus_ports; a reference to $virus_port would not load)
block in quick proto $tcp_udp from any port $virus_ports to any
block out quick proto $tcp_udp from any to any port $virus_ports

# spread new connections from the LAN over both lines, round-robin;
# state tracking keeps each connection on the line it started on
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto {udp,icmp} from $lan_net to any keep state

# replies sourced from one external address must leave through that line's gateway
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) proto tcp from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) proto tcp from ($ext_if1) to any
# -------------------- end /etc/pf.conf file ----------------------------------------
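A macro typo in pf.conf (defining `virus_ports` but writing `$virus_port` in a rule) makes pfctl reject the whole ruleset, which on a router like this one leaves you without NAT and without the route-to rules; on the box itself `pfctl -nf /etc/pf.conf` parses the file without loading it. The script below is an added example (not part of the original tutorial) that does an offline version of that check: it parses pf.conf macro definitions, reports `$name` references that are never defined and macros that are defined but never used, and runs against a constructed fragment in the style of the config above.

```python
import re

# Constructed sample in the style of the tutorial's pf.conf (not its own file).
# It deliberately defines virus_ports but references $virus_port in a rule.
SAMPLE_PF_CONF = """lan_net = "10.0.0.0/24"
int_if = "fxp2"
ext_if1 = "fxp0"
ext_gw1 = "80.10.111.22"
virus_ports = "{135,137,139,445}"
tcp_udp = "{tcp,udp}"
block in quick proto $tcp_udp from any port $virus_port to any
pass in on $int_if route-to { ($ext_if1 $ext_gw1) } proto tcp from $lan_net to any keep state
"""

# name = "value"  (pf macro definition; quotes optional, trailing comment allowed)
MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"#]*)"?\s*(?:#.*)?$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')  # $name expansion inside a rule


def strip_comment(line):
    return line.split('#', 1)[0]  # pf treats '#' to end of line as a comment


def parse_macros(conf):
    """Return {name: value} for every macro definition line in the config."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros


def undefined_macros(conf):
    """Return [(line_number, name)] for $name references with no definition."""
    defined = parse_macros(conf)
    return [(n, ref)
            for n, line in enumerate(conf.splitlines(), start=1)
            for ref in MACRO_REF.findall(strip_comment(line))
            if ref not in defined]


def unused_macros(conf):
    """Names defined but never expanded; often the other half of a typo."""
    referenced = set()
    for line in conf.splitlines():
        referenced.update(MACRO_REF.findall(strip_comment(line)))
    return sorted(name for name in parse_macros(conf) if name not in referenced)


if __name__ == "__main__":
    for lineno, name in undefined_macros(SAMPLE_PF_CONF):
        print(f"line {lineno}: macro ${name} is used but never defined")
    for name in unused_macros(SAMPLE_PF_CONF):
        print(f"macro {name} is defined but never used")
```

Run it against your real file with `undefined_macros(open("/etc/pf.conf").read())`; an empty list from both functions means every macro reference resolves, although `pfctl -nf` remains the authoritative syntax check.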
Notes
--------
Your LAN clients will use NAT for address translation.