Inbound Load Balancing

wizard

I followed the tutorial building a fully redundant Cluster with 2 pfSense-systems between WAN/LAN with CARP&pfSync which worked fine but i can't seem to get the load balancer to work. I also tried my setup without carp as you suggested with one load balancer instead of two with no success.

my setup is the following

WAN IP: 10.110.1.61
LAN IP:  192.168.1.10

Web Server IP's: 192.168.1.2; 192.168.1.3

i followed the howto from http://wiki.pfsense.com/wikka.php?wakka=IncomingLoadBalancing and i set 192.168.1.2 with icmp as the monitor ip. And i allowed all traffic to pass the WAN interface.  But i can't access the web servers and i can't seem to find a solution.

hoba

Are you sure the webservers respond to pings? if not they are assumed dead and will be excluded from the pool (just in case you have a local firewall running at the webservers too).

wizard

@hoba first of all thx a lot for you help i now have a working load balancer. I also successfuly configured failover with carp up till now everything works fine. My setup

load balancer1

WAN IP 10.110.1.61
LAN IP 192.168.1.10

load balancer2

WAN IP 10.110.1.75
LAN IP 192.168.1.15

Virtual IP'S (carp)

WAN 10.110.1.76
LAN 192.168.1.1

The web servers have there gateway set to the virtual ip on the lan. My web servers work fine in till the point were i unplug the master and the backup takes over. From then on i can't access the web servers. I checked the interfaces carp0 and carp1 the master drops the interfaces and the backup takes over. I can even ping the interfaces but the webservice refuses to work do you have an idea why?  The settings on both hosts are identical expect the master has the sync setting enabled. I am not using a dedicated sync interface for the sync i am using the lan interface do you think that could be a problem?

hoba

Enable SYNC at the Backupmachine too (the first sync option in the list at Firewall>VIP, CARP settings). This one is needed for synchronizing the states between both firewalls. The other options below this are only for config syncing and should only be set at the master.
Besides that make sure your loadbalancer uses the WAN CARP IP as external IP and not the real interface IP. Also check that your firewall rules at WAN are correct.
Another thing to try is disabling loadbalancer settings sync and manually adding the pool/virtual servers at the backup system. (I think this is something that wasn't tested extensively before though it should not cause any problems).

billm

@wizard:

I followed the tutorial building a fully redundant Cluster with 2 pfSense-systems between WAN/LAN with CARP&pfSync which worked fine but i can't seem to get the load balancer to work. I also tried my setup without carp as you suggested with one load balancer instead of two with no success.

my setup is the following

WAN IP: 10.110.1.61
LAN IP:  192.168.1.10

Web Server IP's: 192.168.1.2; 192.168.1.3

i followed the howto from http://wiki.pfsense.com/wikka.php?wakka=IncomingLoadBalancing and i set 192.168.1.2 with icmp as the monitor ip. And i allowed all traffic to pass the WAN interface.  But i can't access the web servers and i can't seem to find a solution.

uhhh, use TCP for the monitor - it'll actually test the port availability, not just the node.

–Bill

wizard

@Hoba i already enabled the Sync option on both machines. To me it seems to be a carp problem as i said in my previous posting everything works fine untill i unplug the network cable of the master host. The backup machine takes over the master state but nothing else seems to happen. And the two web servers behind the load balancers are not reachable. This is the output of ifconfig after the backup has taken over the master state and the web servers are not reachable:

ifconfig
fxp0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>mtu 1500
        options=8 <vlan_mtu>inet6 fe80::2d0:b7ff:fe70:1ce1%fxp0 prefixlen 64 scopeid 0x1
        inet 10.110.1.60 netmask 0xffffff00 broadcast 10.110.1.255
        ether 00:d0:b7:70:1c:e1
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp1: flags=8943 <up,broadcast,running,promisc,simplex,multicast>mtu 1500
        options=8 <vlan_mtu>inet6 fe80::2d0:b7ff:fe68:ba70%fxp1 prefixlen 64 scopeid 0x2
        inet 192.168.1.15 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:d0:b7:68:ba:70
        media: Ethernet autoselect (10baseT/UTP)
        status: active
pflog0: flags=100 <promisc>mtu 33208
pfsync0: flags=41 <up,running>mtu 1348
        pfsync: syncdev: fxp1 maxupd: 128
lo0: flags=8049 <up,loopback,running,multicast>mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
carp0: flags=49 <up,loopback,running>mtu 1500
        inet 10.110.1.76 netmask 0xffffffff
        carp: MASTER vhid 1 advbase 1 advskew 100
carp1: flags=49 <up,loopback,running>mtu 1500
        inet 192.168.1.1 netmask 0xffffffff
        carp: MASTER vhid 2 advbase 1 advskew 100

perhaps it might help someone find my problem</up,loopback,running></up,loopback,running></up,loopback,running,multicast></up,running></promisc></vlan_mtu></up,broadcast,running,promisc,simplex,multicast></full-duplex></vlan_mtu></up,broadcast,running,promisc,simplex,multicast>

wizard

@all THX everybody for your great advice i finally found the problem today. The problem was syncing the firewall rules and load balancing settings from the master to the backup box. I deleted all settings on the backup box today and typed them by hand and my failover setup suddenly worked at last. Could it have something to do with running pfsense as a live-cd instead of installing it to a hd.  I could see the various options being synced to the backup in the web interface but they seemed to have no effect.

billm

@wizard:

@all THX everybody for your great advice i finally found the problem today. The problem was syncing the firewall rules and load balancing settings from the master to the backup box. I deleted all settings on the backup box today and typed them by hand and my failover setup suddenly worked at last. Could it have something to do with running pfsense as a live-cd instead of installing it to a hd.  I could see the various options being synced to the backup in the web interface but they seemed to have no effect.

I wonder if slbd started on the secondary after it's settings got sync'd.  Something for us to look into I 'spose.

–Bill

sullrich

I bet it did not.  There is no code to restart SLBD and other services.

billm

@sullrich:

I bet it did not.  There is no code to restart SLBD and other services.

OK…see the person that imported slbd needs to be shot for not completing it....oh wait, that was me, doh!

--Bill

sullrich

Thats most likely my fault as I added the Sync code. :)

Could we simply HUP slbd on filter reload?