Help! I give up…. I need to setup Load Balancing *locally* and it only works a

WolphFang

Here is /var/etc/slbd.conf:

I am currently trying to setup one server per "cluster" for testing purposes….

The pfSenseMGMT one seems to work fine.

pfSenseMGMT:\
	:poolname=pfSenseMGMT:\
	:vip=192.168.0.2:\
	:vip-port=3392:\
	:sitedown=127.0.0.2:\
	:sitedown-port=3392:\
	:method=round-robin:\
	:services=1:\
	:service-port=80:\
	:0=192.168.0.1:\
	:ping:
Server-0-6:\
	:poolname=Server-0-6:\
	:vip=192.168.0.2:\
	:vip-port=3391:\
	:sitedown=127.0.0.2:\
	:sitedown-port=3391:\
	:method=round-robin:\
	:services=1:\
	:service-port=3389:\
	:0=192.168.0.6:\
	:ping:
Server-0-5:\
	:poolname=Server-0-5:\
	:vip=192.168.0.2:\
	:vip-port=3390:\
	:sitedown=127.0.0.2:\
	:sitedown-port=3390:\
	:method=round-robin:\
	:services=1:\
	:service-port=3389:\
	:0=192.168.0.5:\
	:ping:

Status -> Load Balancer -> Virtual Servers shows all Servers Online.

rkelleyrtp

Sorry, dumb question.  Are you specifying port 3390 as per the conf file when connecting to the remote machines via RDP?

WolphFang

@rkelleyrtp:

Sorry, dumb question.  Are you specifying port 3390 as per the conf file when connecting to the remote machines via RDP?

Using 192.168.0.2:3390 and/or 192.168.0.2:3391
When I http to 192.168.0.2:3392, that works just fine.

Just noticed something though in the states:

tcp	192.168.0.6:3389 <- 192.168.0.2:3391 <- 192.168.0.5:32700	CLOSED:SYN_SENT
tcp	192.168.0.5:32700 -> 192.168.0.6:3389	SYN_SENT:CLOSED

Why is the second line missing the load balancer in the middle?

Addendum: Downloading and installing wireshark to look for *.0.2 traffic on one the TS's.

rkelleyrtp

Sorry, don't have the answer to your question.  But, I am going to try this on my own pfSense firewall right now.  I will let you know what I find.

BTW - I am sure you have seen this, eh?  http://doc.pfsense.org/index.php/Setup_Incoming_Load_Balancing

WolphFang

Addendum: Downloading and installing wireshark to look for *.0.2 traffic on one the TS's.

Beyond the ICMP checks, I am not receiving any traffic from pfSense when connecting to the VIP:PORT combination.

WolphFang

Running a packet capture on the LAN interface for target host of 192.168.0.6 when connecting from 192.168.0.5 to 192.168.0.2:3391 reveals:

ICMPs…

08:06:38.846401 arp who-has 192.168.0.6 tell 192.168.0.1
08:06:38.846453 IP 192.168.0.1 > 192.168.0.6: ICMP echo request, id 17533, seq 0, length 64
08:06:38.846914 arp reply 192.168.0.6 is-at 00:0c:29:50:8d:aa
08:06:38.847029 IP 192.168.0.6 > 192.168.0.1: ICMP echo reply, id 17533, seq 0, length 64

Malformed attempt at connection?

08:06:43.727167 IP 192.168.0.5.32976 > 192.168.0.6.3389: tcp 0

ICMPs…

08:06:43.866523 IP 192.168.0.1 > 192.168.0.6: ICMP echo request, id 20093, seq 0, length 64
08:06:43.866850 IP 192.168.0.6 > 192.168.0.1: ICMP echo reply, id 20093, seq 0, length 64

Malformed attempt at connection?

08:06:46.764640 IP 192.168.0.5.32976 > 192.168.0.6.3389: tcp 0

ICMPs…

08:06:48.886760 IP 192.168.0.1 > 192.168.0.6: ICMP echo request, id 22653, seq 0, length 64
08:06:48.887107 IP 192.168.0.6 > 192.168.0.1: ICMP echo reply, id 22653, seq 0, length 64

Malformed attempt at connection?

08:06:52.800578 IP 192.168.0.5.32976 > 192.168.0.6.3389: tcp 0

ICMPs

08:06:53.906960 IP 192.168.0.1 > 192.168.0.6: ICMP echo request, id 42365, seq 0, length 64
08:06:53.907377 IP 192.168.0.6 > 192.168.0.1: ICMP echo reply, id 42365, seq 0, length 64
08:06:58.928464 IP 192.168.0.1 > 192.168.0.6: ICMP echo request, id 47229, seq 0, length 64
08:06:58.928866 IP 192.168.0.6 > 192.168.0.1: ICMP echo reply, id 47229, seq 0, length 64
08:07:03.946814 IP 192.168.0.1 > 192.168.0.6: ICMP echo request, id 49789, seq 0, length 64
08:07:03.947293 IP 192.168.0.6 > 192.168.0.1: ICMP echo reply, id 49789, seq 0, length 64
08:07:08.967876 IP 192.168.0.1 > 192.168.0.6: ICMP echo request, id 52349, seq 0, length 64
08:07:08.968258 IP 192.168.0.6 > 192.168.0.1: ICMP echo reply, id 52349, seq 0, length 64

Why is the load balancer using the connecting IP# as its source IP# for a generic TCP connection?

rkelleyrtp

Unfortunately, no help here.  In fact, after configuring my LB pool, I get an "Offline" message under Status–>Load Balancer-->Virtual Servers.  In addition, I don't get any servers listed under the Status-->Load balancer -->Pools tab.  The only thing I have not done is reboot my firewall yet...

WolphFang

@rkelleyrtp:

Unfortunately, no help here.  In fact, after configuring my LB pool, I get an "Offline" message under Status–>Load Balancer-->Virtual Servers.  In addition, I don't get any servers listed under the Status-->Load balancer -->Pools tab.  The only thing I have not done is reboot my firewall yet...

I thought pools were only for load balancing outbound across ISPs?

My status under virtual servers shows:

Name	Port	Servers	Status	Description

pfSenseMGMT 	3392 192.168.0.1 Online 	Last change Feb 19 2010 08:21:37

Server-0-6 	3391 192.168.0.6 Online 	Last change Feb 19 2010 08:21:37

Server-0-5 	3390 192.168.0.5 Online 	Last change Feb 19 2010 08:21:37

WolphFang

I found sufficient documentation to realize that this is not a TCP reconnecting daemon. It is a pf rules modifier for NAT reflection to produce the load balancing.

That is why I am getting those bad entries for the connection attempts.

The arrangement I am trying to setup is not possible with slbd.

The only reason it works for the MGMT port is because the pfSense machine is both IPs so that the response packets get processed before being sent back to the web-browser and get de-natted/re-natted the way they are needed.

When slbd redirects the connection attempts from the local machine to a local machine, it rewrites the request NATted, which causes the response to be transmitted directly to the originator, therefore it can't get re-munged into a proper format for the initiator to know it is a response, so I am sure it gets dropped and a TCP session is never even setup. The initial hand-shake fails.

WolphFang

I figured out a way to get it to rewrite EVERYTHING going in/out.

Firewall -> NAT
Manual Mode
Edit WAN rule: make it WAN interface, NAT, any <-> any
Create LAN rule: make it LAN interface, NAT, any <-> any

Testing operations now both locally and remotely.

WolphFang

@WolphFang:

I figured out a way to get it to rewrite EVERYTHING going in/out.

Firewall -> NAT
Manual Mode
Edit WAN rule: make it WAN interface, NAT, any <-> any
Create LAN rule: make it LAN interface, NAT, any <-> any

Testing operations now both locally and remotely.

ARGH! Someone went and OBEYED that stupid https management warning message on the Sonic Wall while I was finagling the rules!

All locked out now, everything, no more testing tonight. :(

rkelleyrtp

If it were me, I would just use haproxy for this.  Check out this blog:
http://blog.loadbalancer.org/load-balancing-windows-terminal-server-–-haproxy-and-rdp-cookies/#more-296