Netgate Discussion Forum

Load Balance DNS

General pfSense Questions
11 Posts 3 Posters 6.6k Views
  • Matrioux
    last edited by Sep 24, 2012, 8:14 PM

    Hello,

    Trying to load balance DNS.

    • I set up a multi-server pool listening on port 53

    • I set up a virtual server using an IP address from my DMZ interface

    • If I use protocol TCP, relayd runs fine and everything works (except DNS requests, as tcp is tcp only)

    • If I change the protocol on the virtual server to DNS, relayd terminates with no detailed message in the log:

      • Sep 24 16:13:05 relayd[29690]: terminating

      • Sep 24 16:13:05 relayd[29690]: configuration merge done

      • Sep 24 16:13:05 relayd[29690]: reloading configuration

    If set to tcp, I can contact the servers. The interface IP is a valid DMZ interface; I shouldn't need an alias IP.

    What am I missing?

    • johnpoz LAYER 8 Global Moderator
      last edited by Sep 24, 2012, 9:12 PM

      dns can be both udp and tcp - mostly udp to be honest.  Protocol switches to tcp when doing large transfers like zone transfer.  But normally queries are udp.

      Can you load balance UDP?  I didn't think so?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • Matrioux
        last edited by Sep 25, 2012, 1:18 AM

        pfSense added dns to load balance in 2.0.1

        • johnpoz LAYER 8 Global Moderator
          last edited by Sep 25, 2012, 4:53 AM

          Well yes they did ;)
          Here this thread should be of help
          http://forum.pfsense.org/index.php?topic=44490.0#msg231262

          • Matrioux
            last edited by Sep 25, 2012, 12:15 PM

            Because I am using a legit IP address already assigned to the DMZ interface, I shouldn't need the IP Alias. Also, I am not getting any other entries in the log, nothing about failing to bind or failing to listen, so I think my problem may be different than the one described. I have it working well for all my load balancing with TCP; the only problem is when I change the protocol switch to dns, suddenly the whole thing fails and relayd terminates (thus killing all my other load balancing).

            • johnpoz LAYER 8 Global Moderator
              last edited by Sep 25, 2012, 12:53 PM

              "Because I am using a legit IP address already assigned to the DMZ interface"

              What?  Don't you have to use an IP on the external interface?

              Setup the virtual servers

              visit services -> load balancer -> virtual servers
                • delete any virtual servers that you created before that do not work
                • set the name to Load balance WAN -> LAN/OPT or something descriptive
                • set the description to Load balance web servers on LAN/OPT or something descriptive
                • set the ip address (note: this will be the external IP; can be carp, etc.)
                • set the port to 80 if you wish to load balance http
                • set virtual server pool to the one you just created
                • click submit
                • Add a firewall rule to permit the traffic
              make sure dns is pointed to public wan balancer ip

              • Matrioux
                last edited by Sep 25, 2012, 1:16 PM

                Sorry for the confusion, my DMZ addresses ARE public external IP Addresses; my DMZ doesn't currently use NAT. I have 2 subnets pointing from the world to my pfSense box, one I use for NATing my LAN, one is for the DMZ.

                Load balancing is working fine using these same servers for http and https; it's just the protocol DNS on port 53 that isn't working right. I even tried using the same IP addresses that are working for http and https load balancing for the dns load balancing, and it still fails when the protocol is changed to dns in services->load balancer->virtual server.

                • dhatz
                  last edited by Sep 25, 2012, 2:15 PM

                  Have a look at related threads e.g.

                  http://forum.pfsense.org/index.php?topic=44490.0
                  http://forum.pfsense.org/index.php?topic=9569.0

                  • johnpoz LAYER 8 Global Moderator
                    last edited by Sep 25, 2012, 2:52 PM

                    hmmmm -- From the way I read the docs on load balancing that doesn't seem to be a supported configuration?

                    going to need one of the developers to chime in on your config.  Does it work if you set it up using the documented method, i.e. via the segment you're NATing?

                    • Matrioux
                      last edited by Sep 25, 2012, 2:54 PM

                      I've seen those threads,

                      One is the initial bounty request that got it added and the other ran into problems with the IP alias and CARP, neither of which I'm using. Every thread I have read seems to imply that it should be running fine the way I have it set up and that several people are using it without issues. I am not sure where else to look. The setup works fine with protocol set to TCP (although the DNS requests don't work obviously) then if I switch the protocol to DNS, relayd fails to restart with no real information in the logs (see above).

                      Most every problem thread is an ip alias issue and fixing that resolves the problem, but I shouldn't need an ip alias as the ip address I'm using is a live interface defined one.

                      To answer the question just posted, I have tried using an IP Alias with an unassigned external ip from the subnet assigned for internal LAN NAT. I get the same three lines in the log and relayd fails to start.

                      I'm not sure how to troubleshoot the process or get more information from relayd about why it's failing when the virtual server protocol is changed to dns.

                      • Matrioux
                        last edited by Sep 25, 2012, 3:03 PM

                        I'll try moving ALL the load balancing to an external IP address using IP Alias and see if that makes any difference.

                        [edit]

                        Ok, that works. TCP Load Balancing worked fine using external IP addresses on the DMZ interface.
                        DNS load balancing ONLY works if ALL load balancing (including the TCP) uses IP Aliases.

                        I will dig into this further and see if I can suss out exactly what's going on.

                        Thanks all!

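The failure Matrioux describes above, relayd logging only "reloading configuration", "configuration merge done" and "terminating" and taking every other virtual server down with it, is exactly the kind of silent outage an operator wants alerted on. As an added example (not code from the thread, pfSense or relayd), this Python script parses syslog lines of the shape quoted in the first post and flags any relayd process that logs "terminating" within a few seconds of a reload; the log sample is constructed and the year is assumed, since syslog timestamps carry none.

```python
"""Flag relayd reloads that end in 'terminating' (constructed log sample)."""
import re
from datetime import datetime

# Syslog line shape as quoted in the thread: "Sep 24 16:13:05 relayd[29690]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"relayd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ASSUMED_YEAR = 2012  # syslog lines carry no year; assumed so timestamps can be compared

# Constructed sample: the thread's three lines in chronological order (pid 29690),
# then a reload on a fresh pid that completes and is stopped normally hours later.
SAMPLE_LOG = """\
Sep 24 16:13:05 relayd[29690]: reloading configuration
Sep 24 16:13:05 relayd[29690]: configuration merge done
Sep 24 16:13:05 relayd[29690]: terminating
Sep 24 16:25:40 relayd[30211]: reloading configuration
Sep 24 16:25:40 relayd[30211]: configuration merge done
Sep 24 18:02:13 relayd[30211]: terminating
"""


def parse_log(text):
    """Yield (timestamp, pid, message) for each relayd syslog line; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, int(m["pid"]), m["msg"]


def failed_reloads(text, window_seconds=10):
    """Return [(pid, reload_ts)] for processes that logged 'terminating' within
    window_seconds of 'reloading configuration'. A termination long after the
    reload is an ordinary stop and is not reported."""
    pending = {}   # pid -> timestamp of its most recent reload
    failures = []
    for ts, pid, msg in parse_log(text):
        if msg == "reloading configuration":
            pending[pid] = ts
        elif msg == "terminating" and pid in pending:
            started = pending.pop(pid)
            if (ts - started).total_seconds() <= window_seconds:
                failures.append((pid, started))
    return failures


if __name__ == "__main__":
    for pid, ts in failed_reloads(SAMPLE_LOG):
        print(f"relayd[{pid}] died right after the reload at {ts:%b %d %H:%M:%S}")
```

Run against /var/log/system.log (or wherever pfSense sends relayd's syslog output) after each load balancer change to catch a reload that killed the daemon instead of applying the new virtual server.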
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.