Load Balance DNS

Matrioux · Sep 24, 2012, 8:14 PM

Hello,

Trying to load balance DNS.

I set up a mulit-server pool listening on port 53
I set up a vitual server using an IP address from my DMZ interface
If I use protocol TCP, relayd runs fine and everything works (except DNS requests, as tcp is tcp only)
If I change the protocol on the virtual server to DNS, relayd terminates with no detailed message in the log:
- Sep 24 16:13:05 relayd[29690]: terminating
- Sep 24 16:13:05 relayd[29690]: configuration merge done
- Sep 24 16:13:05 relayd[29690]: reloading configuration

if set to tcp, I can contact the servers. The interface IP is a valid DMZ interface, I shouldn't need an alias IP.

What am I missing?

johnpoz · Sep 24, 2012, 9:12 PM

dns can be both udp and tcp - mostly udp to be honest. Protocol switches to tcp when doing large transfers like zone transfer. But normally queries are udp.

Can you load balance UDP? I didn't think so?

Matrioux · Sep 25, 2012, 1:18 AM

pfSense added dns to load balance in 2.0.1

johnpoz · Sep 25, 2012, 4:53 AM

Well yes they did ;)
Here this thread should be of help
http://forum.pfsense.org/index.php?topic=44490.0#msg231262

Matrioux · Sep 25, 2012, 12:15 PM

Because I am using a legit IP address already assigned to the DMZ interface, I shouldn't need the IP Alias. Also, I am not getting any other entries in the log, nothing about failing to bind or failing to listen, so I think my problem may be different then the one described. I have it working well for all my load balancing with TCP, the only problem is when I change the protocol switch to dns, suddenly the whole thing fails and relayd terminates (thus killing all my other load balancing)

johnpoz · Sep 25, 2012, 12:53 PM

"Because I am using a legit IP address already assigned to the DMZ interface"

What? Don't you have to use an IP on the external interface?

Setup the virtual servers

visit services -> load balancer -> virtual servers
delete any virtual servers that you created before that do not work
set the name to Load balance WAN -> LAN/OPT or something descriptive
set the description to Load balance web servers on LAN/OPT or something descriptive
set the ip address note, this will be the external IP (can be carp, etc)
set the port to 80 if you wish to load balance http
set virtual server pool to the one you just created
click submit
Add a firewall rule to permit the traffic
make sure dns is pointed to public wan balancer ip

Matrioux · Sep 25, 2012, 1:16 PM

Sorry for the confusion, my DMZ addresses ARE public external IP Addresses, my DMZ doesn't currently use NAT. I have 2 subnets pointing from the world to my pfSense box, one I use for NATing my LAN, one is for the DMZ.

Load balancing is working fine using these same servers for http and https, its just the protocol DNS on port 53 that isn't working right. I even tried using the same IP addresses that are working for http and https load balancing for the dns load balancing, and it still fails when the protocol is changed to dns in the services->load balancer->virtual server.

dhatz · Sep 25, 2012, 2:15 PM

Have a look at related threads e.g.

http://forum.pfsense.org/index.php?topic=44490.0
http://forum.pfsense.org/index.php?topic=9569.0

johnpoz · Sep 25, 2012, 2:52 PM

hmmmm – From the way I read the docs on load balancing that doesn't seem to be a supported configuration?

going to need one of the developers to chime in on your config. Does it work if you set it up using the documented method, ie via your segment your natting?

Matrioux · Sep 25, 2012, 2:54 PM

I've seen those threads,

One is the initial bounty request that got it added and the other ran into problems with the IP alias and CARP, neither of which I'm using. Every thread I have read seems to imply that it should be running fine the way I have it set up and that several people are using it without issues. I am not sure where else to look. The setup works fine with protocol set to TCP (although the DNS requests don't work obviously) then if I switch the protocol to DNS, relayd fails to restart with no real information in the logs (see above).

Most every problem thread is an ip alias issue and fixing that resolves the problem, but I shouldn't need an ip alias as the ip address I'm using is a live interface defined one.

To answer the question just posted, I have tried using an IP Alias with an unassigned external ip from the subnet assigned for internal LAN NAT. I get the same three lines in the log and relayd fails to start.

I'm not sure how to troubleshoot the process or get more information from relayd about why its failing when the virtual server protocol is changed to dns.

Matrioux · Sep 25, 2012, 3:03 PM

I'll try moving ALL the load balancing to an external IP address using IP Alias and see if that makes any difference.

[edit]

Ok, that works. TCP Load Balancing worked fine using external IP addresses on the DMZ interface
DNS load balancing ONLY works if ALL load balancing (including the TCP) uses IP Aliases.

I will dig into this further and see if I can suss out exactly whats going on.

Thanks all!