Netgate Discussion Forum
    Internal load balance (virtual server)

    Category: HA/CARP/VIPs
    3 Posts, 2 Posters, 2.4k Views
    nian:

      Is it possible to load balance (in a failover fashion) completely on the LAN side?

      All articles I read about deal with load balancing on the WAN side. The "Virtual Server" interface itself states it only listens on the WAN interface.

      Is it possible to set up a load balancer to handle the LAN side of things? A good example might be two databases in an active-passive configuration.

      pfsense LAN IP: 10.x.x.1
      db1 LAN IP: 10.x.x.10
      db2 LAN IP: 10.x.x.11
      virtual db IP: 10.x.x.12

      … so I have 10.x.x.12 set up in a pool to point to 10.x.x.10 first, and 10.x.x.11 as a failover.

      1. I tried using "Virtual Server" with 10.x.x.12, and it doesn't listen.
      2. I set up an alias "dbs" of two hosts (10.x.x.10, 10.x.x.11), and then created a NAT from 10.x.x.12 to this alias "dbs". Unfortunately, each subsequent connection might pick up each of the databases in a pool.

      In both cases I have a firewall rule set up to use the database pool as gateway.

      Any suggestions? Is this even possible?


    GruensFroeschli:

        I see a problem with your idea: You use the balancing pool in a firewall rule.
        But traffic from within your LAN destined to your LAN will never go over the firewall.

        An exception that "might" work (I'm not sure) is if you create a normal NAT forwarding from WAN to LAN, enable NAT reflection and try to access the server via the WAN.

        client --> pfSenseLAN --> pfSenseWAN --NAT/reflection--> server

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html


    nian:

          Thanks GruensFroeschli. The NAT didn't work. I know that NAT is resolved prior to firewall rules.

          Does anyone know how "Virtual Servers" works? If it's a matter of configuration I can try to dig into the code to do this, or set up a bounty. Is it a combination of custom NAT with gateway routing, or what's the behind-the-scenes program that handles this?

          It's interesting to note, in the NAT, it says:

          If you want this rule to apply to another IP address than the address of the interface chosen above, select it here (you need to define Virtual IP addresses first). Note if you are redirecting connections on the LAN, select the "any" option.

          … why do LAN port forwards require the "any" option, but WAN does not? Is it a limitation of the program doing the NAT? If it's that kind of limitation, then I guess there is no solution.
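As an added illustration, not code from this thread or from Netgate, here is what a failover-style (active-passive) redirect bound to the LAN side looks like in relayd.conf, assuming, as on pfSense 2.x, that the "Virtual Server" feature is backed by relayd. The addresses 10.0.0.10/11/12 are constructed stand-ins for the 10.x.x.* addresses above, "lan" is assumed to be the LAN interface name, and 5432 is an assumed database port.

```conf
# Added example (not from the thread): relayd.conf for an active-passive
# database redirect on the LAN side. Addresses are constructed stand-ins
# for the 10.x.x.* addresses in the thread; 5432 and "lan" are assumptions.
db_port  = "5432"
db_vip   = "10.0.0.12"            # the virtual DB address clients connect to

table <db_primary> { 10.0.0.10 }  # active node (db1)
table <db_backup>  { 10.0.0.11 }  # passive node (db2)

redirect db {
    # Bind the generated rdr rule to the LAN interface instead of WAN.
    listen on $db_vip port $db_port interface lan
    # The first "forward to" is the main pool; the second is the backup
    # pool, which relayd uses only while every host in the main pool fails
    # its health check. This gives failover rather than round-robin.
    forward to <db_primary> port $db_port check tcp
    forward to <db_backup>  port $db_port check tcp
}
```

One caveat, stated as an assumption about pf rather than something the thread confirms: because the client and both databases share the LAN subnet, the backend's reply would go straight back to the client with source 10.0.0.10 and be dropped, so an outbound NAT rule on the LAN interface for traffic toward the pool is also needed to force the return path through pfSense.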

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.