Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Active Active Load Balancing

    Scheduled Pinned Locked Moved
    General pfSense Questions
    2
    2
    477
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      chriva
      last edited by

      Hi to all,
      I need your advice on a configuration I plan to deploy.
      Before going "live" I prefer to ask your opinion.

      The question is about a pfsense firewall and an active/active load balancer cluster(nginx) that I have setup.
      Basically PFsense connects LAN1 to LAN2.

      • LAN1 is the client networks

      • LAN2 is the server network

      The load balancers have two VIP:

      • test1 primarily on LB1

      • test2 primarily on LB2

      There is no problem between LoadBalancers and the server farm: the farm exposes an http service

      I also defined on my dns the test.intranet name that points to both IP and answers like this (from the client): in a round robin fashion

      dig test.intranet

      ; <<>> DiG 9.10.6 <<>> test.intranet
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62823
      ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4000
      ;; QUESTION SECTION:
      ;test.intranet. IN A

      ;; ANSWER SECTION:
      test.intranet. 3600 IN A 192.168.250.101
      test.intranet. 3600 IN A 192.168.250.100

      dig test.intranet

      ; <<>> DiG 9.10.6 <<>> test.intranet
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62823
      ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4000
      ;; QUESTION SECTION:
      ;test.intranet. IN A

      ;; ANSWER SECTION:
      test.intranet. 3600 IN A 192.168.250.100
      test.intranet. 3600 IN A 192.168.250.101

      PFsense dns point to the same internal DNS and resolve like
      drill test.intranet.dynameeting.it @127.0.0.1
      ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4768
      ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
      ;; QUESTION SECTION:
      ;; test.intranet. IN A

      ;; ANSWER SECTION:
      test.intranet. 3578 IN A 192.168.250.100
      test.intranet. 3578 IN A 192.168.250.101

      I've put an alias in PFSense
      TEST test.intranet

      The question: is ok if I set my PFSense rules like
      allow http LAN1_network -> TEST
      deny LAN1_network -> LAN2_network

      or I will get some drop or problem?
      (feel free to move my answer on another section if this is not the good one!)![alt text]0_1544776531813_2018-12-14 09_30_50-lb_aa.png

      1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        I would expect that to be OK as long as the load balancers are acting as true proxies rather then forwarders. If all traffic to/from the servers goes via the load-balancer that is all the rules you will need.

        Steve

        1 Reply Last reply Reply Quote 0
        • First post
          Last post