Netgate Discussion Forum

Active Active Load Balancing

General pfSense Questions

    chriva
    last edited by Dec 14, 2018, 8:36 AM

    Hi to all,
    I need your advice on a configuration I plan to deploy.
    Before going "live" I prefer to ask your opinion.

    The question is about a pfSense firewall and an active/active load balancer cluster (nginx) that I have set up.
    Basically pfSense connects LAN1 to LAN2.

    • LAN1 is the client network

    • LAN2 is the server network

    The load balancers have two VIPs:

    • test1 primarily on LB1

    • test2 primarily on LB2

    There is no problem between the load balancers and the server farm: the farm exposes an HTTP service.

    I also defined on my DNS the name test.intranet, which points to both IPs and answers like this (from the client), in a round-robin fashion:

    dig test.intranet

    ; <<>> DiG 9.10.6 <<>> test.intranet
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62823
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;test.intranet. IN A

    ;; ANSWER SECTION:
    test.intranet. 3600 IN A 192.168.250.101
    test.intranet. 3600 IN A 192.168.250.100

    dig test.intranet

    ; <<>> DiG 9.10.6 <<>> test.intranet
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62823
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;test.intranet. IN A

    ;; ANSWER SECTION:
    test.intranet. 3600 IN A 192.168.250.100
    test.intranet. 3600 IN A 192.168.250.101

    pfSense's DNS points to the same internal DNS and resolves like:
    drill test.intranet.dynameeting.it @127.0.0.1
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4768
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; test.intranet. IN A

    ;; ANSWER SECTION:
    test.intranet. 3578 IN A 192.168.250.100
    test.intranet. 3578 IN A 192.168.250.101

    I've put an alias in pfSense:
    TEST test.intranet

    The question: is it OK if I set my pfSense rules like
    allow http LAN1_network -> TEST
    deny LAN1_network -> LAN2_network

    or will I get some drops or problems?
    (feel free to move my answer to another section if this is not the right one!)

    stephenw10 Netgate Administrator
    last edited by Dec 18, 2018, 5:30 PM

      I would expect that to be OK as long as the load balancers are acting as true proxies rather than forwarders. If all traffic to/from the servers goes via the load balancer, that is all the rules you will need.

      Steve

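As an added illustration (not code from either poster), here is the proposed rule set and pf-style state tracking modelled in Python, so the proxy-versus-forwarder caveat above can be traced packet by packet. The alias resolves to the two VIPs from the dig output; the LAN1 subnet, client ports and the backend server address are assumed values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed to mirror the thread: alias TEST resolves to the two VIPs shown
# in the dig output; LAN1 holds the clients, LAN2 the load balancers and the
# server farm. The LAN1 subnet and the backend address are assumed values.
ALIAS_TEST = {"192.168.250.100", "192.168.250.101"}
LAN1 = ipaddress.ip_network("10.1.0.0/24")
LAN2 = ipaddress.ip_network("192.168.250.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def in_net(addr, net):
    return ipaddress.ip_address(addr) in net

# The proposed LAN1 rules, evaluated first-match top to bottom like pf does.
RULES = [
    ("pass", lambda p: in_net(p.src, LAN1) and p.dst in ALIAS_TEST and p.dport == 80),
    ("block", lambda p: in_net(p.src, LAN1) and in_net(p.dst, LAN2)),
]

def evaluate(p):
    """Stateless decision for the first packet of a flow."""
    for action, matches in RULES:
        if matches(p):
            return action
    return "block"  # nothing matched: implicit default deny

class StatefulFirewall:
    """A new flow passes only if a rule allows it; a reply passes only if it
    matches a state created by that flow (keyed on the full 4-tuple)."""

    def __init__(self):
        self.states = set()

    def forward(self, p):
        if (p.dst, p.dport, p.src, p.sport) in self.states:
            return "pass"  # reply belonging to an established flow
        if evaluate(p) == "pass":
            self.states.add((p.src, p.sport, p.dst, p.dport))
            return "pass"
        # A backend answering the client from its own address (LB acting as a
        # forwarder, not a proxy) lands here: no state, no rule, so it is dropped.
        return "block"
```

Feeding a client request to a VIP, the VIP's reply and a direct reply from a backend through forward() shows the first two passing and the third being dropped, which is the case the answer warns about.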