HEADS UP: relayd deprecated on pfSense 2.5.0

  • Rebel Alliance Developer Netgate

    [EDIT: relayd has been removed from 2.5.0, see posts below]

    The built-in load balancer daemon, relayd, does not work with OpenSSL 1.1.x which is now the default on FreeBSD 12.x and thus on pfSense 2.5.0 development snapshots. It will take significant work to address its issues, and the service does not see much use these days compared to the more robust and feature-filled HAProxy package.

    At this time we are leaning toward deprecating the relayd-based load balancing service. Most, if not all, scenarios possible in relayd can be done in superior ways in HAProxy.

    A few notable differences with respect to converting from relayd:

    • HAProxy is more complex, thus can be a little trickier for beginners to configure
    • HAProxy is a true proxy, not NAT-based, thus may consume more resources
    • HAProxy will need IP Alias VIPs to bind in some cases that relayd did not, since relayd worked via NAT.
    • HAProxy may conflict with the WebGUI if both are set to bind to port 443, though it's trivial to work around either by binding HAProxy to an alternate port and using NAT rules to redirect external traffic, or by moving the GUI to another port.
    • HAProxy does not preserve the client IP address by default, but has an option to do so (Transparent Client IP). In most cases this is not necessary, as HAProxy can add headers such as X-Forwarded-For which can be used in logging on the web server or by applications on the web server to achieve similar effects.

    There are more details and a comparison in the Server Load Balancing hangout at https://www.netgate.com/resources/videos/server-load-balancing-on-pfsense-24.html and the slides at https://www.slideshare.net/NetgateUSA/server-load-balancing-on-pfsense-24-pfsense-hangout-july-2017

    It may be possible for us to write some code to import settings from relayd into haproxy as well, but it is not likely to be fully automated for all cases.

    The decision is not yet final, however. If you use relayd but absolutely cannot use HAProxy, now is the time to speak up with specifics so we can take these scenarios into account.

    If you are not sure if you can use HAProxy, now is the time to try it out. Replicate existing relayd setups in HAProxy and post on the cache/proxy category if you need assistance. You can do this now on any release, no need to wait for snapshots.

    For those affected, if you convert your setup over to HAProxy before upgrading to 2.5.0, then there will be no downtime due to the change.
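    The points above (alternate bind port to avoid the WebGUI on 443, an IP Alias VIP to bind to, X-Forwarded-For instead of transparent client IP, and health checks so a failed server leaves the pool) map onto a small HAProxy configuration. The fragment below is an added illustration, not Netgate's or the pfSense HAProxy package's generated config; the VIP 203.0.113.10, port 8443, the certificate path and the backend addresses 10.0.0.11/10.0.0.12 are placeholders for this example.

```haproxy
# Added example: minimal HAProxy setup replacing a relayd-style pool.
# All addresses, ports and paths are placeholders chosen for illustration.
global
    log /dev/log local0

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend web_in
    # Bind to the IP Alias VIP on 8443 rather than 443, so the pfSense WebGUI
    # keeps 443; a NAT rule can forward external :443 to this port.
    bind 203.0.113.10:8443 ssl crt /var/etc/haproxy/web.pem
    # Insert X-Forwarded-For so the backend can log the real client address
    # without needing the Transparent Client IP option.
    option forwardfor
    default_backend web_pool

backend web_pool
    balance roundrobin
    # Health checks remove a failed server from rotation automatically,
    # which a plain NAT port forward to an alias cannot do.
    option httpchk GET /healthz
    server web1 10.0.0.11:80 check inter 5s fall 3 rise 2
    server web2 10.0.0.12:80 check inter 5s fall 3 rise 2
```

    In the pfSense package the same settings live in the frontend and backend forms rather than a hand-written file; the fragment is only meant to show which relayd concepts (VIP, pool members, monitoring) land where.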

  • Rebel Alliance Developer Netgate

    The FreeBSD port is broken, the upstream repository hasn't seen an update in almost 5 years, and there is no sign of anyone working to port it to the new OpenSSL. Thus, relayd is currently slated to be removed from 2.5.0.


  • Rebel Alliance Developer Netgate

    FYI: relayd has now been removed from master (pfSense 2.5.0)


  • @jimp
    Would the removal of "relayd" affect Dual WAN load balancing that's currently integrated into pfSense?

  • Rebel Alliance Developer Netgate

    @kossie said in HEADS UP: relayd deprecated on pfSense 2.5.0:

    Would the removal of "relayd" affect Dual WAN load balancing that's currently integrated into pfSense?

    No, that never used relayd. This is server load balancing only.

  • @jimp

    Perfect thanks for the quick reply! I look forward to testing 2.5.0 when released.

  • It looks like I posted originally in the wrong section.


    haproxy unfortunately doesn't have the one big feature relayd has: established connections are not broken when switching to the backup firewall. We have some load-balanced applications with long-lived connections and 24/7 use, so customers will get disconnected if an established connection breaks. Relayd was a nice solution for that.

    Anyone know if this will ever return if relayd gets fixed or anyone else with similar requirements have a plan when 2.5.0 is released?

  • Rebel Alliance Developer Netgate

    At this point it is unlikely to return. The upstream code hasn't been touched in years, and I don't see any sign of anyone working on it. It's not something we have the resources to take on, either.

    Pretty much all the solutions out there now are proxies. I don't think there is anything left that would work purely with NAT.

    If you only need load balancing and not failover or taking out servers from the pool, you could just make a port forward NAT rule with an alias for the target. Not fancy, but it may get the job done. Problem is that it can't handle server failures. Maybe with some custom scripting to monitor and add/remove from the target table... Still seems like a lot of room for error.

    Failover with haproxy should be pretty quick. If your application can't handle a minor TCP connection hiccup gracefully, it probably has more problems than reconnecting on failover, though. You're far more likely to have the connection die due to random Internet happenings than failover.

  • I will research the alias option with port forward NAT. That might be ok for some scenarios. Thanks for that info. I will certainly miss relayd's failover connection handling. It worked well for our scenario.
