Relayd going away in 2.5.0 :(



  • The notes state that the new openssl version in 2.5.0 isn't compatible with relayd and work has not been done by upstream to fix that.

    I use relayd because its simple load balancing works for our stateless application and it has a feature that haproxy does not. If the primary firewall needs to be switched for maintenance or problem failover, the backup will take over and the existing established connections being load balanced with relayd still keep working. Because relayd only manipulates pf rules, the connection state will fail over. The firewall states are kept between firewalls with pfsync.

    With haproxy, it is an application that binds to ports and the connections get proxied (recreated) between haproxy and the backend servers. If we need to switch to the backup firewall (or make a change requiring a restart of haproxy), the existing connections will be broken.

    We really liked that relayd kept connection state for load balanced connections. We didn't need the more advanced features of haproxy.

    While we could set up other servers for haproxy, we would still have the same issue when needing to do maintenance on the haproxy servers, and we would need at least 2 more servers.

    Anyone else have this type of requirement, and if so, how are you going to deal with the change to 2.5.0?



  • https://forum.netgate.com/topic/140790/heads-up-relayd-deprecated-on-pfsense-2-5-0 It should be discussed in the appropriate development section.



  • Thanks Grimson.


  • Rebel Alliance Moderator

    With haproxy, it is an application that binds to ports and the connections get proxied (recreated) between haproxy and the backend servers. If we need to switch to the backup firewall (or make a change requiring a restart of haproxy), the existing connections will be broken.

    Not necessarily true. It only depends on what you use for session and state handling. States from the internet to the proxy would sync to the backup node the same way they would with relayd. It has nothing to do with the fact that haproxy binds to ports etc. The problem you speak about mostly comes from sessions getting lost by the switch from master to backup.

    Did you actually test HAproxy for your use case? In what configuration? Layer 4 or Layer 7 mode balancing? Stickiness? What is the problem you are running into with it?

    Sure, relayd is a nice little thing on top of PF to have, but I'm curious why a full load balancer should do a worse job than a little "pf hack" in load balancing your application. And if you say "stateless" application, that would imply no login, cookie, session etc. dependency but sheer availability of the application. I can't see how that shouldn't work out with haproxy just fine?



  • @JeGr
    As haproxy terminates the TCP connection in a socket, and the state of that socket is not synced to the secondary haproxy node, the TCP connection will break when a failover is performed.

    Stick-table content can be synced, but the state of all socket connections is not.

    @adam65535
    As for configuration changes on a running haproxy, this should not have much notable impact on http connections, as it would ask the browser nicely to close existing http connections, and a new TCP connection can be made to the already running new haproxy instance. And the old process keeps serving connections until the hard-stop timeout (its default in the pfSense package is 15 minutes) or it will stop when no connections remain. Long-lived connections like a database connection or an ssh session, yes, those would eventually break. Or you would need a stop timeout of like 24 hours or something, but that gives a risk of running lots of haproxy processes simultaneously if several changes are made during a day, and risks like out-of-memory then arise...
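    The two points made in this thread, that stick-table content can be replicated between nodes while socket state cannot, and that the old process keeps serving until the hard-stop timeout, map onto two specific haproxy.cfg settings. The configuration below is an added illustration, not something posted in this thread or shipped by the pfSense package; the peer names, addresses, ports and backend servers are assumed placeholders.

```haproxy
# Peers section: the stick-table in the backend is replicated to every
# peer listed here, so after a failover the standby node already knows
# which client was pinned to which server. Only the table entries travel;
# the established TCP sockets of the failed node are not recreated, so
# in-flight connections still break, exactly as described above.
peers fw_peers
    peer fw1 192.0.2.1:10000      # assumed: primary firewall
    peer fw2 192.0.2.2:10000      # assumed: backup firewall

global
    # On reload the old process keeps serving existing connections for at
    # most this long, then exits even if connections remain. 15m mirrors
    # the pfSense package default mentioned in the thread; a much larger
    # value keeps more old processes alive after repeated reloads.
    hard-stop-after 15m

defaults
    mode    http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend app_in
    bind 192.0.2.10:80            # assumed: CARP VIP shared by fw1/fw2
    default_backend app_servers

backend app_servers
    balance roundrobin
    # Source-IP stickiness replicated via the peers section. For a truly
    # stateless application this is optional; it is shown only because
    # it is the part of haproxy state that does survive a failover.
    stick-table type ip size 100k expire 30m peers fw_peers
    stick on src
    server web1 10.0.0.11:8080 check   # assumed backend
    server web2 10.0.0.12:8080 check   # assumed backend
```

On each node the `peer` line whose name matches the local hostname (or the name passed with `-L`) identifies that node itself.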

