Load Balancing LDAP for pfsense Authentication

guyp · May 9, 2019, 10:51 AM

I'm running a new number of LDAP severs which I've put behind pfsense load balancing. All systems inside the network are able to correctly reach the load balancer and thus authenticate to anyone of the LDAP servers.

However, I'm trying to do the same with pfSense's authentication. However when I select the VIP of the load balancer in the settings, it's not able to reach anything. If I specify a specific LDAP server then all is well.

Has anyone tried to use pfsense to load balancer for a service it's using?

From the CLI of pfsense I'm not able to tenet to ldap VIP port 389. I'm guessing I need to add some specific NAT rules to force the traffic, which I did for internal systems.

Any ideas?

stephenw10 · May 13, 2019, 10:42 PM

What sort of load-balancing is it? Does that VIP respond to pfSense in any other way?

Steve

guyp · May 31, 2019, 9:37 AM

I was using the load balancer Application built into pfsense.. I've now swapped to HAProxy inside pfsense which is working perfectly.

stephenw10 · May 31, 2019, 1:54 PM

Ah, OK! Yes HAProxy will work there as it's a true proxy. relayd is basically a dynamic port forward so you run into the same routing issues you would with a normal port forward when sourcing from the firewall itself.
Better to be on HAProxy anyway as Relayd will very likely be removed in 2.5.

Steve

guyp · May 31, 2019, 1:56 PM

Yes indeed... very impressed with HAProxy in pfsense..
My only slight complaint, is that I would like to use a port alias to simplify my configurations but it seems HAProxy doesn't currently support that.

So for a web site hosting 80 and 443 connections I need to duplicate everything once for port 80 and once for port 443.