Loadbalancing no go and PFsense crashes



  • Hi,

    I have two ISP so two wan’s and wanted to loadbanlance them with RC1 however I can ping both gateway’s before I loadbalance. However when I activate loadblance and restart the gateway are not found so the loadbalance is not activated.

    To activate the loadbalance I have to make the check IP the same as the PFsense IP however I don’t get why my gateways are not pingable any more.

    I have tried different approaches and different manuals for this however with no luck.

    Then I have a problem with the stability of PFsense with loadbalance because it locks up the machine and only a hardreset will help. Because the filesystem might be damaged I had to reinstall PFsense a few times.

    Marce

    pfsense# ifconfig
    em0: flags=8843 <up,broadcast,running,simplex,multicast>mtu 1500
            options=b <rxcsum,txcsum,vlan_mtu>inet 192.168.1.30 netmask 0xffffff00 broadcast 192.168.1.255
            inet6 fe80::20c:76ff:fead:8e17%em0 prefixlen 64 scopeid 0x1
            ether 00:0c:76:ad:8e:17
            media: Ethernet autoselect (1000baseTX <full-duplex>)
            status: active
    fxp0: flags=8843 <up,broadcast,running,simplex,multicast>mtu 1500
            options=8 <vlan_mtu>inet XX.168.56.50 netmask 0xfffffff8 broadcast XX.168.56.55
            inet6 fe80::2d0:b7ff:fe8f:7cf6%fxp0 prefixlen 64 scopeid 0x2
            ether 00:d0:b7:8f:7c:f6
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    em1: flags=8843 <up,broadcast,running,simplex,multicast>mtu 1500
            options=b <rxcsum,txcsum,vlan_mtu>inet6 fe80::20c:76ff:fead:8e16%em1 prefixlen 64 scopeid 0x3
            inet XXX.241.60.186 netmask 0xfffffff8 broadcast XXX.241.60.191
            ether 00:0c:76:ad:8e:16
            media: Ethernet autoselect (10baseT/UTP <half-duplex>)
            status: active
    pfsync0: flags=41 <up,running>mtu 2020
            pfsync: syncdev: lo0 maxupd: 128
    lo0: flags=8049 <up,loopback,running,multicast>mtu 16384
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
    pflog0: flags=100 <promisc>mtu 33208
    l</promisc></up,loopback,running,multicast></up,running></half-duplex></rxcsum,txcsum,vlan_mtu></up,broadcast,running,simplex,multicast></full-duplex></vlan_mtu></up,broadcast,running,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu></up,broadcast,running,simplex,multicast>



  • Sounds like a piloterror to me. I know several people using loadbalancing without issues (including me in a production environment). Let us know the types of WANs you use and how you have set up the loadbalancing pool.



  • same problem here.



  • I have two wans and the first one is a SDSL 2048/2048 with fixed addresses and the second one is a ADSL and also with fixed addresses.

    They are from the the same ISP so the DNS is and the the IP, gateway are different.

    I have put the information in the loadbalance pool as a Gateway and the I put as gateway on the LAN - HTTP rule the gateway to Balance (just the name). I restart and both gateways of the static connection are not pingable anymore so no loadbalance pool.



  • You mix up routing somewhere. You entered the gateway-adresses of the WANs in the pool, not the interfaceadresses, right?



  • 🙂 I have put the IP addresses (WAN and OPT1) in the IP field and the the gateway addresses in the Monitor IP field.

    I thought this was the correct way……

    IP address: XXX.168.56.50 and XXX.241.60.186
    Gateway: XXX.168.56.49 and XXX.241.60.185



  • So I guess it’S working now?  ;D



  • No, it does not.  😕

    I only replied to your posting and wrote down how I filled the field of the Loadbalancing form. I know the dat is filled in correct however one or both Wan’s won’t start and the firewall wil crash soon after.



  • I’m sure you send your routing to hell. Unless you show us your config.xml or at least relevent parts of it we can’t further help you.



  • @msatter:

    No, it does not.  :-
    I only replied to your posting and wrote down how I filled the field of the Loadbalancing form. I know the dat is filled in correct however one or both Wan’s won’t start and the firewall wil crash soon after.

    I doubt the info you filled in is correct, otherwise it would work.  Seriously, this works and has been tested by many people already.



  • I will edit this post every time I have done a step in the setup so I don’t loose any screens or logs:

    Ping output:

    PING XX.168.56.49 (XX.168.56.49) from XX.168.56.50: 56 data bytes
    64 bytes from XX.168.56.49: icmp_seq=0 ttl=255 time=0.292 ms
    64 bytes from XX.168.56.49: icmp_seq=1 ttl=255 time=0.231 ms
    64 bytes from XX.168.56.49: icmp_seq=2 ttl=255 time=0.250 ms

    –- XX.168.56.49 ping statistics —
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.231/0.258/0.292/0.025 ms

    Ping output:

    PING XXX.241.60.185 (XXX.241.60.185) from XXX.241.60.186: 56 data bytes
    64 bytes from XXX.241.60.185: icmp_seq=0 ttl=255 time=4.505 ms
    64 bytes from XXX.241.60.185: icmp_seq=1 ttl=255 time=21.487 ms
    64 bytes from XXX.241.60.185: icmp_seq=2 ttl=255 time=2.103 ms

    — 195.241.60.185 ping statistics —
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 2.103/9.365/21.487/8.627 ms

    Status log loadbalancing and both are down so I will restart the machine:

    Jul 7 13:01:44 slbd[13492]: Switching to sitedown for VIP 127.0.0.1:666
    Jul 7 13:01:44 slbd[13492]: ICMP poll failed for XXX.241.60.185, marking service DOWN
    Jul 7 13:01:43 slbd[13492]: ICMP poll failed for XX.168.56.49, marking service DOWN
    Jul 7 13:01:42 slbd[13492]: VIP 127.0.0.1:666 added real service XXX.241.60.185:666
    Jul 7 13:01:42 slbd[13492]: VIP 127.0.0.1:666 added real service XX.168.56.49:666
    Jul 7 13:01:42 slbd[13492]: VIP 127.0.0.1:666 sitedown at 127.0.0.1:666
    Jul 7 13:01:42 slbd[13492]: VIP 127.0.0.1:666 configured as "127.0.0.1"
    Jul 7 13:01:42 slbd[13492]: Using configuration file /var/etc/slbd.conf
    Jul 7 13:01:42 slbd[13492]: Using r_refresh of 5000 milliseconds

    I have now restarted and because the WAN and OPT1 are death I have switched my client to a different gateway to be able to post the rest.

    Status log loadbalancing and both the WAN and OPT1 are still death

    Jul 7 13:17:44 slbd[296]: Switching to sitedown for VIP 127.0.0.1:666
    Jul 7 13:17:44 slbd[296]: ICMP poll failed for XXX.241.60.185, marking service DOWN
    Jul 7 13:17:43 slbd[296]: ICMP poll failed for XX.168.56.49, marking service DOWN
    Jul 7 13:17:42 slbd[296]: VIP 127.0.0.1:666 added real service 195.241.60.185:666
    Jul 7 13:17:42 slbd[296]: VIP 127.0.0.1:666 added real service 82.168.56.49:666
    Jul 7 13:17:42 slbd[296]: VIP 127.0.0.1:666 sitedown at 127.0.0.1:666
    Jul 7 13:17:42 slbd[296]: VIP 127.0.0.1:666 configured as "127.0.0.1"
    Jul 7 13:17:42 slbd[296]: Using configuration file /var/etc/slbd.conf
    Jul 7 13:17:42 slbd[296]: Using r_refresh of 5000 milliseconds

    config.xml removed on 11 july 2006



  • Eehm also this posting went death so I asume I did everyting correct and my configuration is OK and loadbalancing pool won’t work for me!?!?!?

    Marcel



  • I just gave it an other go and after I rebooted the links were still down. So I went in to the interface menu and pushed the button SAVE to restart the links.

    The links are now up and running and I ping them. I’m now going to test linkdown and I have to check how Round-Robin is going to work because I did only see traffic on the first link even with al multi-treath downloader.

    Any advise is very welcome.

    So the links are not comming up by them selves and have to restart the links manually to fill the loadbalance pool

    Marcel

    I disconneted the WAN and the OPT1 did not take over and so the pool did not work. One positive thing when I reconnected the WAN it went up and presto I got the Internet back.

    Marcel



  • Do you actually use the pool as gateway in your firewallrules?



  • That is correct and I have more information en conducted some tests.

    When I startup the computer and look at the consolle it will state on the line for the firewall starting the different rules however it also stat 4 times “bad adress: balancer”

    balancer is the name of the load balance pool and that also occured when it was Load_balancer.

    Secondly I can ping from ont het PFsense prompt to gateway and then the first point behind the gateway toe the first adress of “IP adress block” and on the other I can only ping the gateway and external adresses. I don’t get that.

    I hope this information helps to find the problem why the load balance pool will not activate automaticly and why the backup won’t work and that round-robin won’t work?

    Marcel

    @hoba:

    Do you actually use the pool as gateway in your firewallrules?



  • I might have a quick look at your setup if you catch me at IRC (freenode, ##pfsense). You really must be having set up something wrong.



  • Thanks Hoba,

    I have send you by mail the config.xml and I will try a factory reset and only configure lan,want,opt and loadbalance pool and no rules….yet.

    Marcel

    @hoba:

    I might have a quick look at your setup if you catch me at IRC (freenode, ##pfsense). You really must be having set up something wrong.



    • Disable advanced outbound NAT or add an outbound NAT rule for your SDSL interface
    • For the pool you have to use the GATEWAY IPs, not the interface IPs (in your case you can use the same gateway IP and monitor IP; for WAN it’s 195.xx.xx.185, for SDSL it’s 82.xx.xx.49)
    • Change your firewallrules at LAN to use either the default gatewy, the sdslgateway or the pool (depending how you want tu utilize your bandwidth)

    Btw, I already have asked you several times if you really use the Gateway IPs and not the Interface IPs  ::)
    The way you have set it up you send your routing into a kind of loopback mode which leads to a crash and due to the missing outbound nat rule for SDSL Interface it was not working beyond the SDSL subnet.



  • Danke schön Huba!!! It works like a charm. I used a clean installation to test it so I will try tomorrow to use my original config file.

    I will write more tomorrow when I have tested it with the old configuration that will adapt to the working situation.

    5 Mbit that is a nice speed so surft over the Internet.

    Vielen danke nochmals für die super Hilfe!! /  A lot of thanks for the super help again!!

    Marcel  🙂



  • Nice  😄



  • Now since we took so much time to help you, please help us by imprvoing the documentation on the wiki.  Please correct whatever load balancing related items that did not make sense but do now.





  • Will do and my problem was that my brain would not see GW and IP as the same thing so when I read it it automaiticly splits in to different things.

    In PFsense they can be the same when it is concerning loadbalance.

    I will adapt the document so it will be dummy proof and I also suggest some extra tekst in the screen where you can setup the loadbalance.

    I have been busy today to make a clean install of PF and I don’t understand the NAT bit because it is running correct without it and Huba suggested me to make an outbound NAT rule on Wan2 and to disable advanced outbound NAT….ehm have you ever tried to do that? I think you will have to manually edit the config file to do that it is not posible to achieve that in the webinterface.

    I have now nog NAT active because I cant switch it off when I activate it.

    My next item is Squid and the loadbalancer because I love that programme. I tried it and it only wanted to go to the standard gateway and not use the loadbalance pool. I saw some information ablout the localadress (127.0.0.1) and port 666. I read in the forum and it became clear to me that it would not be easy to archieve that.

    My question is if it is posible to see the loadbalance pool as an uplink proxy and adress it through a addres and port?

    I will make my suggestions next week and I wish you all a very nice and rexaling weekend!

    Marcel

    ps. I had already today people that tried to get in to the firewall through port 222, I am sorry it is still closed and will remain that way  ;D



  • @msatter:

    I have been busy today to make a clean install of PF and I don’t understand the NAT bit because it is running correct without it and Huba suggested me to make an outbound NAT rule on Wan2 and to disable advanced outbound NAT….ehm have you ever tried to do that? I think you will have to manually edit the config file to do that it is not posible to achieve that in the webinterface.

    I said either or. If you turn advanced outbound NAT off, it does set up NATs for all interfaces with gateway automatically.
    If you need advanced outbound NAT for some reason (like having multiple public IPs for example) you have to create a rule for all your WANs so the traffic gets natted.

    @msatter:

    My next item is Squid and the loadbalancer because I love that programme. I tried it and it only wanted to go to the standard gateway and not use the loadbalance pool. I saw some information ablout the localadress (127.0.0.1) and port 666. I read in the forum and it became clear to me that it would not be easy to archieve that.

    My question is if it is posible to see the loadbalance pool as an uplink proxy and adress it through a addres and port?

    This won’t work, only connection THROUGH the pfSense will be loadbalanced. Connections originating from the pfSense itself (like squid) can’t use the pool. You can set up an external squidbox inside your LAN that goes through the box and thus will be balanced.

    @msatter:

    I will make my suggestions next week and I wish you all a very nice and rexaling weekend!

    Same to you  😄



  • really interesting discussion and hoba’s answers. thank you all. (while creating loadbalansing pool and using instructions i also thinked that it would be great to improve documentation and to add some texts in the user interface of pfsense)


Locked
 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy