Loadbalancing no go and PFsense crashes

msatter

Hi,

I have two ISP so two wan’s and wanted to loadbanlance them with RC1 however I can ping both gateway’s before I loadbalance. However when I activate loadblance and restart the gateway are not found so the loadbalance is not activated.

To activate the loadbalance I have to make the check IP the same as the PFsense IP however I don’t get why my gateways are not pingable any more.

I have tried different approaches and different manuals for this however with no luck.

Then I have a problem with the stability of PFsense with loadbalance because it locks up the machine and only a hardreset will help. Because the filesystem might be damaged I had to reinstall PFsense a few times.

Marce

pfsense# ifconfig
em0: flags=8843 <up,broadcast,running,simplex,multicast>mtu 1500
        options=b <rxcsum,txcsum,vlan_mtu>inet 192.168.1.30 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::20c:76ff:fead:8e17%em0 prefixlen 64 scopeid 0x1
        ether 00:0c:76:ad:8e:17
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
fxp0: flags=8843 <up,broadcast,running,simplex,multicast>mtu 1500
        options=8 <vlan_mtu>inet XX.168.56.50 netmask 0xfffffff8 broadcast XX.168.56.55
        inet6 fe80::2d0:b7ff:fe8f:7cf6%fxp0 prefixlen 64 scopeid 0x2
        ether 00:d0:b7:8f:7c:f6
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
em1: flags=8843 <up,broadcast,running,simplex,multicast>mtu 1500
        options=b <rxcsum,txcsum,vlan_mtu>inet6 fe80::20c:76ff:fead:8e16%em1 prefixlen 64 scopeid 0x3
        inet XXX.241.60.186 netmask 0xfffffff8 broadcast XXX.241.60.191
        ether 00:0c:76:ad:8e:16
        media: Ethernet autoselect (10baseT/UTP <half-duplex>)
        status: active
pfsync0: flags=41 <up,running>mtu 2020
        pfsync: syncdev: lo0 maxupd: 128
lo0: flags=8049 <up,loopback,running,multicast>mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
pflog0: flags=100 <promisc>mtu 33208
l</promisc></up,loopback,running,multicast></up,running></half-duplex></rxcsum,txcsum,vlan_mtu></up,broadcast,running,simplex,multicast></full-duplex></vlan_mtu></up,broadcast,running,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu></up,broadcast,running,simplex,multicast>

hoba

Sounds like a piloterror to me. I know several people using loadbalancing without issues (including me in a production environment). Let us know the types of WANs you use and how you have set up the loadbalancing pool.

rexster

same problem here.

msatter

I have two wans and the first one is a SDSL 2048/2048 with fixed addresses and the second one is a ADSL and also with fixed addresses.

They are from the the same ISP so the DNS is and the the IP, gateway are different.

I have put the information in the loadbalance pool as a Gateway and the I put as gateway on the LAN - HTTP rule the gateway to Balance (just the name). I restart and both gateways of the static connection are not pingable anymore so no loadbalance pool.

hoba

You mix up routing somewhere. You entered the gateway-adresses of the WANs in the pool, not the interfaceadresses, right?

msatter

I have put the IP addresses (WAN and OPT1) in the IP field and the the gateway addresses in the Monitor IP field.

I thought this was the correct way……

IP address: XXX.168.56.50 and XXX.241.60.186
Gateway: XXX.168.56.49 and XXX.241.60.185

hoba

So I guess it’S working now?  ;D

msatter

No, it does not. 

I only replied to your posting and wrote down how I filled the field of the Loadbalancing form. I know the dat is filled in correct however one or both Wan’s won’t start and the firewall wil crash soon after.

hoba

I’m sure you send your routing to hell. Unless you show us your config.xml or at least relevent parts of it we can’t further help you.

sullrich

@msatter:

No, it does not.  :-
I only replied to your posting and wrote down how I filled the field of the Loadbalancing form. I know the dat is filled in correct however one or both Wan’s won’t start and the firewall wil crash soon after.

I doubt the info you filled in is correct, otherwise it would work.  Seriously, this works and has been tested by many people already.

msatter

I will edit this post every time I have done a step in the setup so I don’t loose any screens or logs:

Ping output:

PING XX.168.56.49 (XX.168.56.49) from XX.168.56.50: 56 data bytes
64 bytes from XX.168.56.49: icmp_seq=0 ttl=255 time=0.292 ms
64 bytes from XX.168.56.49: icmp_seq=1 ttl=255 time=0.231 ms
64 bytes from XX.168.56.49: icmp_seq=2 ttl=255 time=0.250 ms

–- XX.168.56.49 ping statistics —
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.231/0.258/0.292/0.025 ms

Ping output:

PING XXX.241.60.185 (XXX.241.60.185) from XXX.241.60.186: 56 data bytes
64 bytes from XXX.241.60.185: icmp_seq=0 ttl=255 time=4.505 ms
64 bytes from XXX.241.60.185: icmp_seq=1 ttl=255 time=21.487 ms
64 bytes from XXX.241.60.185: icmp_seq=2 ttl=255 time=2.103 ms

— 195.241.60.185 ping statistics —
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.103/9.365/21.487/8.627 ms

Status log loadbalancing and both are down so I will restart the machine:

Jul 7 13:01:44 slbd[13492]: Switching to sitedown for VIP 127.0.0.1:666
Jul 7 13:01:44 slbd[13492]: ICMP poll failed for XXX.241.60.185, marking service DOWN
Jul 7 13:01:43 slbd[13492]: ICMP poll failed for XX.168.56.49, marking service DOWN
Jul 7 13:01:42 slbd[13492]: VIP 127.0.0.1:666 added real service XXX.241.60.185:666
Jul 7 13:01:42 slbd[13492]: VIP 127.0.0.1:666 added real service XX.168.56.49:666
Jul 7 13:01:42 slbd[13492]: VIP 127.0.0.1:666 sitedown at 127.0.0.1:666
Jul 7 13:01:42 slbd[13492]: VIP 127.0.0.1:666 configured as "127.0.0.1"
Jul 7 13:01:42 slbd[13492]: Using configuration file /var/etc/slbd.conf
Jul 7 13:01:42 slbd[13492]: Using r_refresh of 5000 milliseconds

I have now restarted and because the WAN and OPT1 are death I have switched my client to a different gateway to be able to post the rest.

Status log loadbalancing and both the WAN and OPT1 are still death

Jul 7 13:17:44 slbd[296]: Switching to sitedown for VIP 127.0.0.1:666
Jul 7 13:17:44 slbd[296]: ICMP poll failed for XXX.241.60.185, marking service DOWN
Jul 7 13:17:43 slbd[296]: ICMP poll failed for XX.168.56.49, marking service DOWN
Jul 7 13:17:42 slbd[296]: VIP 127.0.0.1:666 added real service 195.241.60.185:666
Jul 7 13:17:42 slbd[296]: VIP 127.0.0.1:666 added real service 82.168.56.49:666
Jul 7 13:17:42 slbd[296]: VIP 127.0.0.1:666 sitedown at 127.0.0.1:666
Jul 7 13:17:42 slbd[296]: VIP 127.0.0.1:666 configured as "127.0.0.1"
Jul 7 13:17:42 slbd[296]: Using configuration file /var/etc/slbd.conf
Jul 7 13:17:42 slbd[296]: Using r_refresh of 5000 milliseconds

config.xml removed on 11 july 2006

msatter

Eehm also this posting went death so I asume I did everyting correct and my configuration is OK and loadbalancing pool won’t work for me!?!?!?

Marcel

msatter

I just gave it an other go and after I rebooted the links were still down. So I went in to the interface menu and pushed the button SAVE to restart the links.

The links are now up and running and I ping them. I’m now going to test linkdown and I have to check how Round-Robin is going to work because I did only see traffic on the first link even with al multi-treath downloader.

Any advise is very welcome.

So the links are not comming up by them selves and have to restart the links manually to fill the loadbalance pool

Marcel

I disconneted the WAN and the OPT1 did not take over and so the pool did not work. One positive thing when I reconnected the WAN it went up and presto I got the Internet back.

Marcel

hoba

Do you actually use the pool as gateway in your firewallrules?

msatter

That is correct and I have more information en conducted some tests.

When I startup the computer and look at the consolle it will state on the line for the firewall starting the different rules however it also stat 4 times “bad adress: balancer”

balancer is the name of the load balance pool and that also occured when it was Load_balancer.

Secondly I can ping from ont het PFsense prompt to gateway and then the first point behind the gateway toe the first adress of “IP adress block” and on the other I can only ping the gateway and external adresses. I don’t get that.

I hope this information helps to find the problem why the load balance pool will not activate automaticly and why the backup won’t work and that round-robin won’t work?

Marcel

@hoba:

Do you actually use the pool as gateway in your firewallrules?

hoba

I might have a quick look at your setup if you catch me at IRC (freenode, ##pfsense). You really must be having set up something wrong.

msatter

Thanks Hoba,

I have send you by mail the config.xml and I will try a factory reset and only configure lan,want,opt and loadbalance pool and no rules….yet.

Marcel

@hoba:

I might have a quick look at your setup if you catch me at IRC (freenode, ##pfsense). You really must be having set up something wrong.

hoba

• Disable advanced outbound NAT or add an outbound NAT rule for your SDSL interface
• For the pool you have to use the GATEWAY IPs, not the interface IPs (in your case you can use the same gateway IP and monitor IP; for WAN it’s 195.xx.xx.185, for SDSL it’s 82.xx.xx.49)
• Change your firewallrules at LAN to use either the default gatewy, the sdslgateway or the pool (depending how you want tu utilize your bandwidth)

Btw, I already have asked you several times if you really use the Gateway IPs and not the Interface IPs  ::)
The way you have set it up you send your routing into a kind of loopback mode which leads to a crash and due to the missing outbound nat rule for SDSL Interface it was not working beyond the SDSL subnet.

msatter

Danke schön Huba!!! It works like a charm. I used a clean installation to test it so I will try tomorrow to use my original config file.

I will write more tomorrow when I have tested it with the old configuration that will adapt to the working situation.

5 Mbit that is a nice speed so surft over the Internet.

Vielen danke nochmals für die super Hilfe!! /  A lot of thanks for the super help again!!

Marcel 

hoba

Nice 

sullrich

Now since we took so much time to help you, please help us by imprvoing the documentation on the wiki.  Please correct whatever load balancing related items that did not make sense but do now.

hoba

http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing

msatter

Will do and my problem was that my brain would not see GW and IP as the same thing so when I read it it automaiticly splits in to different things.

In PFsense they can be the same when it is concerning loadbalance.

I will adapt the document so it will be dummy proof and I also suggest some extra tekst in the screen where you can setup the loadbalance.

I have been busy today to make a clean install of PF and I don’t understand the NAT bit because it is running correct without it and Huba suggested me to make an outbound NAT rule on Wan2 and to disable advanced outbound NAT….ehm have you ever tried to do that? I think you will have to manually edit the config file to do that it is not posible to achieve that in the webinterface.

I have now nog NAT active because I cant switch it off when I activate it.

My next item is Squid and the loadbalancer because I love that programme. I tried it and it only wanted to go to the standard gateway and not use the loadbalance pool. I saw some information ablout the localadress (127.0.0.1) and port 666. I read in the forum and it became clear to me that it would not be easy to archieve that.

My question is if it is posible to see the loadbalance pool as an uplink proxy and adress it through a addres and port?

I will make my suggestions next week and I wish you all a very nice and rexaling weekend!

Marcel

ps. I had already today people that tried to get in to the firewall through port 222, I am sorry it is still closed and will remain that way  ;D

hoba

@msatter:

I have been busy today to make a clean install of PF and I don’t understand the NAT bit because it is running correct without it and Huba suggested me to make an outbound NAT rule on Wan2 and to disable advanced outbound NAT….ehm have you ever tried to do that? I think you will have to manually edit the config file to do that it is not posible to achieve that in the webinterface.

I said either or. If you turn advanced outbound NAT off, it does set up NATs for all interfaces with gateway automatically.
If you need advanced outbound NAT for some reason (like having multiple public IPs for example) you have to create a rule for all your WANs so the traffic gets natted.

@msatter:

My next item is Squid and the loadbalancer because I love that programme. I tried it and it only wanted to go to the standard gateway and not use the loadbalance pool. I saw some information ablout the localadress (127.0.0.1) and port 666. I read in the forum and it became clear to me that it would not be easy to archieve that.

My question is if it is posible to see the loadbalance pool as an uplink proxy and adress it through a addres and port?

This won’t work, only connection THROUGH the pfSense will be loadbalanced. Connections originating from the pfSense itself (like squid) can’t use the pool. You can set up an external squidbox inside your LAN that goes through the box and thus will be balanced.

@msatter:

I will make my suggestions next week and I wish you all a very nice and rexaling weekend!

Same to you 

Mercredi

really interesting discussion and hoba’s answers. thank you all. (while creating loadbalansing pool and using instructions i also thinked that it would be great to improve documentation and to add some texts in the user interface of pfsense)