Netgate Discussion Forum

Multiple IP addresses on Host Override with health detection?

  • 3
    321liftoff
    last edited by Nov 5, 2022, 3:33 PM

    Trying to find a solution where clients can have a single IP address or FQDN on pfSense to access a pool of servers. Using these options within the custom options of DNS Forwarder provides all the IP addresses and even rotates between them with each DNS request:

    localise-queries
    host-record=host,host.domain.com,192.168.1.1
    host-record=host,host.domain.com,192.168.1.2
    

    The problem is when one of the servers goes down, then clients will be sent to a failing IP address half of the time. So wondering how a health check could be done on the IP addresses?

    Services->LoadBalancing (relayd) seemed to provide this exact function (although through NAT), but this was deprecated in version 2.5.0.

    HAProxy is referenced as an option, but the client's IP address cannot be passed through to the server when the clients and servers reside on the same subnet (thus not using pfSense as a gateway/router).

    What other options exist?

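One way to do the health check asked about in the first post, as an added example that is not part of the original thread or of pfSense: probe each pool address over TCP and render the `host-record` lines only for the addresses that answer. The function names, the probed port (443) and the choice to keep every record when all probes fail are assumptions; writing the output into the DNS Forwarder custom options and reloading the service is not shown.

```python
import socket


def tcp_alive(ip, port, timeout=2.0):
    """Return True if a TCP connection to ip:port succeeds within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def render_host_records(short, fqdn, backends, port, probe=tcp_alive):
    """Build the dnsmasq options from the post, listing only healthy backends.

    Assumption: if every backend fails the probe, all records are kept
    (fail open), so a broken check path does not remove the name from DNS.
    """
    alive = [ip for ip in backends if probe(ip, port)]
    chosen = alive or list(backends)
    lines = ["localise-queries"]
    lines += [f"host-record={short},{fqdn},{ip}" for ip in chosen]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the two addresses from the post, probed on an
    # assumed service port of 443.
    pool = ["192.168.1.1", "192.168.1.2"]
    print(render_host_records("host", "host.domain.com", pool, 443), end="")
```

Clients or resolvers that cache an answer keep using a removed address until the cached entry expires, so this shortens the failure window rather than closing it.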
    • J
      JeGr LAYER 8 Moderator @321liftoff
      last edited by Nov 8, 2022, 4:55 PM

      @321liftoff said in Multiple IP addresses on Host Override with health detection?:

      HAProxy is referenced as an option, but the client's IP address cannot be passed through to the server when the clients and servers reside on the same subnet (thus not using pfSense as a gateway/router).

      What do you mean by that? If you create a FQDN that points to pfSense's IP on the LAN there's no problem with that. Just create a hostname like proxy.domain.com in your DNS or via the DNS Resolver/Forwarder Host Override and use HAproxy in TCP mode if it's not an HTTP/S service you are proxying. UDP also won't work of course. But if it's TCP you're looking at - HAproxy and TCP mode can do exactly that.

      Cheers

      Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

      • 3
        321liftoff @JeGr
        last edited by Nov 8, 2022, 5:58 PM

        @jegr Per the documentation when configuring the backend services of HAproxy, it has the following:
        [Image: 8d413875-b0a5-41d5-819c-0ad36116e355-image.png]

        So a couple of limitations when using Transparent ClientIP:

        • the client cannot be on the same pfSense network interface as the backend server
        • the client cannot be on the same subnet as the backend server

        Are these constraints not true?

        • J
          JeGr LAYER 8 Moderator @321liftoff
          last edited by Nov 9, 2022, 10:04 AM

          @321liftoff Yes, they are, but why would you need to use transparent ClientIP? That wasn't mentioned anywhere in your question, that's why I'm wondering. Does your service actually need the source IP of the client to work?

          Cheers

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.