Netgate Discussion Forum

    Load Balancer and RDP

    General pfSense Questions
      duderz

      Hi,

      Is there any documentation or such for the built-in Load Balancer?
      I've tried to set up the load balancer to load balance 3 terminal servers (Windows 2003, Terminal Server) using port TCP 3389. However, I've failed miserably in all my attempts. I'm using pfSense on vmware ws 5.5 (I need to validate the LB function before buying HW for production).

      Any tips would be greatly appreciated

      //Duderz

        Guest

        I take it you've already read and followed this:

        http://wiki.pfsense.com/wikka.php?wakka=IncomingLoadBalancing

          duderz

          Thanks for your response submicron.
          I managed to waste my work laptop, so it will take about 2 weeks before I can retry the load balancer setup…
          In the meantime, if anyone else has tried load balancing terminal servers, please report your success/failure stories here.

          [EDIT]
          Alright, so I set up pfsense on vmwplayer on my wife's laptop and got the load balancing to work. However, I would still like to know if there's any client affinity or the like built in? The reason I'm asking is because I would like to be reconnected to the same Terminal Server when disconnecting/reconnecting. As far as I can see from the GUI standpoint the load balancing is simply using round-robin with a single "if all fails" host.

          Disregarding Terminal Server, these issues would also be present on a load balanced web server pool, i.e. session state.

          Kind regards and …
          Happy New Year to all!
          /d

            hoba

            The same client should stay mapped to the same server for the time the connection is established or state-entries are still present for it (sticky states). However, after the client has disconnected for some time he'll be thrown to the next server in the pool.

              billm

              @duderz:

              Alright, so I set up pfsense on vmwplayer on my wife's laptop and got the load balancing to work. However, I would still like to know if there's any client affinity or the like built in? The reason I'm asking is because I would like to be reconnected to the same Terminal Server when disconnecting/reconnecting. As far as I can see from the GUI standpoint the load balancing is simply using round-robin with a single "if all fails" host.

              We can load balance by source IP hash - that'll require some small changes that won't make 1.0 - round robin was the only requirement for 1.0.

              @duderz:

              Disregarding Terminal Server, these issues would also be present on a load balanced web server pool, i.e. session state.

              Yes and no :)  Web application state should be stored in a backend database to ensure that server failure doesn't affect the end user.  With that said, the load balancing feature of pfSense was always supposed to be minimal, we support it because at least one commercial software firewall developer has it and we'd hate to be considered to have less features ;)  However, we aren't a load balancer, if you want commercial quality load balancing, you need to buy a commercial load balancer.  Or make a package out of haproxy, which has a number of interesting features.

              –Bill

              PS. Load balancing in pfSense was contracted work and meets the specifications of the individuals requesting it; one of those requirements was to preserve source IP in the IP payload and not in the HTTP headers, which precluded us from using haproxy.  It also allowed us to use software that would help us for outbound load balancing w/out having to write our own daemon (or create an ugly ifstated config).

              pfSense core developer
              blog - http://www.ucsecurity.com/
              twitter - billmarquette

                duderz

                @billm:

                ../
                We can load balance by source IP hash - that'll require some small changes that won't make 1.0 - round robin was the only requirement for 1.0.
                /..
                ../ However, we aren't a load balancer, if you want commercial quality load balancing, you need to buy a commercial load balancer.  Or make a package out of haproxy, which has a number of interesting features.
                /..

                Thanks Bill.
                I understand that pfsense is not a load balancer, however it would be absolutely fantastic if the built-in load balancer would be able to load balance by source IP hash. That would solve the issue with session disconnect/reconnect for Terminal Server, SSH, VNC, X et al.

                  sullrich

                  I recompiled SLBD with the PF_POOL_STICKYADDR option which should do what you want.

                  Do this from a shell to get this:

                  killall slbd && fetch -o /usr/local/sbin/slbd http://www.pfsense.com/~sullrich/slbd

                  This is unsupported but I would like to hear if it works or not.
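
                  A simplified model of the three pool behaviours discussed in this thread (plain round-robin, the sticky mapping hoba describes, and source IP hash), added here as an example; it is not pfSense or slbd code. The addresses, the 60-second sticky lifetime and the SHA-256 stand-in hash are assumptions.

```python
import hashlib
from itertools import count

SERVERS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]  # constructed pool of terminal servers

class Balancer:
    """Toy model of three pool behaviours: round-robin, sticky, source-hash."""

    def __init__(self, servers, mode, sticky_ttl=60):
        self.servers, self.mode, self.sticky_ttl = servers, mode, sticky_ttl
        self._next = count()   # round-robin cursor
        self._sticky = {}      # client IP -> (server, last_seen)

    def _round_robin(self):
        return self.servers[next(self._next) % len(self.servers)]

    def pick(self, client_ip, now):
        """Return the backend for a new connection from client_ip at time `now` (seconds)."""
        if self.mode == "round-robin":
            return self._round_robin()
        if self.mode == "source-hash":
            # Stand-in hash (assumption): deterministic per client, no table to expire.
            digest = hashlib.sha256(client_ip.encode()).digest()
            return self.servers[int.from_bytes(digest[:4], "big") % len(self.servers)]
        if self.mode == "sticky":
            entry = self._sticky.get(client_ip)
            if entry and now - entry[1] <= self.sticky_ttl:
                server = entry[0]             # mapping still alive: reuse it
            else:
                server = self._round_robin()  # expired or unknown: next in pool
            self._sticky[client_ip] = (server, now)
            return server
        raise ValueError(f"unknown mode: {self.mode}")

def reconnects(mode, times, client="198.51.100.7", other="198.51.100.8"):
    """Backends seen by `client` reconnecting at `times`, with another
    client connecting after each attempt to advance the round-robin cursor."""
    lb = Balancer(SERVERS, mode)
    seen = []
    for t in times:
        seen.append(lb.pick(client, t))
        lb.pick(other, t + 1)
    return seen

if __name__ == "__main__":
    for mode in ("round-robin", "sticky", "source-hash"):
        print(mode, reconnects(mode, [0, 30, 60, 300]))
```

                  Both affinity modes key on the source address, so every client behind one NAT address lands on the same terminal server.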

                    duderz

                    @sullrich:

                    I recompiled SLBD with the PF_POOL_STICKYADDR option which should do what you want.

                    Do this from a shell to get this:

                    killall slbd && fetch -o /usr/local/sbin/slbd http://www.pfsense.com/~sullrich/slbd

                    This is unsupported but I would like to hear if it works or not.

                    Thanks sullrich!
                    I tested your modified version of slbd and can confirm that client affinity works great :-)
                    I also tried to add and remove new hosts (targets) on the fly, but that didn't work without rebooting. Maybe slbd reads the config file only (slbd.conf) when the process is started?

                    I'm happy that you spent time on compiling a version with client affinity. May I make just one additional request?
                    -> Would it be possible to add this to the core?

                    If so, do you think the following changes would be makeable?

                    • Add a checkbox in the web gui to use pure round-robin, or round-robin with client affinity
                    • Add a "reload settings" button to reload the settings on the fly without rebooting pfsense
                      sullrich

                      I'll do this for 1.1, but not for 1.0.

                        duderz

                        @sullrich:

                        I'll do this for 1.1, but not for 1.0.

                        Thank you  ;D You truly are a "Hero Member"

                          sullrich

                          This is done.  Note that for 1.0 you can simply touch /var/etc/use_pf_pool__stickyaddr to get the same effect.

                            rneily

                            @sullrich:

                            This is done.  Note that for 1.0 you can simply touch /var/etc/use_pf_pool__stickyaddr to get the same effect.

                            Is this still present in beta4 and will it be included in release 1.0?

                              sullrich

                              @rneily:

                              @sullrich:

                              This is done.   Note that for 1.0 you can simply touch /var/etc/use_pf_pool__stickyaddr to get the same effect.

                              Is this still present in beta4 and will it be included in release 1.0?

                              Yep.
