Netgate Discussion Forum

Load balancing web server issue 2.0.1-RELEASE (amd64)

Routing and Multi WAN
  • C
    creatureofthedark
    last edited by Mar 7, 2012, 11:36 PM

    Hey, I'm not sure if this is the correct place for this or not, but I have seen one or two similar here so I'll give it a go.

    This may be a very simple mistake, but I have gone over the howto below a few times and I simply can't get it to work.

    http://www.howtoforge.com/how-to-use-pfsense-to-load-balance-your-web-servers

    I've been working on a simple test bed to load balance 4 web servers.
    The set-up is below:
                             WAN                      LAN
    user[10.10.0.50] <===> [10.10.0.1] PfSense [10.10.1.200] <===> [10.10.1.1-4] web servers
                                                                   [10.10.1.100] virtual server

    Name          Protocol  IP Address   Port  Pool             Fall Back Pool  Description
    WebVirtualIP  tcp       10.10.1.100  80    NorthWebServers  none            Load Balanced Web Servers North

    Name             Mode         Servers    Port  Monitor     Description
    NorthWebServers  loadbalance  10.10.1.1  80    webservers  webservers North Web Server Pool
                                  10.10.1.2
                                  10.10.1.3
                                  10.10.1.4

    I planned to simply NAT 80 to the virtual server IP address, however I can't even get a user on 10.10.1.10 to access the web servers via the virtual server IP address…
    It can access them individually but not on their own....

    Am I doing something stupid here??

    Any help would be great!!

    • M
      marcelloc
      last edited by Mar 8, 2012, 1:52 AM

      After you set up load balancing you need to configure what IP is going to listen. Select the WAN IP for it, remove the NAT WAN web server port and create a rule on WAN to allow HTTP traffic.

      You may need to change the pfSense GUI port so that it does not conflict with the balance port.

      Treinamentos de Elite: http://sys-squad.com

      Help a community developer! ;D

      • C
        creatureofthedark
        last edited by Mar 8, 2012, 8:09 PM

        Hey marcelloc,

        Thank you for your response. I have followed your advice and set it up so that the virtual server is on the same IP as my WAN interface… I have then removed all NAT rules and on the WAN interface... still did not work... I then changed the webui to https to take it off port 80 and still nothing happened...

        Currently on the firewall I have...

        WAN
        Proto  Source  Port  Destination  Port       Gateway  Queue  Schedule  Description
        TCP    *       *     WAN address  80 (HTTP)  *        none
        TCP    *       *     *            80 (HTTP)  *        none

        LAN
        Proto  Source  Port  Destination  Port       Gateway  Queue
        TCP    *       *     LAN address  80 (HTTP)  *        none
        TCP    *       *     *            80 (HTTP)  *        none

        I've got each one logging and I'm noticing in the log that the below is being blocked...
        This suggests to me that the load balancing is working but for some reason it's not being allowed to the individual hosts...

        Feb 27 00:22:22 WAN   10.10.0.10:57812   10.10.1.4:80 TCP:S

        Feb 27 00:22:25 WAN   10.10.0.10:57812   10.10.1.2:80 TCP:S

        Feb 27 00:22:31 WAN   10.10.0.10:57812   10.10.1.3:80 TCP:S

        Feb 27 00:23:02 WAN   10.10.0.10:57813   10.10.1.4:80 TCP:S

        Feb 27 00:23:05 WAN   10.10.0.10:57813   10.10.1.2:80 TCP:S

        Feb 27 00:23:11 WAN   10.10.0.10:57813   10.10.1.3:80#

        Although... thinking about it, I may be interpreting these logs wrong... if they are logged when a rule handles it, does that mean it's been allowed?? If so, why is the host not getting the webpage??

        • C
          creatureofthedark
          last edited by Mar 8, 2012, 8:21 PM

          Also note that I've just added two new rules that allow any source and port, any destination, any port on both WAN and LAN firewall rules…

          I have also added a NAT for the WAN interface on port 8080 to redirect to one of the web servers on port 80...

          I cannot access the web server on port 80 but I can access the web GUI on 443 from the user host on 10.10.0.10 [in WAN network]

          • C
            creatureofthedark
            last edited by Mar 8, 2012, 10:15 PM

            OK, I have just seen in the logs that the firewall is passing the traffic but the client is getting timeouts…. I've pulled down the firewalls on the web servers and made sure that I can still get the webpage on the LAN network, and I can...

            I have nooooo idea what I'm doing wrong now... but I'm guessing it's me doing something very stupid...

            I don't have to set up any form of routing, do I??

            • M
              marcelloc
              last edited by Mar 9, 2012, 2:46 AM

              Just reading your post again, I found a mistake.

              Change the virtual server from 192.168.1.100 to the WAN IP and keep the WAN rule to allow HTTP access to the balance IP and/or web servers (just like NAT does).

              Treinamentos de Elite: http://sys-squad.com

              Help a community developer! ;D

              • C
                creatureofthedark
                last edited by Mar 9, 2012, 9:41 AM

                I did that in response to your first link… still with no effect... the firewall is now passing the traffic but for some unknown reason I'm still getting timeouts...

                On the dashboard it is showing the load balance as active...

                WebVirtualIP
                Active
                10.10.0.1:80

                I've opened up all ports...

                The firewall log is showing traffic passing when I do a request, with a nice green little arrow thing, but oddly it's got a red cross when traffic comes from the web servers to the router on port 80.... I think I have a firewall issue somewhere... but I can't work out where.... Could it be because there is no gateway on any of the interfaces?

                • M
                  marcelloc
                  last edited by Mar 9, 2012, 12:38 PM

                  What do you get on status -> loadbalance?

                  Treinamentos de Elite: http://sys-squad.com

                  Help a community developer! ;D

                  • C
                    creatureofthedark
                    last edited by Mar 9, 2012, 3:44 PM

                    10.10.1.1 is down at the moment.. but the others are up

                    Pools
                    Name             Mode            Servers                Monitor     Description
                    NorthWebServers  Load balancing  10.10.1.1:80 (0.00%)   webservers  North Web Server Pool
                                                     10.10.1.2:80 (86.90%)
                                                     10.10.1.3:80 (87.10%)
                                                     10.10.1.4:80 (86.76%)

                    Virtual servers
                    Name          Address         Servers    Status  Description
                    WebVirtualIP  10.10.0.1 : 80  10.10.1.1  Active  Load Balanced Web Servers North
                                                  10.10.1.2
                                                  10.10.1.3
                                                  10.10.1.4

                    • M
                      marcelloc
                      last edited by Mar 9, 2012, 4:05 PM

                      It looks fine.

                      You did change the pfSense GUI to https, but I think you also need to select Disable webConfigurator redirect rule on system -> advanced.

                      Is the pfSense LAN IP the gateway of your web servers?

                      Regards,
                      Marcello Coutinho

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                      • C
                        creatureofthedark
                        last edited by Mar 9, 2012, 10:02 PM

                        Ahhh, we have the problem, methinks :P

                        Your question about the gateway on the web servers got me thinking and I checked the /etc/network/interfaces on the servers… it was set incorrectly :P

                        Thank you for all your help!!! I am so sorry it turned out to be me being a complete idiot....
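
The fix in this thread was the default gateway in each web server's /etc/network/interfaces: the firewall log shows the balancer forwarding requests with the client's own source address, so a backend whose gateway is not the pfSense LAN address sends its replies elsewhere and the client times out. The check below is an added example, not part of the original posts; the sample file contents and the function names are constructed for illustration, and 10.10.1.200 is the pfSense LAN address from the first post.

```python
import ipaddress

# Constructed sample of a backend's /etc/network/interfaces (not from the thread).
SAMPLE = """\
auto eth0
iface eth0 inet static
    address 10.10.1.2
    netmask 255.255.255.0
    gateway 10.10.1.1
"""

def parse_static_stanzas(text):
    """Return {iface: {option: value}} for each 'iface <name> inet static' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface":
            is_static = len(words) >= 4 and words[2:4] == ["inet", "static"]
            current = stanzas.setdefault(words[1], {}) if is_static else None
        elif words[0] in ("auto", "source", "mapping") or words[0].startswith("allow-"):
            current = None  # a new top-level stanza ends the iface block
        elif current is not None and len(words) >= 2:
            current[words[0]] = words[1]
    return stanzas

def check_gateway(text, expected_gw):
    """Return problems that stop replies going back through expected_gw."""
    want = ipaddress.ip_address(expected_gw)
    problems, on_link = [], False
    for name, opts in parse_static_stanzas(text).items():
        if "address" not in opts:
            continue
        addr = opts["address"]
        if "/" not in addr:
            addr += "/" + opts.get("netmask", "32")
        if want not in ipaddress.ip_interface(addr).network:
            continue  # this interface is not on the balancer's LAN
        on_link = True
        gw = opts.get("gateway")
        if gw is None:
            problems.append(f"{name}: no gateway set")
        elif ipaddress.ip_address(gw) != want:
            problems.append(f"{name}: gateway {gw}, expected {expected_gw}")
    if not on_link:
        problems.append(f"no static interface on the same subnet as {expected_gw}")
    return problems

if __name__ == "__main__":
    print(check_gateway(SAMPLE, "10.10.1.200"))
```

An empty list means the interface on the balancer's LAN already returns traffic through the expected gateway.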
