Load balancing web server issue 2.0.1-RELEASE (amd64)



  • Hey i'm not shore if this is the correct place for this or not but I have seen one or two similar here so ill give it a go.

    This may be a very simple mistake.. but I have gone over the bellow howto a few times and I simply cant get it to work..

    http://www.howtoforge.com/how-to-use-pfsense-to-load-balance-your-web-servers

    iv been working on a simple test bed to load balance 4 web servers..
    The set-up is bellow
                                          WAN                      LAN
    user[10.10.0.50] <===> [10.10.0.1] PfSense [10.10.1.200] <===> [10.10.1.1-4] web servers
                                                                                              [10.10.1.100] virtual server

    Name Protocol IP      Address         Port Pool                 Fall Back Pool Description
    WebVirtualIP tcp 10.10.1.100 80 NorthWebServers none Load          Balanced Web Servers North

    Name Mode                                   Servers Port Monitor   Description
    NorthWebServers loadbalance 10.10.1.1  80    webservers  webservers North Web Server Pool
                                                    10.10.1.2
                                                    10.10.1.3
                                                    10.10.1.4

    I planed to simply NAT 80 to the virtual server IP address however i cant even get a user on 10.10.1.10 to access the web servers via the virtual server ip address…
    it can access them individually but not on there own....

    am I doing something stupid here??

    any help would be great!!



  • After you setup a load balance you need to configure What ip is going to listen. Select wan ip for it, remove nat wan web server port and create a rule on wan to Allow http traffic.

    You may need to change pfsense gui port to do not conflict with balance port.



  • hey marcelloc,

    Thank you for your response I have followed your advice and set-up so that the virtual server is on the same IP as my WAN interface… I have then removed all NAT rules and on the WAN interface... still did not work... I then changed the webui to https to take it of port 80 and still nothing happened...

    currently on the firewall i have...

    WAN
    Proto  Source Port Destination         Port         Gateway Queue Schedule Description
    TCP *       * WAN address 80 (HTTP) *         none  
    TCP *       * *                 80 (HTTP) *         none

    LAN 
    Proto Source Port Destination          Port         Gateway Queue
    TCP *         * LAN address 80 (HTTP) *      none
    TCP    *            *      *                      80(HTTP)  *              none

    if got each one logging and im noticing in the log the bellow is being blocked...
    This suggests to me that the load balancing is working but for some reason its not being allowed to the individual hosts...

    Feb 27 00:22:22 WAN   10.10.0.10:57812   10.10.1.4:80 TCP:S

    Feb 27 00:22:25 WAN   10.10.0.10:57812   10.10.1.2:80 TCP:S

    Feb 27 00:22:31 WAN   10.10.0.10:57812   10.10.1.3:80 TCP:S

    Feb 27 00:23:02 WAN   10.10.0.10:57813   10.10.1.4:80 TCP:S

    Feb 27 00:23:05 WAN   10.10.0.10:57813   10.10.1.2:80 TCP:S

    Feb 27 00:23:11 WAN   10.10.0.10:57813   10.10.1.3:80#

    although... thinking about it i may be interpreting these logs wrong... if they are logged if a rule handles it dose that mean its been aloud?? if so why is it the host not getting the webpage??



  • also note that iv just added in two new rules that allow any source and port any destination any port on both wan and lan firewall rules…

    I have also added a nat for wan interface to port 8080 to redirect to one of the web servers on port 80...

    i cannot access the web server on port 80 but i can access the web-gui on 443 from the user host on 10.10.0.10 [in wan network]



  • ok i have just seen on the logs that the firewall is passing the traffic but the client is getting time outs…. iv pulled down the firewalls on the web servers and made shore that i can still get the webpage on the LAN network and i can...

    i have nooooo idea what im doing wrong now... but i'm guessing its me doing something very stupid...

    I don't have to setup any form of routing do i??



  • Just reading again your post, I found a mistake.

    Change virtual server from 192.168.1.100 to wan ip and keep wan rule to Allow http access to balance ip and/or web servers(just like nat do).



  • i did that in respons to your first link… still with no effect... the fire wall is now passing the traffic but for some unknown reason im still getting timeouts...

    on the dash board it is showing the load balance as active...

    WebVirtualIP
    Active
    10.10.0.1:80

    iv opened up all ports...

    firewall log is showing traffic passing when i do a request with a nice green little arrow thing but odly its got a red cross when traffic comes from the  web servers to the router on port 80.... i think i have a firewall issue some where... but i cant work out where.... could it be due to there is no gateway on any of the interfaces?



  • What you get on status -> loadbalance?



  • 10.10.1.1 id down at the moment.. but the overs are up

    Pools
    Name        Mode                   Servers                           Monitor         Description
    NorthWebServers Load balancing 10.10.1.1:80 (0.00%)      webservers North Web Server Pool
                                            10.10.1.2:80 (86.90%)
                                            10.10.1.3:80 (87.10%)
                                            10.10.1.4:80 (86.76%)

    Virtual servers
    Name            Address            Servers      Status Description
    WebVirtualIP      10.10.0.1 : 80    10.10.1.1    Active      Load Balanced Web Servers North
                                                  10.10.1.2
                                                  10.10.1.3
                                                  10.10.1.4



  • It looks fine.

    you did changed pfsense gui to https, but I think you need also to select Disable webConfigurator redirect rule on system -> advanced.

    pfsense lan ip is the gateway of your websevers?

    att,
    Marcello Coutinho



  • ahhh we have the problem me thinks :P

    your question about the gateway on the web servers got me thinking and i checked the /etc/network/interfaces on the servers… it was set incorrectly :P

    Thank you for all your help!!! i am so sorry it turned out to be me being a complete idiot....


Log in to reply