Pfsense Load balancing not working in VM

Nurgle · Mar 14, 2012, 5:34 PM

I have Pfsense 2.0.1 running on a couple VMs and have been having trouble specifically with the server load balancing feature.
I have tried this on Hyper-V and VirtualBox and have the exact same issue. For this scenario let me describe the VirtualBox setup.

I have Pfsense running with 2 virtual NIC. The lan side being 192.168.80.1/24 and the wan side 192.168.12.77/24. I have a VM 2008r2 IIS webserver with on virtual NIC set for 192.168.80.50 using the 192.168.80.1 as the GW. I have completely opened up the WAN side firewall to pass all ports and protocols. At this point the web server can resolve names from the DNS server on 192.168.12.202, and open pages on the internet.

So i follow the directions for load balancing and set up a pool with the one webserver described and set up a virtual server at 192.168.12.133 both listening on port 80 using the standard http health check.

When I look at the status of the load balancing it shows that both the pool and the virtual server is active. However the 192.168.12.133 is completely unresponsive. I used nmap to port scan 192.168.12.133 from my real machine and got this:

Starting Nmap 5.51 ( http://nmap.org ) at 2012-03-14 10:31 Pacific Daylight Time
NSE: Loaded 57 scripts for scanning.
Initiating ARP Ping Scan at 10:31
Scanning 192.168.12.133 [1 port]
Completed ARP Ping Scan at 10:31, 0.61s elapsed (1 total hosts)
Nmap scan report for 192.168.12.133 [host down]
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (0 hosts up) scanned in 4.52 seconds
Raw packets sent: 2 (56B) | Rcvd: 0 (0B)

Port scans of the 192.168.80.1 and 192.168.12.77 interfaces look normal.

Am I missing something?

Thanks.

marcelloc · Mar 20, 2012, 5:01 AM

Did you created this virtual ip/parp(firewall -> virtual ips) before applying it to a balance?

Nurgle · Mar 21, 2012, 6:25 PM

First off I have to say PFsense is awesome. Ok I figured out a bunch of things. I hope this helps people with the same problem.
1. you must create an IP alias for every virtual server.
2. make sure the subnet mask is properly set on the ip alias since it defaults to 32 which won't work.
3. Hyper-v isn't a good BSD host and you will need to create a shell script in /usr/local/etc/rd.c I like to call it something early in the alphabet like 1st.sh since I want to it execute before other shell scripts like haproxy.sh. put this in you script:
ifconfig de0 down
ifconfig de1 down
ifconfig de2 down
ifconfig de3 down
ifconfig de0 up
ifconfig de1 up
ifconfig de2 up
ifconfig de3 up
4. Use HAproxy-full instead of the standard load balancer. Just install it from the packages, it's far more full featured, than the built in one.
5. HAproxy will crash if you try to pass persistence cookies over ssl, if you see the service stopped, that's probably what you are doing. You must use source balancing for encrypted packets, and make sure the cookie fields are blank.
6. Stunnel will allow you to use persistence cookies with SSL. Install it from the packages, put it in front of HAproxy so it will decrypt the packet and send the decrypted packet to haproxy, now you can use full cookie persistence with SSL.
7. Here's a good quick and dirty tutorial for setting up HAproxy http://conheotiensinh.blogspot.com/2011/12/config-haproxy-with-pfsense-version-201.html