Problem with load balancing

Steffan

HI guys,

This is my first post, and i hope this is the right place to post it.. if not please move :)

I have been pulling my hair for the last 3 hours trying to get this to work, and i cant find a guide on google that was able to help me, so now i'm posting this hoping one of you guys would like to help me out!

Here's the thing:

i have 2 webservers, listening on port 80.
I would like load load balance between thoose two using my pfsense firewall that is in between the webservers and the internet.

right now i have a NAT rule set up that redirects everything incomming on port 80 to webserver1, this works fine, and has been for the last year or so since i set it up.

I tried creating a virtual IP, and enable load balance, changed the NAT rule to redirect to the virtuel IP instead of webserver1.
but this does not work, whenever i try på access the website with the new settings, it just times out.
there is nothing blocked on port 80 in the firewall log.

Can someone point me in the right direction? maybe even post a guide ?

If you need any screenshots, config files, or anything else feel free to ask! :)

Steffan

i have been searching the forums for 2 hours now, and still i cant figure out what is wrong here. i really hope someone in here wants to help me ?

Maybe i should make a little drawing to show my setup a little clearer:

Internet –-> (WAN - 95.xx.xx.xx) PFsense Firewall (LAN - 192.168.2.0/24) ----> switch ---> Webserver1 and webserver 2 (192.168.2.101 + 192.168.2.102)

I have created a carp VIP using the IP 192.168.2.100 on the LAN interface
I have created a load balance pool, with the two webservers.
i have created a Virtual server with the IP 192.168.2.100 and Virtual Server pool of the pool i created above.
The monitor is set to http, and the webservers are green, so they are not reported offline by the load balancer in the status page.
I have created a NAT rule, redirecting all trafik on port 80 from ANY to 192.168.2.100, and a auto generated firewall rule for this too.

I can ping the VIP 192.168.2.100, but if i try to access it in the browser, it just times out. same if i access the external (WAN) IP that should be redirected to the VIP on port 80 by the NAT rule

where did it go wrong ??

Steffan

I think i got it to work! and i just want to see if this is the correct way to do it:

In loadbalancer > Virtual server, you have to specify an IP address. i was sure this had to be the VIP i created on another config page that the NAT redirectet to, but this did not work (see previous posts) i changed the IP here to my WAN ip, and removed the NAT. then i added firewall rules that allows port 80 to the webservers internal IP. and now it works.

Is this the correct way to do it ??? it works pretty good, but i have no idear if this is correct and safe!

Steffan

I am sorry to ask again, but a simple "Yes that is correct" og "No, that's not how to do it" answer to my last reply would be great :-)
If you want screenshots, just ask

nicolas010

Hello, I have being trying to do something similar to you, I have 2 pfSense and I need them to Balance the Load of users who enters, my pfSenses are not firewalls, they work like a proxy, they give internet to users so if you could help me please, any configuration or screenshots would be nice. Thank you.

Steffan

@nicolas010:

Hello, I have being trying to do something similar to you, I have 2 pfSense and I need them to Balance the Load of users who enters, my pfSenses are not firewalls, they work like a proxy, they give internet to users so if you could help me please, any configuration or screenshots would be nice. Thank you.

Hi Nicolas,

Since someone in this forums cant tell me if my configuration is the correct way to do it, i can't help you on how to setup load balancing. (Since i don't know if my way is the correct way.) Sorry.

nicolas010

I understand, maybe you should give your post sometime, but in you say that it works, so I would like to try it if you dont mind. Thank you.

Steffan

@nicolas010:

I understand, maybe you should give your post sometime, but in you say that it works, so I would like to try it if you dont mind. Thank you.

Well, i think i have given my post plenty of time, and other post's are getting answered every day, just not mine :(
But maybe this forum is just pretty inactive, sadly..

Anyways!
I would be happy to help you! :) - Can you post a drawing/description/screenshot/something else of your setup ? where your clients are connecting from, where your servers are (Those who should be load balanced) and so on..

nicolas010

Hello! here is how I would like my network to be, if any change is needed just let me know.

So the thing is, I have plenty of users  at the bottom and right now I have 1 pfSense working and recieving all these connections, and what I want is to load balance those user, to the 2 pfSense, maybe I could put another pfSense before the other 2, that is basically, so in comparisong to your network, your two webservers would be my 2 pfSense, so would I need a third? or just those 2?, I am using pfSense 2.0.2. Thanks for your help!! :D

nicolas010

oh, BTW, I have 4 Vlans on the LAN interfaces, my pfSense gives internet to students, using captive portal, certificates, RADIUS etc. Can the pfSense load balance through Vlans?

Steffan

Oh dear, that is totally different from my setup, i only have 1 Pfsense box.

I don't think i can help you here, since i have not been playing with multiple pfsense boxes before :( but 1 thing i was thinking of as soon as i saw your drawing: Do you have 2 external IP adresses ? since you cant connect a switch to the ISP (Modem/Internet), since the modem normaly only provide 1 IP on each port and the two pfsense boxes would be fighting over it then!

nicolas010

I have many public IPs, because the network is for a university.  So I can connect 2 pfSense, but I need to load balance the users so they will know where to connect, I cannot connect the 2 pfSense right now, there is only 1 because the users need to know where to connect.

this would the network, I made some changes. Could you anyway tell me please who you configure your pfSense, ty :D

Steffan

Ok,
About the dual pfsense setup i cant help you at all.

But regarding the load balancing, maybe :)

is it your LAN clients that has to connect to a load balanced server pool?
If yes, i would do the following:

(The fields that i do not specify in this "guide" is like a description, or something that has to stay default.)
Example LAN subnet: 192.168.0.0/24
1. Create a CARP VIP with the ip of (in this example, modify to your needs): 192.168.0.100/24 on LAN interface.

2. In services > Load balancer: Create a new pool.
Mode: Load balance
Monitor: ICMP (easy for testing (but should make a propper monitor to test your application later), if your servers respond to ping)
port: The port number your applications listens to, and add your servers to the pool lets say 192.168.0.101 and 192.168.0.102.

3. In services > Load balancer: Create a new virtuel server. Port: same as in step 2, Virtual server pool: choose the pool you created in step 2. Relay protocol: TCP, IP address: (This is the part I had wrong) has to be 192.168.0.100 for internal clients, or your WAN IP if external clients should be able to visit.

4. In Firewall > Aliases create:
Name: (Something you can remember, i used in the next step!)
type: hosts
Add the IPs of the same servers you specified in your pool in step 2.

5. In Firewall > Rules create:
Interface: LAN (LAN if choosen internal clients in step 3, or WAN for external clients in step 3)
Protocol: TCP
source: Any (if choosen LAN clients in step 3, you should be able to set this to "LAN subnet", but for testing choose any!)
Destination: choose "single Host or alias" and write the name of the Alias you created in step 4.
Destination port range: port of your application, i think you can choose any to make testing easyer here!

That is what i would have done, but i cant say if this would work but it is worth a try :)
Hope this helps! - Good luck, and let me know how it works out!
Any questions, feel free to ask
(Btw, there might be some typos in my post, i did not reread it.)

nicolas010

thank you so much, I will try it later, because for now I can´t run tests, so I would let you know whatever happens, btw by internal hosts you mean the users? those users are the ones that I am creating this service for, so I think they are my internal hosts right? now this configuration where should I make it? in a third pfSense? or in any of the 2 that are in the picture? Do I have to connect these 2 directly?? meaning with a crossover cable? because carp needs it. TY.

Steffan

@nicolas010:

thank you so much, I will try it later, because for now I can´t run tests, so I would let you know whatever happens, btw by internal hosts you mean the users? those users are the ones that I am creating this service for, so I think they are my internal hosts right? now this configuration where should I make it? in a third pfSense? or in any of the 2 that are in the picture? Do I have to connect these 2 directly?? meaning with a crossover cable? because carp needs it. TY.

My guess is to config this in one of them. but if that one goes down, your load balance goes down too. i have no idear how to create load balance on two pfsense boxes at the same time..

And yes, by "Internal hosts" i mean your uers / LAN clients. they will then have to connect to the IP 192.168.0.100 to get load balanced to your servers

nicolas010

ok, I will try this configuration thanks for your time, when I do the changes I will let you know. Maybe on sunday I will make them, because I cannot turn down the machine on the week…