LoadBalancer with state failover to backup firewall
-
I know that relayd (the built-in Load Balancer) does not drop any established connections when failing over to a backup firewall through testing. An established ssh session that is going through a relayd pool will keep working when failing over to a secondary firewall, for example. Does HAProxy or any other package with load balancing have the same ability?
-
No, the packages don't (and can't, really, at least not in our GUIs). The only reason relayd works is because it's basically manipulating NAT rules, and those just work in PF states.
Packages like HAProxy also have an internal state associated with their connections, and even if the configuration is synced to the secondary and the states move over, the HAProxy instance on the secondary has no way to obtain that connection information from the master's HAProxy daemon.
It would require the proxy package(s) such as HAProxy to have their own internal pfsync-like system to replicate the data between nodes. I'm not sure if any of them actually have that in their code, but if any of them do, then it could potentially be added to our GUI(s).
For some things like HTTP it may not matter much, though; those connections aren't normally persistent, so it wouldn't really be all that noticeable to the user. Of most interest would be any potential hashing/client-server association going on that could lead to a client's session getting terminated.
-
I figured that was the case. Thanks for your info on that.
That makes me want to stick with relayd for as many Load Balancing tasks as I can. Relayd without the sticky feature enabled works great. With the sticky feature enabled though relayd takes a very long time to failover when there are constant connection attempts from a client (more than minutes). For websites that need the sticky feature another package is preferred. I was hoping there was a chance for another package to have the same state failover robustness as relayd for that reason. I would have to move the load balancing to the backend for the sites I need to get around that issue when sticky is needed. I could then just use the normal port forwarding on the firewall itself.
-
Someone more familiar with the packages like HAProxy, varnish, mod_proxy, etc., would need to comment on whether or not it's technically possible with the software (outside of our GUI). If it is, someone could potentially add it.
In the meantime, relayd does tend to do a decent job.
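An added illustration of the distinction drawn in the second reply (this configuration was written for this note and is not from the thread, from pfSense, or from the relayd project; the addresses, table name and service names are assumptions): relayd itself offers both models side by side, and the failover behaviour follows from where the connection state lives. A `redirect` is layer-3 NAT whose state sits in the pf state table, which pfsync can replicate; a `relay` is a userland layer-7 proxy, the same design as HAProxy, whose state never enters pf.

```conf
# Example relayd.conf (constructed for this note; addresses are assumptions).
# pf.conf on both nodes must contain:  anchor "relayd/*"
# so that relayd can install its rdr rules into pf.

ext_addr = "192.0.2.10"        # shared CARP address the clients connect to
web1 = "10.0.0.11"
web2 = "10.0.0.12"

table <webhosts> { $web1 $web2 }

# 1) "redirect": layer-3 NAT. relayd writes rdr rules into the relayd
#    anchor; each client flow becomes an ordinary pf state entry, so
#    pfsync carries it to the backup node and an established connection
#    (for example an ssh session) keeps working after a CARP failover.
redirect www {
    listen on $ext_addr port 80
    forward to <webhosts> check http "/" code 200
    # sticky-address pins a client address to one backend; the thread
    # reports much slower failover with this enabled, so it is left off here.
    #sticky-address
}

# 2) "relay": layer-7 proxy. relayd accepts the TCP connection itself and
#    opens a second connection to the backend, exactly as HAProxy does.
#    That state lives in the relayd process, not in pf, and nothing
#    replicates it, so established sessions are reset on failover.
relay wwwproxy {
    listen on $ext_addr port 8080
    forward to <webhosts> port 80 check http "/" code 200
}
```

`relayd -n -f /etc/relayd.conf` checks the file for syntax errors before it is loaded. The practical consequence for the question in the thread is that only the `redirect` form gives the state-failover property, and any package that terminates connections in userland (HAProxy, varnish, mod_proxy, or a relayd `relay`) would need its own replication mechanism to match it.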