Load Balancing on an HTTP proxy server



  • Hello!

    Basically, what I want to do is to balance 2 ADSL connections on an HTTP proxy server.
    So, I'm searching for a simple solution (and a cheap one) to balance two PPPoE
    connections on a server that handles only http traffic (for increased total
    throughput…) Can pfSense do that?

    The ADSL connections have the same download speed and I have simple
    ADSL routers "before" the desired proxy server machine.

    Thanks in advance.



  • Yes, it can. Check out the following links:
    http://doc.pfsense.org/index.php/Chapter_4:Configuration_of_pfSense%28Firewall/NAT/etc%29
    http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing
    http://pfsense.com/index.php?id=36



  • Well, my LB works (though not as I expected)…

    Here is my config:

    • 2 ADSL connections with routers "before" pfsense: 10.100.1.1/24 is the static IP/mask for WAN1 with gateway 10.100.1.100 and 10.100.2.1/24 is the static IP/mask for the WAN2 (OPT1 renamed) with 10.100.2.100 as the second gateway. I created the pools, using the IP of the gateways and a monitor IP from my ISP (i have both connections from the same ISP) - one common for both links. This is one thing I don't understand. In the wiki you say:

    For each entry in the network connection pool a source IP address, unique monitor address and the upstream gateway.

    Please give me some good example for this monitor IPs, because the failover doesn't work for me.

    When both connections are up, load balancing works, though it is quite strange… I am very interested in http load balancing (my pfsense box will handle only http traffic) so I made some tests with some browsers and www.whatismyip.com, refreshing the page constantly. What did I obtain?

    • Opera v8.53: 1-IP1, 2-IP1, 3-IP2, 4-IP1, 5-IP1, 6-IP2, 7-IP1, 8-IP1, 9-IP2...
    • IE v7 beta: 1-IP1, 2-IP1, 3-IP1, 4-IP1 etc.
    • Firefox: 1-IP1, 2-IP2, 3-IP1, 4-IP2, 5-IP1, 6-IP 2 etc.
      This is strange; however, if I download something with a download manager, using multiple connections, then I can achieve the bandwidth of both connections. It is the same if I make multiple downloads with Opera, for example. The behaviour described above seemed strange...

    Anyway, my two problems right now are:

    • the failover doesn't work for me: if one link is down, then http traffic won't work (nor ping for that matter); some http requests could not be completed because the domain couldn't be resolved, so I used a DNS server from my LAN, with no luck whatsoever; is there a way to achieve LB with failover with my setup (presented above)? If so, how?
    • I want to use the LB feature with the squid proxy (I have another box that will use pfsense as an upstream proxy cache) - the problem is that when I use squid, it seems that LB doesn't work - whatever the browser, www.whatismyip.com returns the same IP and with multiple downloads in the browsers, the total bandwidth corresponds with the bandwidth from only one link. :(

    Please help... I'm using RELENG_1_SNAPSHOT_03-26-2006. Tnx!



  • Add static routes for the monitor ips that you are using forcing them out the correct pipe.

    For example, if you are monitoring y.y.y.y you need a static route with the next hop gateway in place to force the ping traffic out the correct gateway.



  • Tnx for the reply. I tried what you said (adding 2 static routes for the monitor IPs) and verified with traceroute that I can reach those monitor IPs only through the correct gateways. The problem is that, when one link is down (for example WAN), I cannot ping the monitor IP for WAN, but I can ping the monitor IP for WAN2, which is good; however, I receive "ping: sendto: No route to host" when I try to ping any other Internet hosts. Strange… Maybe I'm doing something wrong...

    Anyway, this is not my big concern, but... Squid. Why is it that LB works well with a direct connection for http, but when I use the proxy (pfsense) in my browser (or when I set up the proxy as transparent), the only link used is WAN? Is Squid using only one link?  :-\



  • @ismail:

    Tnx for the reply. I tried what you said (adding 2 static routes for the monitor IPs) and verified with traceroute that I can reach those monitor IPs only through the correct gateways. The problem is that, when one link is down (for example WAN), I cannot ping the monitor IP for WAN, but I can ping the monitor IP for WAN2, which is good; however, I receive "ping: sendto: No route to host" when I try to ping any other Internet hosts. Strange… Maybe I'm doing something wrong...

    Anyway, this is not my big concern, but... Squid. Why is it that LB works well with a direct connection for http, but when I use the proxy (pfsense) in my browser (or when I set up the proxy as transparent), the only link used is WAN? Is Squid using only one link?  :-\

    Because we can only load balance traffic THROUGH the box.  I'm sure this is in the FAQ.

    –Bill





  • @sullrich:

    Same rules apply to http://faq.pfsense.com/index.php?action=artikel&cat=1&id=142&artlang=en&highlight=userland as well.

    However, the long answer is that you can utilize dual wan ftp if you use a 1:1 or port-forward the large port ranges required by the server which in most cases of newer ftp daemons is configurable.

    Isn't it a long answer in my case? (Outgoing Load Balancing for HTTP - tnx, I realize the difference between dual wan and LB after reading the faq :) )?

    I tried to redirect port 80 from my gateway to the pfsense box, but it seems that this is not working… (maybe I'm doing something wrong). I know I can use another box as an intermediate proxy (that will have the pfsense box as the gateway), but I don't have such a system right now. What is the best way to achieve what I want?

    Thanks.



  • I have a configuration similar to the above one and a really strange problem with it…

    pfsense1 IP 192.168.1.2 default gw connected to a 6 MBit PPPoE
    pfsense2 IP 192.168.1.4 transparent squid connected to a 10 MBit PPPoE

    and I want to redirect any http traffic to the squid.
    So I set up a load balance pool with one IP (192.168.1.4) as a gateway and a firewall rule for port 80 traffic with this gw.
    Nearly everything works great, all port 80 traffic is redirected to the 10 MBit connection and incoming is limited with the squid delay pool.

    But now the strange thing,
    I tested it very seriously, with many bandwidth tests on the web (but not in all), and on real-world pages like eBay etc. my upstream seems to be limited to 1 kb/s (normally 100) after the first 50 kb or so.
    I rechecked it using the pfsense squid box as the default gw, and everything is right.

    Can somebody explain this strange behavior to me, and maybe help.  ;)



  • If somebody finds a way to use squid with multiple WANs, let me know, I'm interested  8)



  • It's getting warmer… no problems with my pf box with 2 connections in the past 2 weeks; but I want to know:

    1. Could pF handle 3 connections for Outgoing Load Balancing? (all 3 with static IPs);
    2. Could you tell me what is the criteria behind choosing the "next" connection?
      I mean, if I have 3 connections: A, B, C, A with 500 kbps throughput (for example) at the moment, B with 200 kbps and C with 700 kbps... in what order will pF choose the next connection to handle the traffic?
      Is it round robin (like A,B,C,A,B,C etc.) or load based (B (is the least loaded connection), A, C) or else? In my case, all the connections are the same (same type of configuration and the same bandwidth) so I thought that the round robin way is not the most efficient one.  :-\

    Plus, in case of a connection tracking protocol, does pF use the same "line" for the traffic that belongs to the same connection? I know that there are professional routers that do Outgoing Load Balancing in multiple ways... no doubt, I'm very content about pF, but I wanted to know a little bit more about the way that pF does the trick.



    1. You can put as many IPs in the pool as your hardware can handle (NICs, CPU power, …)
    2. It's plain roundrobin. You can fake some "weighting" by entering some of the gateway IPs twice in the pool (A,A,A,B if you want it weighted 3:1 for example), and yes, already established connections will remain at the same gateway they were originally initiated.
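An added example (not from this thread or from pfSense itself) that models the behaviour described in the two answers above: plain round robin over the pool entries, a duplicated entry acting as weighting, established connections staying on the gateway they started on, and a gateway whose monitor IP is down being skipped. Gateway names, IPs and ports are constructed; the "two refreshes per keep-alive connection" assumption is mine, to show why successive browser refreshes can report the same external IP.

```python
from itertools import cycle


class OutgoingLoadBalancer:
    """Toy model (constructed here, not pfSense code) of an outbound pool:
    plain round robin over the pool entries, so a duplicated gateway gets a
    proportionally larger share; an established flow keeps the gateway it
    started on; a gateway whose monitor IP is unreachable is skipped."""

    def __init__(self, pool, monitor_up):
        self.pool = list(pool)              # e.g. ["A", "A", "A", "B"] is a 3:1 weighting
        self.monitor_up = dict(monitor_up)  # gateway -> latest monitor ping result
        self.state = {}                     # flow key -> gateway ("state table")
        self._rr = cycle(range(len(self.pool)))

    def set_monitor(self, gw, up):
        self.monitor_up[gw] = up

    def choose(self, flow):
        """flow = (src_ip, src_port, dst_ip, dst_port); returns the gateway used."""
        gw = self.state.get(flow)
        if gw is not None and self.monitor_up.get(gw, False):
            return gw                       # existing connection: stay put
        for _ in range(len(self.pool)):     # try each entry once, skipping down links
            cand = self.pool[next(self._rr)]
            if self.monitor_up.get(cand, False):
                self.state[flow] = cand
                return cand
        raise RuntimeError("no route to host: every gateway's monitor is down")


def browser_refresh_demo():
    """Nine refreshes of a what-is-my-IP page over two equal links. A keep-alive
    browser reuses one TCP connection for a couple of requests (constructed
    here as two refreshes per connection), so successive refreshes can show
    the same external IP even though the pool itself is strict round robin."""
    lb = OutgoingLoadBalancer(["WAN1", "WAN2"], {"WAN1": True, "WAN2": True})
    return [lb.choose(("10.0.0.5", 50000 + i // 2, "203.0.113.10", 80)) for i in range(9)]


def weighted_failover_demo():
    """Pool A,A,A,B: 12 new flows split 9:3; once B's monitor fails, new flows
    all land on A without anyone touching the pool."""
    lb = OutgoingLoadBalancer(["A", "A", "A", "B"], {"A": True, "B": True})
    first = [lb.choose(("10.0.0.5", 40000 + i, "198.51.100.7", 80)) for i in range(12)]
    lb.set_monitor("B", False)
    after = [lb.choose(("10.0.0.5", 41000 + i, "198.51.100.7", 80)) for i in range(4)]
    return first.count("A"), first.count("B"), after
```

The model also shows the failover case from earlier in the thread: when every gateway's monitor is down, `choose` raises instead of routing, which is the "No route to host" symptom a client sees.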
