    Inbound Load Balancing

    HA/CARP/VIPs
rneily

I am playing around with setting up an inbound load balancer where I will have a VIP that will share the load between two HTTP servers behind it that use 192.168.x IP addressing.

According to the docs wiki, pfSense supports round robin load balancing. Can someone tell me if it will properly handle the condition if one of the boxes goes down? Or will pfSense keep sending every other network request to the downed box, or does it ping the boxes and remove the downed box from the pool?

Also, any limitation to the number of devices in the pool?

sullrich

        Yes it includes link monitoring.

        Not sure about limitations but I would bet that 100+ will be ok.

rneily

          @sullrich:

          Yes it includes link monitoring.

          Not sure about limitations but I would bet that 100+ will be ok.

          Will it also add the device back to the pool if it should become active again?

sullrich

            @rneily:

            @sullrich:

            Yes it includes link monitoring.

            Not sure about limitations but I would bet that 100+ will be ok.

            Will it also add the device back to the pool if it should become active again?

            Yep.

rneily

              @sullrich:

              Yep.

              Sweet.  Thanks for the quick reply.

rneily

For some reason I can't get this to work. I am trying to load balance incoming connections from my WAN IP on port 80 to my internal web servers (192.168.1.128 and 192.168.1.245) running on port 80.

                I've followed the instructions here:

                http://wiki.pfsense.com/wikka.php?wakka=IncomingLoadBalancing

                however, I have some questions:

1. Can I load balance connections going to the WAN interface to the internal NATed IPs, or do I need to set up a virtual IP on the WAN interface? If yes, I am assuming this would be "Other", since I don't want CARP and don't want Proxy ARP?
2. What kind of rules would I need in the firewall WAN rules? Currently I have "allow port 80 any to any".
sullrich

                  Try allow all from any to any port 80

rneily

It still is not working. I currently have allow TCP from any to any on port 80 in the WAN rules, but it does not seem to work. Anything else to check or try?

rneily

Can I use the normal WAN IP to load balance? Or do I need to set up a VIP off the WAN interface as the interface that sends connections to the load-balanced IPs on my local LAN?

What should the Gateway be for the allow rule? Currently I have "default"; not sure if it should be the load balance pool…

rneily

I finally got this working with the help of Hoba via IRC. Hoba has updated the wiki, and I'm gonna add some final changes over the next few days.

The web interface is not really clear on what's added to the IP list. I did not have the proper monitoring parameters in the fields, so my pool was always in a down state.

I think the web interface should be updated so that the fields that are stored into the list are visually separate from the other fields…

wizard

@rneily I am having the same problem with load balancing from my WAN IP to my internal web servers running on port 80. You said Hoba helped you out, but you did not post a solution. Can you point me in the right direction, as it is driving me crazy at the moment?

hoba

                            This article was updated: http://wiki.pfsense.com/wikka.php?wakka=IncomingLoadBalancing
The original problem was that no monitoring IP was specified (it was not mentioned in the wiki earlier; now steps 8 and 9), and thus the pool was always empty. Follow the wiki and you should get it going.

wizard

I am trying to set up two load balancers with failover, which seems to work. Behind the load balancers are two web servers listening on port 80. For some reason I cannot access the web servers. Should the monitor IP be the IP address of one of the web servers? And is it enough to open the WAN interface for all traffic via port 80? Or do I have to set up additional NAT rules to accomplish this?

When I check the Show States page, all I can see is 10.110.1.65:8081 <- 10.110.1.205:4582 CLOSED:SYN_SENT

hoba

Did you create your virtual server external IP by using the CARP IP? As you have a failover config, this is needed. Also be aware that, if using CARP, you might need advanced outbound NAT too, to map the outgoing traffic to your CARP IP instead of the real WAN IP of the machine. I would suggest starting your setup without CARP/failover to see if the load balancer works. After that, add CARP/failover and change the WAN IP of the virtual server to the shared CARP IP. I guess you haven't configured the load balancing correctly for CARP.

wizard

I followed the tutorial building a fully redundant cluster with 2 pfSense systems between WAN/LAN with CARP & pfsync, which worked fine, but I can't seem to get the load balancer to work. I also tried my setup without CARP as you suggested, with one load balancer instead of two, with no success.

My setup is the following:

WAN IP: 10.110.1.61
LAN IP: 192.168.1.10

Web server IPs: 192.168.1.2; 192.168.1.3

I followed the howto from http://wiki.pfsense.com/wikka.php?wakka=IncomingLoadBalancing and I set 192.168.1.2 with ICMP as the monitor IP. And I allowed all traffic to pass the WAN interface. But I can't access the web servers and I can't seem to find a solution.

hoba

Are you sure the web servers respond to pings? If not, they are assumed dead and will be excluded from the pool (just in case you have a local firewall running on the web servers too).

wizard

@hoba first of all, thanks a lot for your help; I now have a working load balancer. I also successfully configured failover with CARP, and up till now everything works fine. My setup:

Load balancer 1

WAN IP 10.110.1.61
LAN IP 192.168.1.10

Load balancer 2

WAN IP 10.110.1.75
LAN IP 192.168.1.15

Virtual IPs (CARP)

WAN 10.110.1.76
LAN 192.168.1.1

The web servers have their gateway set to the virtual IP on the LAN. My web servers work fine until the point where I unplug the master and the backup takes over. From then on I can't access the web servers. I checked the interfaces carp0 and carp1: the master drops the interfaces and the backup takes over. I can even ping the interfaces, but the web service refuses to work. Do you have an idea why? The settings on both hosts are identical except that the master has the sync setting enabled. I am not using a dedicated sync interface for the sync; I am using the LAN interface. Do you think that could be a problem?

hoba

Enable SYNC at the backup machine too (the first sync option in the list at Firewall > VIP, CARP settings). This one is needed for synchronizing the states between both firewalls. The other options below it are only for config syncing and should only be set at the master.
Besides that, make sure your load balancer uses the WAN CARP IP as external IP and not the real interface IP. Also check that your firewall rules at WAN are correct.
Another thing to try is disabling load balancer settings sync and manually adding the pool/virtual servers at the backup system. (I think this is something that wasn't tested extensively before, though it should not cause any problems.)

billm

@wizard:

I followed the tutorial building a fully redundant cluster with 2 pfSense systems between WAN/LAN with CARP & pfsync, which worked fine, but I can't seem to get the load balancer to work. I also tried my setup without CARP as you suggested, with one load balancer instead of two, with no success.

My setup is the following:

WAN IP: 10.110.1.61
LAN IP: 192.168.1.10

Web server IPs: 192.168.1.2; 192.168.1.3

I followed the howto from http://wiki.pfsense.com/wikka.php?wakka=IncomingLoadBalancing and I set 192.168.1.2 with ICMP as the monitor IP. And I allowed all traffic to pass the WAN interface. But I can't access the web servers and I can't seem to find a solution.

                                          uhhh, use TCP for the monitor - it'll actually test the port availability, not just the node.

                                          –Bill

                                          pfSense core developer
                                          blog - http://www.ucsecurity.com/
                                          twitter - billmarquette

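The behaviour sullrich, hoba and billm describe above (a monitor that drops a pool member when its check fails and puts it back when the check passes again, a pool that stays empty when no monitor target is configured, and a TCP check that tests the service rather than just the host) is modelled in the following Python. It is an added illustration, not pfSense code, and it does not reproduce the pfSense monitor of that era; the names Pool, Member, tcp_check and FakeBackend are mine, and the backends are constructed local TCP listeners so the whole thing runs offline.

```python
"""Monitored round-robin pool: added illustration for this thread, not pfSense code.
Backends are constructed local TCP listeners (FakeBackend) standing in for web servers."""
import select
import socket
import threading
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Member:
    address: str                                 # backend that traffic is forwarded to
    port: int
    monitor: Optional[Tuple[str, int]] = None    # host/port probed; None = no monitor target set
    up: bool = False


def tcp_check(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect probe: passes only if something is listening on the port.
    A host that answers ICMP but has no listener on the port fails this check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class Pool:
    def __init__(self, members):
        self.members = list(members)
        self._next = 0

    def monitor(self):
        """One monitoring pass. A member without a monitor target is never marked up,
        which is the 'pool always empty' symptom from the thread."""
        for m in self.members:
            m.up = m.monitor is not None and tcp_check(*m.monitor)
        return self.active()

    def active(self):
        return [m for m in self.members if m.up]

    def pick(self):
        """Round-robin over members currently up; None when the pool is empty."""
        live = self.active()
        if not live:
            return None
        m = live[self._next % len(live)]
        self._next += 1
        return m


class FakeBackend:
    """Constructed stand-in for a web server: accepts connections and drops them."""
    def __init__(self, port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # allow restart on same port
        self.sock.bind(("127.0.0.1", port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._t = threading.Thread(target=self._serve, daemon=True)
        self._t.start()

    def _serve(self):
        while not self._stop.is_set():
            ready, _, _ = select.select([self.sock], [], [], 0.05)
            if ready:
                conn, _ = self.sock.accept()
                conn.close()

    def stop(self):
        self._stop.set()
        self._t.join()
        self.sock.close()


def demo() -> dict:
    """Walks through the thread's questions with two local backends and returns
    booleans so the outcome can be checked rather than only printed."""
    a, b = FakeBackend(), FakeBackend()
    pool = Pool([
        Member("127.0.0.1", a.port, monitor=("127.0.0.1", a.port)),
        Member("127.0.0.1", b.port, monitor=("127.0.0.1", b.port)),
    ])
    out = {}
    pool.monitor()
    out["both_up"] = {m.port for m in pool.active()} == {a.port, b.port}
    picks = [pool.pick().port for _ in range(4)]
    out["round_robin"] = picks[0] != picks[1] and picks[0] == picks[2] and picks[1] == picks[3]

    b.stop()                                     # backend b goes down
    pool.monitor()
    out["dead_member_skipped"] = {pool.pick().port for _ in range(4)} == {a.port}

    b = FakeBackend(port=b.port)                 # service comes back on the same port
    pool.monitor()
    out["recovered_member_readded"] = {m.port for m in pool.active()} == {a.port, b.port}

    unmonitored = Pool([Member("127.0.0.1", a.port)])  # listener is fine, but no monitor target
    out["unmonitored_pool_empty"] = unmonitored.monitor() == [] and unmonitored.pick() is None

    a.stop()
    b.stop()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

tcp_check is billm's point in code: a host that still answers pings but has nothing listening on port 80 is excluded, where an ICMP probe would keep it in rotation. A Member with monitor left at None reproduces rneily's original symptom, a pool that never comes up.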
wizard

@Hoba I already enabled the Sync option on both machines. To me it seems to be a CARP problem: as I said in my previous posting, everything works fine until I unplug the network cable of the master host. The backup machine takes over the master state but nothing else seems to happen, and the two web servers behind the load balancers are not reachable. This is the output of ifconfig after the backup has taken over the master state and the web servers are not reachable:

ifconfig
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::2d0:b7ff:fe70:1ce1%fxp0 prefixlen 64 scopeid 0x1
        inet 10.110.1.60 netmask 0xffffff00 broadcast 10.110.1.255
        ether 00:d0:b7:70:1c:e1
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::2d0:b7ff:fe68:ba70%fxp1 prefixlen 64 scopeid 0x2
        inet 192.168.1.15 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:d0:b7:68:ba:70
        media: Ethernet autoselect (10baseT/UTP)
        status: active
pflog0: flags=100<PROMISC> mtu 33208
pfsync0: flags=41<UP,RUNNING> mtu 1348
        pfsync: syncdev: fxp1 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 10.110.1.76 netmask 0xffffffff
        carp: MASTER vhid 1 advbase 1 advskew 100
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 192.168.1.1 netmask 0xffffffff
        carp: MASTER vhid 2 advbase 1 advskew 100

Perhaps it might help someone find my problem.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.