Inbound Load Balancing is not balanced
-
I've been searching the forums and haven't found anything that addresses this issue. Basically I have pfSense in front of 3 servers (2 webservers and 1 db server). I want to load balance HTTP and HTTPS traffic that hits the 1 public IP of pfsense, and send it to the 2 webservers.
I've setup http and https pools, as well as virtual servers and firewall rules, but the problem is that when I hit the public IP I always end up on the same webserver (I have the index page show the name). Also I don't have sticky sessions turned on, and I can hit each webserver individually, so one isn't down.
Here is the process I took. What could be wrong?
1. Services -> Load Balancer -> New
1a. Name: Http Pool
1b. Description: Http Pool
1c. Type: Server
1d. Behavior: Load Balancing
1e. Port: 80
1f. Monitor: TCP
1g. Added the 2 webservers to the pool: 10.0.0.2, 10.0.0.32. Services -> Load Balancer -> New
2a. Name: Https Pool
2b. Description: Https Pool
2c. Type: Server
2d. Behavior: Load Balancing
2e. Port: 443
2f. Monitor: TCP
2g. Added the 2 webservers to the pool: 10.0.0.2, 10.0.0.33. Services -> Load Balancer -> Virtual Servers -> New
3a. Name: Virtual HTTP
3b. Description: Virtual HTTP
3c. IP Address: XXX.XXX.XXX.XXX (public IP of pfsense)
3d. Virtual Server Pool: HTTP Pool
3e. Pool Down Server: XXX.XXX.XXX.XXX (another public ip for now)4. Services -> Load Balancer -> Virtual Servers -> New
4a. Name: Virtual HTTPS
4b. Description: Virtual HTTPS
4c. IP Address: XXX.XXX.XXX.XXX (public IP of pfsense)
4d. Virtual Server Pool: HTTPS Pool
4e. Pool Down Server: XXX.XXX.XXX.XXX (another public ip for now)5. Firewall -> Aliases -> New
4a. Name: webcluster
4b. Description: webcluster
4c. Type: Host(s)
4d. Host(s): 10.0.0.2, 10.0.0.36. Firewall -> Aliases -> New
5a. Name: webports
5b. Description: webports
5c. Type: Port(s)
5d. Port(s): 80, 4437. Firewall -> Rules -> New
7a. Action: Pass
7b. Interface: WAN
7c. Protocol: TCP
7d. Source: Any
7e. Source OS: Any
7f. Destination: Type: Single Host or Alias, Address: webcluster
7g. Destination port range: from: webports, to: (blank)Thanks to anyone in advance.
-
7h: gateway: your_balancing_pool
You have to tell the rule on the WAN that it should use the balancing pool as gateway and not *
-
Ok, I just set the gateway to the balancing pool and the problem still appears to be the same. I set the firewall rules to be logged, and the log just says that it is directing the traffic to that one server.
Here is the modification I made:
7. Firewall -> Rules -> New
7a. Action: Pass
7b. Interface: WAN
7c. Protocol: TCP
7d. Source: Any
7e. Source OS: Any
7f. Destination: Type: Single Host or Alias, Address: webcluster
7g. Destination port range: from: webports, to: (blank)
7h. Gateway: HTTP Pool8. Firewall -> Rules -> New
8a. Action: Pass
8b. Interface: WAN
8c. Protocol: TCP
8d. Source: Any
8e. Source OS: Any
8f. Destination: Type: Single Host or Alias, Address: webcluster
8g. Destination port range: from: webports, to: (blank)
8h. Gateway: HTTPS Pool -
What does your poolstatus report for the servers?
-
Status -> Load Balancer -> Pools
Shows no pools at all, only the column headings are shown in the table with no rows of data.Status -> Load Balancer -> Virtual Servers
Shows the HTTP pool, and the HTTPS pool, Each server in each pool is shown as "online" in a green background color.I had shut down all the servers and booted them back up again, and the very first time I hit the public IP it did direct to webserver 1, then I refreshed and it directed to webserver 2. After that I can't get anything but webserver 2. I did check again, and "sticky sessions" are not turned on.
-
Just a little more information on the situation. I had both webservers up (web1 and web2). Both were online in the Virtual Server status page, so I took web2 down, and got directed to web1. In the status page web2 was shown as offline. Then I brought web2 backup and when it was shown as online, I refreshed the public IP and got directed to web2 again. I did the same test taking web1 down and the only indication that I could see that it was down was its offline status, otherwise from hitting the public ip I was always directed to web2 as I had been when web1 was online.
Here are snippets of the config relating to the setup:
<aliases><alias><name>webcluster</name> <address>10.0.0.2 10.0.0.3</address> <descr>web server cluster used for HTTP and HTTPS</descr> <type>host</type> <detail>web1||web2||</detail></alias> <alias><name>webports</name> <address>80 443</address> <descr>ports for webservers HTTP and HTTPS</descr> <type>port</type> <detail>HTTP||HTTPS||</detail></alias></aliases> <rule><type>pass</type> <interface>wan</interface> <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype> <os><protocol>tcp</protocol> <source> <any><destination><address>webcluster</address> <port>webports</port></destination> <log><descr>Allow web traffic to webcluster</descr> <gateway>balance HTTP</gateway></log></any></os></statetimeout></max-src-states></max-src-nodes></rule> <rule><type>pass</type> <interface>wan</interface> <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype> <os><protocol>tcp</protocol> <source> <any><destination><address>webcluster</address> <port>webports</port></destination> <log><descr>Allow web traffic to webcluster on webports</descr> <gateway>balance HTTPS</gateway></log></any></os></statetimeout></max-src-states></max-src-nodes></rule> <load_balancer><lbpool><type>server</type> <behaviour>balance</behaviour> <monitorip><name>balance HTTP</name> <desc>balance HTTP from WAN to LAN cluster</desc> <port>80</port> <servers>10.0.0.2</servers> <servers>10.0.0.3</servers> <monitor>TCP</monitor></monitorip></lbpool> <lbpool><type>server</type> <behaviour>balance</behaviour> <monitorip><name>balance HTTPS</name> <desc>balance HTTPS from WAN to LAN cluster</desc> <port>443</port> <servers>10.0.0.2</servers> <servers>10.0.0.3</servers> <monitor>TCP</monitor></monitorip></lbpool> <virtual_server><name>Virtual HTTP</name> <desc>virtual server for HTTP server cluster</desc> <pool>balance HTTP</pool> <port>80</port> <sitedown>192.168.0.5</sitedown> <ipaddr>192.168.0.90</ipaddr></virtual_server> <virtual_server><name>Virtual HTTPS</name> <desc>virtual server for HTTPS server cluster</desc> <pool>balance HTTPS</pool> <port>443</port> <sitedown>192.168.0.58</sitedown> <ipaddr>192.168.0.90</ipaddr></virtual_server></load_balancer> -
I have to say I'm having a similar issue with load balancing. This morning is the first time I have really played with it. Here is my setup ina nutshell :-
2 firewalls in a carp cluster, static public IPs on the WAN, static public IPs on DMZ, and Private IPs on LAN.
NAT is only used for the LAN -> WAN connection. The DMZ servers can route to special ports / IPs on the LAN
I set up a pool containing 2 LAN IPs and setup a virtual server on the LAN carp address. The DMZ connect to the virtual server to process some fast-cgi stuff. I added a rule on the DMZ interface to use the POOL as the gateway as suggested by GruensFroeschli (although this feels more like its for outbound load balancing of WAN connections, not inbound server balancing?).
Sticky connections is off.
The server always connects to one backend server (POOL is set to load balance, not failover). If I stop the service on the LAN IP thats getting all the connections, the first couple of connections fail, then they start going to the second LAN IP.
After starting the service on the first LAN IP again, the next connection continues with the second LAN IP, then after that all connections revert back to the first LAN IP again.
I'd like to :-
a) Have it share the connections round robin style against the two LAN IPs
b) When one does go down, have all connections seamlessly go directly to the second, not have a couple of failures like I see at the moment.
Is this possible?
Regards
Ben
