Load Balancing DNS/UDP traffic with health check



  • I would like to use pfSense as a load balancer for our 4 DNS servers running PowerDNS. I spoke to hoba and billm about this request about two years ago, in this thread:

    http://forum.pfsense.org/index.php/topic,1309.0.html

    Billm seemed to think that it would be possible; the only problem seemed to be a health check for a UDP service, which could be done in my case with a check dig on the pfSense box. At the moment I am running two boxes with Linux LVS but would like to switch to two boxes with pfSense. Two years ago billm said he thought about $300 sounded reasonable for this task. Would that be okay, or have things changed? If you need any further information please contact me.



  • I'm still interested in doing this.

    FWIW, for others reading this thread, to implement this bounty it'll mean pulling out slb and replacing it with relayd, which is a considerably more powerful and full-featured load balancer.  It has checks for http (both status code and hash), https, icmp, expect, custom scripts, ssl, and generic tcp.  It can also layer 7 proxy http (cookie session persistence) and DNS.

    –Bill



  • That sounds great. How long do you think it would take to complete? Would I be able to use a custom script for the DNS/UDP health check, for example a Nagios plugin? That would be exactly what we are looking for.
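A Nagios-style UDP DNS health check of the kind asked about above, written in POSIX sh around dig. This is an added example, not code from this thread or from pfSense/relayd; it assumes the BIND dig tool is installed, the backend addresses and record names are placeholders, and if it is hooked into relayd's `check script` the exit status must be adapted to the convention documented in relayd.conf(5).

```shell
#!/bin/sh
# check_dns_udp.sh: Nagios-style health check for one DNS backend over UDP.
# Exit status follows the Nagios plugin convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.
# Usage: check_dns_udp.sh <backend-ip> <qname> [expected-A-record] [timeout-seconds]

# Query the backend directly (@server) over UDP, with one try and a short
# timeout, so a hung backend is reported quickly instead of stalling the checker.
dns_query() {
    # $1 backend IP, $2 query name, $3 timeout in seconds
    dig +noall +comments +answer +notcp +tries=1 +time="$3" "@$1" "$2" A 2>/dev/null
}

check_dns_udp() {
    backend=$1 qname=$2 expected=$3 timeout=${4:-2}
    if [ -z "$backend" ] || [ -z "$qname" ]; then
        echo "UNKNOWN: usage: check_dns_udp <backend-ip> <qname> [expected-A] [timeout]"
        return 3
    fi
    # dig exits non-zero (9) when no reply arrives before the timeout
    if ! out=$(dns_query "$backend" "$qname" "$timeout"); then
        echo "CRITICAL: no UDP reply from $backend for $qname"
        return 2
    fi
    # A reply counts only if the header says NOERROR (NXDOMAIN/SERVFAIL = unhealthy)
    case $out in
        *"status: NOERROR"*) ;;
        *) echo "CRITICAL: $backend did not return NOERROR for $qname"; return 2 ;;
    esac
    # Optionally require a known A record, to catch a backend serving the wrong zones
    if [ -n "$expected" ]; then
        if ! printf '%s\n' "$out" | grep -qE "[[:space:]]A[[:space:]]+$expected\$"; then
            echo "CRITICAL: $backend answered $qname without $expected"
            return 2
        fi
    fi
    echo "OK: $backend answered $qname over UDP"
    return 0
}

# Run as a plugin only when invoked with arguments (e.g. from Nagios or a wrapper).
if [ $# -gt 0 ]; then
    check_dns_udp "$@"
    exit $?
fi
```

Example invocation: `./check_dns_udp.sh 10.0.0.11 example.com 192.0.2.10 2` (constructed placeholder values).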



  • @wizard:

    That sounds great. How long do you think it would take to complete? Would I be able to use a custom script for the DNS/UDP health check, for example a Nagios plugin? That would be exactly what we are looking for.

    It's possibly less a question of how long it'll take to implement as much as a question of your delivery requirements.  This won't make it into the 1.2.x line (although I'd be willing to discuss a custom image - it requires a kernel patch for the 1.2 branch and we're closed for features on this branch anyway) - but will for 1.3.  As it sits, I believe I can have the code reworked for relayd this weekend, and then I can start working on adding features to it. I tend to have a short window of excitement for new projects, so I'd expect to be complete sooner rather than later.

    Anyone else interested in adding to the pool for this work?

    –Bill



  • I am not in a rush as in tomorrow :) But it would be nice to start testing fairly soon. If it is feasible for you, it would be great to have a custom image. I need to load balance a /23 network with about 400 DNS servers; how many VIPs can I add to a pfSense box? And I would also need about 400 virtual servers. I was thinking about using a Nagios plugin script to do the health checks. Would this be possible? It may sound stupid, but in our setup every customer has his own DNS IP, which would be the VIP on the pfSense. And every customer also has his own database with his zone records inserted. So I would need a virtual server for every IP. I hope this does not sound too confusing.



  • @wizard:

    I am not in a rush as in tomorrow :) But it would be nice to start testing fairly soon. If it is feasible for you, it would be great to have a custom image. I need to load balance a /23 network with about 400 DNS servers; how many VIPs can I add to a pfSense box? And I would also need about 400 virtual servers. I was thinking about using a Nagios plugin script to do the health checks. Would this be possible? It may sound stupid, but in our setup every customer has his own DNS IP, which would be the VIP on the pfSense. And every customer also has his own database with his zone records inserted. So I would need a virtual server for every IP. I hope this does not sound too confusing.

    Wow...holy crap, 400 VIPs.  I can tell you right now that we can't currently support that with CARP on one network (each CARP address uses a host id that is a one-byte value - 256 possible values). There are a couple of options in this config…

    1. The easiest from my perspective ;)  Use "other" vip type for the virtual addresses and route the /23 to a CARP address on your cluster.

    2. CARP interfaces are like any other interface in FreeBSD from an addressing perspective, we could add all 400+ addresses as interface aliases.  This would require some amount of code change (not sure what it entails just yet).

    Feel free to PM me if you want to get into more details of your setup and what I can do to help get you up and running.  This is certainly doable and I'm interested in making it work; you'll be the first that I'm aware of with such a large virtual address pool, so I'm sure we'll need to take into account some scaling concerns.  Among other issues, like not deleting all the CARP interfaces just to add another one :)  With just a few CARP interfaces, we can do it pretty quickly and only end up dropping a couple of packets...with 400...ummm, you might have a noticeable outage.

    --Bill



  • Well, I would like to help on the interfaces part, since I always wanted to refactor the interfaces code to not require deleting all the interfaces and recreating them all, as is the case for CARP and VLAN currently, and on 1.3 lagg, ppp or other clones.

    So ping me and we can talk about that. Since it is something that must be done sooner or later.

    Ermal



  • FYI, it's uncommitted code at this time, but the backend code to create a one-for-one replacement for slbd is written.  It requires some other infrastructure changes which are being worked on (i.e. we use slbd for WAN load balancing, so that part of the infrastructure needs to be fixed up prior to ripping out slbd).  I'm targeting this weekend to start committing code related to this bounty.

    –Bill



  • If supporting this bounty would give us relayd with roughly the features mentioned in

    http://forum.pfsense.org/index.php/topic,5573.msg33301.html#msg33301

    then I'd be interested in throwing in 500-1500 USD - provided it can be billed, and with the amount depending on the featureset being implemented.

    The "killer features" we're after are

    • the ability to turn on/off hosts/services in one/several pools easily through GUI (manual failover, relaydctl)
    • the ability to do failover-only host/service pools (i.e. add "failover" mode to tables in relayd, supporting redirect mode)

    The first is probably within scope of current efforts, while the second would require changes to relayd itself, and possibly pf, or alternatively some creative hacking combining single-host tables and panic hosts.

    A more competent analysis of what's possible and what it would require (funding wise) would be appreciated.

    /Eirik



  • We may throw in our bounty support as well. We are looking for load balancing SIP (VoIP) traffic on UDP. There are two things to consider: (a) one sender is sending many calls which should be load balanced among one or more servers, and (b) messaging for the same call should always be sent to the same server (call stickiness, if you will). The sooner this load balancing can be added (even if to 1.3), the better it would be for us and all others in our situation.

