Internal load balance (virtual server)

  • Is it possible to load balance (in a failover fashion) completely on the LAN side?

    All articles I read about deal with load balancing on the WAN side. The "Virtual Server" interface itself states it only listens on the WAN interface.

    Is it possible to set up a load balancer to handle the LAN side of things? A good example might be two databases in an active-passive configuration.

    pfsense LAN IP: 10.x.x.1
    db1 LAN IP: 10.x.x.10
    db2 LAN IP: 10.x.x.11
    virtual db IP: 10.x.x.12

    … so I have 10.x.x.12 set up in a pool to point to 10.x.x.10 first, and 10.x.x.11 as a failover.

    1. I tried using "Virtual Server" with 10.x.x.12, and it doesn't listen.
    2. I set up an alias "dbs" of two hosts (10.x.x.10, 10.x.x.11), and then created a NAT from 10.x.x.12 to this alias "dbs". Unfortunately, each subsequent connection might pick up each of the databases in a pool.

    In both cases I have a firewall rule set up to use the database pool as gateway.

    Any suggestions? Is this even possible?

  • I see a problem with your idea: You use the balancing pool in a firewall rule.
    But traffic from within your LAN destined to your LAN will never go over the firewall.

    An exception that "might" work (i'm not sure)
    Is if you create a normal NAT forwarding from WAN to LAN, enable NAT reflection and try to access the server via the WAN.

    client –> pfSenseLAN --> pfSenseWAN --NAT/reflection--> server

  • Thanks GruiensForeschli. The NAT didn't work. I know that NAT is resolved prior to firewall rules.

    Does anyone know how "Virtual Servers" works? If it's a matter of configuration I can try to dig into the code to do this, or set up a bounty. Is it a combination of custom NAT with gateway routing, or what's the behind-the-scenes program that handles this?

    It's interesting to note, in the NAT, it says:

    If you want this rule to apply to another IP address than the address of the interface chosen above, select it here (you need to define Virtual IP addresses first). Note if you are redirecting connections on the LAN, select the "any" option.

    … why do LAN port forwards require the "any" option, but WAN does not? Is it a limitation of the program doing the NAT? If it's that kind of limitation, then I guess there is no solution.

Log in to reply