Configuration for Pfsense



  • Hello,

    I am very new, so if I wrote my message in the wrong place, I apologize. I am looking for a new load-balancer system for our website. The new load balancer needs to filter the traffic. We need some help with that. Can you help me? Is there any video or something that I can check?

    Here are the settings we are looking for:

    • if an IP has more than 200 open connections to the site, or more than 100 per second, we place it in 'slow traffic' queue (1mbps allocated) for 10 minutes
    • if an IP from the 'slow traffic' queue has more than 500 connections to the site, or more than 250 per second, we block it for 1 hour

    The reason I am looking for this is we got too many spider bots crawling (comment bots etc.) our website. We need something to block it.

    Thanks.



  • I can pay for it if somebody can help to sort this out.



  • I'm no expert in this field, but the first thing that comes to mind, is HAProxy and you can install it as a plugin.

    And because you have quite specific requirements, I would suggest Commercial Support: http://www.haproxy.org/#supp

    Good luck  :D

    (let us know if it solves your issue, so other people know that this is a possibility)



  • I used these configurations at a datacenter. I asked them to give me the configs but they didn't want to sell it, so it is possible. The key is I need the load balancer to detect if an IP address exceeds the limit we give. If yes, block it for a certain time. I want to see that IP on a list. That's all.



  • At least I need something so that if an IP has more than 200 open connections to the site, or more than 100 per second, we block it for 1 hour. I contacted HAProxy and am waiting for a response. Do you think pfSense itself can't do this with some configs?



  • I don't see how pfSense would be able to handle your scenario as is, without quite a bit of custom coding.
    I'm convinced that using a real proxy like HAProxy is the right way to go. It's supported on basically all platforms/architectures and it's heavily used by small and Fortune 500 companies alike.

    It would surprise me if paid HAProxy support can't help you with your desired setup (and remember that you can basically reuse the entire config in future setups/hardware, etc., or maybe just share it here, because I would like to see how HAProxy would actually handle such a setup  ;D )



  • My friend managed to do

    • if an IP has more than 200 open connections to the site, or more within 100 seconds, we block it.

    but he can't find the blacklist and timeout. He just used pfSense rules; there are some advanced options in pfSense, so even you can do it.

    If the IP is blocked, where are the IP addresses listed? And if an IP is blocked, how do we put a timeout?



  • Finally we managed to sort things out. So, in conclusion, it is possible to do this kind of configuration without paying hundreds of dollars to HAProxy. We are testing it at the moment to see if there are any problems.
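
The simplified requirement from the thread (block an IP above 200 open connections or 100 new connections per second, list it, and release it after an hour), written as raw rules for pf, the packet filter pfSense is built on. This is an added example, not a configuration posted by anyone in the thread; the interface name, server address and table name `abusers` are assumptions, and the 'slow traffic' tier is not covered.

```conf
# Assumed values for illustration: adjust to the real WAN interface and web server.
ext_if = "em0"
web    = "192.0.2.10"      # documentation-range address, placeholder

# Table that holds the offending source addresses (the "blacklist").
# 'persist' keeps the table in existence even when it is empty.
table <abusers> persist

# Drop everything from listed sources before any pass rule is evaluated.
block in quick on $ext_if from <abusers>

# Allow web traffic, with per-source limits tracked in the state table:
#   max-src-conn 200        more than 200 established connections from one IP
#   max-src-conn-rate 100/1 more than 100 new connections within 1 second
#   overload <abusers>      add the source to the table when a limit is hit
#   flush global            also kill the states that source already holds
pass in on $ext_if proto tcp from any to $web port { 80, 443 } \
    flags S/SA keep state \
    (max-src-conn 200, max-src-conn-rate 100/1, \
     overload <abusers> flush global)

# Operating the list from a shell (these are commands, not rules):
#
#   pfctl -t abusers -T show            list the currently blocked addresses
#   pfctl -t abusers -T expire 3600     drop entries older than 3600 seconds
#   pfctl -t abusers -T delete ADDR     release one address by hand
#
# pf never ages table entries on its own. The one-hour block comes from
# running the 'expire' command periodically, for example from cron:
#
#   */5 * * * * /sbin/pfctl -q -t abusers -T expire 3600
```

Both limits count only TCP connections that have completed the three-way handshake, so a block is always attributed to a source address that really opened the connections.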

