PFsense load balancing how?

Discussion in 'HOWTO-Related Questions' started by 3zzz, Nov 23, 2011.

  1. 3zzz

    3zzz New Member

    I would like to try PFsense for load balancing web servers, but I spent all day trying to set up a test bed on my LAN and haven't been able to get it to work.

    http://www.howtoforge.com/how-to-use-pfsense-to-load-balance-your-web-servers

    I tried setting up a new pfsense box and then setting up the virtual according to the above "how-to". For testing, I would like to set this all up on the LAN. When I do that, the virtual address is never ping-able and I can't connect to the virtual server or failover, even though the status says it is up.

    So I tried creating a second private network 192.168.2.X and using that as the WAN, and doing that, I was able to ping the virtual ip, but it still would not serve from the web servers no matter what.

    Is it possible to set up PFsense load balancing for testing all within a single (LAN) subnet, and if so how?
    TYVMIA
     
  2. 3zzz

    3zzz New Member

    I have the basic test bed working now and wanted to document my progress;
    incidentally this is all inside a single ESXi5 VM Host.
    My LAN (the real LAN, not the PFSense test bed LAN) is 192.168.1.0/24 with the gateway 192.168.1.1

    Pfsense: WAN IP 192.168.1.104
    Pfsense: WAN GW: None (this was key!)
    Pfsense: LAN IP 192.168.2.1
    Pfsense: Load Balancer Virtual IP: 192.168.1.104

    Pool Server1: IP 192.168.2.10
    Pool Server1: GW 192.168.2.1
    Pool Server2: IP 192.168.2.20
    Pool Server2: GW 192.168.2.1

    Now when I access from my desktop's browser to http://192.168.1.104 I see the web content served from the pool servers!

    Notes:
    1) The LoadBalancer Virtual server IP matches the PFSense WAN IP.
    2) The pool servers use PFSense LAN IP as their Gateway.
    3) With the PFSense WAN GW set to the actual LAN GW of 192.168.1.1, the Pool servers then have access to the internet, but in my Desktop Web Browser I can't access the Virtual Server IP until I set PFSense WAN GW to none.
    4) If a 192.168.1.X address is added to the pool servers for local accessibility, the Virtual Host stops working.
    5) The DNS for the hostname must point to the Virtual Server ip (at least in the case of my websites)
    6) If using a non-standard port, it needs to be the same on both the pool and virtual servers (at least in the case of my websites)
     
    Last edited: Nov 24, 2011
  3. neofire

    neofire Member

    Hey 3zzz

    Sorry, I have been away on business and have not been able to check up on posts/forums etc. I'm glad to see you got your test bed working. If you have any other questions feel free to message me and I will attempt to get back to you ASAP.
     
  4. 3zzz

    3zzz New Member

    trouble with WAN config

    hi neofire -
    I finally tried to implement my cluster in a live environment yesterday but couldn't get the WAN configured correctly. No matter what, I was not able to ping the gateway from PFSense.

    We have a block of static IP addresses and the gateway is within that block but on the ISP's router.

    One issue I had was having two gateways with the exact same name. When I'd set the gateway on the assign interfaces page, I chose the gw with the provider's IP address. But on the status interface page, I saw it was using the gateway with the same name but a LAN IP address. Finding the "edit gateways" page seems to be a matter of luck; eventually I deleted the wrong gateway. But even after that I was still not able to ping the gateway trying various configurations, despite the ISP seeing our side connected (but not passing traffic).

    How should PFSense be configured when you have a CIDR block and the gateway falls within the block but is on the ISP's router?
    e.g. if our netblock is
    20.20.20.92/28
    gw = 20.20.20.93
    assigned ips = 20.20.20.94-106

    tyvmia
     
  5. neofire

    neofire Member

    Hey 3zzz

    To be honest I have not done much with CIDR,

    But from what I have been reading it's supposed to be simple to implement pfsense when CIDR is involved.

    Can you show me what firewall rules you have on the WAN interface please?
     
  6. 3zzz

    3zzz New Member

    thanks neofire!
    I have a whole bunch of rules, tried configuring everything before I plugged in - maybe that was my mistake. Should I post the XML for them?
    The only rules that are blocking things are "RFC 1918 networks" and a list of "banned" ip addresses that gave us trouble in the past. Everything else is set to allow / forward to various internal addresses.
    I'm planning to give it another shot, probably on Monday with a minimally configured PFSense and see if I can't at least get online and ping the gateway.
     
  7. neofire

    neofire Member

    If you could post or send me a copy that would be great. From what I have been reading it could most likely be an issue with firewall rules.
     
  8. 3zzz

    3zzz New Member

    Hi Neofire, I sent you a pm but had to truncate 13000 chars to 5000. Should I email you the whole thing? I think I see some problems in here! thanks, :)
     
  9. 3zzz

    3zzz New Member

    hey neofire,

    I was thinking about it. The gateway is within the CIDR block but hosted on the ISP's side. I think this is the problem. Once I tell pfsense that we have a /28, it won't route out to an ip within that block.

    If so, I should tell pfsense that we have a single ip address /32 with the gateway being another /32 nearby. Then I can add the additional individual addresses that should be on our side as virtual ip addresses.

    Does this make sense?
    Another possible cause could be that I had all the ip addresses set up as virtual addresses, when they were also configured as the static CIDR addresses...

    Either way I'm thinking to try it with a clean install / minimal config and get online first, then add all my rules.

    thanks for your help!
     
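    A small addressing-plan checker, added here as an example and not code from this thread or from the pfSense project. It encodes the rules from the notes in post 2 (the virtual server IP is the WAN address, pool members sit on the LAN and use the pfSense LAN address as their gateway, a pool member must not carry a WAN-side address) plus the wrong-gateway mix-up from post 4 (a "WAN" gateway that is actually a LAN-side address), and then applies the CIDR question from posts 4 and 9 to the example netblock. All inputs are constructed from the posts; the script only reasons about addresses with Python's ipaddress module and does not talk to pfSense. Note that 20.20.20.92/28 has host bits set, so the checker normalizes it to the /28 that contains .92 (20.20.20.80/28) before checking and therefore reports the assigned addresses above .95 as outside the block.

```python
"""Addressing-plan sanity checks for a pfSense load-balancing setup.

Added example (not from the thread or from pfSense). Sample values are
constructed from the posts in this thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PoolServer:
    ip: str        # pool member address, e.g. "192.168.2.10"
    gateway: str   # default gateway configured on that member


@dataclass
class Plan:
    wan_if: str               # WAN interface address with prefix, e.g. "192.168.1.104/24"
    wan_gw: Optional[str]     # WAN gateway, or None ("WAN GW: None" in post 2)
    lan_if: str               # LAN interface address with prefix, e.g. "192.168.2.1/24"
    virtual_ip: str           # load balancer virtual server address
    pool: List[PoolServer]


def check_plan(plan: Plan) -> List[str]:
    """Return findings; an empty list means the plan matches the working test bed."""
    findings: List[str] = []
    wan = ipaddress.ip_interface(plan.wan_if)
    lan = ipaddress.ip_interface(plan.lan_if)
    vip = ipaddress.ip_address(plan.virtual_ip)

    # Note 1: the virtual server address is the WAN address.
    if vip != wan.ip:
        findings.append(f"virtual IP {vip} is not the WAN address {wan.ip}")

    # Post 4: a gateway carrying a LAN-side address is the wrong gateway.
    if plan.wan_gw is not None:
        gw = ipaddress.ip_address(plan.wan_gw)
        if gw not in wan.network:
            findings.append(f"WAN gateway {gw} is outside WAN network {wan.network}")
        if gw in lan.network:
            findings.append(f"WAN gateway {gw} is a LAN-side address")

    for member in plan.pool:
        ip = ipaddress.ip_address(member.ip)
        gw = ipaddress.ip_address(member.gateway)
        # Note 4: a pool member with a WAN-side address breaks the virtual host.
        if ip in wan.network:
            findings.append(f"pool member {ip} has a WAN-side address")
        elif ip not in lan.network:
            findings.append(f"pool member {ip} is not in LAN network {lan.network}")
        # Note 2: pool members use the pfSense LAN address as their gateway.
        if gw != lan.ip:
            findings.append(f"pool member {ip} uses gateway {gw}, expected {lan.ip}")
    return findings


def check_wan_block(block: str, gateway: str, assigned: List[str]) -> Dict[str, object]:
    """Describe a provider block whose gateway lives inside it on the ISP router.

    Returns the normalized network, its usable host range, whether the gateway
    is inside it, and assigned addresses that cannot be used (outside the
    block, equal to the gateway, or the network/broadcast address).
    """
    net = ipaddress.ip_network(block, strict=False)   # strict=False: tolerate host bits set
    gw = ipaddress.ip_address(gateway)
    hosts = list(net.hosts())
    unusable: Dict[str, str] = {}
    for a in assigned:
        addr = ipaddress.ip_address(a)
        if addr not in net:
            unusable[a] = "outside block"
        elif addr == gw:
            unusable[a] = "is the gateway"
        elif addr in (net.network_address, net.broadcast_address):
            unusable[a] = "network or broadcast address"
    return {
        "network": str(net),
        "gateway_in_block": gw in net,
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "unusable": unusable,
    }


if __name__ == "__main__":
    # Constructed from post 2: the test bed that served pages from the pool.
    test_bed = Plan(
        wan_if="192.168.1.104/24", wan_gw=None, lan_if="192.168.2.1/24",
        virtual_ip="192.168.1.104",
        pool=[PoolServer("192.168.2.10", "192.168.2.1"),
              PoolServer("192.168.2.20", "192.168.2.1")],
    )
    print("test bed findings:", check_plan(test_bed) or "none")

    # Constructed from post 4: the example netblock with the gateway on the ISP side.
    assigned = [f"20.20.20.{n}" for n in range(94, 107)]
    for k, v in check_wan_block("20.20.20.92/28", "20.20.20.93", assigned).items():
        print(f"{k}: {v}")
```

Running it prints no findings for the post 2 test bed and lists, for the post 4 netblock, the normalized network, the usable host range, and which of the assigned addresses fall outside it.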
  10. neofire

    neofire Member

    Did you have any luck with a fresh install?
     
  11. 3zzz

    3zzz New Member

    Yes, with the fresh install I saw some errors in the logs that led me to find that the VMHost was presenting two distinct MAC addresses but they were bound to the same physical port.
    Got that sorted and now I can get it online, next I need to work out the internal configurations for some virtual hosts before I try again.

    thanks for your help :)
     
  12. neofire

    neofire Member

    Good to hear that you have solved the issue; it's a pain sometimes how VMWare (in all its awesomeness) can still cause us some issues. :):)
     