Use pfSense to Load Balance Web Servers (1) introduces pfSense, the lab setup, VM specs and download links. This blog will demonstrate pfSense configu
Use pfSense to Load Balance Web Servers (1) introduces pfSense, the lab setup, VM specs and download links. This blog will demonstrate pfSense configuration, test and troubleshooting details.
An overview of pfSense configuration steps are as below along with key information for each step, testing and troubleshooting approach.
Step 1: Initial Configuration
Boot up pfSense VM and wait till installation is completed. Remove pfSense.iso image from the VM and reboot the VM. The following screen will show and guide you through the initial setup.
Select 2) to configure interface IPs. Please note LAN interface is the default management interface. In our case, we can access pfSense web GUI from https://10.10.10.1.
WAN interface requires default gateway address, ‘192.168.10.1’ in our case. Routing can also be modified after accessing pfSense webconfig GUI.
Step 2: Access pfSense Web GUI
Access pfSense Web GUI from https://10.10.10.1 from the management PC 10.10.10.10. The default username is ‘admin‘ and password ‘pfsense‘. User password can be changed under ‘System/User Management’ as below. Radius and LDAP authentication is also supported.
The default web GUI (HTTPS) port is 443. It can be changed to user-defined port number under’System/Advanced/Admin Access’, as below:
Step 3: Create Virtual IP
We need to create a virtual IP under ‘Firewall/Virtual IPs’, which will be used as load balancer’s virtual server IP later in Step 5. The virtual server IP will further forward traffic to the web servers in the load balancing pool. Please refer to the load balanced data flow diagram in Use pfSense to Load Balance Web Servers (1).
Create ‘IP Alias’ type virtual IP if there is single pfSense. Create ‘CARP’ type virtual IP if there are two pfSense in a cluster.CARP stands for ‘Common Address Redundancy Protocol’, functioning similar to VRRP and HSRP.
As part of testing/troubleshooting, please make sure the virtual IP is reachable from required subnet. Ping may be temporarily allowed for test purpose.Please note ‘ping’ is ICMP, neither TCP nor UDP.
Step 4: Create Load Balancer Pool
We then create load balancer pool where we can define member servers, under ‘Services/Load Balancer/Pools’. Default monitoring protocol includes ICMP, TCP, HTTP, HTTPS and SMTP. If additional protocol is required, it can be added under ‘Monitors’.
Step 5: Create Load Balancer Virtual Servers
Virtual server is created to host the load balancer’s shared IP. It uses the virtual IP we created before in Step 3. We also assign load balancer pool created in Step 4 to virtual server as below:
As part of testing/troubleshooting, please make sure no error under ‘Status/Load Balancer’ and ‘Status/System Logs/Load Balancer’. For HTTP and HTTPS traffic, if the load balancer members and/or the virtual server are not configured appropriate, the access may fallback to the pfSense web GUI.
Step 6: Tailor Firewall Rules
Since pfSense also functions as firewall, we will need to tailor the firewall rules to allow required traffic and block unwanted traffic. Firewall rules are configured under ‘Firewall/Rules’, as below:
Please note, pfSense firewall rules allow us to define traffic direction as well as application to the specified interface. For example, if we have traffic initiated from LAN to SVR; then we allow traffic from LAN net (all LAN subnet IPs) to SVR net (all SVR subnet IPs) and apply the rule to LAN interface on the pfSense. pfSense is stateful firewall by default, we don’t have to set up rules for the return traffic.
Another easy way to figure out what firewall rules are required is to block all uncertain traffic and check what traffic is blocked under ‘Status/System/Logs/Firewall’. Then pass the required traffic directly from the blocked list by clicking ‘+’, as blow:
Test Access to Load Balanced IP
We then test access to the load balanced IP. The network topology is in Use pfSense to Load Balance Web Servers (1).
User access the load balanced IPs from a computer over the Internet. When s/he access http://10.10.20.20, the following shows:
The user access is load balanced between Server 1 and Server 2 in Cluster 1 as above screenshot.
Similarly, when the user access http://10.10.20.30 or http://192.168.10.30, the following shows:
The user access is load balanced between Server 1 and Server 2 in Cluster 2 as above screenshot.
10.10.20.20 and 10.10.20.30 are examples of using internal IP as load balanced IP; while 192.168.10.30 is example of using external IP as load balanced IP.
You may need to clear cache if browser is not working as expected.
Use pfSense as Layer2 Firewall/Bridged Interface
pfSense does support Layer 2 firewall mode (also called transparent mode) by bridging the required interfaces, under ‘Interfaces/(assign)/Bridges’ as below:
Layer 2 mode will allow the load balanced IP using external IP, while member servers also use external IP subnet. Use case example is as below:
pfSense firewall bridge configuration reference is available here.
Site-R1 Cisco 7200 Router Configuration
Site-Site-R1#show run Current configuration : 1258 bytes ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Site-Site-R1 ! boot-start-marker boot-end-marker ! no aaa new-model no ip icmp rate-limit unreachable ip cef ip tcp synwait-time 5 ! no ip domain lookup ! multilink bundle-name authenticated ! interface FastEthernet0/0 ip address 22.214.171.124 255.255.255.0 duplex full ! interface Ethernet1/0 ip address 192.168.10.1 255.255.255.0 duplex full ! interface Ethernet1/1 no ip address shutdown duplex half ! interface Ethernet1/2 no ip address shutdown duplex half ! interface Ethernet1/3 no ip address shutdown duplex half ! ip route 0.0.0.0 0.0.0.0 126.96.36.199 ip route 10.10.10.0 255.255.255.0 192.168.10.10 ip route 10.10.20.0 255.255.255.0 192.168.10.10 ip route 192.168.20.0 255.255.255.0 192.168.10.10 no ip http server no ip http secure-server ! logging alarm informational no cdp log mismatch duplex ! control-plane ! gatekeeper shutdown ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous stopbits 1 line aux 0 exec-timeout 0 0 privilege level 15 logging synchronous stopbits 1 line vty 0 4 login ! end
Last But Not Least
- Make sure routing, IP schema and etc. are well planned.
- Make sure only open minimum required ports on firewall.
- Make sure proper zone segmentation using firewall to enforce security.
- Use centrally managed authentication and authorisation, using remote user data source.