Re: [pfSense Support] round robin on inbound nat
On 7/25/05, alan walters [EMAIL PROTECTED] wrote:
> I know this discussion is going on a bit. But I was wondering if we really think it is practical using the method we are trying.
> With a basic round robin configured on the firewall. The web servers can be configured to use their own software to manage their own virtual IP addresses.

This complicates matters. I don't like.

> That will allow anyone to use simple or complicated setups and be OS independent.
> The example would be where we use ucarp on our web servers to manage their virtual IPs, then if one goes down the other IP just gets migrated to another server. We manage this ucarp on a management network so there is no traffic on our DMZ zone other than the required traffic.
> If pfsense can round robin to this VIP pool then all is fine in a failure. Unless there is some flashy cunning thing that bsd can do that I am missing.

We will have a monitoring daemon that checks a server's heartbeat. If the server goes down for some reason it's taken out of the pf rules table that controls load balancing. It's quite simple, elegant and doesn't require more stuff running on the server that we are redirecting to. Requiring an operator to manage another setup of virtual IPs is not necessary for this task.

Scott
RE: [pfSense Support] round robin on inbound nat
I have done some testing today with inbound NAT and carp and round robin load balancing to test web servers. I added the following and it seems to work fine on bsd.

Following presumptions:
# rl1 = wan
# 192.168.2.2 = carp virtual ip

Below was the test.

# Added an alias of two IP addresses
webservers = "{ 192.168.1.2/32 192.168.1.3/32 }"

# added the following rdr rule
rdr on rl1 proto tcp from any to 192.168.2.2 port 80 -> $webservers port 80 round-robin sticky-address

# also added the following pass rule
pass in quick on $wan proto tcp from any to { 192.168.1.2/32 192.168.1.3/32 } port = 80 flags S/SA keep state queue (qWANdef, qWANacks) label "USER_RULE: NAT http test"

-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED]]
Sent: 22 July 2005 06:16
To: Scott Ullrich
Cc: alan walters; support@pfsense.com
Subject: Re: [pfSense Support] round robin on inbound nat

On 7/21/05, Scott Ullrich [EMAIL PROTECTED] wrote:
> Use carp with the arp load balancing feature. Technically it should sync across there but there is an outstanding bug with XMLRPC that we're looking at.
>
> Scott

Wrong feature :) CARP's arp load balancing will only load balance inbound to the firewall (if set up correctly) from a directly connected network. What alan wants (if I understand correctly) is the ability to put two (or more) servers on a port forward rule. That's part of the load balancing code I'm working on - not ready yet :) Try again after Aug 7th.

--Bill

> On 7/21/05, alan walters [EMAIL PROTECTED] wrote:
> > I would like to try and test an inbound round robin to our test web servers. Would it be possible to put a shell command in to do this? If so would this sync across a carp array?
> >
> > Look forward to your replies
Re: FW: [pfSense Support] round robin on inbound nat
That's fine and all but what if you lose a web server? We're currently working on what you have here in addition to a monitoring daemon which will remove servers from a pool if it stops answering requests.

Scott

On 7/22/05, alan walters [EMAIL PROTECTED] wrote:
> Sorry that was an accident. Did not mean to send it
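
The monitoring approach discussed in this thread (probe each web server and take it out of the pf table that feeds the round-robin rdr rule when it stops answering) can be sketched as follows. This is an added example, not pfSense code or anything posted by the participants. It assumes the rdr rule points at a pf table named `webservers` rather than the macro used in the test above; the state directory, failure threshold and function names are hypothetical.

```shell
#!/bin/sh
# Added example (not pfSense code). Assumes the rdr rule targets a pf table:
#   table <webservers> persist { 192.168.1.2, 192.168.1.3 }
#   rdr on rl1 proto tcp from any to 192.168.2.2 port 80 \
#       -> <webservers> port 80 round-robin sticky-address
TABLE="${TABLE:-webservers}"
SERVERS="${SERVERS:-192.168.1.2 192.168.1.3}"
MAX_FAILS="${MAX_FAILS:-3}"          # consecutive misses before removal
STATE_DIR="${STATE_DIR:-/var/run/pool-monitor}"   # hypothetical path
PFCTL="${PFCTL:-pfctl}"              # overridable so the logic can be tested
PROBE="${PROBE:-probe_tcp80}"

# Heartbeat: can a TCP handshake on port 80 complete within 2 seconds?
probe_tcp80() { nc -z -w 2 "$1" 80 >/dev/null 2>&1; }

# Probe one server and bring the table in line with the result.
check_server() {
    srv=$1
    counter="$STATE_DIR/$srv.fails"
    if "$PROBE" "$srv"; then
        rm -f "$counter"
        # Adding an address that is already in the table changes nothing.
        "$PFCTL" -q -t "$TABLE" -T add "$srv"
    else
        fails=$(( $(cat "$counter" 2>/dev/null || echo 0) + 1 ))
        echo "$fails" > "$counter"
        # Wait for several misses so one dropped probe does not flap the pool.
        if [ "$fails" -ge "$MAX_FAILS" ]; then
            "$PFCTL" -q -t "$TABLE" -T delete "$srv"
        fi
    fi
}

run_once() {
    mkdir -p "$STATE_DIR"
    for s in $SERVERS; do check_server "$s"; done
}

# "--daemon" polls every 5 seconds; without it only the functions are defined.
if [ "${1:-}" = "--daemon" ]; then
    while :; do run_once; sleep 5; done
fi
```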
Re: [pfSense Support] round robin on inbound nat
On 7/21/05, alan walters [EMAIL PROTECTED] wrote:
> I would like to try and test an inbound round robin to our test web servers.

This isn't currently a feature, it's being worked on.

> Would it be possible to put a shell command in to do this.

Please tell me if you figure something out that's easier than me writing code.

> If so would this sync across a carp array.

Not at this time.

> Look forward to your replies