http://www.viktorious.nl/2012/04/22/vcloud-director-howto-load-balancing-with-free-pfsense-appliance/
vCloud Director Howto: Load balancing with free pfSense
Posted on April 22, 2012 by viktorious
After reading this article, also check the follow-up: vCloud Director Howto:
Load balancing with free pfSense – Cont’d
After doing some testing with VMware’s vCloud Director, I wanted to configure a
multi-cell vCD infrastructure with a network load balancer in front. Of course
there are various commercial products (see Eric Sloof’s excellent article on
configuring Kemp Load Master), but I was actually looking for an open source
alternative.
pfSense does the trick! pfSense is a FreeBSD-based firewall solution, and
the successor of m0n0wall (maybe you know that one). You can download pfSense
at www.pfsense.org. I am using the 64-bit 2.0.1 version. You can download the
ISO from the pfSense website.
Note: This setup is intended for lab/home use :)
The scenario we’re building consists of the following virtual machines:
A pfSense based firewall and load balancer (in a virtual machine), one NIC
connected to the internet, one NIC connected to the management LAN.
Two vCloud Director cells, both connected to the management LAN.
A vCenter Server, also connected to the management LAN.
First install pfSense in a virtual machine. My specs are: 1 vCPU, 256 MB RAM
and 1 GB disk. Don’t forget to add two NICs. The OS type is FreeBSD 64-bit.
Mount the pfSense CD and start the VM for the installation:
Choose option 1, just boot pfSense
After a short while, press I to install the software
Choose defaults, when asked choose a Quick/Easy Install. Your disk will be
wiped, but because you’ve just created a new VM, this shouldn’t be a problem.
Choose the multi-processor kernel.
After the installation has finished, reboot the virtual machine and
disconnect the installation ISO.
Now pfSense will boot with its default configuration.
Now it’s time to create a basic configuration for pfSense through the
command-line. After you’ve set the IP configuration, you will have a web
interface available.
pfSense will show you two NICs: ‘em0’ and ‘em1’, which are the two NICs of the
virtual machine. You have to tell pfSense which interface is the WAN interface
and which is the LAN interface:
I prefer not to use the auto-detection feature, and just type em0 or em1
depending on which NIC your WAN interface is. We don’t have an optional
interface available, so just leave it empty and press enter when asked. By
default your WAN interface will search for a DHCP server, and your LAN
interface will be configured with IP address 192.168.1.1.
After you have completed the basic configuration your pfSense VM startup screen
will look like this:
Ok, what’s next? Choose option 2 to configure the LAN and WAN interface
according to your network settings. Keep in mind that the LAN interface address,
that’s the address your vCD cells will connect to, should be configured as the
default gateway in your vCD cells. You can choose to use pfSense’s DHCP server
if necessary. In my case the WAN interface is configured with 10.0.1.254/24,
the LAN interface is configured with 192.168.1.254/24.
Ok, now it’s time to install vCD and create a basic configuration. Also install a
second cell using the response.properties. More information about the vCD
installation can be found in the “vCloud Director Installation and
Configuration Guide”, available as PDF on the VMware website. The installation
isn’t covered here, there are already enough resources available!
After you have installed two vCD cells, you should be able to connect to both
cells successfully. Because vCD is stateless, it shouldn’t matter which
instance you’re connecting to. The properties of my two vCD cells are:
vCD Cell 1:
hostname: vcd1public.domain.local
ip address for the vCD website: 192.168.1.237/24
ip address for the vCD console proxy: 192.168.1.238/24
dns: 192.168.1.253 (LAN side DNS server)
gw: 192.168.1.254 (this is the LAN side IP address of pfSense!)
vCD Cell 2:
hostname: vcd1public.domain.local
ip address for the vCD website: 192.168.1.231/24
ip address for the vCD console proxy: 192.168.1.232/24
dns: 192.168.1.253 (LAN side DNS server)
gw: 192.168.1.254 (this is the LAN side IP address of pfSense!)
Now for the pfSense configuration. In this case the configuration will be:
The pfSense firewall/load balancer has public IP address 10.0.1.254
vCD website traffic will be accessible through port 444, so
https://10.0.1.254:444. (You can configure this alternative port in the vCD
interface if necessary)
Console proxy traffic will be accessible through port 443, so on
10.0.1.254:443.
The load balancer (pfSense) will balance traffic on 10.0.1.254:444 to
192.168.1.231:443 and 192.168.1.238:443. pfSense will do a port translation
here.
The load balancer (pfSense) will balance traffic on 10.0.1.254:443 to
192.168.1.231:443 and 192.168.1.238:443. I will do a little port translation
here.
Access the pfSense web interface on http(s)://192.168.1.254, default credentials
are admin/pfsense. Choose the load balancer option, it’s available under
services:
We have to set up the pools and virtual servers features. Setting up the
“monitors” option, which is also available, is a nice-to-have (more about that
in the To Do paragraph at the end of this article).
In the pools options you have to configure which vCloud Director cells are
available to the load balancer. You have to define a separate pool for the web
interface and a separate pool for the console proxy. The screenshot shows the
configuration for the vCloud Director web interface pool:
Define a name for the pool, configure the port number (443) and add both vCloud
Director cells to this pool. I’ve configured ICMP as a monitor option, this
means a ping is sent to a vCD cell to check it’s up and running. Although this
is not a very thorough test (if the OS of a cell is up and running but the vCD
service is down, the load balancer will still think the cell is available),
this option is fine for this first setup.
The next step is configuring a virtual server, this means you are publishing
the cells to the public side of pfSense (on 10.0.1.254). In our case
https://10.0.1.254:444 is the access point. The configuration is shown in the
screenshot:
The virtual server pool is the previously configured pool, in this case the
web console of vCloud Director. There’s a very important note at the bottom of
this screen: don’t forget to add a rule to the firewall for the virtual server.
The rule for both the web interface and the console proxy will look like this
(firewall->rules):
Important: Although these rules will work perfectly, it’s an even better idea
to specify the target vCD nodes in the firewall rules. The above configuration
can potentially open your pfSense management interface to the “wan” side of the
load balancer. An alternative is to move the pfSense management interface to
another port, e.g. port 445. You can set this option in System->Advanced->TCP
Port.
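To check a saved pfSense configuration for the broad rules described above, the following added example (not part of the original article) lists WAN pass rules whose destination is "any". It assumes the config.xml layout of filter/rule elements with type, interface and destination children; the sample XML is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the article: one broad and one
# scoped WAN rule, plus the usual LAN allow rule.
SAMPLE = """<pfsense><filter>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source>
    <destination><any/><port>443</port></destination>
    <descr>vCD console proxy (broad)</descr></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source>
    <destination><address>192.168.1.231</address><port>443</port></destination>
    <descr>vCD cell (scoped)</descr></rule>
  <rule><type>pass</type><interface>lan</interface>
    <source><network>lan</network></source><destination><any/></destination>
    <descr>Default allow LAN to any</descr></rule>
</filter></pfsense>"""


def broad_wan_rules(config_xml, interface="wan"):
    """Return (description, port) for enabled pass rules on `interface`
    whose destination is 'any' instead of a specific host."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        # Skip block/reject rules and rules that are switched off.
        if rule.findtext("type", "pass") != "pass":
            continue
        if rule.find("disabled") is not None:
            continue
        if rule.findtext("interface") != interface:
            continue
        dest = rule.find("destination")
        if dest is None or dest.find("any") is not None:
            port = dest.findtext("port", "any") if dest is not None else "any"
            findings.append((rule.findtext("descr", ""), port))
    return findings


if __name__ == "__main__":
    for descr, port in broad_wan_rules(SAMPLE):
        print(f"WAN pass rule to any destination, port {port}: {descr}")
```

Any rule it reports on port 443 also matches the pfSense web interface unless the management port has been moved.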
Repeat the steps to configure the console proxy. Now your free load balancer
is up and running :) You can monitor the load balancer with the status->load
balancer option! If everything is working, it should look like this:
To do…
One thing I still want to do is to implement a more proper way of monitoring
the cells. The ICMP option (sending a ping) is not so good, because it only
monitors if the OS is up and running. pfSense has an option to configure
additional monitor options (services->load balancers->monitors). I’ve
implemented a monitor for both the vCD cell and the console proxy according to
this article by Chris Colotti. What you’re actually doing is not sending a
ping to the cells, you’re accessing a URL. When this is successful, the cell
is up and available to the load balancer. The pfSense configuration for the vCD
web interface should look like this:
For the console proxy the configuration is quite the same, the monitor URL
should be changed to “/sdk/vimServiceVersions.xml”. In my lab this
configuration resulted in two overloaded cloud cells :( . My servers have a
rather lean & mean configuration, so I think that’s the problem. I will do some
additional testing and post the results here!
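The difference between the two monitor types can be tested outside pfSense. The following is an added example, not code from the original article or from pfSense: it runs a reachability check and a URL check against each pool member, with a plain TCP connect standing in for the ping because ICMP needs raw sockets. The function names are hypothetical; the addresses and the console proxy URL are the ones given above.

```python
import http.client
import socket
import ssl


def tcp_alive(host, port, timeout=3.0):
    """Transport-level check: true if anything accepts the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_alive(host, port, path, use_tls=True, tls_context=None,
               expect=200, timeout=3.0):
    """Service-level check: true only if GET `path` answers with `expect`."""
    if use_tls:
        # Verified TLS by default; pass a context that trusts the lab CA
        # when the cells use self-signed certificates.
        ctx = tls_context or ssl.create_default_context()
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status == expect
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


def pool_status(members, path, **http_opts):
    """Run both checks per member; tcp=True with http=False is the case
    a ping-style monitor cannot see (host up, service down)."""
    return {
        f"{host}:{port}": {
            "tcp": tcp_alive(host, port),
            "http": http_alive(host, port, path, **http_opts),
        }
        for host, port in members
    }


if __name__ == "__main__":
    # Pool members and console proxy monitor URL as given in the article.
    cells = [("192.168.1.231", 443), ("192.168.1.238", 443)]
    for member, result in pool_status(cells, "/sdk/vimServiceVersions.xml").items():
        print(member, result)
```

A member that reports tcp True and http False is one the ICMP monitor would keep in the pool while the URL monitor would take it out.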
That’s it for now, your comments are always welcome!
The follow up for this article is available now: vCloud Director Howto: Load
balancing with free pfSense – Cont’d