Re: [pfSense Support] Load Balancer Interfaces
On Wed, Aug 26, 2009 at 7:42 AM, Jesse Vollmar vollm...@gmail.com wrote:
> It seems like this is related to that OPT interface not having the gateway specified on it. That interface is however working and sending traffic out to my ISP's gateway.

At the risk of looking like the N00b that I am, I don't see how pfsense can send traffic out on an interface that has no gateway. Respond, yes; initiate, no. Can we have a look at your routing table?

db

Re: [pfSense Support] Load Balancer Interfaces
On Wed, Aug 26, 2009 at 10:39 AM, David Burgess apt@gmail.com wrote:
> At the risk of looking like the N00b that I am, I don't see how pfsense can send traffic out on an interface that has no gateway. Respond, yes; initiate, no. Can we have a look at your routing table?
>
> db

The route for that OPT1 interface is showing up it is em2.

    $ netstat -nr
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            67.38.60.77        UGS         0   455460    ng0
    10                 link#1             UC          0        0    em0
    ...
    66.188.33.xxx/30   link#3             UC          0        0    em2
    66.188.33.xxx      00:1f:e1:4b:d7:f4  UHLW        1        0    em2   1185
    67.38.60.77        99.23.221.xxx      UH          1     4955    ng0
    99.23.221.xxx      lo0                UHS         0        0    lo0
    127.0.0.1          127.0.0.1          UH          0        0    lo0

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] Load Balancer Interfaces
On Wed, Aug 26, 2009 at 8:57 AM, Jesse Vollmar vollm...@gmail.com wrote:
> The route for that OPT1 interface is showing up it is em2.
>
>     $ netstat -nr
>     Routing tables
>
>     Internet:
>     Destination        Gateway            Flags    Refs      Use  Netif Expire
>     default            67.38.60.77        UGS         0   455460    ng0
>     10                 link#1             UC          0        0    em0
>     ...
>     66.188.33.xxx/30   link#3             UC          0        0    em2
>     66.188.33.xxx      00:1f:e1:4b:d7:f4  UHLW        1        0    em2   1185
>     67.38.60.77        99.23.221.xxx      UH          1     4955    ng0
>     99.23.221.xxx      lo0                UHS         0        0    lo0
>     127.0.0.1          127.0.0.1          UH          0        0    lo0

As expected, you have no gateway on em2. pfsense is able to route packets to any host on that network, which means it can reply to any incoming packet, or contact any machine on that network, but any traffic that doesn't match the exact networks in the first column, ie, 'the internet', will take the default gateway, ng0.

For load balancing to work, and for any outbound connection initiated from your network to go out the em2 interface, you will have to enter a gateway. If this messes things up with your ISP then your ISP has a problem, or you're not setting things up properly. Enter your ISP's gateway on em2 and if that doesn't work we'll troubleshoot from there.

db

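The routing-table reading in the message above can be reproduced with a longest-prefix-match lookup. This is an added example, not code from the thread or from pfSense: the table is constructed in the same layout, the addresses masked with "xxx" in the post are replaced by documentation-range addresses, and the function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed table in the layout of the `netstat -nr` output in the thread.
# 198.51.100.x and 203.0.113.x stand in for the masked "xxx" addresses.
SAMPLE_TABLE = """\
Routing tables

Internet:
Destination        Gateway            Flags  Refs  Use     Netif  Expire
default            67.38.60.77        UGS    0     455460  ng0
10                 link#1             UC     0     0       em0
...
198.51.100.8/30    link#3             UC     0     0       em2
198.51.100.9       00:1f:e1:4b:d7:f4  UHLW   1     0       em2    1185
67.38.60.77        203.0.113.20       UH     1     4955    ng0
203.0.113.20       lo0                UHS    0     0       lo0
127.0.0.1          127.0.0.1          UH     0     0       lo0
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


def parse_destination(dest: str, flags: str) -> ipaddress.IPv4Network:
    """Turn a netstat Destination column into a network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        return ipaddress.ip_network(dest, strict=False)
    if "H" in flags:                      # host route
        return ipaddress.ip_network(dest + "/32")
    # Abbreviated network such as "10": assumed here to mean one prefix
    # octet per printed octet (10 -> 10.0.0.0/8).
    octets = dest.split(".")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(padded), 8 * len(octets)))


def parse_routes(text: str) -> list:
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip titles, the column header and the "..." elision line.
        if len(fields) < 6 or fields[0] == "Destination":
            continue
        dest, gateway, flags, _refs, _use, netif = fields[:6]
        routes.append(Route(parse_destination(dest, flags), gateway, flags, netif))
    return routes


def lookup(routes: list, dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does for a locally routed packet."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


def egress(routes: list, dst: str):
    """Return (interface, gateway); gateway is None when the target is on-link."""
    route = lookup(routes, dst)
    if route is None:
        return None
    return (route.netif, route.gateway if "G" in route.flags else None)


def gateway_interfaces(routes: list) -> set:
    """Interfaces that have at least one route through a gateway (G flag)."""
    return {r.netif for r in routes if "G" in r.flags}


ROUTES = parse_routes(SAMPLE_TABLE)

if __name__ == "__main__":
    for target in ("8.8.8.8", "198.51.100.10", "10.1.2.3"):
        print(target, "->", egress(ROUTES, target))
    print("interfaces with a gateway:", gateway_interfaces(ROUTES))
```

Only ng0 carries a gateway route, so an off-net destination always resolves to ng0, while hosts inside the em2 /30 are reached directly on em2.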
Re: [pfSense Support] Load Balancer Interfaces
On Wed, Aug 26, 2009 at 11:19 AM, David Burgess apt@gmail.com wrote:
> As expected, you have no gateway on em2. pfsense is able to route packets to any host on that network, which means it can reply to any incoming packet, or contact any machine on that network, but any traffic that doesn't match the exact networks in the first column, ie, 'the internet', will take the default gateway, ng0.
>
> For load balancing to work, and for any outbound connection initiated from your network to go out the em2 interface, you will have to enter a gateway. If this messes things up with your ISP then your ISP has a problem, or you're not setting things up properly. Enter your ISP's gateway on em2 and if that doesn't work we'll troubleshoot from there.
>
> db

I have entered the ISP's gateway (They actually have two due to us using multiple subnets) and when I do, pfsense can only ping that address. Packets to any other network won't go through. When I remove it, I can ping any internet host from em2.

Re: [pfSense Support] Load Balancer Interfaces
On Wed, Aug 26, 2009 at 9:24 AM, Jesse Vollmar vollm...@gmail.com wrote:
> I have entered the ISP's gateway (They actually have two due to us using multiple subnets) and when I do, pfsense can only ping that address. Packets to any other network won't go through. When I remove it, I can ping any internet host from em2.

pfsense's GUI ping utility lies WRT interface selection. Try unplugging the WAN and ping some internet hosts.

db

Re: [pfSense Support] Load balancer
On Sat, Feb 7, 2009 at 10:47 AM, Tim Nelson tnel...@rockbochs.com wrote:
> I have to admit it took me a bit to find it as well. For whatever reason, when looking by category, it assumes you want to edit the category. I simply had to change the url from http://doc.pfsense.org/index.php?title=Category:Load_balancing&action=edit to http://doc.pfsense.org/index.php?title=Category:Load_balancing . Odd. Maybe something could be done to make the wiki more user friendly?

For any links that don't exist, including categories that don't have a description, it assumes a click is an edit. Since we've had to lock things down considerably to prevent spam, that leaves the page inaccessible if you aren't logged in.

Someone needs to go through and add a description for the categories that don't have one. If you'd like to help, email wikiad...@pfsense.org and we'll get an account created for you.

RE: [pfSense Support] Load balancer
Where can I find details about the pfsense balancer? Things like how a request is handled and config options maybe even a howto?

-Original Message-
From: Gary Buckmaster [mailto:g...@centipedenetworks.com]
Sent: 06 February 2009 19:57
To: support@pfsense.com
Subject: Re: [pfSense Support] Load balancer

> We use pfSense to load balance 65 million requests daily to a cluster of HTTP servers on fairly minimal hardware. Performance for us has been excellent. I can't speak to nginx, never heard of it and I've not had reason to look past pfSense for our needs.

Re: [pfSense Support] Load balancer
A good start is here: http://doc.pfsense.org/index.php?title=Category:Load_balancing

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- Hiren Joshi j...@moonfruit.com wrote:
> Where can I find details about the pfsense balancer? Things like how a request is handled and config options maybe even a howto?

RE: [pfSense Support] Load balancer
Thanks for the quick reply... I just couldn't find it on the wiki!

-Original Message-
From: Tim Nelson [mailto:tnel...@rockbochs.com]
Sent: 07 February 2009 15:32
To: support@pfsense.com
Subject: Re: [pfSense Support] Load balancer

> A good start is here: http://doc.pfsense.org/index.php?title=Category:Load_balancing
>
> Tim Nelson
> Systems/Network Support
> Rockbochs Inc.
> (218)727-4332 x105

Re: [pfSense Support] Load balancer
I have to admit it took me a bit to find it as well. For whatever reason, when looking by category, it assumes you want to edit the category. I simply had to change the url from http://doc.pfsense.org/index.php?title=Category:Load_balancing&action=edit to http://doc.pfsense.org/index.php?title=Category:Load_balancing . Odd. Maybe something could be done to make the wiki more user friendly?

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- Hiren Joshi j...@moonfruit.com wrote:
> Thanks for the quick reply... I just couldn't find it on the wiki!

Re: [pfSense Support] Load balancer
Hiren Joshi wrote:
> Hello all,
>
> I'm using pfsense to firewall at the moment but pass all the http traffic to an internal load balancer (nginx). My question is, would it be possible to replace nginx with pfsense and how would the two compare in terms of performance?
>
> Many thanks,
> Josh.

We use pfSense to load balance 65 million requests daily to a cluster of HTTP servers on fairly minimal hardware. Performance for us has been excellent. I can't speak to nginx, never heard of it and I've not had reason to look past pfSense for our needs.

Re: [pfSense Support] Load Balancer Question
The documentation site is very helpful in this regard:

http://devwiki.pfsense.org/OutgoingLoadBalancing
or
http://devwiki.pfsense.org/IncomingLoadBalancing

choose your poison.

Joel Robison wrote:
> Hi ALL!
>
> I have a few questions about the load balancer function:
>
> 1. Can I round-robin udp packets? For instance I would like to set up an internal (LAN side) VIP that will be in front of 2 dns servers.
> 2. Will it allow me to load balance internally? i.e. not on the WAN side but on the LAN side.
>
> I am assuming both of the above are yes it will, but I was wondering if anyone had done this and would be able to offer me a few pointers or guide me through the process.
>
> Something unrelated to the above questions, is there a FAQ about asterisk and pfsense?
>
> -Joel Robison
> Systems Administrator

Re: [pfSense Support] Load Balancer + Failover
Hi Bill,

Same here, I even have the same thing working on 1.1 PFsense for another customer. Is there a way to down grade from 1.2 RC2 to 1.1?

Thanks,
Lee

Bill Marquette wrote:
> Strange, other than the sticky address (which should be more a nuisance than anything) not getting set on the secondary, I'm not seeing anything obvious that would prevent the connection from working. The only other thing I can think to look at is whether the rulesets (/tmp/rules.debug) are the same between the two machines (with exception to a few subtle differences they should be). You can try tcpdump'ing on the secondary and making sure the tcp traffic is making it to the external interface. If it is, check the inside and see what's actually getting passed through. Lastly, double check the firewall logs, you might be seeing blocks for some reason.
>
> FWIW, I have similar setups working just fine (minus pfsense as the frontend), so this is likely a pfsense bug or a config issue of some sort.
>
> --Bill

-- Message scanned for all known viruses by Mailsauce. Email protection solutions from E-Sauce. For more information please visit http://www.mailsauce.com

Re: [pfSense Support] Load Balancer + Failover
Lee Hetherington wrote:
> Hi Bill,
>
> Same here, I even have the same thing working on 1.1 PFsense for another customer. Is there a way to down grade from 1.2 RC2 to 1.1?

It would be MUCH better to help us figure out if there is indeed a regression in this from 1.2 to 1.0.1. Going back to 1.0.1 is strongly discouraged, there are serious problems with it under some circumstances.

Can you try the exact same config (restore a backup) that's working on 1.0.1 on a 1.2 system in a test environment?

Re: [pfSense Support] Load Balancer + Failover
Hi Chris,

It's two different systems, in the 1.1 system I have the hosts behind the balancer being natted by the pfsense box, whereas on the 1.2 they are direct routed, and natted upstream using a PIX 515e.

I've tried tcpdump on the secondary as discussed with Bill, I can see the packets hitting both interfaces, but tcpdump produces so much crap I can't really see what's going on, however it's an issue that when the primary balancer isn't available the whole thing bar pings and routing dies...

Thanks,
Lee

Chris Buechler wrote:
> It would be MUCH better to help us figure out if there is indeed a regression in this from 1.2 to 1.0.1. Going back to 1.0.1 is strongly discouraged, there are serious problems with it under some circumstances.
>
> can you try the exact same config (restore a backup) that's working on 1.0.1 on a 1.2 system in a test environment?

Re: [pfSense Support] Load Balancer + Failover
Hi Bill,

The config was sync'd ok, I can see it on both boxes. Below is a ps -ax from the secondary machine:

    # ps -ax |grep slb
    60083 ?? Ss 0:00.51 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000
    65097 p0 RV 0:00.00 grep slb (tcsh)

Looks to me like it's running? I tried editing the config and saving it like you suggest, and the ps -ax was then:

    # ps -ax | grep slb
    65407 ?? Ss 0:00.00 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000

Still nothing however when I reboot the primary...

Lee

Bill Marquette wrote:
> Can you confirm that the load balancer config sync'd over to the secondary? Also, assuming it did, can you do a 'ps -ax |grep slb' from the shell? I suspect it never started slbd after sync (as an interim workaround, you could try going to the load balancer page on the secondary and editing/saving the config).
>
> --Bill

Re: [pfSense Support] Load Balancer + Failover
Hmm, what does the output of pfctl -sn -aslb look like on both boxes? The other obvious question is, are the virtual addresses that front end your load balance pool CARP addresses? If they aren't, then the secondary won't take them over on failover regardless of the load balance config.

--Bill

On 10/10/07, Lee Hetherington [EMAIL PROTECTED] wrote:
> Hi Bill,
>
> The config was sync'd ok, I can see it on both boxes. Below is a ps -ax from the secondary machine:
>
>     # ps -ax |grep slb
>     60083 ?? Ss 0:00.51 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000
>     65097 p0 RV 0:00.00 grep slb (tcsh)
>
> Looks to me like it's running? I tried editing the config and saving it like you suggest, and the ps -ax was then:
>
>     # ps -ax | grep slb
>     65407 ?? Ss 0:00.00 /usr/local/sbin/slbd -c/var/etc/slbd.conf -r5000
>
> Still nothing however when I reboot the primary...
>
> Lee

Re: [pfSense Support] Load Balancer + Failover
Hi Bill,

All is carp, when the primary is off, I can ping the address still.

Primary:

    # pfctl -sn -aslb
    rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1, 10.5.49.2 } port 25 round-robin sticky-address
    rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1, 10.5.49.2 } port 80 round-robin sticky-address

Secondary:

    # pfctl -sn -aslb
    rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1, 10.5.49.2 } port 25 round-robin
    rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1, 10.5.49.2 } port 80 round-robin

Thanks,
Lee

Bill Marquette wrote:
> Hmm, what does the output of pfctl -sn -aslb look like on both boxes? The other obvious question is, are the virtual addresses that front end your load balance pool CARP addresses? If they aren't, then the secondary won't take them over on failover regardless of the load balance config.
>
> --Bill

Re: [pfSense Support] Load Balancer + Failover
Strange, other than the sticky address (which should be more a nuisance than anything) not getting set on the secondary, I'm not seeing anything obvious that would prevent the connection from working. The only other thing I can think to look at is whether the rulesets (/tmp/rules.debug) are the same between the two machines (with exception to a few subtle differences they should be). You can try tcpdump'ing on the secondary and making sure the tcp traffic is making it to the external interface. If it is, check the inside and see what's actually getting passed through. Lastly, double check the firewall logs, you might be seeing blocks for some reason.

FWIW, I have similar setups working just fine (minus pfsense as the frontend), so this is likely a pfsense bug or a config issue of some sort.

--Bill

On 10/10/07, Lee Hetherington [EMAIL PROTECTED] wrote:
> Hi Bill,
>
> All is carp, when the primary is off, I can ping the address still.
>
> Primary:
>
>     # pfctl -sn -aslb
>     rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1, 10.5.49.2 } port 25 round-robin sticky-address
>     rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1, 10.5.49.2 } port 80 round-robin sticky-address
>
> Secondary:
>
>     # pfctl -sn -aslb
>     rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1, 10.5.49.2 } port 25 round-robin
>     rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1, 10.5.49.2 } port 80 round-robin
>
> Thanks,
> Lee

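The comparison of the two firewalls' redirect rules discussed in the message above can be done mechanically rather than by eye. This is an added example, not code from the thread or from pfSense: the rule text is what Lee posted, written with pf's `->` redirect arrow, and the function names are hypothetical.

```python
import re

# `pfctl -sn -aslb` output as posted in the thread for each CARP peer.
PRIMARY = """\
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1, 10.5.49.2 } port 25 round-robin sticky-address
rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1, 10.5.49.2 } port 80 round-robin sticky-address
"""
SECONDARY = """\
rdr inet proto tcp from any to 10.2.48.1 port = smtp -> { 10.5.49.1, 10.5.49.2 } port 25 round-robin
rdr inet proto tcp from any to 10.2.48.1 port = http -> { 10.5.49.1, 10.5.49.2 } port 80 round-robin
"""

# Matches the rdr form shown above; the target is either a { pool } or one host.
RDR_RE = re.compile(
    r"^rdr\s+(?:on\s+(?P<iface>\S+)\s+)?inet\s+proto\s+(?P<proto>\S+)\s+"
    r"from\s+any\s+to\s+(?P<vip>\S+)\s+port\s+=\s+(?P<service>\S+)\s+->\s+"
    r"(?:\{\s*(?P<pool>[^}]*)\}|(?P<host>\S+))\s+port\s+(?P<port>\d+)"
    r"(?P<opts>.*)$"
)


def parse_rdr(text):
    """Map (proto, virtual IP, service) -> pool, target port and options."""
    rules = {}
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue  # prompt lines, blank lines, other rule types
        members = m["pool"] if m["pool"] is not None else m["host"]
        rules[(m["proto"], m["vip"], m["service"])] = {
            # Sort the pool so member order does not register as a difference.
            "pool": tuple(sorted(p.strip() for p in members.split(",") if p.strip())),
            "port": int(m["port"]),
            "options": frozenset(m["opts"].split()),
        }
    return rules


def compare(primary, secondary):
    """Return (rule key, field, primary value, secondary value) per mismatch."""
    findings = []
    for key in sorted(set(primary) | set(secondary)):
        p, s = primary.get(key), secondary.get(key)
        if p is None or s is None:
            findings.append((key, "rule",
                             "present" if p is not None else "missing",
                             "present" if s is not None else "missing"))
            continue
        for field in ("pool", "port", "options"):
            if p[field] != s[field]:
                findings.append((key, field, p[field], s[field]))
    return findings


def report(findings):
    """Render findings as one readable line each."""
    lines = []
    for (proto, vip, service), field, pval, sval in findings:
        if field == "options":
            pval, sval = sorted(pval - sval), sorted(sval - pval)
            lines.append("%s %s:%s options only on primary=%s, only on secondary=%s"
                         % (proto, vip, service, pval, sval))
        else:
            lines.append("%s %s:%s %s primary=%s secondary=%s"
                         % (proto, vip, service, field, pval, sval))
    return lines


if __name__ == "__main__":
    for line in report(compare(parse_rdr(PRIMARY), parse_rdr(SECONDARY))):
        print(line)
```

On the posted rules the only mismatch reported is `sticky-address`, present on the primary and absent on the secondary for both services; pools, virtual IP and target ports agree.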
Re: [pfSense Support] Load Balancer + Failover
Inbound or outbound load balancing? --Bill

On 10/9/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Hi There, I'm using 1.2 RC2 on Intel boxes. I have the load balancer setup and working, the two machines are syncing settings and the carp is working properly. However, if I reboot the primary firewall the secondary takes over pings, but the load balancing doesn't work again until the primary is back online. Everything seems to be ok, when the primary disappears, the ping drops 1 packet, then the secondary carries on and everything runs ok. The servers on the lan interface of the firewall can route out to the internet fine whilst running with only the secondary firewall. The only thing not to work is the load balancer. Anyone have any ideas?

I have it wired as:
INTERNET -- PIX 515 PAIR -- 2X CISCO 3550-EMI -- PFSENSE PAIR -- 2X CISCO 3550-EMI -- LAN

Each of the pix/pfsense are connected to separate switches, which are in turn linked together.

Thanks in advance, Lee
Re: [pfSense Support] Load Balancer + Failover
Hi Bill, Sorry, inbound... we have 2x Web Servers behind the PFsense boxes so we are load balancing 443 and 80 TCP
Lee

On Tue, 9 Oct 2007 08:47:27 -0500, Bill Marquette [EMAIL PROTECTED] wrote:
Inbound or outbound load balancing? --Bill

On 10/9/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Hi There, I'm using 1.2 RC2 on Intel boxes. I have the load balancer setup and working, the two machines are syncing settings and the carp is working properly. However, if I reboot the primary firewall the secondary takes over pings, but the load balancing doesn't work again until the primary is back online. Everything seems to be ok, when the primary disappears, the ping drops 1 packet, then the secondary carries on and everything runs ok. The servers on the lan interface of the firewall can route out to the internet fine whilst running with only the secondary firewall. The only thing not to work is the load balancer. Anyone have any ideas?

I have it wired as:
INTERNET -- PIX 515 PAIR -- 2X CISCO 3550-EMI -- PFSENSE PAIR -- 2X CISCO 3550-EMI -- LAN

Each of the pix/pfsense are connected to separate switches, which are in turn linked together.

Thanks in advance, Lee
Re: [pfSense Support] Load Balancer + Failover
Can you confirm that the load balancer config sync'd over to the secondary? Also, assuming it did, can you do a 'ps -ax |grep slb' from the shell? I suspect it never started slbd after sync (as an interim workaround, you could try going to the load balancer page on the secondary and editing/saving the config). --Bill

On 10/9/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Hi Bill, Sorry, inbound... we have 2x Web Servers behind the PFsense boxes so we are load balancing 443 and 80 TCP
Lee

On Tue, 9 Oct 2007 08:47:27 -0500, Bill Marquette [EMAIL PROTECTED] wrote:
Inbound or outbound load balancing? --Bill

On 10/9/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Hi There, I'm using 1.2 RC2 on Intel boxes. I have the load balancer setup and working, the two machines are syncing settings and the carp is working properly. However, if I reboot the primary firewall the secondary takes over pings, but the load balancing doesn't work again until the primary is back online. Everything seems to be ok, when the primary disappears, the ping drops 1 packet, then the secondary carries on and everything runs ok. The servers on the lan interface of the firewall can route out to the internet fine whilst running with only the secondary firewall. The only thing not to work is the load balancer. Anyone have any ideas?

I have it wired as:
INTERNET -- PIX 515 PAIR -- 2X CISCO 3550-EMI -- PFSENSE PAIR -- 2X CISCO 3550-EMI -- LAN

Each of the pix/pfsense are connected to separate switches, which are in turn linked together.

Thanks in advance, Lee
Re: [pfSense Support] load balancer problems
Try one of the 1.2.1 betas. Many issues resolved, all around better product.
Re: [pfSense Support] load balancer problems
1. Upgrade to 1.2-BETA-1
2. See http://doc.pfsense.org/index.php/MultiWanVersion1.2

On 6/7/07, Dave Cabot [EMAIL PROTECTED] wrote:
I'm trying to get the load balancer to work, but it causes the system to do a hard lockup.

Hardware: Compaq SFF P2 (400Mhz, 256MB ram)

I'm using the internal ethernet card plus two in the PCI slots. They come up as fxp0, fxp1, fxp2. They are all on IRQ 11. I know there's documentation indicating that that is a problem, but pls let me further explain.

I get the lockup at the same spot each time. I follow all the directions on setting up a load balancer. http://www.netlife.co.za/content/view/34/34/ When I do the final step (Add the rule to LAN) it locks up hard. Every time. All three cards are connected and handling data just fine. That's why I'm not convinced that it's an IRQ problem.

I'm using pfSense 1.0.1. Clean install, every time. Any suggestions?

Dave
RE: [pfSense Support] Load Balancer Behaviour
You most likely don't run a latest snapshot but a release version which has a different gui. Please make sure you are on a version from http://snapshots.pfsense.com/FreeBSD6/RELENG_1_2/ which has the gui mentioned at http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing .
Holger

-Original Message-
From: Quirino Santilli [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 24, 2007 10:32 AM
To: support@pfsense.com
Subject: [pfSense Support] Load Balancer Behaviour

Scott (pfsense support), please help me, when adding a load balancer pool I can't see the interface name (WAN for example) preceding the |(Wan check ip). This is a fresh install with the latest snapshot and I can't figure out why is going in this sense for me. I tried recreating the pools, but there's no way. Can you please help me? 10x in advance.
r3N0oV4
Re: [pfSense Support] Load Balancer Behaviour?
On 4/19/07, Quirino Santilli [EMAIL PROTECTED] wrote:
I was finally configuring pfSense as a multi-wan / load-balancing / fail-over firewall for my company when i found something strange. Looking at the howto at this address http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing i found that the load-balancer had a behaviour field that in my 1.0.1 installation is not available. To make you believe I'm not fooling, you can find attached the interface that comes out in my installation and the one available on the howto. Can you tell me why?

Upgrade to a recent snapshot. http://snapshots.pfsense.com/FreeBSD6/RELENG_1/
Scott
RE: [pfSense Support] Load Balancer
Hi Holger,
1. I take back my words. WAN interface fires icmp poll too, but strange that the icmp poll fired by OPT1 is found in the states table but not for the one fired by the WAN interface. I found this on a reject log in firewall log. I configured the firewall rule for WAN interface to accept echo reply and it functions now. It is strange that the OPT1 interface did not reject the echo reply though.
2. To make sure again, as long as the firewall rules make use of one of the 3 pools (instead of all 3 pools), everything will be ok?
Regards, Kelvin

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED]
Sent: Friday, March 09, 2007 7:25 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] Load Balancer

Regarding 1: we'll check this
Regarding 2: Yes, you are right. You typically want to even create 3 pools for this: one loadbalanced (WAN+OPT1), one failover WAN to OPT1 and one failover OPT1 to WAN. Then just create firewall rules to make use of either of the pools. This way you can have services that run on both or prefer the one or other connection.
Holger

From: Kelvin Chiang [mailto:[EMAIL PROTECTED]
Sent: Friday, 9 March 2007 11:36
To: support@pfsense.com
Subject: [pfSense Support] Load Balancer

Hi, I have some questions concerning Load Balancer and Failover, hope that someone can help.
1. I have configured the load balancer for 2 physical interfaces (WAN OPT1). I monitor the states table and realized that the icmp packets for monitoring purpose were fired only from the OPT1 interface, none from the WAN interface. Is this what it is supposed to do? Logically, to monitor whether each interface is online or offline, the icmp should be fired from each interface respectively.
2. If I want the WAN and OPT1 interface to function both for load balancing as well as failover, do I create 2 gateway pool, one with Load Balancing behaviour and other with Fail Over behaviour?
Regards, Kelvin
RE: [pfSense Support] Load Balancer
Hi Holger, we built it on 31st Jan 2007. Has there been significant change since then?

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED]
Sent: Friday, March 09, 2007 7:42 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] Load Balancer

1. What Version of pfSense are you running? If it's not a recent snapshot please upgrade.
2. Yes, that is correct.
Holger

-Original Message-
From: Kelvin Chiang [mailto:[EMAIL PROTECTED]
Sent: Friday, 9 March 2007 12:36
To: support@pfsense.com
Subject: RE: [pfSense Support] Load Balancer

Hi Holger,
1. I take back my words. WAN interface fires icmp poll too, but strange that the icmp poll fired by OPT1 is found in the states table but not for the one fired by the WAN interface. I found this on a reject log in firewall log. I configured the firewall rule for WAN interface to accept echo reply and it functions now. It is strange that the OPT1 interface did not reject the echo reply though.
2. To make sure again, as long as the firewall rules make use of one of the 3 pools (instead of all 3 pools), everything will be ok?
Regards, Kelvin

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED]
Sent: Friday, March 09, 2007 7:25 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] Load Balancer

Regarding 1: we'll check this
Regarding 2: Yes, you are right. You typically want to even create 3 pools for this: one loadbalanced (WAN+OPT1), one failover WAN to OPT1 and one failover OPT1 to WAN. Then just create firewall rules to make use of either of the pools. This way you can have services that run on both or prefer the one or other connection.
Holger

From: Kelvin Chiang [mailto:[EMAIL PROTECTED]
Sent: Friday, 9 March 2007 11:36
To: support@pfsense.com
Subject: [pfSense Support] Load Balancer

Hi, I have some questions concerning Load Balancer and Failover, hope that someone can help.
1. I have configured the load balancer for 2 physical interfaces (WAN OPT1). I monitor the states table and realized that the icmp packets for monitoring purpose were fired only from the OPT1 interface, none from the WAN interface. Is this what it is supposed to do? Logically, to monitor whether each interface is online or offline, the icmp should be fired from each interface respectively.
2. If I want the WAN and OPT1 interface to function both for load balancing as well as failover, do I create 2 gateway pool, one with Load Balancing behaviour and other with Fail Over behaviour?
Regards, Kelvin
RE: [pfSense Support] Load Balancer
New snapshots come out at least once a week and sometimes sooner. Each one has bug fixes and enhancements in it. I usually upgrade every time a new snapshot comes out.
-Sean

From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: Fri, 9 Mar 2007 22:19:23 +0800
Subject: RE: [pfSense Support] Load Balancer

Hi Holger, we built it on 31st Jan 2007. Has there been significant change since then?

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED]
Sent: Friday, March 09, 2007 7:42 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] Load Balancer

1. What Version of pfSense are you running? If it's not a recent snapshot please upgrade.
2. Yes, that is correct.
Holger

-Original Message-
From: Kelvin Chiang [mailto:[EMAIL PROTECTED]
Sent: Friday, 9 March 2007 12:36
To: support@pfsense.com
Subject: RE: [pfSense Support] Load Balancer

Hi Holger,
1. I take back my words. WAN interface fires icmp poll too, but strange that the icmp poll fired by OPT1 is found in the states table but not for the one fired by the WAN interface. I found this on a reject log in firewall log. I configured the firewall rule for WAN interface to accept echo reply and it functions now. It is strange that the OPT1 interface did not reject the echo reply though.
2. To make sure again, as long as the firewall rules make use of one of the 3 pools (instead of all 3 pools), everything will be ok?
Regards, Kelvin

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED]
Sent: Friday, March 09, 2007 7:25 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] Load Balancer

Regarding 1: we'll check this
Regarding 2: Yes, you are right. You typically want to even create 3 pools for this: one loadbalanced (WAN+OPT1), one failover WAN to OPT1 and one failover OPT1 to WAN. Then just create firewall rules to make use of either of the pools. This way you can have services that run on both or prefer the one or other connection.
Holger

From: Kelvin Chiang [mailto:[EMAIL PROTECTED]
Sent: Friday, 9 March 2007 11:36
To: support@pfsense.com
Subject: [pfSense Support] Load Balancer

Hi, I have some questions concerning Load Balancer and Failover, hope that someone can help.
1. I have configured the load balancer for 2 physical interfaces (WAN OPT1). I monitor the states table and realized that the icmp packets for monitoring purpose were fired only from the OPT1 interface, none from the WAN interface. Is this what it is supposed to do? Logically, to monitor whether each interface is online or offline, the icmp should be fired from each interface respectively.
2. If I want the WAN and OPT1 interface to function both for load balancing as well as failover, do I create 2 gateway pool, one with Load Balancing behaviour and other with Fail Over behaviour?
Regards, Kelvin
RE: [pfSense Support] Load Balancer
Ok, Thanks Holger

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED]
Sent: Friday, March 09, 2007 10:44 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] Load Balancer

For sure. I remember that there has been a rule issue with pings that also resulted in wan quality rrd graph showing constant packetloss which was fixed and your problem seems to be similar.
Holger

-Original Message-
From: Kelvin Chiang [mailto:[EMAIL PROTECTED]
Sent: Friday, 9 March 2007 15:19
To: support@pfsense.com
Subject: RE: [pfSense Support] Load Balancer

Hi Holger, we built it on 31st Jan 2007. Has there been significant change since then?

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED]
Sent: Friday, March 09, 2007 7:42 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] Load Balancer

1. What Version of pfSense are you running? If it's not a recent snapshot please upgrade.
2. Yes, that is correct.
Holger

-Original Message-
From: Kelvin Chiang [mailto:[EMAIL PROTECTED]
Sent: Friday, 9 March 2007 12:36
To: support@pfsense.com
Subject: RE: [pfSense Support] Load Balancer

Hi Holger,
1. I take back my words. WAN interface fires icmp poll too, but strange that the icmp poll fired by OPT1 is found in the states table but not for the one fired by the WAN interface. I found this on a reject log in firewall log. I configured the firewall rule for WAN interface to accept echo reply and it functions now. It is strange that the OPT1 interface did not reject the echo reply though.
2. To make sure again, as long as the firewall rules make use of one of the 3 pools (instead of all 3 pools), everything will be ok?
Regards, Kelvin

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED]
Sent: Friday, March 09, 2007 7:25 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] Load Balancer

Regarding 1: we'll check this
Regarding 2: Yes, you are right. You typically want to even create 3 pools for this: one loadbalanced (WAN+OPT1), one failover WAN to OPT1 and one failover OPT1 to WAN. Then just create firewall rules to make use of either of the pools. This way you can have services that run on both or prefer the one or other connection.
Holger

From: Kelvin Chiang [mailto:[EMAIL PROTECTED]
Sent: Friday, 9 March 2007 11:36
To: support@pfsense.com
Subject: [pfSense Support] Load Balancer

Hi, I have some questions concerning Load Balancer and Failover, hope that someone can help.
1. I have configured the load balancer for 2 physical interfaces (WAN OPT1). I monitor the states table and realized that the icmp packets for monitoring purpose were fired only from the OPT1 interface, none from the WAN interface. Is this what it is supposed to do? Logically, to monitor whether each interface is online or offline, the icmp should be fired from each interface respectively.
2. If I want the WAN and OPT1 interface to function both for load balancing as well as failover, do I create 2 gateway pool, one with Load Balancing behaviour and other with Fail Over behaviour?
Regards, Kelvin
Re: [pfSense Support] Load balancer problem
This is probably a question which doesn't require an answer, but I am a little leery about updating to the http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-18-06/ I was curious of how to go about the update. I see two files which look like they might be the update files. One is Pfsense.img and the other is fullupdate. Please advise. I haven't done any updates yet. We have RC2 built Aug1 of 2006. No updates have yet been applied.

Thanks
--
Heath Henderson
--

From: Scott Ullrich [EMAIL PROTECTED]
Reply-To: support@pfsense.com
Date: Tue, 19 Sep 2006 01:38:10 -0400
To: support@pfsense.com
Subject: Re: [pfSense Support] Load balancer problem

http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-18-06/
Re: [pfSense Support] Load balancer problem
On 9/19/06, Heath Henderson [EMAIL PROTECTED] wrote:
This is probably a question which doesn't require an answer, but I am a little leery about updating to the http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-18-06/ I was curious of how to go about the update. I see two files which look like they might be the update files. One is Pfsense.img and the other is fullupdate. Please advise. I haven't done any updates yet. We have RC2 built Aug1 of 2006. No updates have yet been applied.

Hmm, there is a README in the same directory that explains quite a bit.
--Bill
Re: [pfSense Support] Load balancer problem
On 9/19/06, Bill Marquette [EMAIL PROTECTED] wrote:
Hmm, there is a README in the same directory that explains quite a bit.

README?! What's that!? Shouldn't I just be asking questions and not READING!?
RE: [pfSense Support] Load balancer problem
You guys crack me up! :) Honestly, I'm surprised you have as much patience as you do!
-Tim

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 19, 2006 9:46 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Load balancer problem

On 9/19/06, Bill Marquette [EMAIL PROTECTED] wrote:
Hmm, there is a README in the same directory that explains quite a bit.

README?! What's that!? Shouldn't I just be asking questions and not READING!?
Re: [pfSense Support] Load balancer problem
Thanks, I will plan this for end of day then. I have a hdd install so I should be ok. Thanks again.
--
Heath Henderson [EMAIL PROTECTED] 1800 288 7750
--

From: Holger Bauer [EMAIL PROTECTED]
Reply-To: support@pfsense.com
Date: Tue, 19 Sep 2006 16:59:30 +0200
To: support@pfsense.com
Conversation: [pfSense Support] Load balancer problem
Subject: RE: [pfSense Support] Load balancer problem

If you run off a hdd full installation upload the full update file at systemfirmware. It will apply the update and reboot after that. You won't lose your configuration, just a downtime for the reboot.

If you run from a cf-card and used the embedded image to start with you have to reflash the card. The version you are running doesn't support updates. Updates for embedded builds was introduced some versions ago. The new version however will now be upgradable. Please note that the new image has a size of 128 mb so you need at least a 128 mb cf-card. This was needed to support updates for these platforms. If you run this kind of install the future upgrade process will be the same like for the full install but you have to upload the mini update file.
Holger

-Original Message-
From: Heath Henderson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 19, 2006 3:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Load balancer problem

This is probably a question which doesn't require an answer, but I am a little leery about updating to the http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-18-06/ I was curious of how to go about the update. I see two files which look like they might be the update files. One is Pfsense.img and the other is fullupdate. Please advise. I haven't done any updates yet. We have RC2 built Aug1 of 2006. No updates have yet been applied.

Thanks
--
Heath Henderson
--

From: Scott Ullrich [EMAIL PROTECTED]
Reply-To: support@pfsense.com
Date: Tue, 19 Sep 2006 01:38:10 -0400
To: support@pfsense.com
Subject: Re: [pfSense Support] Load balancer problem

http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-18-06/
Re: [pfSense Support] Load balancer problem
Thanks, I couldn't get the readme to open. I did however get the snapshot files downloaded earlier so I am good to go now. Thanks for the suggestion though.
--
Heath Henderson [EMAIL PROTECTED] 1800 288 7750
--

From: Bill Marquette [EMAIL PROTECTED]
Reply-To: support@pfsense.com
Date: Tue, 19 Sep 2006 10:55:53 -0500
To: support@pfsense.com
Subject: Re: [pfSense Support] Load balancer problem

On 9/19/06, Heath Henderson [EMAIL PROTECTED] wrote:
This is probably a question which doesn't require an answer, but I am a little leery about updating to the http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-18-06/ I was curious of how to go about the update. I see two files which look like they might be the update files. One is Pfsense.img and the other is fullupdate. Please advise. I haven't done any updates yet. We have RC2 built Aug1 of 2006. No updates have yet been applied.

Hmm, there is a README in the same directory that explains quite a bit.
--Bill
Re: [pfSense Support] Load balancer problem
On 9/19/06, Catalin Epure [EMAIL PROTECTED] wrote:
I have settled the load balancer section to use 2 isp connections. For some reason the log looks like this:

Sep 19 03:10:13 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 19 03:10:13 slbd[297]: ICMP poll succeeded for IP.IP.IP.IP, marking service UP
Sep 19 03:10:08 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 19 03:10:08 slbd[297]: ICMP poll failed for IP.IP.IP.IP, marking service DOWN
Sep 18 23:52:38 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 23:52:38 slbd[297]: ICMP poll succeeded for IP.IP.IP.IP, marking service UP
Sep 18 23:52:33 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 23:52:33 slbd[297]: ICMP poll failed for IP.IP.IP.IP, marking service DOWN
Sep 18 23:39:47 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 23:39:47 slbd[297]: ICMP poll succeeded for IP.IP.IP.IP, marking service UP
Sep 18 23:39:42 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 23:39:42 slbd[297]: ICMP poll failed for IP.IP.IP.IP, marking service DOWN
Sep 18 21:39:59 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 21:39:59 slbd[297]: ICMP poll succeeded for IP.IP.IP.IP, marking service UP
Sep 18 21:39:54 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 21:39:54 slbd[297]: ICMP poll failed for IP.IP.IP.IP, marking service DOWN
Sep 18 21:25:51 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 21:25:51 slbd[297]: ICMP poll succeeded for IP.IP.IP.IP, marking service UP
Sep 18 21:25:46 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 21:25:46 slbd[297]: ICMP poll failed for IP.IP.IP.IP, marking service DOWN
Sep 18 20:48:16 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 20:48:16 slbd[297]: ICMP poll succeeded for IP.IP.IP.IP, marking service UP
Sep 18 20:48:11 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 20:48:11 slbd[297]: ICMP poll failed for IP.IP.IP.IP, marking service DOWN
Sep 18 20:20:59 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 20:20:59 slbd[297]: ICMP poll succeeded for IP.IP.IP.IP, marking service UP
Sep 18 20:20:54 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 20:20:54 slbd[297]: ICMP poll failed for IP.IP.IP.IP, marking service DOWN
Sep 18 19:27:07 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 19:27:07 slbd[297]: ICMP poll succeeded for IP.IP.IP.IP, marking service UP

And so on... I don't know why one of the internet connections seems to be down to pfSense. And believe me, is not. Is there any chance to increase the timeout for the service check or the no. of retries?
Catalin

What version?
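The flapping pattern in the slbd log quoted above can be measured rather than eyeballed. This is an added example, not part of the original thread or of pfSense: it pairs each "marking service DOWN" line with the next "marking service UP" line and counts how often the filter policy was reloaded. The function names, the 10-second flap threshold and the year argument (syslog lines carry no year) are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Excerpt of the log lines from the post above (newest first, as posted).
# The poster masked the monitored address as IP.IP.IP.IP.
SAMPLE_LOG = """\
Sep 19 03:10:13 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 19 03:10:13 slbd[297]: ICMP poll succeeded for IP.IP.IP.IP, marking service UP
Sep 19 03:10:08 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 19 03:10:08 slbd[297]: ICMP poll failed for IP.IP.IP.IP, marking service DOWN
Sep 18 23:52:38 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 23:52:38 slbd[297]: ICMP poll succeeded for IP.IP.IP.IP, marking service UP
Sep 18 23:52:33 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 23:52:33 slbd[297]: ICMP poll failed for IP.IP.IP.IP, marking service DOWN
Sep 18 20:20:59 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 20:20:59 slbd[297]: ICMP poll succeeded for IP.IP.IP.IP, marking service UP
Sep 18 20:20:54 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 20:20:54 slbd[297]: ICMP poll failed for IP.IP.IP.IP, marking service DOWN
Sep 18 19:27:07 slbd[297]: Service Balancer changed status, reloading filter policy
Sep 18 19:27:07 slbd[297]: ICMP poll succeeded for IP.IP.IP.IP, marking service UP
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) slbd\[\d+\]: (?P<msg>.*)$"
)
POLL_RE = re.compile(
    r"^ICMP poll (?:failed|succeeded) for (?P<target>\S+), "
    r"marking service (?P<state>UP|DOWN)$"
)
RELOAD_MSG = "Service Balancer changed status, reloading filter policy"


def parse_events(text, year):
    """Return ([(timestamp, target, state), ...] oldest first, reload_count)."""
    events, reloads = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an slbd line
        if m["msg"] == RELOAD_MSG:
            reloads += 1
            continue
        p = POLL_RE.match(m["msg"])
        if p:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, p["target"], p["state"]))
    events.sort(key=lambda e: e[0])  # the post lists newest first
    return events, reloads


def outages(events):
    """Pair each DOWN with the next UP for the same target.

    Returns (closed, unmatched). closed holds (target, down_ts, up_ts);
    unmatched holds UP lines with no DOWN in the excerpt and DOWNs never closed.
    """
    open_down, closed, unmatched = {}, [], []
    for ts, target, state in events:
        if state == "DOWN":
            open_down.setdefault(target, ts)  # keep the first DOWN of a run
        elif target in open_down:
            closed.append((target, open_down.pop(target), ts))
        else:
            unmatched.append((ts, target, state))
    unmatched.extend((ts, target, "DOWN") for target, ts in open_down.items())
    return closed, unmatched


def flap_report(text, year, flap_max=timedelta(seconds=10)):
    """Summarise outages; an outage no longer than flap_max counts as a flap."""
    events, reloads = parse_events(text, year)
    closed, unmatched = outages(events)
    durations = [up - down for _, down, up in closed]
    return {
        "reloads": reloads,
        "outages": len(closed),
        "flaps": sum(d <= flap_max for d in durations),
        "longest_s": max((d.total_seconds() for d in durations), default=0.0),
        "unmatched": len(unmatched),
    }


if __name__ == "__main__":
    print(flap_report(SAMPLE_LOG, 2006))
```

Every DOWN in the excerpt is followed by an UP five seconds later, and each of those transitions is accompanied by a filter policy reload.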
Re: [pfSense Support] Load balancer problem
On 9/19/06, Catalin Epure [EMAIL PROTECTED] wrote:
v.1 R.C.2
Catalin

Please upgrade to http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-18-06/ and see if this solves the problems. Thanks!
Re: [pfSense Support] load balancer
Fails in what way? You mean, when a WAN goes down you get disconnected (to be expected)? --Bill

On 7/14/06, Tunge2 [EMAIL PROTECTED] wrote:
hello, We installed the load balancer on our PFsense RELENG_1_SNAPSHOT-07-09-2006 machine. The load balance seems to work great at web traffic (if we shutdown the WAN connection, OPT takes it over nicely :) that's a fantastic function, keep up the great work) But if I try to build up any SSH or telnet connection, to internal or an external connection it fails. The log files are not showing anything useful.
Greetings
Re: [pfSense Support] load balancer
You won't find one until that work is complete. How it should work is not how it currently works - it's a functioning work in progress. --Bill

On 8/8/05, alan walters [EMAIL PROTECTED] wrote:
Just looking for a quick blah on how the incoming load balancer should work