Inbound Load Balancing
From PFSenseDocs
How to setup inbound Load Balancing
Inbound load balancing lets several servers appear externally as a single system. This means you can distribute the load of a website across several physical servers in a semi-intelligent way that recognizes when a server goes down and stops sending traffic to it.
This guide was created using pfSense 1.2
Failover
Failover behaviour cannot be configured from the Pools screen for inbound connections; a pool created there appears to behave exactly like the Load Balancing behaviour.
However, you can use the Pool down server on the Virtual Servers page to fail requests over to another server. For example, with a two-server setup (live and hot-standby), you can put the primary server in the pool and set the secondary server as the Pool down server. It is not possible to do 3 or more levels of failover.
Set up Load Balancing Pool
The first thing to do is create a pool (Services > Load Balancer > Add).
Set whatever you like for Name and Description, and pick Server as the Type. Set the port as appropriate (e.g., for web, use 80), and then add the IP addresses of the server(s) that serve content for the site. Note that all servers must be listening on the same port. The port that external clients (from the WAN) connect to can be different from this port.
Note that if you have more than one server, they must be synchronized (or using shared storage) and serving the same content. If you are running a web application server that uses server-side sessions, the sessions must be shared across all servers. For example, you may want to use a session state server, or store all session data in a shared database.
Any servers that you add to the list will have traffic load balanced between them, and they will be monitored. If a server goes down, traffic will no longer be sent to it.
Set up virtual server
The next step is to send traffic to the pool by adding a new Virtual Server (Services > Load Balancer > Virtual Servers > Add). Enter whatever you like for the Name and Description, and enter the WAN IP address clients will use as the IP address.
The Port is the TCP port that clients will connect to on the WAN interface. This can be different from the port the servers in your pool are listening on.
Select the Virtual Pool you created previously, and enter a Pool down server if you like. The Pool down server may serve the same content as the rest of the servers in the pool (e.g., in a two-server live/hot-standby setup), or it may be a server that always returns a static "Sorry, this site is offline" message. [future howto: add information on how to run a "site offline" server on the pfSense machine]. If you do not enter a Pool down server, or if that server is also unavailable, connections to the virtual server will simply time out.
Additional Notes
Sticky connections
Sticky connections can somewhat alleviate the problems of shared sessions, but they are not as reliable as using shared session storage. In the scenario where a client requests a web page and then all the content (images, scripts) on that page, with sticky connections enabled the client will fetch the page and all the images and scripts from the same server. However, depending on how long it is until the client requests the next page, it may or may not go to the same server a second time [what is the exact time this takes?].
Failover and Recovery
pfSense constantly tries to connect to all the servers in the pool (every 5 seconds by default). If it detects one as being offline, it immediately stops sending traffic there. It continues trying to connect, and when it detects the server back online, it resumes sending traffic. If it sends a client request to a server that is down (e.g., before pfSense detects that it is down), that client request will time out.
If all the servers go down, pfSense will start sending traffic to the Pool down server. Once a pool server is back up, it will again start sending traffic to the pool server(s), but note that some traffic may still go to the Pool down server for a short period of time, especially if Sticky connections is turned on. Because of this, if the Pool down server is serving the same content as the pool server(s), it is important that it shares content/sessions with the pool server(s) just as multiple pool servers would.
Lack of NAT Reflection
pfSense 1.2 implements server load balancing entirely in pf using NAT. It does not, however, automatically add NAT reflection rules even when NAT reflection is enabled in the Advanced section. (That parameter applies only to Port Forward NAT rules.) This means that you will not be able to connect to your virtual server from the same network on which your real servers reside.
You can, however, add the reflection rules manually in the "Outbound" NAT section. For more details on why you cannot connect internally and what rules need to be added manually, see the "Redirection and Reflection" section of the pf manual.
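To make the two points above concrete, here is an added pf.conf fragment written for this page; it is not the ruleset pfSense 1.2 generates and not taken from the pf manual verbatim. It shows, first, the kind of round-robin rdr rule that inbound load balancing is built on, and second, the reflection rules (a LAN-side rdr plus a nat rule) that the pf manual's "Redirection and Reflection" section describes and that pfSense 1.2 does not add for virtual servers. The interface names, the LAN network, the virtual server address and the pool members are assumed values chosen for illustration; the pre-OpenBSD-4.7 rdr/nat syntax shown is the one pfSense 1.2's pf understands.

```pf
# Added example, not pfSense's generated rules. All names and addresses
# below are assumptions for illustration.
ext_if  = "em0"               # WAN interface (assumed)
int_if  = "em1"               # LAN interface (assumed)
int_net = "192.168.1.0/24"    # LAN network (assumed)
vip     = "203.0.113.10"      # virtual server address on the WAN (assumed)
# Pool members; all must listen on the same port (8080 here, assumed)
web_servers = "{ 192.168.1.11, 192.168.1.12 }"

# Inbound load balancing from the WAN: clients connect to port 80 on the
# virtual server address, connections are spread round-robin over the pool
# and redirected to the pool port (the two ports may differ, as noted above).
# sticky-address keeps a client's source address on the same pool member
# for as long as that client has states, i.e. the "Sticky connections" option.
rdr on $ext_if proto tcp from any to $vip port 80 \
    -> $web_servers port 8080 round-robin sticky-address

# Reflection for LAN clients: the part pfSense 1.2 does not add automatically.
# 1. Redirect LAN clients that connect to the virtual server address into
#    the same pool (in the GUI this is a port forward on the LAN interface).
rdr on $int_if proto tcp from $int_net to $vip port 80 \
    -> $web_servers port 8080 round-robin sticky-address

# 2. Source-NAT those redirected connections to the firewall's LAN address so
#    the pool member answers the firewall rather than the client directly;
#    a direct reply would not match the rdr state and the client would reset
#    the connection. This is the rule that belongs in the Outbound NAT section.
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to $web_servers port 8080 -> $int_if

# rdr translates before filtering, so filter rules match the translated
# destination: the pool members on the pool port.
pass in on $ext_if proto tcp from any to $web_servers port 8080 flags S/SA keep state
pass in on $int_if proto tcp from $int_net to $web_servers port 8080 flags S/SA keep state
```

Without the second rdr, a LAN client connecting to the virtual server address is never redirected, which is the "cannot connect from the same network" symptom described above; without the nat rule the redirect happens but the pool member's reply goes straight back to the client on the LAN, bypassing the firewall's state, so the connection fails. Health checking of the pool members is not expressed in pf itself; it is done by the load balancer daemon, which rewrites the pool when it detects a member down.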
