
Virtual Servers

To configure a Virtual Server to handle client connections:

  • Navigate to Services > Load Balancer

  • Click the Virtual Servers tab

  • Click Add to add a new Virtual Server

  • Configure the Virtual Server options as explained below:


    Name

    A name for the Virtual Server. This is for reference, but must also adhere to the same limits as an alias or interface name: letters and numbers only, with an underscore as the only allowed separator. No spaces or slashes.


    Description

    An optional longer description for the Virtual Server. This is for reference purposes only, and does not have any formatting limits.

    IP Address

    This is where IP addresses are entered for use by the Virtual Server. This is usually the WAN IP address or a Virtual IP address on WAN. It must be a static IP address. A CARP VIP may also be used for a high availability setup. For more information on high availability and CARP VIPs, refer to High Availability. An IP Alias VIP may be used, or a Proxy ARP VIP (TCP mode only). Furthermore, an Alias may also be used here to specify multiple IP addresses upon which this Virtual Server may accept connections.


    In TCP mode, the IP addresses specified here are not bound at the OS level, meaning that relayd as a daemon is not bound and listening on these ports directly.


    Port

    This is the port upon which the Virtual Server will accept connections. It can be different from the port used by the pool servers internally. An alias can be used to define multiple ports; however, the same port alias must be used here and in the Pool configuration.

    Virtual Server Pool

    This is where the previously configured pool is selected. The connections to the IP Address and Port defined on this screen will be directed to the IP addresses and ports configured in the pool.

    Fall Back Pool

    This is the alternate pool that clients are directed to if all the servers in the primary pool are down. If there is no alternate server, leave this set to None, though the result will be inaccessibility if all the servers in the pool are down. If nothing else, to avoid having the server be down entirely, set up a simple web server to return a basic maintenance page for any request and use it as the fall back pool.

    Relay Protocol

    The Relay Protocol can be either TCP or DNS, depending on what this relay will be doing.

    • In TCP mode, relayd acts like an enhanced port forward, directing connections as though they were hitting a traditional NAT rule. It does not act as a proxy, so servers will see the original source IP address of the client.

    • In DNS mode, relayd acts as a DNS proxy. It will balance the load over multiple DNS servers, but the original client IP address is lost. Pool servers will see the firewall as the source of the DNS query. Keep this in mind when setting up views or source-based query restrictions on DNS servers involved in load balancing.

  • Click Submit

  • Click Apply Changes


If all Virtual Server Pool members and Fall Back Pool members are down, relayd will act as though the Load Balancer is not handling connections for the Virtual Server IP address and port. If the IP address and port used are also used by another service or NAT rule, that service or rule could be accidentally exposed to clients.
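
One way to check for the overlap described above before it matters, as an added example that is not part of the pfSense documentation or software. The `Listener` record, the inventory names and the addresses are assumptions constructed for illustration; the inventory would be filled in by hand from the Virtual Server, NAT and service settings. Protocol (TCP/UDP) is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Listener:
    # Hypothetical inventory record, not a pfSense data structure.
    name: str
    kind: str              # "virtual_server", "nat_rule" or "service"
    addresses: frozenset   # IP strings; "any" means every firewall address
    ports: tuple           # inclusive (low, high) port ranges

def shared_addresses(a, b):
    """Addresses on which both listeners would accept a connection."""
    if "any" in a.addresses:
        return set(b.addresses)
    if "any" in b.addresses:
        return set(a.addresses)
    parse = lambda addrs: {ip_address(x) for x in addrs}  # normalizes IPv6 spelling
    return {str(x) for x in parse(a.addresses) & parse(b.addresses)}

def shared_ports(a, b):
    """Inclusive port ranges covered by both listeners."""
    pairs = ((max(l1, l2), min(h1, h2)) for l1, h1 in a.ports for l2, h2 in b.ports)
    return sorted(p for p in pairs if p[0] <= p[1])

def exposure_findings(listeners):
    """Report what would answer instead if a Virtual Server's pools all went down."""
    findings = []
    for vs in (l for l in listeners if l.kind == "virtual_server"):
        for other in (l for l in listeners if l.kind != "virtual_server"):
            addrs, ports = shared_addresses(vs, other), shared_ports(vs, other)
            if addrs and ports:
                findings.append((vs.name, other.name, sorted(addrs), ports))
    return findings

# Constructed sample inventory (documentation address range, invented names).
SAMPLE = [
    Listener("www_vs", "virtual_server",
             frozenset({"198.51.100.10", "198.51.100.11"}), ((80, 80), (443, 443))),
    Listener("dns_vs", "virtual_server", frozenset({"198.51.100.20"}), ((53, 53),)),
    Listener("admin_gui", "service", frozenset({"any"}), ((443, 443),)),
    Listener("legacy_forward", "nat_rule", frozenset({"198.51.100.11"}), ((8000, 8100),)),
    Listener("old_web_forward", "nat_rule", frozenset({"198.51.100.10"}), ((80, 80),)),
]

if __name__ == "__main__":
    for vs, other, addrs, ports in exposure_findings(SAMPLE):
        print(f"{vs}: {other} also matches {addrs} on ports {ports}")
```

Each finding names a service or rule to move to a different address or port, or to restrict with firewall rules, so that a full pool outage does not hand its traffic to something else.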