To configure a Virtual Server to handle client connections:
Navigate to Services > Load Balancer
Click the Virtual Servers tab
Click Add to add a new Virtual Server
Configure the Virtual Server options as explained below:
- Name
A name for the Virtual Server. This is for reference, but must also adhere to the same limits as an alias or interface name. Letters and numbers only, the only allowed separator is an underscore. No spaces or slashes.
- Description
An optional longer description for the Virtual Server. This is for reference purposes only, and does not have any formatting limits.
- IP Address
This is where IP addresses are entered for use by the Virtual Server. This is usually the WAN IP address or a Virtual IP address on WAN. It must be a static IP address. A CARP VIP may also be used for a high availability setup. For more information on high availability and CARP VIPs, refer to High Availability. An IP Alias VIP may be used, or a Proxy ARP VIP (TCP mode only). Furthermore, an Alias may also be used here to specify multiple IP addresses upon which this Virtual Server may accept connections.
In TCP mode, the IP addresses specified here are not bound at the OS level, meaning that relayd as a daemon is not bound and listening on these ports directly.
- Port
This is the port upon which the Virtual Server will accept connections. It can be different from the port used by the pool servers internally. An alias can be used to define multiple ports; however, if an alias is used, the same port alias must be used here and in the Pool configuration.
- Virtual Server Pool
This is where the previously configured pool is selected. The connections to the IP Address and Port defined on this screen will be directed to the IP addresses and ports configured in the pool.
- Fall Back Pool
This is the alternate pool that clients are directed to if all the servers in the primary pool are down. If there is no alternate server, leave this set to None, though the result will be that the service is inaccessible if all the servers in the pool are down. If nothing else, to avoid having the service be down entirely, set up a simple web server that returns a basic maintenance page for any request and use it as the fall back pool.
- Relay Protocol
The Relay Protocol can be either TCP or DNS, depending on what this relay will be doing.
In TCP mode, relayd acts like an enhanced port forward, directing connections as though they were hitting a traditional NAT rule. Servers will see the original source IP address of the client; it does not act as a proxy.
In DNS mode, relayd acts as a DNS proxy. It will balance the load over multiple DNS servers, but the original client IP address is lost. Pool servers will see the firewall as the source of the DNS query. Keep this in mind when setting up views or source-based query restrictions on DNS servers involved in load balancing.
Click Apply Changes
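As an added illustration (not a file produced by pfSense or taken from this page), the following hand-written relayd.conf fragment expresses the same Virtual Server settings in relayd's own syntax: a TCP-mode redirect on a WAN address with a primary pool and a fall back pool. The addresses, ports, and table names are constructed assumptions; the layout pfSense generates may differ, but the mapping of options is the same.

```conf
# Constructed example: pool members and a single fall back host
# (documentation addresses, not real servers)
table <webpool>  { 10.0.0.11 10.0.0.12 }
table <fallback> { 10.0.0.20 }

# TCP mode Virtual Server: the "IP Address" and "Port" fields become
# "listen on"; connections are redirected like an enhanced port forward,
# so pool members see the client's real source address.
redirect "www_vs" {
    # Virtual Server IP Address (a static WAN address or VIP) and Port
    listen on 203.0.113.10 port 80

    # Virtual Server Pool: members may use a different internal port.
    # Health check decides which members are considered up.
    forward to <webpool> port 8080 check http "/" code 200

    # Fall Back Pool: the second forward table is used only when every
    # host in the first table is down. Omitting it means the Virtual
    # Server simply stops answering when the pool is empty.
    forward to <fallback> port 80 check icmp
}
```

Note that with both tables down relayd stops handling the address and port entirely, which is the situation the warning following this procedure describes.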
If all Virtual Server Pool members and Fall Back Pool members are down, relayd will act as though the Load Balancer is not handling connections for the Virtual Server IP address and port. If the IP address and port used are also used by another service or NAT rule, that service could be accidentally exposed to clients.