Web Server Load Balancing Example Configuration
This section shows how to configure the Load Balancer from start to finish for a load balanced environment with two web servers.
Example network environment
Figure Server Load Balancing Example Network shows the example environment configured in this section. It consists of a single firewall, using its WAN IP address for the pool, with two web servers on a DMZ segment.
To configure the pool:
Navigate to Services > Load Balancer
Click the Pools tab
Click Add to create a new pool
Configure the pool as shown in Figure Pool Configuration, which uses the following settings:
Web server Pool
- Pool Members
Add both web servers (
10.6.0.12) using an HTTP Monitor
Configuring virtual server
Click the Virtual Servers tab
Click Add to add a new virtual server
Configure the Virtual Server as shown in Figure Virtual Server Configuration, which uses the following settings:
- IP Address
The firewall’s WAN IP address,
- Virtual Server Pool
- Fall Back Pool
Click Apply Changes
In this example, if both of the pool servers are down, the Virtual Server is inaccessible. The firewall will act as if no Virtual Server is configured. If something on the firewall is bound to port 80, clients will reach that instead. This includes the built-in Web GUI redirect for port 80, so that should be disabled under System > Advanced on the Admin Access tab.
Configuring firewall rules
Firewall rules must be configured to allow access to the servers in the pool. The rules must allow the traffic to the internal IP addresses and port being used, and no rules are necessary for the outside IP Address and Port used in the virtual server configuration.
Create an alias containing all the servers in the pool, so access can be allowed with a single firewall rule.
Navigate to Firewall > Aliases
Click Add to add an alias.
Use the following settings:
The IP addresses of both web servers:
Click Apply Changes
Figure Alias for Web Servers shows the alias used for this example configuration, containing the two web servers.
Next, create a firewall rule using that alias:
Navigate to Firewall > Rules
Change to the tab for the interface where connections will enter (e.g. WAN)
Click Add to start a new rule at the top of the list
Use the following settings:
- Destination Type
Single Host or Alias
- Destination Address
- Destination Port Range
Allow to Web Server
Click Apply Changes
Figure Adding Firewall Rule for Web Servers shows a snippet of the firewall rule added for this configuration. The options not shown are left at their defaults.
Figure Firewall Rule for Web Servers shows the rule as it appears in the list.
Viewing load balancer status
Now that the load balancer is configured, to view its status, browse to Status > Load Balancer and click the Virtual Servers tab. This page displays the status of the server as a whole, typically listed as either Active or Down.
The Pools tab shows an individual status for each member of a Pool (as shown in Figure Pool Status). The row for a server is green if it is online, and red if the server is offline.
Additionally, each server in the pool has a checkbox next to it. Servers that are checked are active in the pool, and unchecked servers are disabled in the pool, the same as moving them between the enabled and disabled list on the pool editing page. To disable a server: Uncheck it, then click Save.
If the web server service is stopped on one of the servers, or, when using ICMP monitors, if the server is removed from the network entirely, the status updates to Offline and the server is removed from the pool.
Verifying load balancing
To verify load balancing, curl is the best option to ensure the web browser cache and persistent connections do not affect the results of testing. curl is available for every OS imaginable and can be downloaded from the curl website. To use it, simply run:
In that command, replace 198.51.100.6 with either the IP address or hostname of the site. This must be tested from outside the network (e.g. from a remote network or client on WAN). The following illustrates an example of testing with curl from the WAN side:
    # curl http://198.51.100.6
    This is server www2 - 10.6.0.12
    # curl http://198.51.100.6
    This is server www1 - 10.6.0.11
When initially testing load balancing, configure each server to return a page specifying its hostname, IP address, or both, so it is obvious which server is responding to the request. If sticky connections are not enabled, a different server will respond to each request.
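The verification described in this section, scripted as an added example that is not part of the pfSense documentation: it tallies which pool member answers repeated curl requests and flags any reply that does not come from a pool member, which is what a client receives when something else on the firewall is bound to port 80. The hostnames www1 and www2 and the response format are assumptions taken from the sample output above, and the sample responses in the script are constructed.

```shell
#!/bin/sh
# Added example, not from the pfSense documentation.
VIP="${VIP:-198.51.100.6}"          # virtual server address used on this page
EXPECTED="${EXPECTED:-www1 www2}"   # assumed hostnames, taken from the sample output

# Constructed sample: pool members answering, then a reply that is not from the
# pool (what a client sees if something else on the firewall owns port 80).
SAMPLE='This is server www2 - 10.6.0.12
This is server www1 - 10.6.0.11
This is server www2 - 10.6.0.12
<html>constructed page that is not served by a pool member</html>'

# One curl process per request, so no connection reuse or browser cache is involved.
# Prints the first line of each response body; a failed request prints an empty line.
probe() {
    i=0
    while [ "$i" -lt "$1" ]; do
        body=$(curl -s --max-time 5 "http://$VIP/" | head -n 1) || true
        printf '%s\n' "$body"
        i=$((i + 1))
    done
}

# Count responses per expected backend; anything else (including an empty line
# from a failed request) is counted as UNEXPECTED.
tally() {
    awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        /^This is server / && ($4 in ok) { count[$4]++; next }
        { count["UNEXPECTED"]++ }
        END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Reads tally output. Exit status: 0 every member answered, 1 a member never
# answered (down, disabled, or sticky connections), 2 a non-pool reply was seen.
verdict() {
    result=$(cat); status=0
    for name in $EXPECTED; do
        printf '%s\n' "$result" | grep -q "^$name " || status=1
    done
    if printf '%s\n' "$result" | grep -q '^UNEXPECTED '; then status=2; fi
    return "$status"
}

# Live use from a WAN-side client: sh thisfile live. Otherwise tally the sample.
if [ "${1:-}" = "live" ]; then probe 10 | tally | verdict
else printf '%s\n' "$SAMPLE" | tally; fi
```

An exit status of 2 from a live run is the case to investigate first: check the Web GUI redirect setting under System > Advanced on the Admin Access tab and the pool status page.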