Web Server Load Balancing Example Configuration

This section shows how to configure the Load Balancer from start to finish for a load balanced environment with two web servers.

Example network environment


Server Load Balancing Example Network

Figure Server Load Balancing Example Network shows the example environment configured in this section. It consists of a single firewall, using its WAN IP address for the pool, with two web servers on a DMZ segment.

Configuring pool

To configure the pool:

  • Navigate to Services > Load Balancer

  • Click the Pools tab

  • Click Add to create a new pool

  • Configure the pool as shown in Figure Pool Configuration, which uses the following settings:




    Load Balance


    Web server Pool





    Pool Members

    Add both web servers ( and using an HTTP Monitor

  • Click Save


Pool Configuration

Configuring virtual server


Virtual Server Configuration

  • Click the Virtual Servers tab

  • Click Add to add a new virtual server

  • Configure the Virtual Server as shown in Figure Virtual Server Configuration, which uses the following settings:




    Web Server

    IP Address

    The firewall’s WAN IP address,



    Virtual Server Pool


    Fall Back Pool


  • Click Submit

  • Click Apply Changes


In this example, if both of the pool servers are down, the Virtual Server is inaccessible. The firewall will act as if no Virtual Server is configured. If something on the firewall is bound to port 80, clients will reach that instead. This includes the built-in Web GUI redirect for port 80, so that should be disabled under System > Advanced on the Admin Access tab.

Configuring firewall rules

Firewall rules must be configured to allow access to the servers in the pool. The rules must allow traffic to the internal IP addresses and port being used; no rules are necessary for the outside IP address and port used in the virtual server configuration.

Create an alias containing all the servers in the pool, so access can be allowed with a single firewall rule.

  • Navigate to Firewall > Aliases

  • Click Add to add an alias.

  • Use the following settings:






    The IP addresses of both web servers: and

  • Click Save

  • Click Apply Changes

Figure Alias for Web Servers shows the alias used for this example configuration, containing the two web servers.


Alias for Web Servers

Next, create a firewall rule using that alias:

  • Navigate to Firewall > Rules

  • Change to the tab for the interface where connections will enter (e.g. WAN)

  • Click Add to start a new rule at the top of the list

  • Use the following settings:







Destination Type

Single Host or Alias

Destination Address


Destination Port Range



Allow to Web Server

  • Click Save

  • Click Apply Changes

Figure Adding Firewall Rule for Web Servers shows a snippet of the firewall rule added for this configuration. The options not shown are left at their defaults.


Adding Firewall Rule for Web Servers

Figure Firewall Rule for Web Servers shows the rule as it appears in the list.


Firewall Rule for Web Servers

Viewing load balancer status

Now that the load balancer is configured, to view its status, browse to Status > Load Balancer and click the Virtual Servers tab. This page displays the status of the server as a whole, typically listed as either Active or Down.

The Pools tab shows an individual status for each member of a Pool (as shown in Figure Pool Status). The row for a server is green if it is online, and red if the server is offline.

Additionally, each server in the pool has a checkbox next to it. Servers that are checked are active in the pool, and unchecked servers are disabled in the pool, the same as moving them between the enabled and disabled list on the pool editing page. To disable a server: Uncheck it, then click Save.


Pool Status

If the web server service is stopped on one of the servers, or, when using ICMP monitors, if the server is removed from the network entirely, the status updates to Offline and the server is removed from the pool.

Verifying load balancing

To verify load balancing, curl is the best option to ensure the web browser cache and persistent connections do not affect the results of testing. curl is available for every OS imaginable and can be downloaded from the curl website. To use it, simply run:

curl http://mysite

In that command, replace mysite with either the IP address or hostname of the site. This must be tested from outside the network (e.g. from a remote network or client on WAN). The following illustrates an example of testing with curl from the WAN side:

# curl
This is server www2 -
# curl
This is server www1 -

When initially testing load balancing, configure each server to return a page specifying its hostname, IP address, or both, so it is obvious which server is responding to the request. If sticky connections are not enabled, a different server will respond to each request.
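
The script below is an added example, not part of the original documentation. It repeats the curl test and tallies which pool member answered, counting any response that comes from neither web server (for instance another service bound to port 80 on the firewall) as unknown. It assumes each server's test page contains "This is server <hostname>"; LB_URL, LB_COUNT and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes each web server's test page contains the text
# "This is server <hostname>"; LB_URL and LB_COUNT are hypothetical names.

# Fetch URL $1 $2 times. Each curl run is a new process, so every request
# uses a fresh connection and no browser cache is involved.
probe() {
    i=0
    while [ "$i" -lt "$2" ]; do
        curl -s --max-time 5 "$1" | tr '\n' ' '
        echo
        i=$((i + 1))
    done
}

# stdin: one response body per line. stdout: "<count> <backend>" lines.
# A body without the expected text is counted as "unknown", which is what
# appears when something other than a pool member answers on port 80.
tally_backends() {
    awk '{
        name = "unknown"
        if (match($0, /This is server [A-Za-z0-9_.-]+/))
            name = substr($0, RSTART + 15, RLENGTH - 15)
        count[name]++
    }
    END { for (n in count) print count[n], n }' | sort -k2
}

# stdin: tally_backends output. Succeeds only when at least $1 distinct
# pool members answered and no response was "unknown".
balanced() {
    awk -v want="$1" '
        $2 == "unknown" { bad = 1; next }
        { seen++ }
        END { exit !(seen >= want + 0 && !bad) }'
}

# Probe a real site only when LB_URL is set (run from outside the network).
if [ -n "${LB_URL:-}" ]; then
    result=$(probe "$LB_URL" "${LB_COUNT:-10}" | tally_backends)
    printf '%s\n' "$result"
    printf '%s\n' "$result" | balanced 2 || echo "WARNING: not balanced across both servers"
else
    # Constructed sample bodies, used when LB_URL is unset.
    printf '%s\n' 'This is server www2' 'This is server www1' | tally_backends
fi
```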