HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

3zzz 17th November 2011 01:31

Question about PFSense Load Balancer
 
Greetings all,

I have read the "HowTo" here and I am interested in trying this for a new production network:
http://www.howtoforge.com/how-to-use...ur-web-servers

I noticed the author writes "if this is your edge firewall I would recommend a physical machine"

Is this so that PFsense will have dedicated CPU resources to handle the load balancing? Are there other considerations?

I had been considering putting everything onto VMWare ESXi hosts including a PFSense cluster, based on the 2 tutorials here http://doc.pfsense.org/index.php/Tutorials

1) Installing pfSense in VMware
&
2) "Building a fully redundant Cluster with 2 pfSense-systems between WAN/LAN with CARP & pfsync / pfSense CARP & pfsync failover-simulation"

But maybe I'll need to run separate hardware for the PFSense cluster?
Will be trying some experiments over the next week or 2 to see if I can figure this out... appreciate any advice, TVMIA

3zzz 17th November 2011 19:13

Quote:

Originally Posted by 3zzz (Post 267688)
Are there other considerations?

Well I realized security is also a consideration. If the physical box is hooked to the WAN, we'll need to make sure there are no open ports other than to PFSense. But assuming we use NAT to all the other VMs, how much of a concern is this really?

mmidgett 17th November 2011 19:28

I think the thinking behind this is not to put all your eggs in one basket. Depending on your network load and the power of your CPU, it is definitely doable. Just think: if your ESXi server dies, so does all your network, but if this is used in a colocation rack and you're trying to save space, then for a temp solution I don't think that you have a problem. Also, most pfSense servers need not be more than 1 GHz. If you're not running lots of VPN connections, then 500 MHz will do.

3zzz 17th November 2011 19:45

Thanks mmidgett!

Quote:

Originally Posted by mmidgett (Post 267755)
Just think: if your ESXi server dies, so does all your network

Well I was thinking to have 2 identical physical esxi servers, on each would be PFsense and synched copies of all the VMs (or perhaps shared storage?)

I will set up VMs from each in a pool so that if primary fails and secondary takes over, half the pool will still be there to serve clients.

Quote:

Originally Posted by mmidgett (Post 267755)
but if this is used in a colocation rack and you're trying to save space, then for a temp solution I don't think that you have a problem.

More of a long-term permanent solution if I get it to work as I'm thinking...

Quote:

Originally Posted by mmidgett (Post 267755)
Also, most pfSense servers need not be more than 1 GHz. If you're not running lots of VPN connections, then 500 MHz will do.

That's great - I don't plan on much vpn at all, but hope to push 100mbps+ from the setup.

neofire 28th November 2011 02:36

Hey 3zzz

The reason I suggested a physical machine if pfSense is going to be the edge firewall (and mmidgett nailed one of the reasons) is purely from a disaster recovery point of view (the all-eggs-in-one-basket situation), and the other reason is security and expandability. I have seen one situation where a client had a VM firewall on the same host as his production VMs (his firewall was set up quite poorly), and someone managed to hack and gain access to his VMware ESXi console and cause considerable damage to his environment.

In regards to expandability, if you want to build a DMZ, for example, I personally like other hardware to control this and not have my ESXi touching the DMZ at all.

If you have any more questions or concerns, feel free to ask.

3zzz 28th November 2011 20:55

Quote:

Originally Posted by neofire (Post 268416)
Hey 3zzz

The reason I suggested a physical machine if pfSense is going to be the edge firewall (and mmidgett nailed one of the reasons) is purely from a disaster recovery point of view (the all-eggs-in-one-basket situation), and the other reason is security and expandability. I have seen one situation where a client had a VM firewall on the same host as his production VMs (his firewall was set up quite poorly), and someone managed to hack and gain access to his VMware ESXi console and cause considerable damage to his environment.

If you have any more questions or concerns, feel free to ask.

Thanks neofire!!
I think I will have 2 identical machines for redundancy; seems for my purposes it'll be cheaper than shared storage.
For security I will limit access to ESXi to the local network only, and use pfsense to block LAN addresses from spoofing over the WAN so I would hope ESXi is not accessible to hackers unless they first gain access to a LAN machine.

Well thanks for your advice, I'll let you know how it goes!
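
Added example (not part of the thread or any poster's configuration): the ingress filtering described in the post above, written as plain pf rules of the kind pfSense generates from its GUI settings. Interface names, the LAN subnet and the ESXi management address are assumptions chosen for illustration.

```pf
# Added example; all names and addresses below are assumed values.
wan_if    = "em0"               # assumed WAN interface
lan_if    = "em1"               # assumed LAN interface
lan_net   = "192.168.10.0/24"   # assumed LAN subnet
esxi_mgmt = "192.168.10.5"      # assumed ESXi management address

# Private and loopback ranges that should never be a source address on a
# public WAN link. Do not use this table if the WAN itself sits behind
# another NAT device and legitimately carries private addresses.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }

# Default deny for anything inbound that no later rule passes.
block in log all

# Drop WAN packets that claim a private source address; this covers
# packets spoofing $lan_net, which lies inside <private>.
block in log quick on $wan_if from <private> to any

# Drop packets carrying a LAN source address that arrive on any
# interface other than the LAN interface.
antispoof log quick for $lan_if

# Nothing arriving on the WAN may reach the ESXi management address.
# pf filters after translation, so this still matches if a port forward
# to the management address is created by mistake.
block in log quick on $wan_if from any to $esxi_mgmt

# LAN clients may initiate outbound connections.
pass in on $lan_if from $lan_net to any keep state
```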

neofire 29th November 2011 00:52

Sounds like you got it all sorted. Hope it works out, and it would be good to hear how you go.

I am posting a failover HowTo this week (I have a bit of catch up to do) and hopefully a few more will go up with different pfSense configurations.

3zzz 29th November 2011 19:46

Well, tbh I am struggling to figure out what kind of storage I will need for my VM hosts in production. I figure we'll have about 6-8 VMs running on each.

Will I notice performance issues or would we get by just fine with onboard SATA drives?
Or will we have to spend more for
onboard SAS drives
onboard RAID (w SATA or SAS drives)
external SAN (3ware raids with SATA drives)
or something more?

From reading it sounds like you really have to test it and see... I can imagine my boss won't like shelling out all that cash for a vmhost server if we then test it and see that performance is poor and we need to spend another $5K+ for SAN... I'm thinking to go with a couple onboard SAS drives for the heavy access servers and SATA for the lighter ones, and see how it goes...
thanks for any suggestions!
3

neofire 30th November 2011 06:02

It all depends on your virtual requirements: how many VMs will you run, what applications do you want to virtualize, how many virtual hosts you need to run, etc.

Can I ask what you're intending to build? I might be able to recommend some things.

3zzz 30th November 2011 06:19

Quote:

Originally Posted by neofire (Post 268563)
Can I ask what you're intending to build? I might be able to recommend some things.

Thanks neofire!

We have an existing system with a web server that is almost constantly overloaded; it's a quad core. It's not very redundant. We also have a couple of other servers that don't do much. So I want to put those inside the ESXi host, and turn the web server into 2 or 3 VM web servers load balanced with PFSense. With 12 cores on the VM host, hopefully this will perform better than the current web server.

Then if all goes according to plan, add a second identical VMhost with all identical VMs and set it up with the PFSense failover setup.

By doing all this I hope we will
a) improve the performance of the site by spreading the load over several VMs
b) have a redundant system so there will be no downtime due to hardware failures
c) free up valuable rack space by going from 3 towers to 2 1Us
d) move our systems towards VM for backups, clones and hardware independence


All times are GMT +2.