HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


3zzz 23rd November 2011 03:02

PFsense load balancing how?
I would like to try PFsense for load balancing web servers, but I spent all day trying to set up a test bed on my LAN and haven't been able to get it to work.

I tried setting up a new pfsense box and then setting up the virtual according to the above "how-to". For testing, I would like to set this all up on the LAN. When I do that, the virtual address is never ping-able and I can't connect to the virtual server or failover, even though the status says it is up.

So I tried creating a second private network 192.168.2.X and using that as the WAN, and doing that, I was able to ping the virtual ip, but it still would not serve from the web servers no matter what.

Is it possible to set up PFsense load balancing for testing all within a single (LAN) subnet, and if so how?

3zzz 23rd November 2011 23:52


Originally Posted by 3zzz (Post 268099)
Is it possible to set up PFsense load balancing for testing all within a single (LAN) subnet, and if so how?

I have the basic test bed working now and wanted to document my progress;
incidentally this is all inside a single ESXi5 VM Host.
My LAN (the real LAN, not the PFSense test bed LAN) is with the gateway

Pfsense: WAN IP
Pfsense: WAN GW: None (this was key!)
Pfsense: LAN IP
Pfsense: Load Balancer Virtual IP:

Pool Server1: IP
Pool Server1: GW
Pool Server2: IP
Pool Server2: GW

Now when I access from my desktop's browser to I see the web content served from the pool servers!

1) The LoadBalancer Virtual server IP matches the PFSense WAN IP.
2) The pool servers use PFSense LAN IP as their Gateway.
3) With the PFSense WAN GW set to the actual LAN GW of, the Pool servers then have access to the internet, but in my Desktop Web Browser I can't access the Virtual Server IP until I set PFSense WAN GW to none.
4) If a 192.168.1.X address is added to the pool servers for local accessibility, the Virtual Host stops working.
5) The DNS for the hostname must point to the Virtual Server ip (at least in the case of my websites)
6) If using a non-standard port, it needs to be the same on both the pool and virtual servers (at least in the case of my websites)

neofire 28th November 2011 02:21

Hey 3zzz

Sorry, I have been away on business and have not been able to check up on posts/forums etc. I am glad to see you got your test bed working. If you have any other questions, feel free to message me and I will attempt to get back to you ASAP.

3zzz 24th May 2012 20:59

trouble with WAN config
hi neofire -
I finally tried to implement my cluster in a live environment yesterday but couldn't get the WAN configured correctly. No matter what, I was not able to ping the gateway from PFSense.

We have a block of static IP addresses and the gateway is within that block but on the ISP's router.

One issue I had was having two gateways with the exact same name. When I'd set the gateway on the assign interfaces page, I chose the gw with the provider's IP address. But on the status interface page, I saw it was using the gateway with the same name but a LAN IP address. Finding the "edit gateways" page seems to be a matter of luck; eventually I deleted the wrong gateway. But even after that I was still not able to ping the gateway trying various configurations, despite the ISP seeing our side connected (but not passing traffic).

How should PFSense be configured when you have a CIDR block and the gateway falls within the block but is on the ISP's router?
e.g., if our netblock is
gw =
assigned ips =


neofire 25th May 2012 02:31

Hey 3zzz

To be honest, I have not done much with CIDR,

but from what I have been reading it's supposed to be simple to implement pfsense when CIDR is involved.

Can you show me what firewall rules you have on the WAN interface please?

3zzz 25th May 2012 20:41

thanks neofire!
I have a whole bunch of rules, tried configuring everything before I plugged in - maybe that was my mistake. Should I post the XML for them?
The only rules that are blocking things are "RFC 1918 networks" and a list of "banned" ip addresses that gave us trouble in the past. Everything else is set to allow / forward to various internal addresses.
I'm planning to give it another shot, probably on Monday with a minimally configured PFSense and see if I can't at least get online and ping the gateway.

neofire 28th May 2012 07:06

If you could post or send me a copy, that would be great. From what I have been reading, it could most likely be an issue with firewall rules.

3zzz 29th May 2012 19:57


Originally Posted by neofire (Post 279789)
If you could post or send me a copy, that would be great. From what I have been reading, it could most likely be an issue with firewall rules.

Hi Neofire, I sent you a pm but had to truncate 13000 chars to 5000. Should I email you the whole thing? I think I see some problems in here! thanks, :)

3zzz 30th May 2012 19:45

hey neofire,

I was thinking about it. The gateway is within the CIDR block but hosted on the ISP's side. I think this is the problem. Once I tell pfsense that we have a /28, it won't route out to an ip within that block.

If so, I should tell pfsense that we have a single ip address /32 with the gateway being another /32 nearby. Then I can add the additional individual addresses that should be on our side as virtual ip addresses.

Does this make sense?
Another possible cause could be that I had all the ip addresses set up as virtual addresses, when they were also configured as the static CIDR addresses...

Either way I'm thinking to try it with a clean install / minimal config and get online first, then add all my rules.

thanks for your help!
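The post above proposes giving the WAN interface a single /32, pointing it at the ISP gateway as another /32, and carrying the rest of the block as virtual IPs. The following script is an added example (not from the thread or from pfSense) that lays out that plan from a netblock, gateway and WAN address and rejects inconsistent input; the 203.0.113.16/28 block and its addresses are constructed RFC 5737 documentation values, since the thread's real addresses are elided.

```python
"""Lay out a pfSense WAN plan for a small static block whose gateway sits
inside the block on the ISP's router.  Added example; all addresses below
are constructed documentation-range values, not the thread's real ones.
"""
import ipaddress


def plan_wan(netblock: str, gateway: str, wan_ip: str) -> dict:
    """Return the /32 WAN interface address, the /32 gateway and the
    remaining addresses of the block to configure as virtual IPs.

    Raises ValueError when the gateway or WAN address is outside the
    block, when they coincide, or when either is the network or
    broadcast address (neither is usable as a host).
    """
    net = ipaddress.ip_network(netblock, strict=True)
    gw = ipaddress.ip_address(gateway)
    wan = ipaddress.ip_address(wan_ip)

    if gw not in net:
        raise ValueError(f"gateway {gw} is outside {net}")
    if wan not in net:
        raise ValueError(f"WAN address {wan} is outside {net}")
    if wan == gw:
        raise ValueError("WAN address must differ from the gateway")
    unusable = {net.network_address, net.broadcast_address}
    if wan in unusable or gw in unusable:
        raise ValueError("network/broadcast address used as a host")

    # hosts() already excludes network and broadcast; drop the gateway
    # (ISP side) and the WAN address (interface) to get the VIP candidates.
    vips = [str(h) for h in net.hosts() if h not in (gw, wan)]
    return {
        "wan_interface": f"{wan}/32",
        "gateway": f"{gw}/32",
        "virtual_ips": vips,
    }


if __name__ == "__main__":
    # Constructed sample: a /28 whose first usable address is the ISP gateway.
    plan = plan_wan("203.0.113.16/28", "203.0.113.17", "203.0.113.18")
    print("WAN:", plan["wan_interface"], "-> gateway", plan["gateway"])
    print("virtual IPs:", ", ".join(plan["virtual_ips"]))
```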

neofire 5th June 2012 16:38

Did you have any luck with a fresh install?
