Question about PFSense Load Balancer

#1 3zzz, 17th November 2011, 00:31

Greetings all,

I have read the "HowTo" here and I am interested in trying this for a new production network:
http://www.howtoforge.com/how-to-use...ur-web-servers

I noticed the author writes "if this is your edge firewall I would recommend a physical machine"

Is this so that PFsense will have dedicated CPU resources to handle the load balancing? Are there other considerations?

I had been considering putting everything onto VMWare ESXi hosts including a PFSense cluster, based on the 2 tutorials here http://doc.pfsense.org/index.php/Tutorials

1) Installing pfSense in VMware
&
2) "Building a fully redundant Cluster with 2 pfSense-systems between WAN/LAN with CARP & pfsync / pfSense CARP & pfsync failover-simulation"

But maybe I'll need to run separate hardware for the PFSense cluster?
Will be trying some experiments over the next week or 2 to see if I can figure this out... appreciate any advice, TVMIA

#2 3zzz, 17th November 2011, 18:13

Quote (originally posted by 3zzz):
> Are there other considerations?

Well I realized security is also a consideration. If the physical box is hooked to the WAN, we'll need to make sure there are no open ports other than to PFSense. But assuming we use NAT to all the other VMs, how much of a concern is this really?

#3 mmidgett, 17th November 2011, 18:28

I think the thinking behind this is not to put all your eggs in one basket. Depending on your network load and the power of your cpu it is definitely doable. Just think if your esxi server dies so does all your network but if this is used in a colocation rack and you're trying to save space then for a temp solution I don't think that you have a problem. Also most pfsense servers need not be more than 1ghz. If you're not running lots of vpn connections then 500mhz will do.

#4 3zzz, 17th November 2011, 18:45

Thanks mmidgett!

Quote (originally posted by mmidgett):
> Just think if your esxi server dies so does all your network

Well I was thinking to have 2 identical physical esxi servers, on each would be PFsense and synched copies of all the VMs (or perhaps shared storage?)

I will set up VMs from each in a pool so that if primary fails and secondary takes over, half the pool will still be there to serve clients.

Quote (originally posted by mmidgett):
> but if this is used in a colocation rack and you're trying to save space then for a temp solution I don't think that you have a problem.

More of a long term permanent solution if I get it to work as I'm thinking...

Quote (originally posted by mmidgett):
> Also most pfsense servers need not be more than 1ghz. If you're not running lots of vpn connections then 500mhz will do.

That's great - I don't plan on much vpn at all, but hope to push 100mbps+ from the setup.

#5 neofire, 28th November 2011, 01:36

Hey 3zzz

The reason I suggested a physical machine if pfsense is going to be the edge firewall (and mmidgett nailed one of the reasons) is purely from a disaster recovery point of view (all eggs in one basket situation), and the other reason is security and expandability. I have seen one situation where a client had a VM firewall on the same host as his production VMs (his firewall was set up quite poorly) and someone managed to hack and gain access to his VMware ESXi console, and cause considerable damage to his environment.

In regards to expandability, if you want to build a DMZ for example I personally like other hardware to control this and not have my esxi touching the DMZ at all.

If you have any more questions or concerns feel free to ask.

#6 3zzz, 28th November 2011, 19:55

Quote (originally posted by neofire):
> Hey 3zzz
>
> The reason I suggested a physical machine if pfsense is going to be the edge firewall (and mmidgett nailed one of the reasons) is purely from a disaster recovery point of view (all eggs in one basket situation), and the other reason is security and expandability. I have seen one situation where a client had a VM firewall on the same host as his production VMs (his firewall was set up quite poorly) and someone managed to hack and gain access to his VMware ESXi console, and cause considerable damage to his environment.
>
> If you have any more questions or concerns feel free to ask.

Thanks neofire!!
I think I will have 2 identical machines for redundancy; seems for my purposes it'll be cheaper than shared storage.
For security I will limit access to ESXi to the local network only, and use pfsense to block LAN addresses from spoofing over the WAN so I would hope ESXi is not accessible to hackers unless they first gain access to a LAN machine.

Well thanks for your advice, I'll let you know how it goes!

#7 neofire, 28th November 2011, 23:52

Sounds like you got it all sorted. Hope it works out and it would be good to hear how you go.

I am posting a failover HowTo this week (I have a bit of catch up to do) and hopefully a few more will go up with different pfsense configurations.

#8 3zzz, 29th November 2011, 18:46

Well tbh I am struggling to figure out what kind of storage I will need for my vmhosts in production. I figure we'll have about 6-8 VMs running on each.

Will I notice performance issues or would we get by just fine with onboard SATA drives?
Or will we have to spend more for
onboard SAS drives
onboard RAID (w SATA or SAS drives)
external SAN (3ware raids with SATA drives)
or something more?

From reading it sounds like you really have to test it and see... I can imagine my boss won't like shelling out all that cash for a vmhost server if we then test it and see that performance is poor and we need to spend another $5K+ for SAN... I'm thinking to go with a couple onboard SAS drives for the heavy access servers and SATA for the lighter ones, and see how it goes...
thanks for any suggestions!
3

#9 neofire, 30th November 2011, 05:02

It all depends on your virtual requirements: how many VMs will you run, what applications do you want to virtualize, how many virtual hosts you need to run etc.

Can I ask what you're intending to build? I might be able to recommend some things.

#10 3zzz, 30th November 2011, 05:19

Quote (originally posted by neofire):
> Can I ask what you're intending to build? I might be able to recommend some things.

Thanks neofire!

We have an existing system with a web server that is almost constantly overloaded, it's a quad core. It's not very redundant. We also have a couple other servers that don't do much. So I want to put those inside the ESXi host, and turn the web server into 2 or 3 VM web servers load balanced with PFSense. With 12 cores on the VMhost, hopefully this will perform better than the current web server.

Then if all goes according to plan, add a second identical VMhost with all identical VMs and set it up with the PFSense failover setup.

By doing all this I hope we will
a) improve the performance of the site by spreading the load over several VMs
b) have a redundant system so there will be no downtime due to hardware failures
c) free up valuable rack space by going from 3 towers to 2 1Us
d) move our systems towards VM for backups, clones and hardware independence