Hi Eugen, what a great article. Many thanks for sharing this.
greetings m.

2012/7/23 Eugen Leitl <eu...@leitl.org>

>
> http://www.viktorious.nl/2012/04/22/vcloud-director-howto-load-balancing-with-free-pfsense-appliance/
>
> vCloud Director Howto: Load balancing with free pfSense
> Posted on April 22, 2012 by viktorious
>
> After reading this article, also check the follow-up: vCloud Director
> Howto: Load balancing with free pfSense – Cont’d
>
> After doing some testing with VMware’s vCloud Director, I wanted to
> configure a multi-cell vCD infrastructure with a network load balancer in
> front. Of course there are various commercial products (see Eric Sloof’s
> excellent article on configuring Kemp Load Master), I was actually looking
> for an open source alternative.
>
> pfSense is doing the trick! pfSense is a FreeBSD based firewall solution,
> and the successor of m0n0wall (maybe you know that one). You can download
> pfSense at www.pfsense.org. I am using the 64 bit 2.0.1 version. You can
> download the ISO from the pfSense website.
>
> Note: This setup is intended for lab/home use :)
>
> The scenario we’re building consists of the following virtual machines:
>
> - A pfSense based firewall and load balancer (in a virtual machine), one
>   NIC connected to the internet, one NIC connected to the management LAN.
> - Two vCloud Director cells, both connected to the management LAN.
> - A vCenter Server, also connected to the management LAN.
>
> First install pfSense in a virtual machine. My specs are: 1 vCPU, 256 MB
> RAM and 1 GB Disk, don’t forget to add two NICs. The OS type is FreeBSD 64
> bit. Mount the pfSense CD and start the VM for the installation:
>
> - Choose option 1, just boot pfSense
> - After a short while, press I to install the software
> - Choose defaults, when asked choose a Quick/Easy Install. Your disk
>   will be wiped, but because you’ve just created a new VM, this shouldn’t be
>   a problem. Choose the multi-processor kernel.
> - After the installation has finished, reboot the virtual machine and
>   disconnect the installation ISO.
> - Now pfSense will boot with its default configuration.
>
> Now it’s time to create a basic configuration for pfSense through the
> command-line. After you’ve set the IP configuration, you will have a web
> interface available.
>
> pfSense will show you two NICs: ‘em0’ and ‘em1’, which are the two NICs of
> the virtual machine. You have to tell pfSense which interface is the WAN
> interface and which is the LAN interface:
>
> I prefer not to use the auto-detection feature, and just type em0 or em1
> depending on which NIC your WAN interface is. We don’t have an optional
> interface available, so just leave empty and press enter when asked. By
> default your WAN interface will search for a DHCP server, your LAN
> interface will be configured (by default) with IP address 192.168.1.1.
>
> After you have completed the basic configuration your pfSense VM startup
> screen will look like this:
>
> Ok, what’s next? Choose option 2 to configure the LAN and WAN interface
> according to your network settings. Keep in mind that the LAN interface
> address, that’s the address your vCD cells will connect to, should be
> configured as the default gateway in your vCD cells. You can choose to use
> pfSense’s DHCP server if necessary. In my case the WAN interface is
> configured with 10.0.1.254/24, the LAN interface is configured with
> 192.168.1.254/24.
>
> Ok, now it’s time to install vCD and create a basic configuration. Also
> install a second cell using the response.properties. More information about
> the vCD installation can be found in the “vCloud Director Installation and
> Configuration Guide”, available as PDF on the VMware website. The
> installation isn’t covered here, there are already enough resources
> available!
>
> After you have installed two vCD cells, you should be able to connect to
> both cells successfully. Because vCD is stateless, it shouldn’t matter
> which instance you’re connecting to. The properties of my two vCD cells are:
>
> vCD Cell 1:
>
> - hostname: vcd1public.domain.local
> - ip address for the vCD website: 192.168.1.237/24
> - ip address for the vCD console proxy: 192.168.1.238/24
> - dns: 192.168.1.253 (LAN side DNS server)
> - gw: 192.168.1.254 (this is the LAN side IP address of pfSense!)
>
> vCD Cell 2:
>
> - hostname: vcd1public.domain.local
> - ip address for the vCD website: 192.168.1.231/24
> - ip address for the vCD console proxy: 192.168.1.232/24
> - dns: 192.168.1.253 (LAN side DNS server)
> - gw: 192.168.1.254 (this is the LAN side IP address of pfSense!)
>
> Now the pfSense configuration, the configuration in this case will be:
>
> - The pfSense firewall/load balancer has Public IP address 10.0.1.254
> - vCD website traffic will be accessible through port 444, so
>   https://10.0.1.254:444. (You can configure this alternative port in the
>   vCD interface if necessary)
> - Console proxy traffic will be accessible through port 443, so on
>   10.0.1.254:443.
> - The load balancer (pfSense) will balance traffic on 10.0.1.254:444 to
>   192.168.1.231:443 and 192.168.1.238:443. pfSense will do a port
>   translation here.
> - The load balancer (pfSense) will balance traffic on 10.0.1.254:443 to
>   192.168.1.231:443 and 192.168.1.238:443. I will do a little port
>   translation here.
>
> Access the pfSense web interface on http(s)://192.168.1.254, default
> credentials are admin/pfsense. Choose the load balancer option, it’s
> available under services:
>
> We have to set up the pools and virtual servers feature, it’s a
> nice-to-have to set up the “monitors” option which is also available (more
> about that in the To Do paragraph at the end of this article).
>
> In the pools options you have to configure which vCloud Director cells are
> available to the load balancer. You have to define a separate pool for the
> web interface and a separate pool for the console proxy. The screendump
> shows the configuration for the vCloud Director web interface pool:
>
> Define a name for the pool, configure the port number (443) and add both
> vCloud Director cells to this pool. I’ve configured ICMP as a monitor
> option, this means a ping is sent to a vCD cell to check it’s up and
> running. Although this is not a very thorough test (the OS of a cell is up
> and running, but the vCD service is down, the load balancer will still
> think the cell is available), this option is fine for this first setup.
>
> The next step is configuring a virtual server, this means you are
> publishing the cells to the public site of pfSense (on 10.0.1.254). In our case
> https://10.0.1.254:444 is the access point. The configuration is shown in
> the screendump:
>
> The virtual server pool is the previously configured pool, in this case the
> web-console of vCloud Director. There’s a very important note at the bottom
> of this screen, don’t forget to add a rule to the firewall for the virtual
> server. The rule for both the web-interface and the console proxy will look
> like this (firewall->rules):
>
> Important: Although these rules will work perfectly, it’s an even better
> idea to specify the target vCD nodes in the firewall rules. The above
> configuration can potentially open your pfSense management interface to the
> “wan” side of the load balancer. An alternative is to move the pfSense
> management interface to another port, e.g. port 445. You can set this
> option in System->Advanced->TCP Port.
>
> Repeat the steps, to configure the console proxy. Now your free load
> balancer is up and running :) You can monitor the load balancer with the
> status->load balancer option! If everything is working, it should look like
> this:
>
> To do…
>
> One thing I still want to do is to implement a more proper way of
> monitoring the cells. The ICMP option (sending a ping) is not so good,
> because it only monitors if the OS is up and running. pfSense has an option
> to configure additional monitor options (services->load
> balancers->monitors). I’ve implemented a monitor for both the vCD cell and
> the console proxy according to this article by Chriss Colotti. What you’re
> actually doing is not sending a ping to the cells, you’re accessing a URL.
> When this is successful, the cell is up and available to the load balancer.
> The pfSense configuration for the vCD web interface should look like this:
>
> For the console proxy the configuration is quite the same, the monitor URL
> should be changed to “/sdk/vimServiceVersions.xml”. In my lab this
> configuration resulted in two overloaded cloud cells :( . My servers have a
> rather lean & mean configuration, so I think that’s the problem. I will do
> some additional testing and post the results here!
>
> That’s it for now, your comments are always welcome!
>
> The follow up for this article is available now: vCloud Director Howto:
> Load balancing with free pfSense – Cont’d
> _______________________________________________
> List mailing list
> List@lists.pfsense.org
> http://lists.pfsense.org/mailman/listinfo/list
>

--
= = =  http://michael-schuh.net/  = = =
Projektmanagement - IT-Consulting - Professional Services IT
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil: 0175/5616453
@: m i c h a e l . s c h u h @ g m a i l . c o m

= = =  Ust-ID:  DE251072318  = = =
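The quoted article's "Important" note on firewall rules, worked through as an added example (not part of the original post or the article): it checks whether a WAN pass rule also admits traffic to the pfSense web GUI. The `Rule` model is hypothetical and is not pfSense's configuration format; the broad rules are assumed to use destination "any" because the screenshot is not in the post, and rule ordering is ignored.

```python
import ipaddress
from dataclasses import dataclass

# Addresses taken from the quoted article; the rule model is an assumption.
FIREWALL_ADDRS = ["10.0.1.254", "192.168.1.254"]   # pfSense WAN and LAN
VCD_CELLS = ["192.168.1.231", "192.168.1.232", "192.168.1.237", "192.168.1.238"]

@dataclass
class Rule:
    interface: str   # "wan" or "lan"
    action: str      # "pass" or "block"
    dest: str        # "any", a single address, or a CIDR network
    ports: tuple     # inclusive (low, high) destination port range
    descr: str = ""

def covers(rule, addr, port):
    """True if the rule's destination and port range match addr:port."""
    low, high = rule.ports
    if not low <= port <= high:
        return False
    if rule.dest == "any":
        return True
    net = ipaddress.ip_network(rule.dest, strict=False)
    return ipaddress.ip_address(addr) in net

def exposes_webgui(rules, gui_port=443):
    """Return the WAN pass rules that also admit traffic to the pfSense GUI.

    Conservative audit: earlier block rules that might shadow a hit are
    not evaluated.
    """
    hits = []
    for r in rules:
        if r.interface != "wan" or r.action != "pass":
            continue
        if any(covers(r, a, gui_port) for a in FIREWALL_ADDRS):
            hits.append(r)
    return hits

# Constructed rule sets: destination "any" versus one rule per vCD cell.
BROAD = [Rule("wan", "pass", "any", (443, 443), "vCD console proxy"),
         Rule("wan", "pass", "any", (444, 444), "vCD web interface")]
SCOPED = [Rule("wan", "pass", ip, (443, 443), "vCD cell") for ip in VCD_CELLS]

if __name__ == "__main__":
    for name, rules in (("broad", BROAD), ("scoped", SCOPED)):
        for port in (443, 445):
            found = [r.descr for r in exposes_webgui(rules, port)]
            print(f"{name:6} gui_port={port}: {found or 'not exposed'}")
```

With the GUI on 443 the broad console proxy rule is flagged; scoping the rules to the cell addresses or moving the GUI to port 445 clears the finding.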