Re: [pfSense Support] tuning incoming load balancer
Bill Marquette wrote: On 9/25/07, Bill Marquette <[EMAIL PROTECTED]> wrote: no, it says the IP is already in the list and refuses to add it; I guess that javascript could be changed to say "are you sure" and make it possible. Hmmm, the hackathon is coming up in a couple weeks. I'll take a look at this there (it won't make the 1.2 release). I removed this check. Please test with a snapshot newer than October 19th, 8PM US Eastern time -RC3 definitely allows you to add the same server multiple times in the "Load Balancer Pool - Edit" page. thanks for that. Paul - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] tuning incoming load balancer
Bill Marquette wrote: > On 9/25/07, Bill Marquette <[EMAIL PROTECTED]> wrote: >>> no, it says the IP is already in the list and refuses to add it; I guess >>> that javascript could be changed to say "are you sure" and make it possible. >> Hmmm, the hackathon is coming up in a couple weeks. I'll take a look >> at this there (it won't make the 1.2 release). > > I removed this check. Please test with a snapshot newer than October > 19th, 8PM US Eastern time I am going to be building a new pfsense box in a few days so will test snapshot and post a response. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] tuning incoming load balancer
On 9/25/07, Bill Marquette <[EMAIL PROTECTED]> wrote: > > no, it says the IP is already in the list and refuses to add it; I guess > > that javascript could be changed to say "are you sure" and make it possible. > > Hmmm, the hackathon is coming up in a couple weeks. I'll take a look > at this there (it won't make the 1.2 release). I removed this check. Please test with a snapshot newer than October 19th, 8PM US Eastern time --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] tuning incoming load balancer
Bill Marquette wrote: > Yep, again, the load balance itself is performed in kernel. pf itself > doesn't really care about icmp unreachables (and that only addresses > the issue of Apache going down, not of the whole box crashing). OK, thanks for that clarification. BTW, we've been testing with and without the "stickiness" set and as far as we can tell 1.2RC2 doesn't actually do the round-robin load balancing, or just does the failover. I'd raise a bug but thought I'd check first. >>> I suppose the main questions here are how important it is that you ... > We could probably do to the nearest second (I'd suggest that the .. >> I am happy to have a hack at the code and/or be a beta tester for this. > I'll likely hit on this during the hackathon, I'll shoot you an email > in mid October. great! thanks again Paul - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] tuning incoming load balancer
On 9/25/07, Paul M <[EMAIL PROTECTED]> wrote: > p.s. does the load balancer have any sort of session affinity? Not really. Under System->Advanced you can turn on sticky sessions, but that only works for a user as long as they still has active TCP states on the firewall to an existing server. We can probably enhance this to support bitmask and source-hash (see http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html#end for descriptions) as well as increasing the state tracking timeout (assuming this is in FreeBSD 6.2 - which uses an older version of pf) for the sticky sessions. --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] tuning incoming load balancer
On 9/25/07, Paul M <[EMAIL PROTECTED]> wrote: > >> 2/ why didn't pfsense pick up the dead unit when I connected and know to > >> redirect, or at least only fail the once? > > Nope. The load balancing is performed by pf which has no concept of > > dead servers. The actual monitoring is performed in userland and the > > rules modified based on detection of dead servers. > > It'd be nice if it also picked up the icmp dest unreachable, but that > might involve a bit of work! Yep, again, the load balance itself is performed in kernel. pf itself doesn't really care about icmp unreachables (and that only addresses the issue of Apache going down, not of the whole box crashing). > > same server multiple times (I'm pretty sure the ratio load balancing > > works, I'm not sure if we actually allow for it in the UI). > > no, it says the IP is already in the list and refuses to add it; I guess > that javascript could be changed to say "are you sure" and make it possible. Hmmm, the hackathon is coming up in a couple weeks. I'll take a look at this there (it won't make the 1.2 release). > > Well, pfSense is a firewall, not a load balancer. It was "easy" to > > add simple load balancing features, going any further would be a > > significant undertaking and in my opinion would distract from the > > goals of pfSense. > > yes, I agree that trying to add a complex load balancing solution (such > as LVS) would detract from pfsense, I am just wondering where a > comfortable position would lie, even "haproxy" or "balance" might be too > much? haproxy and balance (as long as you understand that they're proxies and as such you'll lose source address info at the webserver) would make for fine packages. I'm personally not interested in creating such a package (and the original load balance code was sponsored so had restrictions), but I'd be more then willing to give pointers to someone wanting to work on packaging either of these. > > I suppose the main questions here are how important it is that you > > have more frequent polling (which btw, will increase the load on the > > web servers since we'll be hitting them more frequently), how > > important the "better" load balancing features are to you, and how > > much you're willing to spend. > > I think being able to tune the time would be most practical to the > nearest tenth of a second (above, say, 5s could have a granularity of > 1s), we're likely to be a high traffic site so it'd represent a > negligible impact overall. We could probably do to the nearest second (I'd suggest that the minimum we could safely do with our current monitoring solution is likely to be 2 seconds) - it'll be a box wide setting as the polling timing isn't specified on a virtual server basis. > I am happy to have a hack at the code and/or be a beta tester for this. I'll likely hit on this during the hackathon, I'll shoot you an email in mid October. --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] tuning incoming load balancer
p.s. does the load balancer have any sort of session affinity? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] tuning incoming load balancer
Bill Marquette wrote: >> Thus I would like to ask >> 1/ how quickly should pfsense discover one of the units in the pool is dead? > > 5 seconds thanks for that. From my limited testing that's what I observed. I'm told we can live with that. I must admit to being lazy^W overworked, trying to find a usable solution without having to roll a full HA strategy for now ;-) >> 2/ why didn't pfsense pick up the dead unit when I connected and know to >> redirect, or at least only fail the once? > Nope. The load balancing is performed by pf which has no concept of > dead servers. The actual monitoring is performed in userland and the > rules modified based on detection of dead servers. It'd be nice if it also picked up the icmp dest unreachable, but that might involve a bit of work! >> 3/ can I tune the timers, can I add weights to favour one server over > Nope. I might be convinced to make the timers a tunable. And I > believe someone did try to do ratio style load balancing by adding the > same server multiple times (I'm pretty sure the ratio load balancing > works, I'm not sure if we actually allow for it in the UI). no, it says the IP is already in the list and refuses to add it; I guess that javascript could be changed to say "are you sure" and make it possible. > Well, pfSense is a firewall, not a load balancer. It was "easy" to > add simple load balancing features, going any further would be a > significant undertaking and in my opinion would distract from the > goals of pfSense. yes, I agree that trying to add a complex load balancing solution (such as LVS) would detract from pfsense, I am just wondering where a comfortable position would lie, even "haproxy" or "balance" might be too much? > I suppose the main questions here are how important it is that you > have more frequent polling (which btw, will increase the load on the > web servers since we'll be hitting them more frequently), how > important the "better" load balancing features are to you, and how > much you're willing to spend. I think being able to tune the time would be most practical to the nearest tenth of a second (above, say, 5s could have a granularity of 1s), we're likely to be a high traffic site so it'd represent a negligible impact overall. I am happy to have a hack at the code and/or be a beta tester for this. If we do go fully live with pfsense I anticipate a favourable reception asking senior management to pay for pfsense support as they were expecting to have to pay for a commercial option! regards Paul - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] tuning incoming load balancer
On 9/24/07, Paul M <[EMAIL PROTECTED]> wrote: > Hi, > Having successfully used pfsense as a clustered firewall with CARP for > external and internal shared IPs, I am trying its load balancing feature > to manage a pool of web servers. > > So, created a pool with 2 httpd's, and it works. However, when I killed > httpd on one box, I got a few errors when connecting from outside world > for about five seconds, and then pfsense failed over to the other box. > > Thus I would like to ask > 1/ how quickly should pfsense discover one of the units in the pool is dead? 5 seconds > 2/ why didn't pfsense pick up the dead unit when I connected and know to > redirect, or at least only fail the once? Nope. The load balancing is performed by pf which has no concept of dead servers. The actual monitoring is performed in userland and the rules modified based on detection of dead servers. > 3/ can I tune the timers, can I add weights to favour one server over > another, can I make the load balancer interrogate the web servers to > determine their loading and not just that there's a tcp listener? Nope. I might be convinced to make the timers a tunable. And I believe someone did try to do ratio style load balancing by adding the same server multiple times (I'm pretty sure the ratio load balancing works, I'm not sure if we actually allow for it in the UI). > I am sure I am asking too much of pfsense loadbal, but I just need to > get an idea of whether it will be useful initially under I need to go > get a fully-featured complex load bal. Well, pfSense is a firewall, not a load balancer. It was "easy" to add simple load balancing features, going any further would be a significant undertaking and in my opinion would distract from the goals of pfSense. I suppose the main questions here are how important it is that you have more frequent polling (which btw, will increase the load on the web servers since we'll be hitting them more frequently), how important the "better" load balancing features are to you, and how much you're willing to spend. --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]