miarch
pfsense failover webservers
Pfsense version: 2.0.1-RELEASE (amd64)
We are testing setting up fail-over webservers via pfsense.
Current setup: 2 working test webservers "A" and "B" on the LAN, port 80.
(2 WAN connections)
2 pools: pool1 includes only "A", pool2 includes only "B".
1 virtual server, tried both with external ip as well as lan ip. Lists A as pool, B as fall back.
Working monitor, using http.
Test1:
setup virtual server with external address, listening to port 83, duplicate virtual server for second external ip, also port 83.
Added firewall rules to allow traffic on port 83 on the external IPs for both WAN IPs/adapters;
allow port 83 to virtual server; allow port 80 to webservers A & B.
Result:
When connecting externally to external ips port 83, it works at first. When turning off A, pfsense loadbalancing status shows A correctly to be offline, B still online.
Externally now unable to connect external ips port 83. Deleted webbrowser cache etc. same result. Disable sticky connection same result.
Test 2:
setup virtual server with internal address, listening to port 83, NAT for external ips port 83 forward to virtual server.
Added firewall rules to allow traffic on port 83 on the external IPs for both WAN IPs/adapters;
allow port 83 to virtual server; allow port 80 to webservers A & B.
Result:
When connecting externally to external ips port 83, it doesn't work. Error in browser: "nc: getaddrinfo: hostnamenor servname provided or not known".
Deleted webbrowser cache etc. same result. Disable sticky connection same result.
What am I missing?
ASKER
More detailed config:
Test 1
pool 1: contains 1 server 10.0.10.2:80
pool 2: contains 1 server 10.0.10.3:80
virtual server 1 on external ip 173.194.66.94:83 - points to pool1 with pool2 as fall back.
virtual server 2 on external ip 74.125.132.94:83 - points to pool 1 with pool2 as fall back.
Firewall allows 173.194.66.94:83, 74.125.132.94:83, 10.0.10.3:80, 10.0.10.2:80 from anywhere.
Sticky connection is turned off.
On start of test, both pools are up. Can access the website from outside of my network on either virtual server.
Once I turn off pool1, pfsense correctly displays pool1 to be down. But I am unable to then access the website outside of my network, on port 83, on either virtual server, so there appears to be no automatic fall back.
Yes, I can then still access pool2 on its internal IP:80 from inside my network.
Test 2: Yes, that error having to do with dns makes sense. Not sure how to address it, though. I think I will focus on test 1.
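The monitor-driven pool selection described in the config above (pool1 as primary, pool2 as fallback, an HTTP monitor deciding who is up), modelled as an added example. This is not code from the thread or from pfSense/relayd: it assumes only the pool and virtual-server names from the post, uses a placeholder instead of the external listen address, and replaces the 10.0.10.2/10.0.10.3 backends with constructed loopback HTTP servers so it runs offline. It is useful for checking the monitor and the fallback decision on their own, separately from the firewall and NAT rules.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def http_monitor(host, port, path="/", timeout=2.0):
    """pfSense-style 'http' monitor: one GET, the host is up only on HTTP 200."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        status = conn.getresponse().status
        conn.close()
        return status == 200
    except OSError:            # refused, timed out, reset: host counts as down
        return False


def pool_is_up(members, monitor=http_monitor):
    """A pool is usable when at least one (host, port) member passes the monitor."""
    return any(monitor(host, port) for host, port in members)


def select_pool(virtual_server, pools, monitor=http_monitor):
    """Name of the pool a virtual server should forward to right now:
    the primary pool while any member is up, else the fallback pool
    (relayd's backup-table behaviour), else None when everything is down."""
    for name in (virtual_server["pool"], virtual_server["fallback"]):
        if pool_is_up(pools[name], monitor):
            return name
    return None


class _Backend(BaseHTTPRequestHandler):
    """Constructed stand-in for webserver A or B: answers 200 to every GET."""

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo output quiet
        pass


def start_backend():
    """Start a local backend on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _Backend)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def failover_demo():
    """Reproduce test 1 offline: both pools up, then A is taken down.
    Returns the selected pool name before and after A goes away."""
    srv_a, port_a = start_backend()
    srv_b, port_b = start_backend()
    # Same shape as the thread's config; 10.0.10.2/3:80 become loopback ports here.
    pools = {"pool1": [("127.0.0.1", port_a)], "pool2": [("127.0.0.1", port_b)]}
    vs = {"listen": ("EXTERNAL_IP_PLACEHOLDER", 83), "pool": "pool1", "fallback": "pool2"}
    try:
        before = select_pool(vs, pools)
        srv_a.shutdown()            # "turn off A"
        srv_a.server_close()
        after = select_pool(vs, pools)
    finally:
        srv_b.shutdown()
        srv_b.server_close()
    return before, after


if __name__ == "__main__":
    before, after = failover_demo()
    print(f"with A up: {before}; with A down: {after}")
```

`select_pool` evaluates the monitor at call time; a real load balancer only re-evaluates on its monitor interval, so a failover is visible only after the next check has marked the primary host down, and a client that connects in between still lands on the dead pool.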
ASKER
ok will have to continue after the long weekend here in Alberta :-)
ASKER
Thanks, I got it working after a long fight with my apache2 and iptables on the machines itself. Had to also remove the complete website and make a simple index.html.
Yes, testing it the other way around totally helped, as with that I could really test every element until I got it finally working.
btw, I ended up going with test2, where the virtual server has the external ip.
Now when I put pool 2 as fallback and then turn off pool1 it indeed automagically falls over to pool2.
Cool stuff
Ruben
"Externally now unable to connect external ips port 83"
if this is true, stopping one of the web servers will definitely not prevent the other one from working using the previously working private address
"nc: getaddrinfo: hostnamenor servname provided or not known"
this cannot be related to a firewall problem. most likely you are using a dead or stale DNS entry to access your machines