pFSense LoadBalancer/Failover
PF
Packet Filter (PF) is a stateful firewall originally developed for OpenBSD and since ported to the other BSD systems, including FreeBSD. In functionality PF is comparable to iptables, ipfw and ipfilter.
pfSense
pfSense is an open source firewall/router software distribution based on FreeBSD that uses PF as its packet filter. pfSense is noted for its reliability and cost effectiveness compared to much more expensive paid solutions. The management interface is web-based, so only minimal knowledge of FreeBSD is required.
Some features of pfSense, as listed on http://en.wikipedia.org/wiki/PfSense, fall under two headings:
Functionality and connectivity
Firewall and routing
Scenario
pfSense will act as a front-end firewall/load balancer for our servers. All the services will be running at the backend without any direct access from customers. For this scenario we will be using the following major services of pfSense:
- Multi-WAN
- CARP/pfsync
- Loadbalancing/Failover
- VLANs
Multi-WAN
Using this feature we can assign multiple gateways for our servers. We will be using two gateways on two separate upstream networks so that the default gateway itself is redundant: if one gateway stops answering, outbound traffic fails over to the other.
CARP/pfsync
CARP stands for Common Address Redundancy Protocol. It allows multiple hosts on the same network segment to share the same IP address. In some configurations this may be used for failover or load balancing[1].
As an example, consider two pfSense servers that are completely identical. We need an arrangement in which a user accessing a service through these servers never faces any downtime, regardless of the state of either pfSense machine.
We can use CARP in this situation to provide a failover scenario.
Network Configuration
                 Firewall 1          Firewall 2
WAN IP           203.100.100.22      203.100.100.23
SYNC IP          203.100.100.138     203.100.100.139
LAN IP           192.168.1.2         192.168.1.3
The 2 IP addresses below will be shared between the firewalls.
WAN Virtual IP: 203.100.100.27
LAN Virtual IP: 192.168.1.1
The SYNC interface is used to keep the two firewalls in step: pfsync replicates the state table, and the XML-RPC configuration sync copies settings from the master to the backup. The sync link should be a dedicated, isolated segment (a crossover cable or its own VLAN), because pfsync traffic is not authenticated and the configuration sync carries the admin credentials. If the master goes down, the backup takes its place seamlessly and the WAN/LAN virtual IPs remain routable.
The VHID and skew are the two CARP parameters that matter most. The VHID identifies the CARP group for a virtual IP: it must be the same on both firewalls for a given virtual IP and unique on that network segment. The advertisement skew (advskew) decides the election: the firewall with the lowest skew becomes master, and all higher-skewed ones become backups. CARP advertisements (IP protocol 112) are sent on the interface itself, so both nodes must be in the same broadcast domain and the firewall rules there must permit CARP traffic.
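A consistency check for the plan in the table above, as an added Python example (not pfSense's own code; pfSense does this through its web GUI). The page gives only the addresses, so the subnet masks (/24), the VHIDs (1 and 2) and the advskew values (0 on the master, 100 on the backup) are assumptions. The check flags addresses outside their subnet, a virtual IP that collides with a node's real address, duplicate VHIDs on one segment, equal skews (no deterministic master), a different master per interface, and a sync link that shares a subnet with WAN or LAN. With the addresses exactly as listed and a /24 mask, the sync addresses land in the WAN subnet, which is the one finding it reports.

```python
import ipaddress

# Constructed plan for the two-firewall cluster in the table above. Masks, VHIDs
# and advskew values are assumptions; the page gives only the addresses.
PLAN = [
    {"name": "WAN", "net": "203.100.100.0/24",
     "fw1": "203.100.100.22", "fw2": "203.100.100.23",
     "vip": "203.100.100.27", "vhid": 1, "skew": {"fw1": 0, "fw2": 100}},
    {"name": "LAN", "net": "192.168.1.0/24",
     "fw1": "192.168.1.2", "fw2": "192.168.1.3",
     "vip": "192.168.1.1", "vhid": 2, "skew": {"fw1": 0, "fw2": 100}},
    # pfsync / XML-RPC sync link: no virtual IP lives here.
    {"name": "SYNC", "net": "203.100.100.0/24",
     "fw1": "203.100.100.138", "fw2": "203.100.100.139",
     "vip": None, "vhid": None, "skew": None},
]


def check_carp_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    nets = {}        # interface name -> ip_network
    masters = {}     # interface name -> node expected to win the CARP election
    seen_vhids = {}  # (network, vhid) -> interface name, to catch collisions on a segment

    for iface in plan:
        name = iface["name"]
        net = ipaddress.ip_network(iface["net"])
        nets[name] = net

        # Both real addresses must sit in the interface's subnet and differ.
        for node in ("fw1", "fw2"):
            if ipaddress.ip_address(iface[node]) not in net:
                findings.append(f"{name}: {node} address {iface[node]} is outside {net}")
        if iface["fw1"] == iface["fw2"]:
            findings.append(f"{name}: both nodes use the same address {iface['fw1']}")

        if iface["vip"] is None:
            continue  # a sync link carries no shared address

        vip = ipaddress.ip_address(iface["vip"])
        if vip not in net:
            findings.append(f"{name}: virtual IP {vip} is outside {net}")
        if iface["vip"] in (iface["fw1"], iface["fw2"]):
            findings.append(f"{name}: virtual IP {vip} collides with a node's real address")

        # One VHID per virtual IP, same on both nodes, unique on the segment.
        vhid = iface["vhid"]
        if not 1 <= vhid <= 255:
            findings.append(f"{name}: VHID {vhid} is outside 1-255")
        key = (net, vhid)
        if key in seen_vhids:
            findings.append(f"{name}: VHID {vhid} already used by {seen_vhids[key]} on {net}")
        seen_vhids[key] = name

        # Lowest advskew wins the election; equal skews leave it to the tie-break.
        skew = iface["skew"]
        if skew["fw1"] == skew["fw2"]:
            findings.append(f"{name}: both nodes have advskew {skew['fw1']}; no deterministic master")
        else:
            masters[name] = min(skew, key=skew.get)

    if len(set(masters.values())) > 1:
        findings.append(f"master differs per interface: {masters}; traffic would be split across nodes")

    sync = nets.get("SYNC")
    if sync is None:
        findings.append("no SYNC interface: pfsync and configuration sync need a dedicated link")
    else:
        for name, net in nets.items():
            if name != "SYNC" and net.overlaps(sync):
                findings.append(f"SYNC: sync link shares {net} with {name}; "
                                "pfsync is unauthenticated, use an isolated link")
    return findings


if __name__ == "__main__":
    for line in check_carp_plan(PLAN) or ["plan is consistent"]:
        print(line)
```

Moving the SYNC entry to its own small subnet (for example a /30 on a dedicated interface) clears the finding; reversing the skews on only one interface produces the "master differs" finding, which is what you would see if the LAN failed over while the WAN did not.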
Load Balancing
pfSense provides a built-in server load balancing mechanism. You need at least two backend servers for load balancing to be useful. There are two parts to the server load balancer configuration.
Virtual Server Pools
Here you define
- the list of servers to be used
- which port they listen on
- the monitoring method to be used
Virtual Servers
Here you define
- the IP and port to listen on
- the pool to which incoming traffic on that IP and port is directed
Example
For example, we want to create a load balancer for our webservers. First we create a pool called WebServers with the IPs of our target servers.
- Web-I: 192.168.1.7
- Web-II: 192.168.1.8
- Web-III: 192.168.1.9
We specify the port to which the traffic has to be forwarded (port 80 in this case).
We also select a monitoring method so the load balancer can tell when one of the machines is down and stop forwarding traffic to it. The options are TCP, ICMP and HTTP. We choose the ICMP method for monitoring. Note that ICMP only checks that the host answers ping: a server whose web service has crashed but whose kernel still responds would keep receiving requests, so for a web pool a TCP or HTTP monitor catches more failures.
Now we create a Virtual Server with a virtual IP that acts as the front end, receives all the requests and distributes them among the pool members. We set it to listen on port 80 and direct its traffic to the WebServers pool.
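The pool/virtual-server arrangement above, with the three monitor types, as an added Python model that is not pfSense's own code (pfSense 2.x drives relayd for this). The probe results for the three web servers are constructed in-line rather than taken from the network, and the front-end address 203.100.100.30 is assumed; they describe one healthy server, one host whose httpd is not listening, and one whose httpd answers but returns 500. The model shows what the monitor choice does to the traffic the virtual server hands out: an ICMP monitor keeps all three in rotation, a TCP monitor drops only the closed port, and an HTTP monitor leaves just the healthy server.

```python
# Constructed observations of host:80 for the three pool members in the example.
# These stand in for real probes; the states are assumptions for illustration.
BACKENDS = {
    "192.168.1.7": {"reachable": True, "port_open": True,  "http_status": 200},
    "192.168.1.8": {"reachable": True, "port_open": False, "http_status": None},  # httpd not running
    "192.168.1.9": {"reachable": True, "port_open": True,  "http_status": 500},   # httpd up, app broken
}


def probe(host, port=80):
    """Stand-in for a network probe: returns the constructed observation for host:port."""
    return BACKENDS[host]


# The three monitor types the load balancer offers, as predicates over a probe result.
MONITORS = {
    "ICMP": lambda obs: obs["reachable"],
    "TCP":  lambda obs: obs["reachable"] and obs["port_open"],
    "HTTP": lambda obs: obs["reachable"] and obs["port_open"] and obs["http_status"] == 200,
}


class Pool:
    """A virtual server pool: members, the port they listen on, and a monitor."""

    def __init__(self, name, members, port, monitor):
        self.name, self.members, self.port, self.monitor = name, list(members), port, monitor
        self._next = 0  # round-robin cursor over the currently healthy members

    def healthy(self):
        return [m for m in self.members if self.monitor(probe(m, self.port))]

    def pick(self):
        live = self.healthy()
        if not live:
            return None
        member = live[self._next % len(live)]
        self._next += 1
        return member


class VirtualServer:
    """The front-end IP/port that hands each request to a member of its pool."""

    def __init__(self, ip, port, pool):
        self.ip, self.port, self.pool = ip, port, pool

    def handle(self):
        backend = self.pool.pick()
        if backend is None:
            return (None, False)
        # The client only succeeds if the chosen backend actually serves the page.
        ok = probe(backend, self.pool.port)["http_status"] == 200
        return (backend, ok)


def simulate(monitor_name, requests=6):
    """Send `requests` requests through a fresh virtual server; returns (backend, ok) pairs."""
    pool = Pool("WebServers", BACKENDS, 80, MONITORS[monitor_name])
    vs = VirtualServer("203.100.100.30", 80, pool)  # front-end VIP is an assumption
    return [vs.handle() for _ in range(requests)]


def failed_requests(monitor_name, requests=6):
    """Number of client requests that hit a backend unable to serve the page."""
    return sum(1 for _, ok in simulate(monitor_name, requests) if not ok)


if __name__ == "__main__":
    for name in MONITORS:
        print(f"{name:4} monitor: {failed_requests(name)} of 6 requests failed")
```

Because the healthy list is recomputed on every request, a member that fails its monitor drops out of rotation immediately and comes back as soon as the monitor passes again, which is the behaviour the pool's monitoring method is meant to provide.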
Final Design
Support[2]
Subscription Details
You are purchasing a one year subscription, including 5
hours of professional services. pfSense will provide any assistance desired, on
as many installations as you have, within that time limit. Additional hours can
be purchased if needed, at a lower per-hour rate. The first purchase includes a
contribution to fund ongoing development of the pfSense project. The
subscription is renewed annually at a discounted rate, which comes with 5
additional hours.
If you do not use all your hours in a given year, they will
be rolled over to subsequent years if you maintain an active subscription.
Pricing
The base 5 hour annual subscription is $600 USD. Additional
blocks of hours can be purchased if needed, at the following rates (all prices
USD). Base subscription with 5 hours - $600, part of which is a
contribution to pfSense project maintenance fund.
Additional Hours
Only available to customers with an active support subscription[3].
- 5 hours - $500
- 10 hours - $900
- 20 hours - $1700
- 50 hours - $4000
Some Available Packages for pfSense
Each entry gives the package name, its category and version, and a short description.
Apache with mod_security-dev (Network Management, 2.4.6 pkg v0.3)
ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. In addition this package allows URL forwarding, which can be convenient for hosting multiple websites behind pfSense using one IP address. Back up your location config before updating from the 0.2.x to the 0.3 package version.
Cron (Services, 0.1.8)
The cron utility is used to manage commands on a schedule.
freeradius2 (System, 2.1.12_1/2.2.0 pkg v1.6.7_2)
A free implementation of the RADIUS protocol. Supports MySQL, PostgreSQL, LDAP and Kerberos. FreeRADIUS and FreeRADIUS2 settings are not compatible, so do not use them together or try to update from one to the other; the pfSense docs have a how-to that can help with porting users.
haproxy (Services, 1.4.24 pkg v1.2.4)
The Reliable, High Performance TCP/HTTP Load Balancer. This package implements both the TCP and HTTP balancing features of HAProxy. Supports ACLs for smart backend switching.
iperf (Network Management, 2.0.5)
Iperf is a tool for testing network throughput, loss, and jitter.
OpenBGPD (NET, 0.9 STABLE, platform 1.3)
OpenBGPD is a free implementation of the Border Gateway Protocol, Version 4. It allows ordinary machines to be used as routers exchanging routes with other systems speaking the BGP protocol.
nmap (Security, nmap-6.25_1 pkg v1.2)
Nmap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques (determine what services the hosts are offering), version detection (determine what application/service is running on a port), and TCP/IP fingerprinting (remote host OS or device identification). It also offers flexible target and port specification, decoy/stealth scanning, SunRPC scanning, and more. Most Unix and Windows platforms are supported in both GUI and command line modes. Several popular handheld devices are also supported, including the Sharp Zaurus and the iPAQ.
NRPE v2 (Services, 2.12_3 v2.2)
NRPE is an addon for Nagios that allows you to execute plugins on remote Linux/Unix hosts. This is useful if you need to monitor local resources/attributes like disk usage, CPU load, memory usage, etc. on a remote host.
snort (Security, 2.9.4.6 pkg v2.6.1)
Snort is an open source network intrusion prevention and detection system (IDS/IPS), combining the benefits of signature, protocol and anomaly-based inspection.
pfBlocker (Firewall, 1.0.2 Release, platform 2.0)
Introduces an enhanced alias-table feature to pfSense. Assign many IP/URL lists from sites like I-Blocklist to a single alias and then choose the rule action to take. This package also blocks countries and IP ranges. pfBlocker replaces Countryblock and IPblocklist.