Load balancer inside firewall or not...

1337

This is for our colo server setup we are working on. We are looking to set up load balancers (haproxy) after the firewalls (pfsense in fail-over config).

Is it a good idea or a bad idea to run a load balancer on the same machine as the firewall?

From a performance point of view I think the firewall servers (pfsense on bare metal) can handle the traffic in either case. Right now the firewalls each have a single 6-core Xeon @ 2.6GHz, 32GB RAM and SSDs. Otherwise I can throw higher GHz, another CPU and more cores at the problem.

I also wonder about SSL for load balancers. Is it best to use SSL passthrough or SSL termination?

travisdh1

@Pete-S If you're going to be using pfSense, why not use the built-in load balancer? https://www.howtoforge.com/how-to-use-pfsense-to-load-balance-your-web-servers

1337

@travisdh1 said in Load balancer inside firewall or not...:

@Pete-S If you're going to be using pfSense, why not use the built-in load balancer? https://www.howtoforge.com/how-to-use-pfsense-to-load-balance-your-web-servers

Not a bad idea. As I understand it's a load-balancer called relayd. Maybe it's good enough for what I need, otherwise HAproxy is also built in. You just need to enable the package first before it's settings shows up.

scottalanmiller

Load balancers typically use very few resources. So you should be relatively flexible.

JaredBusch

I am using HAProxy only as a proxy right now in a couple places (for Exchange on prem). But the load balancing setup is super simple.

I like it.

coliver

HAProxy is really powerful. We use quite a few of them here.

wrx7m

You would put the HAProxy behind the firewall, right?

scottalanmiller

@wrx7m said in Load balancer inside firewall or not...:

You would put the HAProxy behind the firewall, right?

Generally, yes. Because you don't want to load balance things that you want to block.

JaredBusch

@scottalanmiller said in Load balancer inside firewall or not...:

@wrx7m said in Load balancer inside firewall or not...:

You would put the HAProxy behind the firewall, right?

Generally, yes. Because you don't want to load balance things that you want to block.

Right. For example, my firewall only sends ports 443 and 80 to haproxy.

Dashrender

Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?

JaredBusch

@Dashrender said in Load balancer inside firewall or not...:

Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?

The OP clearly stated that the firewalls were already going to be setup for failover.

This is clearly a load balancer for the backend services. Not the WAN link..

JaredBusch

@Pete-S said in Load balancer inside firewall or not...:

I also wonder about SSL for load balancers. Is it best to use SSL passthrough or SSL termination?

It has to terminate, or else it cannot load balance.

Dashrender

@JaredBusch said in Load balancer inside firewall or not...:

@Dashrender said in Load balancer inside firewall or not...:

Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?

The OP clearly stated that the firewalls were already going to be setup for failover.

Aww I didn't know what this meant, exactly

after the firewalls (pfsense in fail-over config).

But in seeing your response - OK yeah, the firewalls will be in fail-over config...

wrx7m

Wasn't pfsense in production, I guess I would say, "frowned upon"?

1337

@Dashrender said in Load balancer inside firewall or not...:

@JaredBusch said in Load balancer inside firewall or not...:

@Dashrender said in Load balancer inside firewall or not...:

Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?

The OP clearly stated that the firewalls were already going to be setup for failover.

Aww I didn't know what this meant, exactly

after the firewalls (pfsense in fail-over config).

But in seeing your response - OK yeah, the firewalls will be in fail-over config...

Yes, one firewall will do the work and the other one will be in standby. All firewall states are synced between them. If the first one fails the other one will take over all the IPs and duties.

Load balancer will send the request that passes the firewall to different webservers. If one webserver dies the other one(s) will do the job.

wrx7m

@Pete-S said in Load balancer inside firewall or not...:

@Dashrender said in Load balancer inside firewall or not...:

@JaredBusch said in Load balancer inside firewall or not...:

@Dashrender said in Load balancer inside firewall or not...:

Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?

The OP clearly stated that the firewalls were already going to be setup for failover.

Aww I didn't know what this meant, exactly

after the firewalls (pfsense in fail-over config).

But in seeing your response - OK yeah, the firewalls will be in fail-over config...

Yes, one firewall will do the work and the other one will be in standby. All firewall states are synced between them. If the first one fails the other one will take over all the IPs and duties.

Load balancer will send the request that passes the firewall to different webservers. If one webserver dies the other one(s) will do the job.

Will you also have HA for the load balancers?

1337

@wrx7m said in Load balancer inside firewall or not...:

Wasn't pfsense in production, I guess I would say, "frowned upon"?

Maybe, I don't care. Pfsense is just a customized freebsd installation with a gui as far as I'm concerned. And freebsd is solid.

travisdh1

@wrx7m said in Load balancer inside firewall or not...:

Wasn't pfsense in production, I guess I would say, "frowned upon"?

Yes it is.

1337

@wrx7m said in Load balancer inside firewall or not...:

@Pete-S said in Load balancer inside firewall or not...:

@Dashrender said in Load balancer inside firewall or not...:

@JaredBusch said in Load balancer inside firewall or not...:

@Dashrender said in Load balancer inside firewall or not...:

Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?

The OP clearly stated that the firewalls were already going to be setup for failover.

Aww I didn't know what this meant, exactly

after the firewalls (pfsense in fail-over config).

But in seeing your response - OK yeah, the firewalls will be in fail-over config...

Yes, one firewall will do the work and the other one will be in standby. All firewall states are synced between them. If the first one fails the other one will take over all the IPs and duties.

Load balancer will send the request that passes the firewall to different webservers. If one webserver dies the other one(s) will do the job.

Will you also have HA for the load balancers?

Yes, but I'm not sure how I will set it up. If firewall-1 goes down (completely or NIC failure) then firewall-2 will take over and that also means loadbalancer-2 will take over.

wrx7m

@travisdh1 said in Load balancer inside firewall or not...:

@wrx7m said in Load balancer inside firewall or not...:

Wasn't pfsense in production, I guess I would say, "frowned upon"?

Yes it is.

If you wanted to run a VM as your firewall, is there something that would be recommended?