Load balancer inside firewall or not...
-
HAProxy is really powerful. We use quite a few of them here.
-
You would put the HAProxy behind the firewall, right?
-
@wrx7m said in Load balancer inside firewall or not...:
You would put the HAProxy behind the firewall, right?
Generally, yes. Because you don't want to load balance things that you want to block.
-
@scottalanmiller said in Load balancer inside firewall or not...:
@wrx7m said in Load balancer inside firewall or not...:
You would put the HAProxy behind the firewall, right?
Generally, yes. Because you don't want to load balance things that you want to block.
Right. For example, my firewall only sends ports 443 and 80 to HAProxy.
-
Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?
-
@Dashrender said in Load balancer inside firewall or not...:
Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?
The OP clearly stated that the firewalls were already going to be set up for failover.
This is clearly a load balancer for the backend services. Not the WAN link.
-
@Pete-S said in Load balancer inside firewall or not...:
I also wonder about SSL for load balancers. Is it best to use SSL passthrough or SSL termination?
It has to terminate, or else it cannot load balance.
-
@JaredBusch said in Load balancer inside firewall or not...:
@Dashrender said in Load balancer inside firewall or not...:
Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?
The OP clearly stated that the firewalls were already going to be set up for failover.
Aww I didn't know what this meant, exactly
after the firewalls (pfsense in fail-over config).
But in seeing your response - OK yeah, the firewalls will be in fail-over config...
-
Wasn't pfsense in production, I guess I would say, "frowned upon"?
-
@Dashrender said in Load balancer inside firewall or not...:
@JaredBusch said in Load balancer inside firewall or not...:
@Dashrender said in Load balancer inside firewall or not...:
Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?
The OP clearly stated that the firewalls were already going to be set up for failover.
Aww I didn't know what this meant, exactly
after the firewalls (pfsense in fail-over config).
But in seeing your response - OK yeah, the firewalls will be in fail-over config...
Yes, one firewall will do the work and the other one will be in standby. All firewall states are synced between them. If the first one fails the other one will take over all the IPs and duties.
Load balancer will send the request that passes the firewall to different webservers. If one webserver dies the other one(s) will do the job.
-
@Pete-S said in Load balancer inside firewall or not...:
@Dashrender said in Load balancer inside firewall or not...:
@JaredBusch said in Load balancer inside firewall or not...:
@Dashrender said in Load balancer inside firewall or not...:
Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?
The OP clearly stated that the firewalls were already going to be set up for failover.
Aww I didn't know what this meant, exactly
after the firewalls (pfsense in fail-over config).
But in seeing your response - OK yeah, the firewalls will be in fail-over config...
Yes, one firewall will do the work and the other one will be in standby. All firewall states are synced between them. If the first one fails the other one will take over all the IPs and duties.
Load balancer will send the request that passes the firewall to different webservers. If one webserver dies the other one(s) will do the job.
Will you also have HA for the load balancers?
-
@wrx7m said in Load balancer inside firewall or not...:
Wasn't pfsense in production, I guess I would say, "frowned upon"?
Maybe, I don't care. pfSense is just a customized FreeBSD installation with a GUI as far as I'm concerned. And FreeBSD is solid.
-
@wrx7m said in Load balancer inside firewall or not...:
Wasn't pfsense in production, I guess I would say, "frowned upon"?
Yes it is.
-
@wrx7m said in Load balancer inside firewall or not...:
@Pete-S said in Load balancer inside firewall or not...:
@Dashrender said in Load balancer inside firewall or not...:
@JaredBusch said in Load balancer inside firewall or not...:
@Dashrender said in Load balancer inside firewall or not...:
Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?
The OP clearly stated that the firewalls were already going to be set up for failover.
Aww I didn't know what this meant, exactly
after the firewalls (pfsense in fail-over config).
But in seeing your response - OK yeah, the firewalls will be in fail-over config...
Yes, one firewall will do the work and the other one will be in standby. All firewall states are synced between them. If the first one fails the other one will take over all the IPs and duties.
Load balancer will send the request that passes the firewall to different webservers. If one webserver dies the other one(s) will do the job.
Will you also have HA for the load balancers?
Yes, but I'm not sure how I will set it up. If firewall-1 goes down (completely or NIC failure) then firewall-2 will take over and that also means loadbalancer-2 will take over.
-
@travisdh1 said in Load balancer inside firewall or not...:
@wrx7m said in Load balancer inside firewall or not...:
Wasn't pfsense in production, I guess I would say, "frowned upon"?
Yes it is.
If you wanted to run a VM as your firewall, is there something that would be recommended?
-
@wrx7m said in Load balancer inside firewall or not...:
@travisdh1 said in Load balancer inside firewall or not...:
@wrx7m said in Load balancer inside firewall or not...:
Wasn't pfsense in production, I guess I would say, "frowned upon"?
Yes it is.
If you wanted to run a VM as your firewall, is there something that would be recommended?
VyOS
-
@travisdh1 said in Load balancer inside firewall or not...:
@wrx7m said in Load balancer inside firewall or not...:
@travisdh1 said in Load balancer inside firewall or not...:
@wrx7m said in Load balancer inside firewall or not...:
Wasn't pfsense in production, I guess I would say, "frowned upon"?
Yes it is.
If you wanted to run a VM as your firewall, is there something that would be recommended?
VyOS
Oh yeah. I remember that now. Thanks.
-
@travisdh1 said in Load balancer inside firewall or not...:
@wrx7m said in Load balancer inside firewall or not...:
Wasn't pfsense in production, I guess I would say, "frowned upon"?
Yes it is.
I disagree, pfSense is an absolutely solid choice.
VyOS is even better, but there is nothing wrong with pfSense.
It is how some people use it that causes problems.
-
@JaredBusch said in Load balancer inside firewall or not...:
@travisdh1 said in Load balancer inside firewall or not...:
@wrx7m said in Load balancer inside firewall or not...:
Wasn't pfsense in production, I guess I would say, "frowned upon"?
Yes it is.
I disagree, pfSense is an absolutely solid choice.
VyOS is even better, but there is nothing wrong with pfSense.
It is how some people use it that causes problems.
Do you have some points on how people's use causes problems? TIA
-
@JaredBusch said in Load balancer inside firewall or not...:
@travisdh1 said in Load balancer inside firewall or not...:
@wrx7m said in Load balancer inside firewall or not...:
Wasn't pfsense in production, I guess I would say, "frowned upon"?
Yes it is.
I disagree, pfSense is an absolutely solid choice.
VyOS is even better, but there is nothing wrong with pfSense.
It is how some people use it that causes problems.
And maybe the hardware they put it on. An old decommissioned desktop PC might not be the best option for a firewall.
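-
A sketch of the layout discussed in this thread, as an added example that is not from any poster: HAProxy sits behind the firewall, listens only on the forwarded ports 80 and 443, terminates TLS and health-checks two web servers so that a dead one drops out of rotation. All IP addresses, the certificate path and the `/healthz` URL are assumptions.

```haproxy
# Added example. Addresses, certificate path and health-check URL are assumed values.
global
    log /dev/log local0
    # Refuse TLS versions older than 1.2 on the terminating frontend
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    # Pass the client address to the web servers in X-Forwarded-For
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    # The firewall forwards only 80 and 443 to this host, so nothing else is bound.
    bind 10.0.10.5:80
    bind 10.0.10.5:443 ssl crt /etc/haproxy/certs/site.pem
    # Plain HTTP is only accepted in order to redirect it to HTTPS
    http-request redirect scheme https code 301 unless { ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend be_web

backend be_web
    balance roundrobin
    # Active health check: a server must answer 200 on /healthz to stay in rotation
    option httpchk GET /healthz
    http-check expect status 200
    # 'check' removes a server after 3 failed probes; the remaining one(s) carry the load
    server web1 10.0.20.11:80 check inter 2s fall 3 rise 2
    server web2 10.0.20.12:80 check inter 2s fall 3 rise 2
```

The file can be syntax-checked with `haproxy -c -f /etc/haproxy/haproxy.cfg` before it is loaded.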