Load balancer inside firewall or not...

JaredBusch

@Dashrender said in Load balancer inside firewall or not...:

Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?

The OP clearly stated that the firewalls were already going to be setup for failover.

This is clearly a load balancer for the backend services. Not the WAN link..

JaredBusch

@Pete-S said in Load balancer inside firewall or not...:

I also wonder about SSL for load balancers. Is it best to use SSL passthrough or SSL termination?

It has to terminate, or else it cannot load balance.

Dashrender

@JaredBusch said in Load balancer inside firewall or not...:

@Dashrender said in Load balancer inside firewall or not...:

Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?

The OP clearly stated that the firewalls were already going to be setup for failover.

Aww I didn't know what this meant, exactly

after the firewalls (pfsense in fail-over config).

But in seeing your response - OK yeah, the firewalls will be in fail-over config...

wrx7m

Wasn't pfsense in production, I guess I would say, "frowned upon"?

1337

@Dashrender said in Load balancer inside firewall or not...:

@JaredBusch said in Load balancer inside firewall or not...:

@Dashrender said in Load balancer inside firewall or not...:

Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?

The OP clearly stated that the firewalls were already going to be setup for failover.

Aww I didn't know what this meant, exactly

after the firewalls (pfsense in fail-over config).

But in seeing your response - OK yeah, the firewalls will be in fail-over config...

Yes, one firewall will do the work and the other one will be in standby. All firewall states are synced between them. If the first one fails the other one will take over all the IPs and duties.

Load balancer will send the request that passes the firewall to different webservers. If one webserver dies the other one(s) will do the job.

wrx7m

@Pete-S said in Load balancer inside firewall or not...:

@Dashrender said in Load balancer inside firewall or not...:

@JaredBusch said in Load balancer inside firewall or not...:

@Dashrender said in Load balancer inside firewall or not...:

Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?

The OP clearly stated that the firewalls were already going to be setup for failover.

Aww I didn't know what this meant, exactly

after the firewalls (pfsense in fail-over config).

But in seeing your response - OK yeah, the firewalls will be in fail-over config...

Yes, one firewall will do the work and the other one will be in standby. All firewall states are synced between them. If the first one fails the other one will take over all the IPs and duties.

Load balancer will send the request that passes the firewall to different webservers. If one webserver dies the other one(s) will do the job.

Will you also have HA for the load balancers?

1337

@wrx7m said in Load balancer inside firewall or not...:

Wasn't pfsense in production, I guess I would say, "frowned upon"?

Maybe, I don't care. Pfsense is just a customized freebsd installation with a gui as far as I'm concerned. And freebsd is solid.

travisdh1

@wrx7m said in Load balancer inside firewall or not...:

Wasn't pfsense in production, I guess I would say, "frowned upon"?

Yes it is.

1337

@wrx7m said in Load balancer inside firewall or not...:

@Pete-S said in Load balancer inside firewall or not...:

@Dashrender said in Load balancer inside firewall or not...:

@JaredBusch said in Load balancer inside firewall or not...:

@Dashrender said in Load balancer inside firewall or not...:

Are you looking to load balance two ISP connections or two servers inside your network providing access to the outside?

The OP clearly stated that the firewalls were already going to be setup for failover.

Aww I didn't know what this meant, exactly

after the firewalls (pfsense in fail-over config).

But in seeing your response - OK yeah, the firewalls will be in fail-over config...

Yes, one firewall will do the work and the other one will be in standby. All firewall states are synced between them. If the first one fails the other one will take over all the IPs and duties.

Load balancer will send the request that passes the firewall to different webservers. If one webserver dies the other one(s) will do the job.

Will you also have HA for the load balancers?

Yes, but I'm not sure how I will set it up. If firewall-1 goes down (completely or NIC failure) then firewall-2 will take over and that also means loadbalancer-2 will take over.

wrx7m

@travisdh1 said in Load balancer inside firewall or not...:

@wrx7m said in Load balancer inside firewall or not...:

Wasn't pfsense in production, I guess I would say, "frowned upon"?

Yes it is.

If you wanted to run a VM as your firewall, is there something that would be recommended?

travisdh1

@wrx7m said in Load balancer inside firewall or not...:

@travisdh1 said in Load balancer inside firewall or not...:

@wrx7m said in Load balancer inside firewall or not...:

Wasn't pfsense in production, I guess I would say, "frowned upon"?

Yes it is.

If you wanted to run a VM as your firewall, is there something that would be recommended?

VyOS

wrx7m

@travisdh1 said in Load balancer inside firewall or not...:

@wrx7m said in Load balancer inside firewall or not...:

@travisdh1 said in Load balancer inside firewall or not...:

@wrx7m said in Load balancer inside firewall or not...:

Wasn't pfsense in production, I guess I would say, "frowned upon"?

Yes it is.

If you wanted to run a VM as your firewall, is there something that would be recommended?

VyOS

Oh yeah. I remember that now. Thanks.

JaredBusch

@travisdh1 said in Load balancer inside firewall or not...:

@wrx7m said in Load balancer inside firewall or not...:

Wasn't pfsense in production, I guess I would say, "frowned upon"?

Yes it is.

I disagree, pfSense is an absolutely solid choice.

VyOS is even better, but there is nothing wrong with pfSense.

It is how some people use it that causes problems.

wrx7m

@JaredBusch said in Load balancer inside firewall or not...:

@travisdh1 said in Load balancer inside firewall or not...:

@wrx7m said in Load balancer inside firewall or not...:

Wasn't pfsense in production, I guess I would say, "frowned upon"?

Yes it is.

I disagree, pfSense is an absolutely solid choice.

VyOS is even better, but there is nothing wrong with pfSense.

It is how some people use it that causes problems.

Do you have some points on how people's use causes problems? TIA

1337

@JaredBusch said in Load balancer inside firewall or not...:

@travisdh1 said in Load balancer inside firewall or not...:

@wrx7m said in Load balancer inside firewall or not...:

Wasn't pfsense in production, I guess I would say, "frowned upon"?

Yes it is.

I disagree, pfSense is an absolutely solid choice.

VyOS is even better, but there is nothing wrong with pfSense.

It is how some people use it that causes problems.

And maybe the hardware they put it on. An old decommissioned desktop PC might not be the best option for a firewall.

wrx7m

@Pete-S said in Load balancer inside firewall or not...:

@JaredBusch said in Load balancer inside firewall or not...:

@travisdh1 said in Load balancer inside firewall or not...:

@wrx7m said in Load balancer inside firewall or not...:

Wasn't pfsense in production, I guess I would say, "frowned upon"?

Yes it is.

I disagree, pfSense is an absolutely solid choice.

VyOS is even better, but there is nothing wrong with pfSense.

It is how some people use it that causes problems.

And maybe the hardware they put it on. An old decommissioned desktop PC might not be the best option for a firewall.

#truestory

scottalanmiller

@JaredBusch said in Load balancer inside firewall or not...:

@travisdh1 said in Load balancer inside firewall or not...:

@wrx7m said in Load balancer inside firewall or not...:

Wasn't pfsense in production, I guess I would say, "frowned upon"?

Yes it is.

I disagree, pfSense is an absolutely solid choice.

VyOS is even better, but there is nothing wrong with pfSense.

It is how some people use it that causes problems.

Old PCs, silly consumer hardware or hobby hardware... typically we see pfSense in some pretty weird spots.

If you are doing a VM, then pfSense makes way more sense as there isn't any concern about weird or bad hardware choices.

black3dynamite

@wrx7m said in Load balancer inside firewall or not...:

Wasn't pfsense in production, I guess I would say, "frowned upon"?

PfSense is awesome. Avoid turning into a UTM so it can stay stable.