Tuesday, December 2, 2014

pfSense load balancing

I had the case where I wanted to access my server remotely via SSH when my server was behind my pfSense firewall.
The problem was, I often swap between a wired and a wireless connection. I could port forward two different ports, one to the wired interface and one to the wireless, but that is one more thing to remember. So I thought I would investigate pfSense's load balancing functions so I wouldn't have to remember whether I left it on wired or wireless.

First, set static IPs for the server's wireless and wired connections so they can be referenced later. You can do this in the Status > DHCP leases menu by adding a static mapping for each lease, which pins the IP to that interface's MAC address.

Second, I needed to allow SSH from the WAN to the LAN network, so I created a firewall rule on the WAN interface for it. You could create two rules to allow SSH to each static IP, but I have other devices on my network, so I just opened it from the WAN to the whole network by using the /24 address of the LAN as the destination. (Two rules scoped to the two static IPs are the least-privilege choice, since the /24 rule permits inbound SSH to any LAN address rather than only the server.)

Now to the fun stuff, load balancing.

You need to create a pool containing the servers you want to load balance to, and a virtual server that listens on a port and forwards connections to that pool.

In Services > Load Balancer > Pool, click the plus to create a new pool.
Since we want pfSense to work out which address is reachable, wired or wireless, and send traffic to whichever one is up, select the 'Load Balance' mode. Give it a description. The server is listening on port 22 for SSH, so set the port to 22. Add the static IPs you set earlier to the pool and save. pfSense periodically health-checks each pool member and only hands connections to members that pass, so a TCP monitor on port 22 is a better fit here than a plain ICMP ping: it proves sshd is actually answering on that interface.

Now in Services > Load Balancer > Virtual Server, click the plus to create a new virtual server.
Give it a name. The IP address is your WAN IP (or an alias for the WAN IP). I wanted to use a non-standard port, so I chose port 1023. Select the pool to use, in my case 'Server_SSH_Pool', and save.

Apply changes. I rebooted the server to be sure.
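For reference, this is roughly what the pool and virtual server above correspond to in relayd, the daemon pfSense 2.x drives from Services > Load Balancer. It is an added example written for this post, not a file copied from a pfSense box: the WAN address 203.0.113.10, the LAN addresses 192.168.1.10 and 192.168.1.11 and the pool and virtual server names are placeholders, and the file pfSense generates itself (/var/etc/relayd.conf) may differ in detail.

```conf
# Added example: relayd equivalent of the pfSense pool + virtual server.
# All addresses are placeholders; pfSense writes its own version of this file.

# health-check every pool member this often (seconds)
interval 5

# the pool: the server's wired and wireless static IPs
table <Server_SSH_Pool> { 192.168.1.10, 192.168.1.11 }

# the virtual server: WAN address port 1023 -> pool members port 22,
# sending connections only to members whose TCP check on port 22 succeeds
redirect "Server_SSH" {
    listen on 203.0.113.10 port 1023
    forward to <Server_SSH_Pool> port 22 check tcp
}
```

The useful check that comes out of knowing this: on the pfSense shell, `relayctl show summary` lists each pool member with its health-check state, so after you swap the server between wired and wireless you can confirm that exactly one member shows as up before you bother testing from the WAN side.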

Now get onto the same network that your WAN connects to and try to SSH to the virtual server:

ssh -p 1023 username@<WAN IP>

where username is the username of an SSH user on the server (or servers) in the load balancer pool.

It should ask you for the password, and you should be in.
Log out, then switch the server to the other network interface (wired or wireless). Back on the machine on your WAN, try to SSH again to the same address and port.

You should now be able to get in from your WAN by using the one IP address and port 1023, no matter whether your server is connected to the LAN via wired or wireless (or via a second NIC; it doesn't have to be wired and wireless). You are just load balancing across two different IPs, so those could be two different servers as well; that's how you load balance HTTP requests across web servers to share the load, my case just needed SSH instead. One caveat when the pool members really are different machines: each has its own SSH host key, so the key seen behind the one address will change from connection to connection and the client will warn about it, unless the servers are set up to share a host key.
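The manual test above (SSH in, swap interfaces, SSH in again) is easy to script so you can sit and watch the pool fail over while you unplug and replug the server. The script below is an added example, not something from the original post: it polls the virtual server from a machine on the WAN side and prints which backend interface answered. The WAN address 203.0.113.10, port 1023, the user name "username" and the file name probe_ssh_lb.sh are placeholders (the first three can be overridden through the environment); it assumes the backend runs Linux with iproute2, and it uses BatchMode so that only key-based authentication is attempted, which is also the sensible way to run an SSH port that is reachable from the WAN.

```sh
#!/bin/sh
# Added example (not from the original post): probe the pfSense virtual server
# from a machine on the WAN side and report which backend interface answered,
# so you can swap the server between wired and wireless and watch the pool
# fail over. Assumptions: WAN address 203.0.113.10, port 1023 and user
# "username" are placeholders (override via the environment), the backend is
# Linux with iproute2, and key-based SSH auth is set up (BatchMode never
# prompts for a password).

WAN_IP="${WAN_IP:-203.0.113.10}"
PORT="${PORT:-1023}"
SSH_USER="${SSH_USER:-username}"

# Given the output of `ip -o -4 addr show` (one address per line, interface
# name in field 2, CIDR address in field 4) and a LAN prefix such as
# "192.168.1.", print the interface carrying the LAN address pfSense forwarded
# the connection to. Prints nothing if no address matches the prefix.
active_iface() {
    printf '%s\n' "$1" | awk -v pfx="$2" 'index($4, pfx) == 1 { print $2; exit }'
}

# One probe through the virtual server. Prints "<hostname> via <interface>",
# or "unreachable" (and returns 1) if the SSH connection failed.
probe_once() {
    out=$(ssh -p "$PORT" -o BatchMode=yes -o ConnectTimeout=5 \
              "$SSH_USER@$WAN_IP" 'hostname; ip -o -4 addr show' 2>/dev/null) || {
        echo "unreachable"
        return 1
    }
    host=$(printf '%s\n' "$out" | head -n 1)
    iface=$(active_iface "$(printf '%s\n' "$out" | tail -n +2)" "$1")
    echo "$host via ${iface:-unknown}"
}

# Poll every five seconds; move the server between wired and wireless while
# this runs and the reported interface should change (with a short gap while
# the health check notices the old member is down).
watch_failover() {
    while :; do
        printf '%s  ' "$(date +%H:%M:%S)"
        probe_once "$1" || true
        sleep 5
    done
}

# Usage: sh probe_ssh_lb.sh watch 192.168.1.
case "${1:-}" in
    watch) watch_failover "${2:-192.168.1.}" ;;
esac
```

Only `active_iface` needs the interface naming to be stable; everything else is a plain SSH round trip, so the same script works whether the two pool members are two interfaces of one box or two separate servers (in the latter case expect the hostname, and the host-key warning mentioned above, to alternate).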