VB
October 24, 2022
Updated June 7, 2023

How to install the HAProxy load balancer on pfSense


What is pfSense

pfSense is a powerful FreeBSD-based software suite. It is usually used as a gateway, firewall, traffic forwarder, proxy, and so on. Although FreeBSD runs under the hood, browser access is enough for almost all management operations. This simplicity, coupled with power and customization options, has long been pfSense's "killer feature".

What is HAProxy

HAProxy is a well-known open-source load balancer. It was originally designed for installation on a Linux server, but HAProxy can now be installed on many enterprise-level routers, virtual machines, and so on. In this article I will describe how to install HAProxy on a pfSense firewall.

Preparing the infrastructure

To show how HAProxy works, you need to prepare at least three servers: two as content servers and a third as the pfSense firewall and HAProxy balancer. To do this:

  • Log in to your ServerSpace client area and create an isolated LAN;

  • Deploy three servers, one of them running pfSense and the others running an OS that suits your content requirements. Be careful: all servers should be located in the same datacenter. When finished, you should see all three servers in your server list;

  • Power all three servers off and connect them to the private network;

  • Log in to your pfSense server (the credentials are shown on the server status tab in the client area), then go to the Interfaces > Assignments page and assign the LAN interface to the free port;

  • Go to the Interfaces > LAN page and configure it according to the information on the server's Settings tab;

  • Because ports 80 and 443 will be used by the backend servers, I'll change the pfSense web interface port. Go to the pfSense firewall settings and create a rule that passes traffic to any unused port, then assign this port as the web interface port on the System > Advanced page;

  • Open the pfSense interface via the "new" port, open the firewall settings again and create a rule to allow all "intranet" traffic;

  • The pfSense preparation is finished; now it is time to connect the content servers to the LAN. Two methods are available. You can edit the network interface configuration files and add the new interface manually, but the simplest way is to rebuild the server OS via the client area after connecting to the LAN. The result is the same: the "private" IPs of all three servers are reachable from each other;

HAProxy installation

To install and configure HAProxy on the pfSense server, please follow these steps:

  • Open your gateway's web interface, go to the System > Package Manager > Available Packages page, then find and install the latest available version of HAProxy;

  • Time to create a backend. Visit the Services > HAProxy > Backend page and configure it with your backend servers' IPs;

  • Create a frontend. Go to Services > HAProxy > Frontend, set the WAN address as the frontend listener and "point" it to the previously created backend;

  • Go to Services > HAProxy > Settings, set the simultaneous connections limit and enable the service;

Placing the project files and checking HAProxy

Just look at this article and deploy the website as described in the "Website deployment" paragraph. Then check it as described in the "Balancer checking" paragraph. The result should be similar.

Security tuning

To improve security, you can completely disable traffic to the content servers via the "public" interface, except traffic that comes from your own IP. Return to the ServerSpace client area, open each backend server's settings and add two firewall rules: allow traffic from your own IP and deny all other traffic. Be careful: to avoid losing access, you should place the "positive" (allow) rules before the "negative" (deny) ones.
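
The rule-ordering point above, as an added example (not code from the original article or from ServerSpace): a small first-match evaluator that shows why "deny first" locks you out, plus a check for rules that can never match. It assumes the firewall applies the first matching rule from top to bottom; the addresses are constructed documentation-range values and the function names are hypothetical.

```python
import ipaddress

# Constructed sample rules (documentation-range IPv4 addresses, not from the article).
# Each rule is (action, source network). Assumption: rules are evaluated top to
# bottom and the first match wins; `default` applies when nothing matches.
ADMIN_IP = "203.0.113.10"
GOOD_ORDER = [("allow", "203.0.113.10/32"), ("deny", "0.0.0.0/0")]
BAD_ORDER = [("deny", "0.0.0.0/0"), ("allow", "203.0.113.10/32")]


def evaluate(rules, src_ip, default="allow"):
    """Return the action of the first rule whose source network contains src_ip."""
    addr = ipaddress.ip_address(src_ip)
    for action, network in rules:
        if addr in ipaddress.ip_network(network):
            return action
    return default


def shadowed_rules(rules):
    """Return indexes of rules that can never match because an earlier rule
    already covers their whole source network (IPv4-only sample)."""
    shadowed = []
    for i, (_, network) in enumerate(rules):
        net = ipaddress.ip_network(network)
        for _, earlier in rules[:i]:
            if net.subnet_of(ipaddress.ip_network(earlier)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for name, rules in (("allow first", GOOD_ORDER), ("deny first", BAD_ORDER)):
        print(name)
        print("  own IP         :", evaluate(rules, ADMIN_IP))
        print("  other source   :", evaluate(rules, "198.51.100.7"))
        print("  shadowed rules :", shadowed_rules(rules))
```

Traffic from pfSense to the backends travels over the private LAN, so these public-interface rules do not affect the balancer.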

Conclusion

After reading this material, you know what pfSense is and how to install and secure the HAProxy plugin on it.
