What is PfSense
PfSense is a powerful FreeBSD-based software suite. It is usually used as a gateway, firewall, traffic forwarder, proxy and so on. Although FreeBSD runs under the hood, browser access is enough for almost all management operations. This simplicity, coupled with power and customization abilities, has been PfSense's "killer feature" for a long time.
What is HAProxy
HAProxy is a well-known open source load balancer. Originally it was designed for installation on a Linux server, but now HAProxy can be installed on many enterprise-level routers, virtual machines etc. In this article I will describe how to install HAProxy on a PfSense firewall.
Preparing the infrastructure
To show how HAProxy works, you need to prepare at least three servers: two as content servers and a third as the PfSense firewall and HAProxy balancer. To do this:
- Log in to your ServerSpace client area and create an isolated LAN;
- Deploy three servers, one of them running PfSense, the others running an OS that suits your content requirements. Be careful: all servers should be located in the same datacenter. When finished, you should see a server list like this;
- Power all three servers off and connect them to the private network;
- Log in to your PfSense server (the credentials can be found on the server status tab in the client area), then go to the Interfaces > Assignments page and assign the LAN interface to the free port;
- Go to the Interfaces > LAN page and configure it according to the information on the server's Settings tab;
- Because ports 80 and 443 will be used by the backend servers, I'll change the PfSense web-interface port. Go to the PfSense firewall settings and create a rule to pass traffic to any unused port, then assign this port as the web-interface port on the System > Advanced page;
- Open the PfSense interface via the "new" port, open the firewall settings again and create a rule to allow all "intranet" traffic;
- PfSense preparation is finished; now it is time to connect the content servers to the LAN. Two methods are available. You can edit the network interface configuration files and add the new interface manually, but the simplest way is just to rebuild the server OS via the client area after connecting it to the LAN. The result will be the same: the "private" IPs of all three servers are accessible to each other.
HAProxy installation
To install and configure HAProxy on the PfSense server, please follow these steps:
- Open your gateway's web interface, go to the System > Package Manager > Available Packages page, then find and install the latest available version of HAProxy;
- Now create a backend. Go to the Services > HAProxy > Backend page and enter the IPs of your backend servers;
- Create a frontend. Go to Services > HAProxy > Frontend, set the WAN address as the frontend listener and point it to the previously created backend;
- Go to Services > HAProxy > Settings, set the simultaneous connections limit and enable the service.
Placing the project files and checking HAProxy
Follow this article and deploy the website as described in the "Website deployment" paragraph. Then check it as described in the "Balancer checking" paragraph. The result should be similar.
Security tuning
To improve security, you can completely block traffic to the content servers via the "public" interface, except traffic that comes from your own IP. Return to the ServerSpace client area, open each backend server's settings and add two firewall rules: allow traffic from your own IP and deny everything else. Be careful: to avoid losing access, you should place the "positive" (allow) rule before the "negative" (deny) rule.
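The rule ordering described above can be checked before the rules are saved. The following Python sketch is an added example, not part of the original article or of ServerSpace's tooling. It assumes the firewall evaluates rules top to bottom with the first match winning and allows traffic that no rule matches; the addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample rules for a backend server's public interface.
# 203.0.113.10 stands in for "your own IP" (documentation address range).
ALLOW_ADMIN = ("allow", "203.0.113.10/32")
DENY_ALL = ("deny", "0.0.0.0/0")

def evaluate(rules, src_ip, default="allow"):
    """Return the action of the first rule whose network contains src_ip.
    Assumption: first match wins, unmatched traffic gets `default`."""
    addr = ipaddress.ip_address(src_ip)
    for action, cidr in rules:
        if addr in ipaddress.ip_network(cidr):
            return action
    return default

def audit(rules, admin_ip, probe_ips):
    """Check a ruleset before applying it: admin keeps access, probes are blocked."""
    problems = []
    if evaluate(rules, admin_ip) != "allow":
        problems.append(f"lockout: {admin_ip} would be denied")
    for ip in probe_ips:
        if evaluate(rules, ip) != "deny":
            problems.append(f"exposed: {ip} would be allowed")
    return problems

def shadowed(rules):
    """Indexes of rules that can never match because an earlier rule covers them."""
    nets = [ipaddress.ip_network(cidr) for _, cidr in rules]
    return [i for i, net in enumerate(nets)
            if any(net.subnet_of(earlier) for earlier in nets[:i])]

if __name__ == "__main__":
    probes = ["198.51.100.7", "192.0.2.55"]  # constructed "other" source addresses
    for name, rules in [("allow first", [ALLOW_ADMIN, DENY_ALL]),
                        ("deny first", [DENY_ALL, ALLOW_ADMIN])]:
        print(name, audit(rules, "203.0.113.10", probes),
              "shadowed rules:", shadowed(rules))
```

With the deny rule placed first, the allow rule is reported as shadowed and the audit flags a lockout for the administrator's address.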
Conclusion
After reading this material, you know what PfSense is and how to install and secure the HAProxy plugin on it.