Feature #1181
Status: Closed
Allow a way to add protocols (such as udp) to a load balancer
Description
I've been trying to configure load balanced DNS with pfsense 2.0. It occurred to me fairly quickly that this might not be obviously possible considering I see no mention of UDP anywhere in the load balancer config. But I proceeded looking into it anyway.
So I created a pool:
Name: DNS
Mode: Load Balance
Desc: Load Balanced DNS
Port: 53
Monitor: TCP (Yeah, I know actual requests are generally UDP, but checking that the TCP port is available is a nice simple way to do it without doing real lookups)
Servers in pool: 192.168.120.11, 192.168.120.12
I then configured a virtual server:
Name: DNS
Desc: Load Balanced DNS
IP Address: 192.168.120.254 (one of my VIPs)
Port: 53
Virtual Server Pool: DNS
Fail Back Pool: None
After realising I'd forgotten a few firewall rules, I tried to DNS from one of my hosts... and failed, not really unexpected.
However, I could telnet to port 53 of my load balancer (i.e. a TCP connection) and it worked.
Further investigation suggests that the relayd.conf created by the above is:
    table <DNS> { 192.168.120.11, 192.168.120.12 }
    redirect "DNS" {
        listen on 192.168.120.254 port 53
        forward to <DNS> port 53 check tcp timeout 1000
    }
That's pretty simple. Reading the relayd.conf man page redirection section suggests:
    listen on address [ip-proto] port port [interface name]
    Specify an address and a port to listen on. pf(4) will redirect incoming connections for the specified target to the hosts in the main or backup table. The port argument can optionally specify a port range instead of a single port; the format is min-port:max-port. The optional argument ip-proto can be used to specify an IP protocol like tcp or udp; it defaults to tcp. The rule can be optionally restricted to a given interface name.
So that explains why my load balancer doesn't work. The rule created by default will default to tcp.
An example on the same man page suggests that:
    redirect "dns" {
        listen on dns.example.com tcp port 53
        listen on dns.example.com udp port 53
        forward to <dnshosts> port 53 check tcp
    }
is a simple way to load balance DNS with relayd... so what I'm trying to do is ALMOST there; I just have no way to make pfSense also listen for UDP on port 53. Everything else is already seemingly in place.
So my feature request is simply, can a way be added to select additional protocols (or even just other protocols) to listen on within a load balancer? Perhaps in some sort of initially hidden advanced section like some of the firewall rules advanced options.
This seems like a fairly trivial addition, however I did look at the code and realised that I haven't touched PHP for a while and it scared me so I closed it again.
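An added example, not code from this report, from pfSense or from relayd: a small Python probe that does what the report did by hand with telnet, but for both transports. It sends the same minimal A query to the virtual server IP over UDP and over TCP (DNS over TCP prefixes each message with a 2-byte length) and reports which transport actually returns a NOERROR answer, which is the quickest way to see a tcp-only redirect like the one above. The transaction id and the probe name example.com are constructed placeholders; pass a name the pool's servers really serve.

```python
import socket
import struct

QID = 0x1234   # transaction id (constructed)

def build_query(name: str, qid: int = QID) -> bytes:
    """Minimal RFC 1035 query: header with RD set, QNAME, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(resp: bytes) -> dict:
    """Decode id, QR bit, RCODE and answer count from a response header."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F, "ancount": an}

def response_ok(resp: bytes, qid: int = QID) -> bool:
    """True when the reply echoes our id, has QR=1 and RCODE 0 (NOERROR)."""
    h = parse_header(resp)
    return h["id"] == qid and h["qr"] and h["rcode"] == 0

def query_udp(vip: str, name: str, timeout: float = 2.0) -> bytes:
    """One UDP query to the VIP; raises socket.timeout if nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (vip, 53))
        return s.recv(4096)

def query_tcp(vip: str, name: str, timeout: float = 2.0) -> bytes:
    """Same query over TCP, which frames each DNS message with a 2-byte length."""
    q = build_query(name)
    with socket.create_connection((vip, 53), timeout=timeout) as s, s.makefile("rb") as f:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", f.read(2))
        return f.read(length)

def check_vip(vip: str, name: str = "example.com") -> dict:
    """Report which transports the balanced VIP answers on, e.g. {'udp': False, 'tcp': True}."""
    results = {}
    for proto, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[proto] = response_ok(fn(vip, name))
        except (OSError, ValueError, struct.error):
            results[proto] = False
    return results
```

Run `check_vip("192.168.120.254")` against the virtual server from the report: with the tcp-only redirect above it returns `{'udp': False, 'tcp': True}`, and only after a udp listener is added does udp flip to True.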
Updated by Jim Pingle over 12 years ago
- Status changed from New to Closed
DNS support was added to the load balancer in 2.0.1, so this should be fine in the GUI now. It's been tested and used in production as well.
relayd doesn't support working with any other udp protocols besides DNS, so this is as far as we can go.
Updated by Roland Kletzing over 7 years ago
Unfortunately, to have working load-balanced DNS nowadays, you need to balance UDP + TCP as well. See http://www.networkworld.com/article/2231682/cisco-subnet/cisco-subnet-allow-both-tcp-and-udp-port-53-to-your-dns-servers.html
In its current state (2.3.3) pfSense+relayd can't do that.