After reading this article, also check the follow-up: vCloud Director Howto: Load balancing with free pfSense – Cont’d
After doing some testing with VMware’s vCloud Director, I wanted to configure a multi-cell vCD infrastructure with a network load balancer in front. Of course there are various commercial products (see Eric Sloof’s excellent article on configuring Kemp Load Master), but I was actually looking for an open source alternative.
pfSense is doing the trick! pfSense is a FreeBSD based firewall solution and the successor of m0n0wall (maybe you know that one). You can download the ISO from the pfSense website at www.pfsense.org. I am using the 64 bit 2.0.1 version.
Note: This setup is intended for lab/home use 🙂
The scenario we’re building consists of the following virtual machines:
- A pfSense based firewall and load balancer (in a virtual machine), one NIC connected to the internet, one NIC connected to the management LAN.
- Two vCloud Director cells, both connected to the management LAN.
- A vCenter Server, also connected to the management LAN.
First install pfSense in a virtual machine. My specs are: 1 vCPU, 256 MB RAM and 1 GB disk, and don’t forget to add two NICs. The OS type is FreeBSD 64 bit. Mount the pfSense CD and start the VM for the installation:
- Choose option 1, just boot pfSense
- After a short while, press I to install the software
- Choose defaults, when asked choose a Quick/Easy Install. Your disk will be wiped, but because you’ve just created a new VM, this shouldn’t be a problem. Choose the multi-processor kernel.
- After the installation has finished, reboot the virtual machine and disconnect the installation ISO.
- Now pfSense will boot with its default configuration.
Now it’s time to create a basic configuration for pfSense through the command-line. After you’ve set the IP configuration, you will have a web interface available.
pfSense will show you two NICs, em0 and em1, which are the two NICs of the virtual machine. You have to tell pfSense which interface is the WAN interface and which is the LAN interface:
I prefer not to use the auto-detection feature and just type em0 or em1, depending on which NIC is your WAN interface. We don’t have an optional interface available, so just leave this empty and press enter when asked. By default your WAN interface will look for a DHCP server, and your LAN interface will be configured with IP address 192.168.1.1.
After you have completed the basic configuration your pfSense VM startup screen will look like this:
Ok, what’s next? Choose option 2 to configure the LAN and WAN interfaces according to your network settings. Keep in mind that the LAN interface address, the address your vCD cells will connect to, should be configured as the default gateway in your vCD cells. You can choose to use pfSense’s DHCP server if necessary. In my case the WAN interface is configured with 10.0.1.254/24, the LAN interface is configured with 192.168.1.254/24.
Ok, now it’s time to install vCD and create a basic configuration. Also install a second cell using the response.properties. More information about the vCD installation can be found in the “vCloud Director Installation and Configuration Guide”, available as PDF on the VMware website. The installation isn’t covered here, there are already enough resources available!
After you have installed two vCD cells, you should be able to connect to both cells successfully. Because vCD is stateless, it shouldn’t matter which instance you’re connecting to. The properties of my two vCD cells are:
vCD Cell 1:
- hostname: vcd1public.domain.local
- ip address for the vCD website: 192.168.1.237/24
- ip address for the vCD console proxy: 192.168.1.238/24
- dns: 192.168.1.253 (LAN side DNS server)
- gw: 192.168.1.254 (this is the LAN side IP address of pfSense!)
vCD Cell 2:
- hostname: vcd1public.domain.local
- ip address for the vCD website: 192.168.1.231/24
- ip address for the vCD console proxy: 192.168.1.232/24
- dns: 192.168.1.253 (LAN side DNS server)
- gw: 192.168.1.254 (this is the LAN side IP address of pfSense!)
Now the pfSense configuration, the configuration in this case will be:
- The pfSense firewall/load balancer has Public IP address 10.0.1.254
- vCD website traffic will be accessible through port 444, so https://10.0.1.254:444. (You can configure this alternative port in the vCD interface if necessary)
- Console proxy traffic will be accessible through port 443, so on 10.0.1.254:443.
- The load balancer (pfSense) will balance vCD website traffic on 10.0.1.254:444 to 192.168.1.231:443 and 192.168.1.238:443. pfSense will do a port translation here.
- The load balancer (pfSense) will balance Console Proxy traffic on 10.0.1.254:443 to 192.168.1.232:443 and 192.168.1.238:443. I will do a little port translation here.
Access the pfSense web interface on http(s)://192.168.1.254, default credentials are admin/pfsense. Choose the load balancer option, it’s available under Services:
We have to set up the pools and virtual servers feature; it’s a nice-to-have to set up the “monitors” option which is also available (more about that in the To Do paragraph at the end of this article).
In the pools options you have to configure which vCloud Director cells are available to the load balancer. You have to define a separate pool for the web interface and a separate pool for the console proxy. The screendump shows the configuration for the vCloud Director web interface pool:
Define a name for the pool, configure the port number (443) and add both vCloud Director cells to this pool. I’ve configured ICMP as the monitor option, which means a ping is sent to a vCD cell to check it is up and running. Although this is not a very thorough test (if the OS of a cell is up and running but the vCD service is down, the load balancer will still think the cell is available), this option is fine for this first setup.
The next step is configuring a virtual server, which means you are publishing the cells to the public side of pfSense (on 10.0.1.254). In our case https://10.0.1.254:444 is the access point. The configuration is shown in the screendump:
The virtual server pool is the previously configured pool, in this case the web console of vCloud Director. There’s a very important note at the bottom of this screen: don’t forget to add a firewall rule for the virtual server. The rule for both the web interface and the console proxy will look like this (Firewall->Rules):
Important: Although these rules will work perfectly, it’s an even better idea to specify the target vCD nodes in the firewall rules. The above configuration can potentially open your pfSense management interface to the “WAN” side of the load balancer. An alternative is to move the pfSense management interface to another port, e.g. port 445. You can set this option in System->Advanced->TCP Port.
Repeat the steps, to configure the console proxy. Now your free load balancer is up and running 🙂 You can monitor the load balancer with the status->load balancer option! If everything is working, it should look like this:
To do…
One thing I still want to do is to implement a more proper way of monitoring the cells. The ICMP option (sending a ping) is not so good, because it only checks whether the OS is up and running. pfSense has an option to configure additional monitors (Services->Load Balancers->Monitors). I’ve implemented a monitor for both the vCD cell and the console proxy according to this article by Chris Colotti. Instead of sending a ping to the cells, the monitor requests a URL. When this succeeds, the cell is up and available to the load balancer. The pfSense configuration for the vCD web interface should look like this:
For the console proxy the configuration is quite the same, only the monitor URL should be changed to “/sdk/vimServiceVersions.xml”. In my lab this configuration resulted in two overloaded cloud cells :(. My servers have a rather lean & mean configuration, so I think that’s the problem. I will do some additional testing and post the results here!
That’s it for now, your comments are always welcome!
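To show why the URL monitor beats the ICMP monitor, here is a small added example (not part of this article or of pfSense): a URL health check that only marks a cell as available when the console proxy monitor path answers HTTP 200, run against a constructed mock cell on localhost. It assumes plain HTTP on a random local port instead of HTTPS on the real cells, and the mock serves nothing but the monitor path.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Console proxy monitor URL from the article; the mock cell below serves it.
CONSOLE_PROXY_PATH = "/sdk/vimServiceVersions.xml"


def url_monitor(host, port, path, timeout=2.0):
    """Return True only when the cell answers the monitor URL with HTTP 200.
    A refused connection (OS up, vCD service down) or a non-200 reply both
    count as DOWN; an ICMP monitor would still report such a cell as UP."""
    try:
        with urllib.request.urlopen(f"http://{host}:{port}{path}", timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False        # service answered, but not with 200 (e.g. 404 or 503)
    except (urllib.error.URLError, OSError):
        return False        # refused, timed out or unreachable


def available_cells(cells, path):
    """Filter a pool (list of (host, port)) down to the members the URL monitor
    considers healthy; only these should receive load-balanced traffic."""
    return [cell for cell in cells if url_monitor(cell[0], cell[1], path)]


class _MockCell(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a vCD console proxy: only the monitor path exists."""
    def do_GET(self):
        if self.path != CONSOLE_PROXY_PATH:
            self.send_error(404)
            return
        body = b"<versions/>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def demo():
    """Healthy cell, wrong monitor path, then the service stopped (host still up)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _MockCell)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    pool = [("127.0.0.1", srv.server_address[1])]
    while_up = available_cells(pool, CONSOLE_PROXY_PATH) == pool
    wrong_path = url_monitor(pool[0][0], pool[0][1], "/cloud/")   # 404 -> DOWN
    srv.shutdown()
    srv.server_close()                       # service stops, the "OS" keeps running
    return while_up, wrong_path, available_cells(pool, CONSOLE_PROXY_PATH) == []
```

demo() returns (True, False, True): the cell is in the pool only while the monitor URL answers 200, and drops out the moment the service stops even though the host still answers.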
The follow up for this article is available now: vCloud Director Howto: Load balancing with free pfSense – Cont’d
8 Comments
Gianni
Good article and useful!!! I’m testing ipvsadm+keepalive to do similar failover/balancing.
I have a doubt, perhaps it is a typo: you write 192.168.1.238 instead of 237?
regards
Gianni
viktorious
You’re right! There was a minor mistake in the article, I’ve changed it…everything should be ok now. Thanks for your message.
ran
hi, is it also possible to just run the pfsense from the cloud if i have a huge cloud hosting?
viktorious
What scenario are you thinking about? Do you want to use pfSense as a load balancer for this cloud infrastructure or as a VM within the cloud? For production scenarios I would recommend a supported option, pfSense is only community supported…
Abhinav
Thanks for the wonderful article.
We tried using pfSense for Load Balancing between 2 vSphere SSO VMs.
It works absolutely fine if we test it using a web browser, but for some reason the Inventory Service installer doesn’t like it.
Our setup:
SSO VM1 : 192.168.1.10
SSO VM1 : 192.168.1.11
Gateway for both VMs: 192.168.1.1 (LAN interface of pfSense)
https://:7444/lookupservice/sdk works fine in web browser.
Any thoughts ?
viktorious
I presume you’re running the SSO nodes in HA mode? Maybe you will need some kind of session affinity; after the initial connection is made, I think the Inventory Service has to connect to the same node each time.
I am wondering if this helps!