0

I am building out a new high availability environment with 2 HAProxy load balancing servers and 2 NGINX web servers, all on CentOS 7. I have everything set up and working with both load balancers but am not sure how to route incoming WAN traffic so that if one HAProxy server is down, the other will take over. I have read a few articles about setting up HAProxy HA but they all refer to setting up a Virtual IP. Is this something I need to set up in CentOS, or is this something that should be set up in my pfSense firewall?

My Setup:

pfSense Firewall (192.168.1.1)

--

LB01 (192.168.1.5)

LB02 (192.168.1.6)

--

NGINX01 (192.168.1.20)

NGINX02 (192.168.1.21)

JoeyZero
  • 101
  • 3

2 Answers

1

On BSD systems the HA protocol you're looking for is called CARP (Common Address Redundancy Protocol), and it would be implemented in a pair of firewalls that each have a physical interface dedicated to maintaining a shared state. The "virtual IP" would be shared between them: at any given moment, one of them would be primary and the other would be monitoring it. If the primary failed to deliver regular updates, the secondary would take over the virtual interface (by spoofing its MAC address).

Here's more detail at the pfSense site

quadruplebucky
  • 5,041
  • 18
  • 23
  • Ok, so I just need to set up the CARP Virtual IP settings on each HAProxy server and then just direct incoming WAN traffic from pfSense to that Virtual IP? – JoeyZero Jun 15 '17 at 23:13
  • I misunderstood what you are trying to do, I think. The HAProxys are running CentOS, so they'd use VRRP (very similar to CARP) to provide a virtual IP. You still have a pfSense box and a single switch line as a point of failure, so I'm not sure why, but follow the HAProxy guides. – quadruplebucky Jun 15 '17 at 23:34
  • Thanks! Yea, pfSense HA is on my list for this year as well. I just have to figure out how to accomplish it in my colo. I understand how to route everything after the pfSense boxes, just not sure how to route the incoming WAN connection (single drop coming into my colo) to the two pfSense boxes. All of the diagrams seem to be based on a DSL gateway device. – JoeyZero Jun 16 '17 at 18:34
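An added example of what the VRRP setup mentioned in the comments above looks like on the two CentOS 7 HAProxy nodes, using keepalived (this is not from the question or either answer). The addresses of LB01/LB02 are the ones in the question; the virtual IP 192.168.1.10, the interface name eth0, the router id 51 and the password placeholder are assumptions for the example. This is `/etc/keepalived/keepalived.conf` on LB01; LB02 gets the same file with `state BACKUP`, `priority 100`, and the two unicast addresses swapped.

```conf
# /etc/keepalived/keepalived.conf on LB01 (192.168.1.5) -- example, not the thread's own config

# Health check: if haproxy is not running, drop this node's priority by 20
# so that the peer (priority 100) wins the election and takes the VIP.
vrrp_script chk_haproxy {
    script "/usr/bin/systemctl is-active --quiet haproxy"
    interval 2        # run the check every 2 seconds
    fall 2            # two consecutive failures mark the service down
    rise 2            # two consecutive successes mark it up again
    weight -20
}

vrrp_instance VI_1 {
    state MASTER              # LB02: state BACKUP
    interface eth0            # assumed interface name; check with `ip addr`
    virtual_router_id 51      # assumed id; must match on both nodes, unique per LAN segment
    priority 101              # LB02: priority 100 (higher priority holds the VIP)
    advert_int 1              # heartbeat every second; peer takes over after ~3 missed adverts

    # Unicast keeps VRRP traffic between the two known peers instead of multicast,
    # which also makes it easy to scope the firewall rule to one source address.
    unicast_src_ip 192.168.1.5   # LB02: 192.168.1.6
    unicast_peer {
        192.168.1.6              # LB02: 192.168.1.5
    }

    # VRRPv2 "PASS" auth is sent in clear text: it only guards against a
    # mis-configured host joining the group, not against an attacker on the
    # segment. Rely on the isolated LAN and the firewall rule for that.
    authentication {
        auth_type PASS
        auth_pass CHANGEME   # placeholder, max 8 characters
    }

    # The floating address that pfSense forwards WAN traffic to. Assumed value.
    virtual_ipaddress {
        192.168.1.10/24 dev eth0
    }

    track_script {
        chk_haproxy
    }
}
```

Two things need to accompany this on both nodes: allow VRRP (IP protocol 112) from the peer in firewalld, e.g. `firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.6" protocol value="vrrp" accept'` on LB01 (and the mirror rule on LB02), and set `net.ipv4.ip_nonlocal_bind = 1` in `/etc/sysctl.d/` so HAProxy on the BACKUP node can bind its frontends to 192.168.1.10 before it actually holds the address. The pfSense port forward / NAT rule then targets 192.168.1.10 rather than either load balancer's own address, and `ip addr show eth0` on each node shows which one currently holds the VIP.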
1

Everything can be done with round-robin DNS. Or, for example, AWS Route 53 gives you the option of routing to an IP in a list based on latency. The downed pfSense box would have a super high latency (timeout) and the requests would then be routed to the next pfSense box.