OpenBSD load balancing and failover with relayd, pf and carp.

Wow, OpenBSD is such a good network operating system! Besides the great packet filter pf(4) and the excellent virtual interface carp(4) for address failover, it ships with relayd(8), which adds load balancing, with health checks of the backends, to the picture.

First set up a carp(4) interface on both OpenBSD machines: the same shared address, vhid and pass on each, and a lower advskew on the one that should normally be master (carp(4) and the OpenBSD FAQ cover this). Also bring up a pfsync(4) interface on each machine with the cross-cable interface as its syncdev; without it the pfsync rule below passes traffic that never happens and no state is replicated.

Now uncomment these two rules in /etc/pf.conf. (On OpenBSD 4.7 and later rdr-anchor no longer exists; there the single anchor "relayd/*" line is all relayd needs.)

rdr-anchor "relayd/*"
anchor "relayd/*"

Then add these rules so pfsync(4) can replicate pf's state table, TCP connection tracking included, to the other host. With the states in sync either OpenBSD machine may go down, reboot or fail and the other takes over the existing connections. I have tried listening to a stream of music through this setup, and it works like a charm!

pcn0 is the interface connected to your network; pcn1 is the interface with a cross cable to the other OpenBSD machine and exists solely for pfsync. That is not only a matter of reliability: pfsync messages are neither authenticated nor encrypted, so anyone able to send on that segment could inject or delete states, and a cross cable keeps them private. (I consider the cross cable very reliable.)

pass quick on { pcn1 } proto pfsync keep state (no-sync)
pass on { pcn0 pcn1 } proto carp keep state

And edit /etc/relayd.conf to look something like this on both hosts. The table lists the backends; relayd probes each of them (every 10 seconds by default) with an HTTP GET of / and only leaves hosts that answer 200 in the pool, so a backend that redirects / elsewhere or asks for authentication is taken out of rotation, which is usually what you want but worth remembering when a host mysteriously shows as down. Note that a relay is a layer-7 proxy: relayd accepts the client's TCP connection itself and opens a second one to the backend it picks. pfsync replicates the pf states of both legs, but not relayd's own sockets, so a connection that is in flight through a relay does not survive the master dying; new connections simply go to whichever host now holds the carp address. For transparent takeover of existing connections use a redirect instead of a relay: relayd then manages rdr rules in the pf anchor above and leaves the forwarding to pf, whose states pfsync does carry across.

ext_addr="192.168.1.123"
webhost1="192.168.1.2"
webhost2="192.168.1.3"

table <webhosts> { $webhost1 $webhost2 }
relay www {
  listen on $ext_addr port http
  forward to <webhosts> port http mode loadbalance check http "/" code 200
}

Add this line to /etc/rc.conf.local on both machines to start relayd at boot. (On releases that have rcctl(8), rcctl enable relayd does the same.)

relayd_flags=""

Reload pf and start relayd on both machines. Note that pfctl -F all flushes the state table along with everything else (rules, tables, queues), so on a machine that is already master it drops every tracked connection; once the pair is in production, reload with a plain pfctl -f /etc/pf.conf, which replaces the ruleset but keeps the states. Both pfctl and relayd accept -n to parse a configuration without loading it.

# pfctl -F all -f /etc/pf.conf
# relayd
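As an added example (this is not the article's own code), here is a small POSIX sh script that writes the complete set of files each node of the pair needs, including the carp(4) and pfsync(4) pieces the steps above only allude to, and syntax-checks them with pfctl -nf and relayd -n where those programs exist. The interface names and addresses are the article's; the netmask, broadcast address, vhid, carp password, the advskew values and the output directory layout are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not from the original article: generate the configuration
# files for both nodes of a relayd/pfsync/carp pair and syntax-check them.
# Interface names and addresses follow the article; VHID, netmask, broadcast,
# the carp password and the backup advskew are assumptions, edit them.
set -eu

EXT_IF=pcn0              # LAN interface that carries the carp address
SYNC_IF=pcn1             # cross cable, reserved for pfsync
VIP=192.168.1.123        # shared (carp) address clients connect to
NETMASK=255.255.255.0    # assumed
BCAST=192.168.1.255      # assumed
VHID=1                   # assumed; must be unique per carp group on the segment
CARP_PASS=changeme       # assumed; HMAC key for carp advertisements, same on both hosts
WEBHOST1=192.168.1.2
WEBHOST2=192.168.1.3

# gen_node ROLE OUTDIR
# Writes OUTDIR/etc/{hostname.carp0,hostname.pfsync0,sysctl.conf,pf.conf,relayd.conf,rc.conf.local}.
# The two nodes differ only in advskew: the lower value wins the carp election.
gen_node() {
    role=$1; out=$2
    case $role in
        master) advskew=0 ;;
        backup) advskew=100 ;;
        *) echo "gen_node: role must be master or backup, not '$role'" >&2; return 1 ;;
    esac
    mkdir -p "$out/etc"

    # carp(4): both hosts share address, vhid and pass; preempt lets a recovered master take over again
    echo "inet $VIP $NETMASK $BCAST vhid $VHID pass $CARP_PASS carpdev $EXT_IF advskew $advskew" \
        > "$out/etc/hostname.carp0"
    echo "net.inet.carp.preempt=1" > "$out/etc/sysctl.conf"

    # pfsync(4): replicate pf states over the cross cable only. pfsync is not
    # authenticated, so never point syncdev at a shared segment.
    echo "up syncdev $SYNC_IF" > "$out/etc/hostname.pfsync0"

    # pf.conf: the relayd anchor plus the pfsync and carp passes from the article.
    # OpenBSD 4.6 and earlier additionally need:  rdr-anchor "relayd/*"
    cat > "$out/etc/pf.conf" <<EOF
ext_if="$EXT_IF"
sync_if="$SYNC_IF"
set skip on lo
anchor "relayd/*"
pass quick on \$sync_if proto pfsync keep state (no-sync)
pass on { \$ext_if \$sync_if } proto carp keep state
# with a default-deny policy the relay itself still has to be reachable
pass in on \$ext_if proto tcp to $VIP port http
pass out on \$ext_if proto tcp to { $WEBHOST1 $WEBHOST2 } port http
EOF

    # relayd.conf: the relay from the article, verbatim
    cat > "$out/etc/relayd.conf" <<EOF
ext_addr="$VIP"
webhost1="$WEBHOST1"
webhost2="$WEBHOST2"

table <webhosts> { \$webhost1 \$webhost2 }
relay www {
  listen on \$ext_addr port http
  forward to <webhosts> port http mode loadbalance check http "/" code 200
}
EOF

    echo 'relayd_flags=""' > "$out/etc/rc.conf.local"
}

# check_node OUTDIR: parse the generated rules without loading them.
# Returns non-zero on a syntax error; succeeds silently where the tools are
# absent (for instance when run on a non-OpenBSD workstation).
check_node() {
    out=$1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$out/etc/pf.conf"
    fi
    if command -v relayd >/dev/null 2>&1; then
        relayd -n -f "$out/etc/relayd.conf"
    fi
}

# Usage: sh gen-pair.sh /tmp/pair  ->  /tmp/pair/master/etc/* and /tmp/pair/backup/etc/*
if [ $# -eq 1 ]; then
    gen_node master "$1/master" && check_node "$1/master"
    gen_node backup "$1/backup" && check_node "$1/backup"
fi
```

Copy the files under master/etc and backup/etc to the respective hosts and compare the two trees: the only line that should differ is the advskew in hostname.carp0. Keep CARP_PASS out of version control; it is the only thing stopping a host on the LAN from announcing itself as master.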

You now have a highly available, failover load balancer!

Comments

A disadvantage of this method

A disadvantage of this method is that subsequent connections from the same internal address are not always translated into the same address. This can cause interference, such as when browsing Web sites that track user access by IP address. An alternative method is to use the source-hash method so that every internal address is always translated into the same address. To do this, the pool of addresses is a CIDR network block.
Alex

Liked the article, very informative. Added it to my library:
http://fosslib.tsakf.net/record/301
