Server load balancing

Configuring server load balancing in pfSense involves two steps. First, you must create one or more server pools. Second, you must create one or more virtual servers (the server to which clients will actually connect).

To begin server load balancing configuration, navigate to Services | Load Balancer. There are four tabs available: Pools, Virtual Servers, Monitors, and Settings. Configuration begins on the Pools tab; on this tab, click on the Add button to add a server pool.

On the pool configuration page, enter an appropriate name in the Name edit box. The next field is the Mode drop-down box; the choices are as follows:

  • Load Balancing: This will balance the load across all servers in the pool
  • Failover: The first server in the pool is used unless it fails; then it fails over to other servers in the pool

You may enter a brief, non-parsed description in the Description edit box. In the Port edit box, you must type the port on which the servers are listening (for example, port 80 for a web server). In the Retry edit box, you can specify how many times a server is to be retried before declaring it is down.

In the Add item to the pool section, you can add servers to the pool. The Monitor drop-down box allows you to choose the protocol used for monitoring the server (the default is ICMP), while the Server IP Address edit box is where you enter the IP address of each of the servers. Click the Add to pool button to add servers to the pool. As you do, the Enabled (default) listbox under Current Pool Members will become populated with servers. You can move pool members from the Enabled (default) box to the Pool Disabled box by selecting a server and clicking on the Move to disabled list button. Selecting a server in the Pool Disabled box and clicking on the Move to enabled list button does the opposite. You can remove a server from either list by selecting it and clicking on the Remove button underneath the corresponding box. When you are done configuring the server pool, click on the Save button.

The next step is virtual server configuration. Click on the Virtual Servers tab, which will display a table with all of the configured virtual servers. Click on the Add button beneath the table to the right to add a new server.

On the virtual server configuration page, you must assign a name to the server in the Name edit box. The Description field allows you to enter a non-parsed description. The IP Address edit box is where you specify the address on which the server listens; this is normally the WAN IP address, but your configuration may be different. You can also specify an alias in this field.

The Port edit box is where you specify the port to which clients will connect. If it is blank, listening ports from the pool will be used. All connections made to this port will be forwarded to the server pool. As with the IP address field, you can specify an alias here.

The Virtual Server Pool drop-down box is where you specify the pool to which clients will be directed. You should specify the pool configured during the first step. The Fall Back Pool allows you to specify a fall-back in case all the servers in the main server pool are down. It could contain another list of servers that serve the same content as servers in the main pool, but more likely, it will contain a server (or servers) that relay a "This server is down" message. Finally, the Relay Protocol drop-down box determines the protocol with which the virtual server communicates with the backend. TCP is the default choice, but DNS is also an option. Click on the Save button when you're done configuring the virtual server and click on the Apply Changes button on the main Load Balancer page.

Clicking on the Settings tab reveals some global settings. The Timeout field represents the global timeout for checks (in milliseconds). If the field is left blank, the default value of 1 second is used. The Interval field allows you to set the interval at which a pool member will be checked (in seconds). The default is 10 seconds. Finally, Prefork allows you to set the number of processes forked in advance by the relayd daemon. The default is 5 processes.

Relayd is OpenBSD's load balancer. It can handle layers 3, 4, and 7; it can relay connections from a virtual IP address to actual IP addresses and distribute loads. In short, it makes possible much of pfSense's load balancing capabilities. For more information about relayd, check the relayd man page.
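Since the GUI fields above ultimately become relayd directives, it helps to see the shape of the resulting configuration. The script below is an added example, not pfSense's own generator (pfSense writes relayd.conf itself from the GUI settings); the mapping of each GUI field to a relayd.conf(5) directive (table, per-host retry, redirect, listen on, forward to, sticky-address and the interval/timeout/prefork globals) is an assumption made for illustration, and the pool names and addresses are constructed. It also goes slightly beyond the text by expressing Failover mode as a primary table plus a backup table, which is one way relayd can express "first server unless it fails".

```python
"""Emit a relayd.conf fragment for a pfSense-style pool and virtual server.

Added example, not pfSense's config generator. The field-to-directive
mapping is an assumption based on relayd.conf(5); names and addresses
below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Pool:
    name: str
    port: int                    # Port edit box: port the servers listen on
    members: List[str]           # "Enabled (default)" pool members
    monitor: str = "icmp"        # Monitor drop-down; becomes the relayd check type
    retry: int = 3               # Retry edit box; relayd per-host "retry"
    mode: str = "loadbalance"    # "loadbalance" or "failover"


@dataclass
class VirtualServer:
    name: str
    listen_ip: str               # IP Address edit box (normally the WAN address)
    pool: Pool
    port: Optional[int] = None   # Port edit box; blank uses the pool's port
    fallback: Optional[Pool] = None
    sticky: bool = False         # System | Advanced: Use sticky connections


def check_clause(monitor: str) -> str:
    """Map the GUI monitor type to a relayd check clause (assumed mapping)."""
    if monitor == "icmp":
        return "check icmp"
    if monitor == "tcp":
        return "check tcp"
    if monitor == "http":
        return 'check http "/" code 200'
    raise ValueError(f"unsupported monitor {monitor!r}")


def render_table(name: str, members: List[str], retry: int) -> str:
    hosts = "\n".join(f"    {ip} retry {retry}" for ip in members)
    return f"table <{name}> {{\n{hosts}\n}}"


def render_config(vs: VirtualServer, timeout_ms: int = 1000,
                  interval: int = 10, prefork: int = 5) -> str:
    pool = vs.pool
    port = vs.port if vs.port is not None else pool.port   # blank port -> pool port
    check = check_clause(pool.monitor)
    tables: List[str] = []
    forwards: List[str] = []

    if pool.mode == "failover":
        # Failover: only the first member is active; the remaining members go
        # into a backup table that relayd uses once every primary host is down.
        # That uses the single backup slot, so a Fall Back Pool cannot also be
        # expressed in this model.
        if vs.fallback is not None:
            raise ValueError("failover mode and a fall-back pool both need the backup table")
        primary, rest = pool.members[:1], pool.members[1:]
        tables.append(render_table(pool.name, primary, pool.retry))
        forwards.append(f"    forward to <{pool.name}> port {pool.port} {check}")
        if rest:
            backup = f"{pool.name}_backup"
            tables.append(render_table(backup, rest, pool.retry))
            forwards.append(f"    forward to <{backup}> port {pool.port} {check}")
    else:
        tables.append(render_table(pool.name, pool.members, pool.retry))
        forwards.append(f"    forward to <{pool.name}> port {pool.port} {check}")
        if vs.fallback is not None:
            fb = vs.fallback
            tables.append(render_table(fb.name, fb.members, fb.retry))
            forwards.append(
                f"    forward to <{fb.name}> port {fb.port} {check_clause(fb.monitor)}")

    body = [f"    listen on {vs.listen_ip} port {port}"]
    if vs.sticky:
        body.append("    sticky-address")
    body.extend(forwards)
    redirect = f"redirect {vs.name} {{\n" + "\n".join(body) + "\n}"

    # Settings tab globals: check interval (s), check timeout (ms), prefork count
    globals_ = f"interval {interval}\ntimeout {timeout_ms}\nprefork {prefork}\n"
    return globals_ + "\n" + "\n".join(tables) + "\n\n" + redirect + "\n"


if __name__ == "__main__":
    web = Pool("WEBPOOL", 80, ["192.0.2.10", "192.0.2.11"])        # constructed
    sorry = Pool("SORRY", 8080, ["192.0.2.50"])                      # constructed
    print(render_config(VirtualServer("WEB_VS", "203.0.113.1", web,
                                      fallback=sorry, sticky=True)))
```

Run it to see how a pool, a fall-back pool and the sticky option line up with the Settings tab defaults (interval 10, timeout 1000, prefork 5); compare against the relayd.conf pfSense actually writes before relying on the mapping.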

Now the server and server pool are configured, but you still need to create firewall rules to allow access to each of the servers in the server pool. This rule should be placed on whatever interface the server is waiting for connections on (usually the WAN interface). To make the process easier, you can create an alias for all the servers and then create a single rule for the entire server pool.

To do this, navigate to Firewall | Aliases, and click on the Add button. Enter a name for the alias in the Name field (for example, SERVER_POOL) and in the Description field, enter a brief description. Leave the type in the Type drop-down at its default value of Host(s). Then begin entering the server IP addresses in the IP or FQDN field along with the CIDR, clicking on the Add Host button to add each server. Click on the Save button when you are done adding servers. Then click on the Apply Changes button on the main Aliases page.

You still need to create a firewall rule, which you can do by navigating to Firewall | Rules and adding a rule for the interface which will accept incoming connections. The destination, for this rule, of course, should be the alias defined in the previous step (I used SERVER_POOL).

There are two options relevant to load balancing that can be found by navigating to System | Advanced. Both options are on the Miscellaneous tab. The Use sticky connections option, if checked, alters the default behavior of pfSense when there are successive connections from the same client. Normally, these connections would be directed to different servers in the server pool in round-robin fashion, but if this option is checked, successive requests will be directed to the same server as the first. The adjacent edit box determines the timeout period for sticky connections, in seconds. The default is zero, in which case the sticky connection expires as soon as the last state that refers to the connection expires. Changing this option restarts the load balancing service. This is not a perfect solution for cases in which all requests from the same client must go to the same server; a request that takes place at a long enough interval (longer than the timeout period) after the last state expired will be directed to the next web server. As a result, pfSense may not be the ideal solution for these cases.
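The pool modes, the fall-back pool and the sticky timeout caveat are easier to reason about with a small model of the dispatch decision. The following is an added illustration, not code from pfSense or relayd: it models Load Balancing mode (round-robin over members that are up), Failover mode (the first member in list order that is up), the Fall Back Pool (consulted only when every member of the main pool is down), and sticky connections whose entry lasts until the client's last state expires plus the configured timeout. The addresses, the clock values and the STATE_LIFETIME constant are assumptions constructed for the example.

```python
"""Dispatch model for the pfSense load-balancer behaviour described above.

Added example, not pfSense or relayd code. STATE_LIFETIME, the addresses
and the clock values are constructed assumptions for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Assumed lifetime (seconds) of a client's last firewall state; the sticky
# entry survives until that state expires plus the sticky timeout.
STATE_LIFETIME = 60


class ServerPool:
    """A server pool: ordered members plus their monitor (up/down) status."""

    def __init__(self, name: str, members: List[str], mode: str = "loadbalance"):
        if mode not in ("loadbalance", "failover"):
            raise ValueError(f"unknown mode {mode!r}")
        self.name = name
        self.members = list(members)
        self.mode = mode
        self.up: Dict[str, bool] = {m: True for m in members}
        self._cursor = 0  # round-robin position for loadbalance mode

    def healthy(self) -> List[str]:
        return [m for m in self.members if self.up[m]]

    def pick(self) -> Optional[str]:
        """Return the member a new connection goes to, or None if all are down."""
        live = self.healthy()
        if not live:
            return None
        if self.mode == "failover":
            return live[0]  # first server in the pool unless it has failed
        choice = live[self._cursor % len(live)]
        self._cursor += 1
        return choice


class Listener:
    """A virtual server: main pool, optional fall-back pool, sticky handling."""

    def __init__(self, main: ServerPool, fallback: Optional[ServerPool] = None,
                 sticky: bool = False, sticky_timeout: int = 0):
        self.main = main
        self.fallback = fallback
        self.sticky = sticky
        self.sticky_timeout = sticky_timeout
        # client -> (server, time of the client's last connection)
        self._table: Dict[str, Tuple[str, float]] = {}

    def dispatch(self, client: str, now: float) -> Optional[str]:
        if self.sticky:
            entry = self._table.get(client)
            if entry is not None:
                server, last_seen = entry
                expires = last_seen + STATE_LIFETIME + self.sticky_timeout
                if now <= expires and self.main.up.get(server, False):
                    self._table[client] = (server, now)
                    return server
                # expired, or the sticky server is down: choose afresh
                del self._table[client]
        server = self.main.pick()
        if server is None and self.fallback is not None:
            server = self.fallback.pick()  # every main member is down
        if server is not None and self.sticky and server in self.main.up:
            self._table[client] = (server, now)
        return server


if __name__ == "__main__":
    web = ServerPool("web", ["10.0.0.1", "10.0.0.2", "10.0.0.3"])  # constructed
    vs = Listener(web, sticky=True, sticky_timeout=30)
    for t in (0, 10, 200):  # the request at t=200 is past the sticky window
        print(t, vs.dispatch("client-a", now=t))
```

The third request in the demo lands on a different server even though stickiness is on: the client's last state has expired and the 30-second timeout has passed, which is exactly the gap the text warns about. Flipping a member's entry in `up` to False shows the other two behaviours, re-selection for a sticky client whose server went down and the switch to the fall-back pool once the whole main pool is down.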

The second option is the Enable default gateway switching checkbox. If this is checked, then if the default gateway goes down, the default gateway will be switched to another available one. This is not necessary in most cases, as gateway groups ensure another gateway is available if the default gateway goes down.

If you want to monitor your load balancing pool, navigate to Status | Load Balancer. The Pools tab will show any configured load balancer pools. The table shows the name and mode (load balancing or failover) of each pool, the IP addresses of each server in the pool under Servers, the Monitor type, and the Description that was entered. The listing of servers under the Servers column will also show the percentage of the load covered by each server in the pool. There is also a checkbox corresponding to each server; unchecking the checkbox corresponding to a server and clicking on Save will remove the server from the pool, while clicking on Reset will result in connections to the server pool being reset.

Clicking on the Virtual Servers tab will display a different table. The table lists the name of each virtual server, the address of each virtual server, as well as the IP address of each of the servers in the server pool under Servers. The Status value of the virtual server will be displayed in the table (up or down), as well as the description.
