With pfSense, you can manage load balancing on backend servers via HAProxy.
Note that the "Load Balancer" option has not been available since pfSense 2.5, and that pfSense recommends the "HAProxy" plugin, which does the same job better.
In this tutorial, you will see how to distribute the load across 2 web servers on the LAN, which will be accessible from the pfSense WAN interface via a single address.
To get started, install 2 web servers on the pfSense LAN network.
In our case, we simply installed the "Web Server (IIS)" role on 2 servers on Windows Server 2016.
Once the IIS web server is installed, open the Internet Information Services (IIS) Manager, select the default website "Default Web Site" and click "Explore" (in the right column).
The "C:\inetpub\wwwroot" folder of the default website appears.
Edit the "iisstart.htm" file (displayed by default when accessing a website hosted on IIS) with notepad.
Add "Server 1 - " at the beginning of the page title ("<title>" tag).
On your 2nd web server, add "Server 2 - " at the beginning of the page title ("<title>" tag).
Previously, before pfSense version 2.5, you could use the "Load Balancer" option which was available natively.
However, since version 2.5, you will have to use its equivalent "HAProxy".
To do this, you must install the "HAProxy" plugin from the pfSense package manager.
Go to: System -> Package Manager.
Go to the "Available Packages" tab, type "haproxy" in the search box and click: Search.
Next, install the "haproxy" package.
Click "Confirm" to start installing the "pfSense-pkg-haproxy" package.
Wait while the "pfSense-pkg-haproxy" package is installed.
The "pfSense-pkg-haproxy" package has been installed.
To begin, you need to tell HAProxy which servers will be accessible via the pfSense machine.
To do this, go to: Services -> HAProxy.
Next, go to the "Backend" tab.
Note that, by default, you will not be able to use port 80 on the pfSense WAN interface, because the pfSense web interface already uses it.
To free port 80, simply go to "System -> Advanced" and enter another port number in the "TCP port" box.
In our case, we will not change the pfSense port number and we will configure HAProxy to use TCP port 8080.
In the HAProxy "Backend" tab, click: Add.
Specify a name for this server pool.
For example: WebServers.
Next, click the arrow going down to add a server to this pool.
Add your 1st web server by specifying:
Then, click the down arrow again to add a 2nd server to this pool.
Add this 2nd web server in the same way:
In the "Loadbalancing options (when multiple servers are defined)" section, you will be able to specify how pfSense should handle load balancing:
If you wish, you can control access, as well as modify the inactivity time limits for new attempts.
To ensure that the backend web servers are still working, select "Health check method: HTTP".
Note that for other kinds of servers you could use other checks: LDAP (for Active Directory), MySQL or PostgreSQL (for database servers), SMTP (for email sending servers), and so on.
By default, pfSense will use the HTTP method "OPTIONS" for this check.
However, if you have hardened access to your website, you may have blocked this method for security reasons.
In this case, select "Http check method: GET", which uses the "GET" method that every web browser normally uses.
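To decide between the two check methods before saving the pool, you can probe each backend the same way the health check will. The following is an added example, not part of the original tutorial or of pfSense: the function names and the local demo server are constructed for illustration, and it assumes HAProxy's default behaviour of treating 2xx and 3xx responses as healthy.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe(host, port, method, path="/", timeout=3.0):
    """Send one request as an HTTP health check would; return the status or None."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None  # refused, timed out or reset: the check would fail
    finally:
        conn.close()

def is_healthy(status):
    # Assumption: default HTTP check behaviour, 2xx and 3xx count as "up".
    return status is not None and 200 <= status < 400

def choose_check_method(host, port, path="/"):
    """Return 'OPTIONS', 'GET' or None when neither method passes the check."""
    for method in ("OPTIONS", "GET"):
        if is_healthy(probe(host, port, method, path)):
            return method
    return None

class HardenedSite(BaseHTTPRequestHandler):
    """Constructed stand-in for a web server on which OPTIONS is blocked."""
    def do_GET(self):
        body = b"<title>Server 1 - demo page</title>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_OPTIONS(self):
        self.send_error(405)  # method not allowed, as a hardened site would answer
    def log_message(self, *args):
        pass  # keep the demo quiet

def start_demo_server():
    server = HTTPServer(("127.0.0.1", 0), HardenedSite)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    srv = start_demo_server()
    print(choose_check_method("127.0.0.1", srv.server_port))
    srv.shutdown()
```

Run from a machine on the LAN, `choose_check_method` can be pointed at each real backend's address and port instead of the demo server; a result of `None` means the pool would be marked down whichever method you select.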
By default, since the connection goes through pfSense, the backend servers will see pfSense as the client.
To make the backend servers see the real client's IP address, you need to check the "Use Client-IP to connect to backend servers" box.
However, enabling this option may cause issues with the pfSense captive portal (if applicable), as well as other pfSense features.
It is therefore not recommended to enable it if you do not really need it.
Click Save.
Click Apply Changes.
Your Backend server pool appears grayed out, which means that it is not yet accessible via a frontend.
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.