

High availability load balancing with HAProxy and CARP on FreeBSD - komljen
http://www.techbar.me/2013/01/high-availability-load-balancing-with-haproxy-on-freebsd/

======
rcoder
A number of years ago, I set up a similar configuration with two OpenBSD boxes
(which support PF and CARP out of the box) running Apache + mod_proxy_balancer
for really granular load balancing and routing. It was a super-flexible and
cheap way to route traffic to a mid-sized app server cluster, and generally
worked really well.

We did have some network issues after the new topology went live that we
unexpectedly tracked down to the LB pair, for one simple reason: CARP
generates a lot of multicast traffic. Depending on how your hosts and network
are configured, this can easily get routed out into a fairly large portion of
your local network, and use a lot of bandwidth/router capacity with no
benefit.

So, if you're setting up a CARP pair/cluster of your own, pay close attention
to your multicast setup. Ideally, put the CARP multicast traffic on a
dedicated subnet and watch your router and switch stats to make sure you
aren't flooding the rest of your network with multicast spam.
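
To put numbers on the multicast concern above, here is an added example (not code from the article or from anyone in the thread) that decodes a CARP advertisement and estimates the steady-state advertisement load on a segment. The header layout follows struct carp_header in FreeBSD's netinet/ip_carp.h (IP protocol 112, group 224.0.0.18, 36-byte header). The sample packet is constructed here: its HMAC-SHA1 field is left as zeros because computing it needs the CARP password and the virtual addresses, and the Ethernet/IPv4 overhead figure is an assumption.

```python
"""CARP advertisement decoder and multicast-load estimator (added example).

Layout follows struct carp_header in FreeBSD's netinet/ip_carp.h.
The constructed packet carries a zero HMAC: the real value needs the
CARP password and the vhid's addresses, which this example does not have.
"""
import struct

CARP_PROTO = 112             # IP protocol number used by CARP
CARP_GROUP = "224.0.0.18"    # multicast group advertisements are sent to
CARP_VERSION = 2
CARP_ADVERTISEMENT = 1

# version|type, vhid, advskew, authlen, pad, advbase, cksum, counter(8), hmac(20)
CARP_HDR = struct.Struct("!BBBBBBH8s20s")   # 36 bytes


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the CARP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advertisement(vhid, advbase, advskew, counter, hmac=bytes(20)):
    """Constructed CARP advertisement payload (what follows the IP header)."""
    first = (CARP_VERSION << 4) | CARP_ADVERTISEMENT
    # authlen 7 = counter (2 words) + HMAC (5 words), in 32-bit chunks
    body = CARP_HDR.pack(first, vhid, advskew, 7, 0, advbase, 0,
                         counter.to_bytes(8, "big"), hmac)
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]


def parse_advertisement(payload: bytes) -> dict:
    """Decode one advertisement, rejecting what the kernel would drop."""
    if len(payload) < CARP_HDR.size:
        raise ValueError("short CARP packet")
    hdr = payload[:CARP_HDR.size]
    if inet_checksum(hdr) != 0:          # checksum over a valid header folds to 0
        raise ValueError("bad CARP checksum")
    first, vhid, advskew, authlen, _pad, advbase, _ck, counter, hmac = CARP_HDR.unpack(hdr)
    version, ptype = first >> 4, first & 0x0F
    if version != CARP_VERSION or ptype != CARP_ADVERTISEMENT:
        raise ValueError("not a CARPv2 advertisement")
    return {
        "vhid": vhid,
        "advbase": advbase,
        "advskew": advskew,
        # the master re-advertises every advbase + advskew/256 seconds
        "interval_s": advbase + advskew / 256,
        "counter": int.from_bytes(counter, "big"),
        "hmac": hmac.hex(),
    }


def is_valid_advertisement(payload: bytes) -> bool:
    try:
        parse_advertisement(payload)
        return True
    except ValueError:
        return False


def multicast_load(vhids, l2_l3_overhead=14 + 20):
    """Advertisement load for a list of (advbase, advskew) pairs, one per vhid
    that has a MASTER on this segment (backups stay silent).
    Returns (packets/s, bytes/s); overhead = Ethernet + IPv4 header (assumed)."""
    pps = sum(1.0 / (base + skew / 256) for base, skew in vhids)
    return pps, pps * (CARP_HDR.size + l2_l3_overhead)


if __name__ == "__main__":
    pkt = build_advertisement(vhid=1, advbase=1, advskew=0, counter=42)
    print(parse_advertisement(pkt))
    print(multicast_load([(1, 0)] * 10))
```

Only the host in MASTER state for a vhid advertises, once every advbase + advskew/256 seconds, so with the defaults (advbase 1, advskew 0) ten vhids produce ten packets and about 700 bytes per second. To see what is actually crossing your segment, capture with a filter such as `tcpdump -ni em0 'ip proto 112 and dst 224.0.0.18'` and feed the payloads to parse_advertisement; pfsync uses IP protocol 240 and group 224.0.0.240, so include those if you run it as well.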

~~~
INTPenis
Also, if you're setting up in a virtual environment, keep in mind that it
requires promiscuous mode to be enabled.

This stopped the show for me once when setting up two OpenBSD load balancers
in a shared virtual environment. I was told that to enable promiscuous mode on
a single port group they would also have to enable it on the physical ESX host
adapter for each ESX host since the pair was separated on different physical
hosts.

If that is true then I would never enable it. However, networking isn't my
strong suit, so I can't verify this.

------
druiid
CARP/ucarp are pretty fun. Additionally, keepalived on Linux implements VRRP
and some additional nice features such as scripting what to do on failover of
resources.

An addendum to this guide might be to add in connection tracking across the
master/slave nodes. In *BSD this is implemented with pfsync. In Linux it would
be iptables connection tracking.

More on pfsync: <http://www.openbsd.org/faq/pf/carp.html#pfsyncop>
Linux conntrackd: <http://conntrack-tools.netfilter.org/>

Edit: Oh, and everyone always forgets about using LVS for load-balancing and
failover. There's endless documentation on the web about that, and it's not a
proxy service like haproxy (which is both good and bad).
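
As an added illustration of why the state-tracking addendum matters (example code, not from the article or from anyone in the thread), the model below mimics a pf-style `flags S/SA keep state` filter on two nodes: only a bare SYN to a permitted port creates state, and every other packet must match the state table. One run replicates state insertions and deletions to the peer the way pfsync or conntrackd would; the other does not, so a flow established on the master is dropped by the backup after the VIP moves. The addresses, ports and packets are constructed, and the state table is a simplification (real pf also tracks sequence numbers and windows).

```python
"""Why a failover pair needs state synchronisation (added example, not the
article's code). Toy pf-style 'flags S/SA keep state' filter on two nodes:
only a bare SYN to a permitted port creates state; anything else must match
the state table. With sync=True, state changes are replicated to the peer as
pfsync or conntrackd would do. Real pf also tracks sequence numbers and
windows; this model keys state on the 4-tuple only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as a string, e.g. "S", "SA", "A", "FA"


class StatefulNode:
    """One firewall/load-balancer node with its own state table."""

    def __init__(self, name, allowed_ports):
        self.name = name
        self.allowed_ports = frozenset(allowed_ports)
        self.states = set()   # (src, sport, dst, dport) of admitted flows
        self.peer = None      # node that receives replicated state, if any

    def _lookup(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.states:
            return fwd
        if rev in self.states:
            return rev
        return None

    def _insert(self, key):
        self.states.add(key)
        if self.peer is not None:          # pfsync/conntrackd analogue
            self.peer.states.add(key)

    def _delete(self, key):
        self.states.discard(key)
        if self.peer is not None:
            self.peer.states.discard(key)

    def filter(self, pkt):
        """Return 'pass' or 'block' for one packet, updating state."""
        key = self._lookup(pkt)
        if key is not None:
            if "F" in pkt.flags or "R" in pkt.flags:
                self._delete(key)          # connection teardown
            return "pass"
        # 'pass in proto tcp to port 80 flags S/SA keep state'
        if pkt.flags == "S" and pkt.dport in self.allowed_ports:
            self._insert((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass"
        return "block"


def failover_scenario(sync):
    """Establish a flow on the master, then fail over to the backup mid-stream.
    Returns the verdicts before and after failover and for a brand-new flow."""
    master = StatefulNode("lb1", {80})
    backup = StatefulNode("lb2", {80})
    if sync:
        master.peer = backup
    client = ("198.51.100.7", 40000)   # constructed documentation addresses
    server = ("10.0.0.10", 80)
    handshake = [Packet(*client, *server, "S"),
                 Packet(*server, *client, "SA"),
                 Packet(*client, *server, "A")]
    before = [master.filter(p) for p in handshake]
    # lb1 dies; CARP moves the VIP to lb2, which now sees mid-stream traffic
    mid_stream = [Packet(*client, *server, "A"),
                  Packet(*server, *client, "A"),
                  Packet(*client, *server, "FA")]
    after = [backup.filter(p) for p in mid_stream]
    new_flow = backup.filter(Packet("203.0.113.5", 50000, *server, "S"))
    return {"before": before, "after": after, "new_flow": new_flow}


if __name__ == "__main__":
    for sync in (False, True):
        print("sync" if sync else "no sync", failover_scenario(sync))
```

Without replication the backup blocks every packet of the established flow, so clients see their connections stall until they reconnect; new flows still pass because a fresh SYN creates state on the backup. With replication the backup already holds the state and the flow continues, which is what pfsync on *BSD and conntrackd on Linux provide for the real state tables.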

~~~
komljen
You are right, connection tracking is a must-have in production environments.
I will try both pfsync and iptables. Thanks!

~~~
druiid
Well, pfsync is only for FreeBSD pf. If you use Linux instead, then you'll be
using iptables + conntrackd.

They're both powerful systems with a different way of thinking about the idea
of packet filtering and mangling!

~~~
seiji
(pf is actually taken from openbsd and ported to freebsd every few release
cycles, so pf/pfsync/carp is an openbsd-ism made available to others by the
generosity of using the BSD license.)

~~~
X-Istence
The PF that is currently in 9.1 is a few releases behind OpenBSD and most
likely will stay that way because of major changes. In FreeBSD, PF is now
fully multi-core aware and thus granularly locked, providing a lot of extra
performance; this does mean that importing the latest changes from OBSD into
FBSD is going to be more difficult!

~~~
druiid
Interesting, didn't know that! How do the multi-core abilities of PF compare
to how Linux handles iptables (interrupt handling, where multi-core depends on
your kernel supporting it)?

~~~
X-Istence
I don't know. I don't use iptables. The last time I deployed Linux was for an
Android Continuous Integration server since the SDK won't run on the BSDs.

------
smallegan
Is this load balancing or just a redundant online backup? The way I read this
was that all traffic goes to one server until it fails and then it flows to
the backup. If this is the case and you got a huge influx of traffic it seems
like it would crash server 1 and then 2. Or am I misunderstanding it?

~~~
stevekemp
You're slightly misunderstanding things.

The article describes two things:

1. Having a virtual IP which can move around between two physical hosts, such
that it is "always available". (It will clearly go away if both hosts crash).

2. Using HAProxy to route incoming requests, from the single virtual IP, to
_both_ back-end webservers.

This means in the expected & typical scenario where both hosts are online both
webservers will handle half the load. When one host fails the other will
handle all traffic.

~~~
komljen
OK, if both load balancers go away it will crash. When either the master or
the backup is up, both webservers in the background can take all the load
(100%), because only one load balancer works at a time.

------
zaphoyd
Does anyone know how CARP on FreeBSD compares to keepalived on Linux?

~~~
stevekemp
CARP compares well to UCARP on Linux, as I recently documented here:

* [http://www.debian-administration.org/article/678/Virtual_IP_...](http://www.debian-administration.org/article/678/Virtual_IP_addresses_with_ucarp_for_high-availability)

~~~
komljen
Thanks, I didn't know about UCARP.

