Dave Hall Consulting logo

Tricks to Running HAProxy on pfSense Embedded

HAProxy is available as an addon module for pfSense 1.2.3. This makes it really easy to have pfSense control the gateway and load balancing. There are a couple of tricks to getting it all up and running.

Although everything looked good in the webgui HAProxy just wouldn't start. After logging in it seemed that there were 2 problems, firstly as mentioned in the forums the IP addresses must be an interface or CARP addresses not Virtual IPs for HAProxy to work and secondly the file descriptor limits have to be increased. To increase the file descriptor limits run the following commands from a shell on pfSense.

mount -o rw /dev/ufs/pfsense1  /
echo >> /etc/sysctl.conf
echo '# File descriptor limits for HAProxy' >> /etc/sysctl.conf
kern.maxfiles=2000011 >> /etc/sysctl.conf
kern.maxfilesperproc=2000011 >> /etc/sysctl.conf
sysctl kern.maxfiles=2000011
sysctl kern.maxfilesperproc=2000011
mount -o ro /dev/ufs/pfsense1  /

The mount commands are only needed if running on embedded pfSense to make the CF card writeable while we make the changes then make it read only again once we are done. The echo commands add the new limits to /etc/sysctl.conf so the settings persist and the sysctl commands make them apply now.

I haven't tested to see if the file descriptor issue effects the non embedded version of pfSense, feel free to let me (and others know) via the comments.

Missing kern. in front of maxfilesperproc

Keith Deming wrote:

Hi there,

I found this page when I was having similar problems getting haproxy to run on pfSense embedded. I noticed that your second sysctl command is missing the kern. prefix and should read:

sysctl kern.maxfilesperproc=2000011

Do you know of any other reason why haproxy might not start? I applied the fixes you describe above, but the service still refuses to start. I don't see anything in the logs to point me in the right direction either.



Added Tue, 2010-04-20 04:55

Re: Missing kern. in front of maxfilesperproc

Dave wrote:

Thanks for the correction Keith. I have corrected the post.

By doing the above steps I got it working. Maybe double your config. The IP addresses are configured correctly? Proxy ARP address don't work with HA Proxy on pfSense, they either need to be the primary interface address or CARP addresses. The port/s you have HA Proxy listening on aren't being used by another service such as the pfSense webGUI? Other than that I don't know what to suggest.

Added Wed, 2010-04-21 01:18