I did laugh when I saw this great spoof video from NetworkChuck sponsored by Kemp Technologies.
Chuck is a genius at turning a crazy idea into a great product pitch - I honestly couldn't tell if he was being serious or not for the first 10 minutes :-).
Kemp is one of our best competitors and has a great product supported by a great team. The video is clearly pitched at tech enthusiasts who like to play with so-called ‘FREE’ stuff. The real pitch, however, is at the end of the video, where Kemp suggests that you can use their product to make secure pin-holes to specific applications inside the corporate firewall.
So it’s great PR and well worth watching, but two things really bug me about it:
- So-called FREE proprietary software sucks, because vendor lock-in sucks.
- Open source software guarantees your FREEDOM - which I personally find important.
So if you were enough of a GEEK to put a load balancer in your home, how should you really do it?
Chuck raises some brilliant points and solves a problem that could be common with home networks. BUT it's also crazy (which is why it's funny).
Netflix needs load balancers, but it’s highly unlikely that your family and pets will require scaling out servers for your private song/video/photo collections!
In Chuck's example, you could have a website, a NAS and a Plex server on your home network and only one public IP available to access them all. You could put these behind a virtual service on port 443, with your public IP as the virtual service address and your website, NAS and Plex server as the backend real servers. Funky ACL rules for ‘content switching’, plus DNS settings, then send you to the correct server when you access the VIP.
Now, that’s reasonable, right? Well, not really...
That's extreme overkill. Why would you want to use proprietary enterprise software to do something in your home network?
So how could we improve our skills by doing this with open source software?
Let’s use a free open source alternative with a huge community and extensive help forums with decades of data already in them.
The same tasks can be achieved by running a reverse proxy on our favourite open source software, HAProxy, which is built into pfSense, which you could already be running. This offers a free open source load balancing solution, and it is used in exactly the same way as I described above. The HAProxy configuration would be used to create the virtual service and the ACL rules; you would then create a Cloudflare account for the DNS settings for the nameservers that would be required.
If you are looking to do this, you could:
- Create a virtual service on HAProxy, on port 443, using a free address in your home network through which you wish to access the servers.
- Add your real servers as the back end; this is where the traffic will be redirected to.
- Set up a domain (you can get a free one at freenom.com) and a nameserver on a service such as Cloudflare, as this helps enhance security using SSL. On Cloudflare, change your DNS records to point your new nameserver to the IP address of your house.
- Ping the new nameserver to ensure that it has been set up correctly.
- Next, you can optionally add an SSL certificate to the URL (this can be a SAN certificate or a wildcard certificate).
- Port forward port 443.
- Set up content redirection on your HAProxy configuration.
Your HAProxy configuration may look something like this...
```
listen Home_VIP
    bind 192.168.90.10:443 transparent
    id 37014876
    mode http
    balance leastconn
    # Source-IP persistence, stored in a stick table shared with the peer
    stick on src
    stick-table type ip size 10240K expire 30m peers loadbalancer_replication
    # Fallback server, only used when every real server is down
    server backup 127.0.0.1:9081 backup non-stick
    option http-keep-alive
    timeout http-request 5s
    timeout tunnel 1h
    option redispatch
    option abortonclose
    maxconn 40000
    # Real servers
    server Plex_Server 192.168.90.6:8006 id 623843618 weight 100 check inter 4000 rise 2 fall 2 slowstart 8000 minconn 0 maxconn 0 on-marked-down shutdown-sessions
    server Web_Server 192.168.90.7:80 id 459236736 weight 10 check inter 4000 rise 2 fall 2 slowstart 8000 minconn 0 maxconn 0 on-marked-down shutdown-sessions
    server NAS_Server 192.168.94.13:5001 id 267373704 weight 100 check inter 4000 rise 2 fall 2 slowstart 8000 minconn 0 maxconn 0 on-marked-down shutdown-sessions
    # Content switching on the start of the URL path.
    # The name after use-server must match a server line above exactly.
    acl rule_1 path_beg,url_dec -m beg -i /plex
    use-server Plex_Server if rule_1
    acl rule_2 path_beg,url_dec -m beg -i /NAS
    use-server NAS_Server if rule_2
    acl rule_3 path_beg,url_dec -m beg -i /web
    use-server Web_Server if rule_3
```
I have my home VIP on port 443 and my backend servers on the ports they are being load balanced on, and I have configured some content redirection rules to send traffic to the correct server based on the start of the path (this can be done in different ways, such as sending it to the relevant IP address of each server).
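To see which server a given request lands on before port 443 is opened to the internet, the three rules can be modelled offline. This is an added example, not part of the original configuration or of HAProxy itself: a simplified Python model of `path_beg,url_dec -m beg -i` with first-match-wins evaluation, where `route`, `RULES`, `FALLBACK` and the sample paths are names and inputs constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

# (prefix, server) pairs copied from the acl / use-server lines of Home_VIP,
# in the order HAProxy evaluates them.
RULES = [("/plex", "Plex_Server"), ("/NAS", "NAS_Server"), ("/web", "Web_Server")]

# When no use-server rule matches, HAProxy does not reject the request:
# the usual persistence and balancing of the listen block pick a server.
FALLBACK = "no rule matched: normal selection (stick table / leastconn)"


def route(request_target):
    """Return the server a request is pinned to, or FALLBACK."""
    path = urlsplit(request_target).path        # path only, query string excluded
    decoded = unquote(path).lower()             # url_dec, then -i (ignore case)
    for prefix, server in RULES:                # first matching rule wins
        if decoded.startswith(prefix.lower()):  # -m beg is a plain prefix match
            return server
    return FALLBACK


# Constructed request targets covering the cases worth checking.
SAMPLES = [
    "/plex/library",        # intended use
    "/%70LEX/library",      # percent-encoded and upper case still match /plex
    "/plexus",              # prefix match: anything starting with /plex
    "/webcam/live",         # starts with /web, so it goes to Web_Server
    "/nas?next=/plex",      # query string is ignored, path decides
    "/favicon.ico",         # no rule: any real server may answer
    "/",                    # no rule: any real server may answer
]


def demo():
    return [(target, route(target)) for target in SAMPLES]


if __name__ == "__main__":
    for target, server in demo():
        print(f"{target:20} -> {server}")
```

The last two samples are the ones to check against your own setup: with all three servers in one `listen` block, a path that matches no rule is still served by whichever server the balancer picks.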
It is important to bear in mind that a lot of households don’t have a static public IP, so you would need to watch out for these changes. There is also another way to resolve this issue by simply using different ports, but if you are restricted to port 443 only then this would be the best option.
Learn more about HAProxy ACL rules with this handy introduction.
What you DON’T want to do is this:
Spend lots of time learning a proprietary product, when you could be improving your open source skills, which are transferable at no cost and will help your career in the long term.
You don’t need a sledgehammer to crack a nut
So, can you use an enterprise load balancer to solve this problem? Yes, yes you can. Would it be extreme overkill? Absolutely.
I think the moral of the story is that if you are building a home network, you should stick to home network, and not enterprise, solutions.
AND I loved the video :-).
If you have any questions on how to achieve this please contact one of the team!