BalanceNG Frequenty Asked Questions

Please email FAQ entry suggestions to info@inlab.de.

Table of Contents

 Q1.01: Is BalanceNG available for other platforms ?
 Q1.02: How is BalanceNG related to balance ?
 Q1.03: Is there performance data available for BalanceNG ?
 Q1.04: Could you explain the licensing and purchasing process ?
 Q1.05: Isn't BalanceNG a bit expensive ?
 Q1.06: Are there alternative products from other vendors ?
 Q1.07: What are the main advantages of BalanceNG compared to a LVS/Keepalived combination ?
 Q1.08: Are there references ?
 Q1.09: Is there a Web GUI available ?
 Q1.10: Wich configuration do you recommend for beginners ?
 Q1.11: Does BalanceNG support SSL offloading ?
 Q1.12: Do I need a separate license for V2 and V3 releases ?
 Q1.13: What is the ECCN (Export Control Classification Number) of BalanceNG ?

2. Technical Questions

 Q2.01: Does BalanceNG forward the original client address unchanged ?
 Q2.02: Can we load balance to applications running on the same machine ?
 Q2.03: Can I load balance traffic between several ISP links ?
 Q2.04: Is there a bngagent port to Windows ?
 Q2.05: Do you have a "single legged" configuration example ?
 Q2.06: Do you have a "transparent switch" configuration example ?
 Q2.07: Do you have a Direct Server Return configuration example ?
 Q2.08: Do you have a VRRP tracking configuration example ?
 Q2.08b: Do you have a link load balancing configuration example ?
 Q2.09: ARP is misbehaving on my Linux boxes, what's going on ?
 Q2.10: Is there a function to synchronize master and backup configuration files ?
 Q2.11: How do I make the loopback alias permanent in Solaris 10 ?
 Q2.12: How do I establish the loopback alias for Direct Server Return operation (DSR) on Linux ?
 Q2.13: What features are expected to be available shortly ?
 Q2.14: How do I setup the loopback alias for DSR on Windows ?
 Q2.15: Can BalanceNG load balance TFTP traffic ?
 Q2.16: Can BalanceNG load balance ftp over SSL (FTPS) ?
 Q2.17: How do I specifically route back server traffic to the Load Balancer (setup "Source Routing" on Linux) ?
 Q2.18: How do I setup wget as an external HTTP health check ?
 Q2.19: BalanceNG seems not to work on a VMware VM, what should I do ?
 Q2.20: How do I enable the loopback adapter on Windows 2008 ?
 Q2.21: The SNMPD interfacing does not work, what should I check ?
 Q2.22: Does BalanceNG support IPv6 ?

Q1.01: Is BalanceNG available for other platforms ?

BalanceNG is currently available for Linux/x86, Solaris 9+10 (SPARC) and Solaris 10 (x86) . The agent of BalanceNG (bngagent) is available in source and is supported on several platforms (Linux, Solaris, Mac OS-X, HP-UX and more).

Q1.02: How is BalanceNG related to balance ?

BalanceNG and Balance are both from the same company. Besides of that there's no further relationship between Balance and BalanceNG. BalanceNG is a complete Layer2/Ethernet based load balancer for Linux, whereas Balance is a TCP only proxy tool with load balancing capabilities. BalanceNG and Balance do not share code since the design approaches differ substantially. Anyway, the Balance project will be continued as before (see http://balance.sourceforge.net).

Q1.03: Is there performance data available for BalanceNG ?

BalanceNG comes with its own integrated benchmark functionality, take a look at our collection of BalanceNG benchmark results.

Q1.04: Could you explain the licensing and purchasing process ?

First of all, please note that BalanceNG comes with a free "Basic" License: A basic load balancer setup with one virtual server and two targets may now be evaluated as long as needed at no charge.

The standard purchasing and licensing "workflow" for Full Licenses is as follows:

• Download the binary for your platform and perform your tests
• Purchase the desired BalanceNG licenses at the License Shop (You will receive your registered serial numbers as the result of this purchase)
• The license keys matching your serial number and nodeid may be generated by yourself at any time at the BalanceNG License Key Factory.

Q1.05: Isn't BalanceNG a bit expensive ?

No, we don't think so. It's quite the contrary: With BalanceNG you are able to replace hardware devices (Like Nortel/Alteon, Cisco/LocalDirector and BigIP/F5) that easily cost more than 10000.-- EUR/$ per node. Last but not least: The Free Basic License of BalanceNG allows you to operate a professional load balancer for free ... !

Q1.06: Are there alternative products from other vendors ?

"Central Dispatch" from Resonate appears to be a software competitor (noticed by customer which has moved to BalanceNG). In the open source community there's Linux Virtual Server (LVS), check www.linuxvirtualserver.org for information. There's also Keepalived which represents a keepalive and health checking facility for LVS. There are several companies which sell preconfigured boxes based on LVS.

Q1.07: What are the main advantages of BalanceNG compared to a LVS/Keepalived combination ?

• BalanceNG is available for multiple operating system platforms (Linux and Solaris SPARC/x86).
• BalanceNG uses industry standard VRRP protocols to establish HA.
• BalanceNG offers the bngagent feedback based load balancing, LVS needs an additional addon component to be configured (feedbackd).
• BalanceNG installation and setup is reported to be much easier and quicker.
• There's no Linux kernel patching or kernel rebuilding necessary, which saves a lot of time and trouble.

Q1.08: Are there references ?

Take a look at the Customers page, we included links to the most promiment customers. A nice live example is www.nieuws.nl, one of the biggest news portal sites in the Netherlands. BalanceNG in a HA-configuration distributes the load of up to 5 million hits per month to a server farm. The session table holds more that 10000 concurrent sessions at low traffic hours.

Q1.09: Is there a Web GUI available ?

No, we don't offer our own Web GUI. However, we encourage and support interested users and partners to build their own. Just contact us to get some recommendations and hints.

Q1.10: Which configuration do you recommend for beginners ?

We recommend to setup a DSR (Direct Server Return) configuration first, since that does not require network topolgy changes and fits well into already existing networks. The loopback aliases have to be established correctly on the targets, but that is manageable and well documented. Take a look at example 3 which is fully operational also with the new free Basic License of BalanceNG.

Q1.11: Does BalanceNG support SSL offloading ?

No, BalanceNG itself does not include this functionality. We recommend using BalanceNG is a combination with stunnel on the target servers (where stunnel may use acceleration hardware) thus "offloading" the SSL efforts to multiple stunnels.

Q1.12: Do I need a separate license for V2 and V3 releases ?

No, one license key enables all releases of BalanceNG (1.x, 2.x or V3). Note that the free "advanced trial licenses" are release dependent (just specify the desired release).

Q1.13: What is the ECCN (Export Control Classification Number) of BalanceNG?

The ECCN of BalanceNG is "EAR99/NLR" ("No License Required").

Yes, this is a basic property of BalanceNG (or feature).

Q2.02: Can we load balance to applications running on the same machine ?

Yes, but BalanceNG needs to have its own physical interface and "set localdsr 1" enabled in the configuration. Take a look at Example 6 for further information.

Q2.03: Can I load balance traffic between several ISP links ?

Yes, BalanceNG supports Link Load Balancing (since release 1.526). Take a look here (Example 4) for a more advanced application example.

Q2.04: Is there a bngagent port to Windows ?

There's a bngagent implementation available as a customer contribution (without warranty and support), take a look into the "contrib" directory of the distribution. It's called "BngAgentService" and implements a Windows Service which integrates into the Windows operating system. It is implemented in Delphi 7 (Object Pascal), source code is also provided.

Q2.05: Do you have a "single legged" configuration example ?

Yes, take a look at the Single Legged Example (Example 1).

Yes, take a look at Layer 2 Dual Legged Switching Mode Example (Example 2).

Yes, take a look at Direct Server Return Example (Single Legged) (Example 3).

Yes, take a look at Link Load Balancing Example (Dual Legged, HA) (Example 4).

Yes, take a look at Link Load Balancing Example (Dual Legged, HA) (Example 4) too which shows various concepts and techniques at the same time.

Please check if you are hit by the "Linux ARP flux" problem. Linux answers ARP requests on wrong and unassociated interfaces per default. This leads to the following two problems:

• ARP requests for the loopback alias address are answered on the HW interfaces (even if NOARP on lo0:1 is set).
• If the machine is connected twice to the same switch (e.g. with eth0 and eth1) eth2 may answer ARP requests for the address on eth1 and vice versa in a race condition manner (confusing almost everthing).

This can be prevented by specific arp kernel settings. Take a look here for additional information about the nature of the problem (and other solutions): http://linux-ip.net/html/ether-arp.html#ether-arp-flux.

To fix that generally (and reboot safe) we recommend to include the following lines into /etc/sysctl.conf (2.6 kernel only):

net.ipv4.conf.all.arp_ignore=1 
net.ipv4.conf.all.arp_announce=2 

The following commands may be used to change the settings interactively during runtime:

# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce

Unfortunately there seems to be no general and simple solution for for kernel 2.4. We recommend currently upgrading to 2.6 kernel in that case, this is probably the easiest way.

No, not at the moment. The configuration files have to be synchronized manually for the time being.

This setting helps to keep the netmask to be /32 (255.255.255.255) of the loopback alias on reboot.

• Use CIDR notation specifying /32 in /etc/hostname.lo0:1, e.g.:

  # cat /etc/hostname.lo0:1
  10.1.1.1/32
  

• Use also CIDR notation for all normal interfaces specifying the normal netmask, e.g.:

  # cat /etc/hostname.bge0
  10.1.1.10/24
  

• And last but not least remove the network entry and corresponding netmask from /etc/netmasks.

This can be done with the following command:

# ifconfig lo:0 <IP-address> netmask 255.255.255.255 -arp up 

To make this permanent and reboot safe you may include this command in /etc/init.d/local or in a equivalent customizable startup script (distribution dependent).

Important: Take a close look at Question Q2.09 if your targets (real servers) for DSR are Linux based.

Q2.13: What features are expected to be available shortly ?

You can expect the following new features with BalanceNG V3 in the near future (implemented as BalanceNG V3 modules):

• IPv6 support
• IPv4 to IPv6 migration support
• Native VLAN support for Solaris

This is done by installing and configuring the "MS Loopback Adapter" by following these steps on each Windows based Target machine participating in a BalanceNG DSR (Direct Server Return) setup:

The installation of the MS Loopback Adapter works as follows:

• Start->Settings->Control Panel->Add/Remove Hardware
• Add/troubleshoot a device->Next
• Add a new device->Next
• No, select from list->Next
• Network Adapters->Next
• Select "Microsoft" as Manufacturer->select "MS Loopback Adapter"->Next->Finish

The configuration of the just created Loopback Adapter is as follows:

• Start->Settings->Control Panel->Network and Dial up Connections
• Right click on new adapter selecting properties
• Only "Internet Protocol" needs to be selected (remove selection of "Client for MS Networks" and "File and Printer sharing")
• TCP/IP Properties->enter IP address of virtual server (the same address as in the BalanceNG server ipaddr definition)
• do not enter a default gateway
• Advanced->Set Interface Metric to 254 (this step is important to stop ARP responding)
• OK and save all changes.

Yes, that works with no problems by not specifying ports at server and target definitions ("all service load balancing" like in conf001.txt).

Yes, that's also working with BalanceNG in a "all service load balancing" configuration. It turned out that BalanceNG worked over big name hardware vendors like Cisco and Nortel in that case !

In practice there are several situations, where a specific routing configuration is needed to route only the traffic related to the service from the target back to the load balancer. This can be done with Linux using iptables and the iproute2 functionality. The following script has to be run on the target and assumes an apache server listening on port 80 on the target IP address 10.1.1.1. The addresses 10.1.1.10 and 10.1.1.11 in this example are the "network real" addresses of the master and backup node, respectively. The address 10.1.1.20 in this example is the "network virt" address represented by both nodes using VRRP and may be reachable via eth1.

This technique is also often being referenced as "source routing", since the source address (and port) information is used to determine the "next hop" for routing.

The basic ideas of this approach are:

• The OUTPUT chain is used to influence locally generated traffic.
• The special "mangle" table is used to mark outgoing packets with --set-mark.
• The health check source addresses are exempted by the first two lines.
• A special extra routing table www.out is created with iproute2.
• Packets marked by iptables are specifically routed to the "network virt" address represented by both nodes using VRRP.

Here the script contents ready to be run on startup (change addresses accordingly):

iptables -A OUTPUT -t mangle -p tcp -d 10.1.1.10 --sport 80 -j ACCEPT
iptables -A OUTPUT -t mangle -p tcp -d 10.1.1.11 --sport 80 -j ACCEPT
iptables -A OUTPUT -t mangle -p tcp -s 10.1.1.1 --sport 80 -j MARK --set-mark 2
echo 202 www.out >> /etc/iproute2/rt_tables
ip rule add fwmark 2 table www.out
ip route add default via 10.1.1.20 dev eth1 table www.out
ip route flush cache

Basic commands to check these settings are:

iptables -t mangle -L
ip rule ls
ip route list table www.out
ip route

The following command flushes the table, so that a script may be run again:

iptables -F OUTPUT -t mangle

This is very easy, just add an additional "script"-definition to the target section like this:

bng# target 1 script "wget -q -O /dev/null -t 1 -T 2 http://www.BalanceNG.net",4,10

The option "-q" keeps wget quiet with no output, "-O /dev/null" ignores the contents received, "-t 1" specifies that the access is tried just once per call and "-T 2" specifies a timeout of 2 seconds.

BalanceNG needs the ability to operate the connected, physical interfaces in promiscuous mode. In a VM setup this requires that the VM has the permission to do that in turn. The solution is to either run the VM as root or to set the permissions of /dev/vmnet* doing a "chmod go+rw /dev/vmnet*" on the vmware host before starting the VM.

Important: Please note, that BalanceNG under VMware requires a separate virtual switch for use by BalanceNG only (and a separate physical NIC for that vswitch).

Please consult the ESX Server 3 Configuration Guide for enabling promiscuous mode on the virtual switch (Pages 50 and 51): vi3_35_25_3_server_config.pdf.

For ESX version 2 you may look at this PDF from VMware and do the reverse as suggested on page 8: esx2_security.pdf.

In some cases you need to convert the VM before with the free VMware converter tool available here: www.vmware.com/products/converter/.

This requires the following actions:

• Configure the loopback adapter with the virtual server IP address
• Disable the firewall on the Windows 2008 targets
• Set the name of the physical interface to "net" and the name of the loopback adapter to "loopback"
• Enter the following command line instructions (referencing the names "net" and "loopack"):

     netsh interface ipv4 set interface "net" weakhostreceive=enabled
     netsh interface ipv4 set interface "loopback" weakhostreceive=enabled
     netsh interface ipv4 set interface "loopback" weakhostsend=enabled
  

The needed Debian and Ubuntu packages are snmpd and snmp (tiny-snmpd does not work for some reason).

The following redonly "com2sec" mapping is recommended (in /etc/snmp/snmpd.conf), just uncomment as follows:

     #       sec.name  source          community
     #com2sec paranoid  default         public
     com2sec  readonly  default         public
     #com2sec readwrite default         private

Additionally, the following line needs to be present in /etc/snmp/snmpd.conf in order to establish the interface between snmpd and BalanceNG:

     pass .1.3.6.1.4.1.2771.1 /sbin/bng

Note: There's no need to change /etc/default/snmpd anymore with 2.226 and above (snmpd runs now as user snmp).

A typical "snmpget" command line looks like this:

     snmpget -v1 -c public localhost .1.3.6.1.4.1.2771.1.1

A complete "snmpwalk" of the BalanceNG 2.x MIB can be invoked like this:

     snmpwalk -v1 -c public localhost .1.3.6.1.4.1.2771.1

The BALANCENG-MIB may be copied to the /usr/share/snmp/mibs directory (for Ubuntu/Debian Linux). The following environment variable setting makes the BalanceNG MIB available to the snmpd tools:

     export MIBS=+BALANCENG-MIB

Note the difference between the two "snmpget" invocations below:

     $ snmpget -v1 -c public localhost .1.3.6.1.4.1.2771.1.1
     SNMPv2-SMI::enterprises.2771.1.1 = STRING: "2.228"
     $ export MIBS=+BALANCENG-MIB
     $ snmpget -v1 -c public localhost .1.3.6.1.4.1.2771.1.1
     BALANCENG-MIB::Release = STRING: "2.228"

You may also setup a local snmp.conf like this to make this setting permanent:

     $ echo "mibs +MY-MIB" >> $HOME/.snmp/snmp.conf

IPv6 support is currently under development for BalanceNG V3 and will be available very soon.