The Mirror’s Edge: Optimizing University Networks for Performance


We’re considering several options:

  • Positioning mirrors behind pfSense, utilizing layer 7 (HTTP) load balancing for ports 80/443 and layer 4 for other services. However, we’re concerned about the performance impact of HTTP load balancers due to double request processing. Would TCP load balancing be a more efficient alternative?
  • Implementing mirrors behind pfSense with layer 4 (TCP) load balancing for all services on a secondary IP address. This approach seems incompatible with our existing HTTP HAProxy setup, which discriminates requests based on the HTTP Host header. Is there a way to accommodate both TCP services like FTP and rsync, which require layer 4 load balancing, and our current HTTP services?
  • Allocating a second WAN IP on pfSense to forward ports 80/443 (and 21/873) to a TCP HAProxy VM within the cluster. Could this setup provide the necessary balance between performance and redundancy?
  • Utilizing WAN with CARP for the mirrors, where one server handles all requests while the other remains idle. Is this method more effective for performance compared to other strategies?
  • Employing DNS Round-Robin for the mirrors on WAN. Although it’s designed for load balancing, we understand that clients may switch to another record if one fails to respond. A mentor advised against this method without providing a reason. Could you shed light on any potential drawbacks?
Your expertise on the best course of action for our network upgrade would be greatly appreciated. Thank you for your time.


The dilemma between using layer 7 (HTTP) load balancing for ports 80/443 and layer 4 for other services is primarily a question of performance versus granularity. HTTP load balancers, while offering more control over traffic distribution based on content type, can indeed introduce performance overhead due to additional processing. TCP load balancing, on the other hand, operates at a lower level, offering better performance by handling traffic without inspecting its content. For services that do not require the intelligent routing capabilities of HTTP load balancing, TCP is a more efficient alternative.

Accommodating TCP Services with HTTP HAProxy:

Integrating TCP services like FTP and rsync, which necessitate layer 4 load balancing, alongside HTTP services can be challenging. One solution is to use different IP addresses or ports for TCP and HTTP services, allowing HAProxy to handle HTTP requests while a separate TCP load balancer manages other protocols. This segregation ensures that each service is optimized without interference from the other.
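As an added example that is not part of the original post or the answer, the following HAProxy configuration shows how the two roles described above can coexist in one instance: an HTTP-mode frontend on the primary address dispatches on the Host header, while a TCP-mode frontend on a secondary address passes rsync through without inspecting it. All addresses, hostnames and backend names are placeholders.

```haproxy
# Added example, not the original poster's configuration. Addresses and names are placeholders.
global
    log /dev/log local0
    maxconn 20000

defaults
    log     global
    timeout connect 5s
    timeout client  300s
    timeout server  300s

# Layer 7: HTTP on the primary address, dispatched on the Host header.
# HTTPS can be terminated here (bind ... ssl crt) or passed through in tcp mode.
frontend fe_http
    bind 198.51.100.10:80
    mode http
    option forwardfor                     # client IP survives into the mirrors' access logs
    acl host_debian hdr(host) -i debian.mirror.example.edu
    use_backend be_debian_http if host_debian
    default_backend be_mirror_http

backend be_debian_http
    mode http
    balance leastconn
    option httpchk GET /
    server deb1 10.0.0.21:80 check
    server deb2 10.0.0.22:80 check

backend be_mirror_http
    mode http
    balance leastconn
    option httpchk GET /
    server mirror1 10.0.0.11:80 check
    server mirror2 10.0.0.12:80 check

# Layer 4: rsync on the secondary address; the payload is never parsed.
frontend fe_rsync
    bind 198.51.100.11:873
    mode tcp
    default_backend be_mirror_rsync

backend be_mirror_rsync
    mode tcp
    balance leastconn
    option tcp-check                      # health = TCP connect succeeds
    server mirror1 10.0.0.11:873 check
    server mirror2 10.0.0.12:873 check
```

FTP is left out because passive-mode data connections need a forwarded port range pinned to the same mirror as the control connection, whereas rsync on 873 is a single stream that plain TCP balancing handles cleanly.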

Second WAN IP for TCP HAProxy:

Allocating a second WAN IP to forward specific ports to a TCP HAProxy VM can indeed strike a balance between performance and redundancy. This approach allows for dedicated resources to manage TCP traffic, potentially improving throughput and reliability. However, it requires careful network configuration to avoid conflicts and ensure seamless failover between servers.

WAN with CARP:

Common Address Redundancy Protocol (CARP) is a failover protocol that enables multiple hosts to share the same IP address. While one server actively handles requests, the other remains in standby mode, ready to take over in case of failure. This setup is straightforward and can be effective for redundancy, but it may not fully utilize available resources since one server is always idle.

DNS Round-Robin:

DNS Round-Robin is a simple method of distributing load across multiple servers by rotating DNS responses. It is easy to implement and does not require specialized hardware or software. However, it lacks session persistence and does not account for server load or health, which can lead to uneven distribution of requests and potential service disruption if a server becomes unresponsive.

In conclusion, the optimal strategy depends on the specific requirements and constraints of the university’s network infrastructure. A combination of TCP load balancing for performance-critical services and HTTP load balancing for content-based routing, complemented by a robust failover mechanism like CARP, could provide a comprehensive solution. DNS Round-Robin, while appealing for its simplicity, should be approached with caution due to its limitations in handling complex traffic patterns and ensuring high availability.
