Load Balancer working with LAN IP but not with WAN IP
-
pfSense LAN: 192.168.1.201
WAN: 178.22.67.xx
Webserver(s) at: 192.168.1.11/21, port 8080
Created server pool with webservers above
Created Virtual Server: IP = pfSense LAN / WAN (only one at a time for testing), port 80
Created firewall rules to pass WAN traffic to webserver pool port 8080
Status: If I use the pfSense LAN IP in the virtual server, and test over LAN, Load balancing works fine
If I switch to pfSense WAN IP, can get no response from pfSense port 80. (Admin port of pfSense has been moved to 8082)
Firewall logs don't show any blocks. Webservers have default gateway set to the pfSense LAN IP (192.168.1.201)
Webservers and Pool are healthy. And, repeat, Virtual server works fine through pfSense LAN IP.
It's as if pfSense is not listening on port 80 at all. Driving me crazy - spent a lot of cycles on it. Am relatively new to pfSense, and likely missing something obvious. Any help appreciated much!
-
Adding more info: Have tried port forwarding from WAN IP port 80 to LAN IP - no luck.
Am on 2.0.1-release version. Like I said, it's as if pfSense is not listening on port 80 for the WAN IP at all. Is there a simple way to check that? (tried netstat, and didn't see it listed there either). Any specific commands to check/resolve to make sure WAN IP port 80 traffic is accepted? Thanks.
-
It might not be relevant, but to test port forwarding on the WAN interface you really need to have the connection attempt arrive at the pfSense box on the WAN interface. Connection attempts to the WAN IP address that arrive on the LAN interface will not match port forwarding rules on the WAN interface.
Port forwarding rules don't set up listening sockets, so you won't find evidence of successful establishment of port forwarding in netstat output.
I think the best way to troubleshoot port forwarding issues is packet capture:
1. Does the connection attempt arrive on the correct interface?
2. Does it leave on the correct interface?
3. Is the correct response generated?
4. If not, check the target system. The addressed server's configuration might need some tweaking to allow the attempted access.
-
Enabled packet capture on the WAN interface, and attempted access to the WAN IP port 80. Captured info (excerpt below) does appear to confirm that the packets are coming in over the WAN interface as they should.
17:06:44.561287 …. > ..., ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 57, id 11464, offset 0, flags [DF], proto TCP (6), length 52)
182.68.252.xxx.10970 > 178.22.67.xx.80: Flags [S], cksum 0xef04 (correct), seq 1136216498, win 8192, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0
-
Apologies for the partial info in the previous post - didn't realize I could take the packet capture approach further…
So - here's where I am using packet capture - my earlier theory of pfSense not listening on WAN port 80 for Load Balancer was very wrong.
1. Packets are received over WAN port 80
2. Forwarded via LAN IP on pfSense to the web-server LAN IPs in the pool to port 8080
3. Webserver returns packets back to the LAN IP of pfSense in response
Yet - no data is returned back to the original WAN source (browser/curl client), and nothing still in the firewall logs. Bit flummoxed how to trace the packets from the pfSense LAN IP to its WAN IP.
-
4. If not, check the target system. The addressed server's configuration might need some tweaking to allow the attempted access.
Could you please elaborate? Just to be sure we are on the same page: I am attempting to use the Load Balancer via the WAN IP (put the webservers on the LAN in the Virtual Server/ pool.) I had attempted port forwarding as a work-around - however, since that did not resolve, I figured to re-simplify and go back to "bare" Load Balancer setup. What I am seeing using pcap (from what I can tell), my http request is going:
request: my_isp >>> pfSense WAN IP:80 >>> pfS LAN IP >>> webserver:8080
response: webserver:8080 >>> pfS LAN IP |STOP| (does not make it back out through the WAN IP)
Any suggestions on what configuration might need tweaking on which box?
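The four-point checklist from the earlier reply (does the SYN arrive on WAN, does it leave on LAN, does the backend answer, does the answer leave on WAN) and the request/response trace above can be checked mechanically from two packet captures. The script below is an added example and is not from the thread or from pfSense; it parses the flow line of tcpdump output (the same format as the excerpt posted above), looks for each hop of the TCP handshake in a WAN capture and a LAN capture, and reports the first hop that is missing. It also distinguishes a SYN-ACK from an RST coming back from the pool member, since "the webserver returned packets" can mean either a served connection or a refused one. The capture lines are constructed to mimic this thread's addresses (client 182.68.252.xxx, pfSense WAN 178.22.67.xx, pool member 192.168.1.11:8080); the source address seen on the LAN side depends on the NAT mode, so matching is done on the backend side only.

```python
"""Trace a load-balanced / port-forwarded TCP handshake across a WAN and a
LAN packet capture from pfSense and report where the flow stops.

Added example for this thread; the tcpdump line format is real, the
capture excerpts below are constructed."""
import re

# Flow line of tcpdump output, e.g.
#   182.68.252.xxx.10970 > 178.22.67.xx.80: Flags [S], cksum 0xef04 ...
# Host parts may contain letters because the poster masked octets with "x".
FLOW_RE = re.compile(
    r"(?P<src>[\w.]+?)\.(?P<sport>\d+) > (?P<dst>[\w.]+?)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_packets(lines):
    """One dict per packet; timestamp/ethertype lines of -v output are skipped."""
    packets = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            packets.append({
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "flags": m["flags"],
            })
    return packets


def trace_handshake(wan_lines, lan_lines, wan_ip, vs_port=80, backend_port=8080):
    """Check the four hops of the checklist and name the first missing one."""
    wan = parse_packets(wan_lines)
    lan = parse_packets(lan_lines)

    def seen(pkts, **match):
        return any(all(p[k] == v for k, v in match.items()) for p in pkts)

    # (name, observed?, what it means when this is the first missing hop)
    steps = [
        ("syn_in_on_wan",
         seen(wan, dst=wan_ip, dport=vs_port, flags="S"),
         "no SYN for the virtual server reached the WAN interface; "
         "the test must arrive on WAN, not LAN"),
        ("syn_out_on_lan",
         seen(lan, dport=backend_port, flags="S"),
         "SYN seen on WAN but never forwarded to the pool; "
         "check the WAN firewall rule and the virtual server"),
        ("synack_back_on_lan",
         seen(lan, sport=backend_port, flags="S."),
         "the pool member never completed the handshake; "
         "check the service and any host firewall on the web server"),
        ("synack_out_on_wan",
         seen(wan, src=wan_ip, sport=vs_port, flags="S."),
         "reply reached pfSense but never left WAN; "
         "check the backend's default gateway and the pfSense state table"),
    ]
    result = {name: ok for name, ok, _ in steps}
    # An RST from the backend is "a reply" in the capture, but it means refused.
    result["rst_from_backend"] = (seen(lan, sport=backend_port, flags="R.")
                                  or seen(lan, sport=backend_port, flags="R"))
    for name, ok, why in steps:
        if not ok:
            if name == "synack_back_on_lan" and result["rst_from_backend"]:
                why = ("the pool member answered with RST: port closed or a "
                       "host firewall on the web server is rejecting pfSense")
            result["diagnosis"] = why
            return result
    result["diagnosis"] = "handshake completed through pfSense on both interfaces"
    return result


# Constructed capture excerpts (not real traffic).
WAN_CAPTURE = [
    "17:06:44.561287 IP (tos 0x0, ttl 57, id 11464, offset 0, flags [DF], proto TCP (6), length 52)",
    "    182.68.252.xxx.10970 > 178.22.67.xx.80: Flags [S], cksum 0xef04 (correct), seq 1136216498, win 8192, length 0",
]
LAN_CAPTURE_REFUSED = [
    "    182.68.252.xxx.10970 > 192.168.1.11.8080: Flags [S], seq 1136216498, win 8192, length 0",
    "    192.168.1.11.8080 > 182.68.252.xxx.10970: Flags [R.], seq 0, ack 1136216499, win 0, length 0",
]
LAN_CAPTURE_OK = [
    "    182.68.252.xxx.10970 > 192.168.1.11.8080: Flags [S], seq 1136216498, win 8192, length 0",
    "    192.168.1.11.8080 > 182.68.252.xxx.10970: Flags [S.], seq 2204, ack 1136216499, win 65535, length 0",
]
WAN_CAPTURE_OK = WAN_CAPTURE + [
    "    178.22.67.xx.80 > 182.68.252.xxx.10970: Flags [S.], seq 2204, ack 1136216499, win 65535, length 0",
]

if __name__ == "__main__":
    for wan, lan in ((WAN_CAPTURE, LAN_CAPTURE_REFUSED), (WAN_CAPTURE_OK, LAN_CAPTURE_OK)):
        print(trace_handshake(wan, lan, "178.22.67.xx")["diagnosis"])
```

To feed it real data, run Diagnostics > Packet Capture in the pfSense GUI once on WAN and once on LAN while making a single request, or capture on the shell with tcpdump (interface names such as em0/em1 vary per box and are an assumption here), and pass the saved text lines to trace_handshake. The RST case is the one worth watching in this thread: a backend that refuses with RST still "returns packets to pfSense", but nothing useful can go back out to the client.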
-
Any suggestions on what configuration might need tweaking on which box?
Some server software includes a "mini firewall". Server configuration requires specification of which interface(s) the server will access requests from and/or which IP addresses the server will accept requests from.
Perhaps the server is rejecting the requests you have logged because the server is not configured to accept those requests. There might be a server log giving more details.
If you provided more details from the packet captures (especially the responses), identified the server (e.g. Apache v2.1) and so on that also might help other readers see what is going on.
-
Some server software includes a "mini firewall". Server configuration requires specification of which interface(s) the server will access requests from and/or which IP addresses the server will accept requests from.
Perhaps the server is rejecting the requests you have logged because the server is not configured to accept those requests. There might be a server log giving more details.
That tip resolved it. I was under the impression that I had the "mini" firewall on the webserver disabled for my tests - but I must have been wrong. "Problem" went away when I uninstalled the local/mini firewall that is no longer necessary. We were using an application that sits on top of iptables - and I assumed incorrectly that shutting down iptables would disable the local firewall application. This local/mini firewall must have additional filtering outside of iptables as well.
Now - I have a separate question - how to set up the load balancer to work across https connections. Will look around for info, and if needed post it separately.