pfSense load balancing not working, in the weirdest way



  • Hi everyone,
    I’ve been trying to test pfSense version 2.4.1 AMD64 server load balancing function, using 3 virtual machines in a KVM host. This is the setup:

    As I understand, when the client sends request to the pfSense LB IP/Port – 192.168.200.254:9999, the pfSense will NAT the packet like this:

    But, as I’ve captured the packets on the client and the web machine, the IP source and destination seem to be weird and the client cannot access the web server.

    Notice that 192.168.201.1 is the LAN GW assigned in the pfSense, also is the IP address of the KVM host interface.

    These are the packets captured on the client:

    These are the packets captured on the web server:

    These are the packets captured on the pfSense LAN interface (packets for the ICMP monitor between pfSense and the web server, and between pfSense and the LAN GW 192.168.201.1, have been removed for a tidier output):

    01:13:40.485180 IP 192.168.200.100.49180 > 192.168.201.100.8080: tcp 0
    01:13:40.739649 IP 192.168.200.100.49181 > 192.168.201.100.8080: tcp 0
    01:13:42.354218 ARP, Request who-has 192.168.201.254 (52:54:00:2b:a2:6d) tell 192.168.201.100, length 46
    01:13:42.354245 ARP, Reply 192.168.201.254 is-at 52:54:00:2b:a2:6d, length 28
    01:13:43.504061 IP 192.168.200.100.49180 > 192.168.201.100.8080: tcp 0
    01:13:43.754054 IP 192.168.200.100.49181 > 192.168.201.100.8080: tcp 0
    01:13:45.309792 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:6d:03:74.8002, length 43
    01:13:47.293853 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:6d:03:74.8002, length 43
    01:13:49.277792 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:6d:03:74.8002, length 43
    01:13:49.503980 IP 192.168.200.100.49180 > 192.168.201.100.8080: tcp 0
    01:13:49.754136 IP 192.168.200.100.49181 > 192.168.201.100.8080: tcp 0
    01:13:51.261825 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:6d:03:74.8002, length 43
    01:13:53.309749 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:6d:03:74.8002, length 43
    01:13:55.293771 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:6d:03:74.8002, length 43
    01:13:57.021726 ARP, Request who-has 192.168.201.254 tell 192.168.201.1, length 46
    01:13:57.021764 ARP, Reply 192.168.201.254 is-at 52:54:00:2b:a2:6d, length 28
    01:13:57.277695 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:6d:03:74.8002, length 43
    01:13:59.261825 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:6d:03:74.8002, length 43
    01:14:01.309595 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:6d:03:74.8002, length 43
    01:14:01.770170 IP 192.168.200.100.49182 > 192.168.201.100.8080: tcp 0
    01:14:03.293771 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:6d:03:74.8002, length 43
    01:14:04.785258 IP 192.168.200.100.49182 > 192.168.201.100.8080: tcp 0
    01:14:05.277804 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:6d:03:74.8002, length 43

    This is the server pool configured in pfSense

    Pool status:

    This is the load balancing port configured in pfSense
    Load balancing port status:

    Notice that I’ve added a floating rule to allow everything in the pfSense

    Can you please explain this result, and tell me what I have done wrong?

    Thank you.
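A small diagnostic for reading the LAN-side capture above, added here as an example; it is not part of the post and not a pfSense or relayd tool. It parses the tcpdump TCP lines (the ARP/STP lines are skipped), groups them into client-to-server flows and reports, per flow, whether the destination was rewritten to a pool member on the pool port, whether the source was rewritten to the load balancer's LAN address, whether any reply packet was seen in the reverse direction, and the spacing between repeated packets on the same source port. The capture shows SYNs repeating at roughly 3 s and 6 s intervals with no SYN-ACK, which is the classic retransmission pattern of a connection that gets no answer. One point worth checking when reading the result: a pfSense relayd redirect rewrites only the destination, so the client address 192.168.200.100 is preserved and the pool member must route its replies back through pfSense (192.168.201.254) rather than through another gateway on the LAN, otherwise the return path never reaches the firewall state. The sample lines embedded below are copied from the capture in the post; the address and port arguments are the values given in the post.

```python
import re
from collections import OrderedDict

# Constructed input: the TCP lines quoted from the pfSense LAN-side capture in the post,
# plus one ARP line to show that non-IP lines are ignored by the parser.
SAMPLE_CAPTURE = """\
01:13:40.485180 IP 192.168.200.100.49180 > 192.168.201.100.8080: tcp 0
01:13:40.739649 IP 192.168.200.100.49181 > 192.168.201.100.8080: tcp 0
01:13:42.354218 ARP, Request who-has 192.168.201.254 (52:54:00:2b:a2:6d) tell 192.168.201.100, length 46
01:13:43.504061 IP 192.168.200.100.49180 > 192.168.201.100.8080: tcp 0
01:13:43.754054 IP 192.168.200.100.49181 > 192.168.201.100.8080: tcp 0
01:13:49.503980 IP 192.168.200.100.49180 > 192.168.201.100.8080: tcp 0
01:13:49.754136 IP 192.168.200.100.49181 > 192.168.201.100.8080: tcp 0
01:14:01.770170 IP 192.168.200.100.49182 > 192.168.201.100.8080: tcp 0
01:14:04.785258 IP 192.168.200.100.49182 > 192.168.201.100.8080: tcp 0
"""

# Matches tcpdump's "-q"-style TCP summary line: timestamp, IP src.port > dst.port: tcp len
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): tcp (?P<plen>\d+)"
)


def _seconds(ts):
    """Convert hh:mm:ss.ffffff into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_tcp(text):
    """Return one dict per TCP line of a tcpdump capture; ARP/STP lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "t": _seconds(d["ts"]),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "plen": int(d["plen"]),
        })
    return packets


def analyze(text, lb_addr, pool, pool_port):
    """Group packets into forward flows towards the pool and flag what the capture shows.

    lb_addr   - the load balancer's LAN address (hypothetical argument, taken from the post)
    pool      - set of pool member addresses
    pool_port - port the pool members listen on
    """
    flows = OrderedDict()
    for p in parse_tcp(text):
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        flows.setdefault(key, []).append(p["t"])

    report = []
    for (src, sport, dst, dport), times in flows.items():
        if dst not in pool:          # only the client -> pool direction is a "forward" flow
            continue
        reverse = (dst, dport, src, sport)
        gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]
        report.append({
            "client": f"{src}:{sport}",
            "server": f"{dst}:{dport}",
            "dst_port_ok": dport == pool_port,            # destination rewritten to the pool port
            "src_is_lb": src == lb_addr,                  # source rewritten to the LB address?
            "packets": len(times),
            "replies": len(flows.get(reverse, [])),       # packets seen from server back to client
            "retransmit_gaps_s": gaps,
            # Repeats on the same source port spaced by seconds, with nothing else in between,
            # are retransmissions of an unanswered SYN rather than separate connections.
            "looks_like_syn_retransmit": len(times) > 1 and all(g >= 2.5 for g in gaps),
        })
    return report


if __name__ == "__main__":
    for f in analyze(SAMPLE_CAPTURE, "192.168.201.254", {"192.168.201.100"}, 8080):
        print(f)
```

Each entry of the returned report is one client connection attempt; in the capture above all three attempts have `replies == 0`, `src_is_lb == False` and gaps of about 3 s and 6 s, so the destination translation worked but nothing ever came back through the LAN interface.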



  • Anyone, please?

