Netgate Discussion Forum
    LVS Server behind Pfsense 2.4.4-RELEASE-p3

    prx

      Hi,

      we would like to balance our smtp(s) servers using our internal LVS linux server, but we have some issues. The public IP of our LVS Server is A.B.C.92 and it has as default gateway A.B.C.1 (VIP CARP of pfsense interface). IP of our 4 smtp(s) servers are: A.B.C.40-43 and they have the same default gateway (A.B.C.1) of LVS Server. The Servers subnet is not natted. The LVS mode is DR. We have many logs on the WAN and Server interface with traffic block and TCP:FPA / TCP:PA as causes. After googling a little bit, we understood that the problem is with asymmetric routing and so we added on the floating interface the following rule:
      Action: Pass
      Quick: checked
      Interface: WAN
      Direction: out
      Address Family: IPv4
      Protocol: TCP
      Source: Servers subnet
      TCP Flag: Any flags

      The problem is that by activating this rule, all the Servers in the Server Subnet (A.B.C.0/24) can ping external servers but tcp traffic is blocked.

      Can someone help us?

      Thank you very much

      stephenw10 Netgate Administrator

        Adding that outbound rule should not affect normal traffic from internal servers at all.

        Seeing blocked FIN entries like that is not necessarily a problem:
        https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html#troubleshooting-blocked-log-entries-for-legitimate-connection-packets

        If you were seeing asymmetric routing problems I would expect to see blocked traffic on LAN also.

        Steve

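To check Steve's point from the firewall log itself, the added example below (not code from the thread or from Netgate) tallies blocked TCP packets per interface and separates connection openers (SYN) from mid-stream packets such as FPA or PA. It assumes the pfSense filterlog CSV field order documented by Netgate (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 and TCP fields); the log lines and interface names are constructed, with em0 standing in for WAN and em1 for the Servers side.

```python
from collections import Counter, defaultdict

# Constructed sample lines in filterlog CSV form (syslog prefix already stripped).
# em0 stands in for WAN, em1 for the Servers/LAN interface. Addresses are from
# documentation ranges, not the poster's network.
SAMPLE_LOG = """\
5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,203.0.113.7,192.0.2.92,40512,25,0,FPA,1,1,0,,
5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,203.0.113.8,192.0.2.41,40513,25,0,PA,1,1,0,,
5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,192.0.2.40,40514,25,0,S,1,0,0,,
5,,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.0.2.42,198.51.100.5,25,40515,0,FPA,1,1,0,,
"""

def parse_filterlog(line):
    """Return (interface, protocol, tcp_flags) for a blocked IPv4 packet, else None.
    Field positions follow the assumed filterlog layout described in the lead-in."""
    f = line.strip().split(",")
    if len(f) < 20 or f[6] != "block" or f[8] != "4":
        return None
    iface, proto = f[4], f[16]
    flags = f[23] if proto == "tcp" and len(f) > 23 else ""
    return iface, proto, flags

def tally_tcp_blocks(log_text):
    """Count blocked TCP packets per interface, split into connection openers
    (SYN set) and mid-stream packets (no SYN: FPA, PA, A, R, ...)."""
    tally = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec[1] != "tcp":
            continue
        iface, _, flags = rec
        kind = "syn" if "S" in flags else "midstream"
        tally[iface][kind] += 1
    return {iface: dict(counts) for iface, counts in tally.items()}

def midstream_interfaces(tally):
    """Interfaces that logged mid-stream TCP blocks. Such blocks on WAN alone are
    usually stray packets of already-closed states (the doc linked above); seeing
    them on the internal side too is the pattern worth investigating for asymmetry."""
    return sorted(i for i, c in tally.items() if c.get("midstream", 0) > 0)

if __name__ == "__main__":
    t = tally_tcp_blocks(SAMPLE_LOG)
    print(t)
    print("mid-stream TCP blocks seen on:", midstream_interfaces(t))
```

On a live box, feed it the CSV part of /var/log/filter.log lines instead of SAMPLE_LOG; an interface list longer than just the WAN is the case where the floating-rule and sloppy-state approach is worth pursuing.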