LVS Server behind Pfsense 2.4.4-RELEASE-p3
-
Hi,
we would like to balance our smtp(s) servers using our internal LVS linux server, but we have some issues. The public ip of our LVS Server is A.B.C.92 and it has as default gateway A.B.C.1 (VIP CARP of pfsense interface). IP of our 4 smtp(s) servers are: A.B.C.40-43 and they have the same default gateway (A.B.C.1) as the LVS Server. The Servers subnet is not natted. The LVS mode is DR. We have many logs on the WAN and Server interface with traffic block and TCP:FPA / TCP:PA as causes. After googling a little bit, we understood that the problem is with asymmetric routing and so we added on the floating interface the following rule:
Action: Pass
Quick: checked
Interface: WAN
Direction: out
Address Family: IPv4
Protocol: TCP
Source: Servers subnet
TCP Flag: Any flags
The problem is that by activating this rule, all the Servers in the Server Subnet (A.B.C.0/24) can ping external servers but tcp traffic is blocked.
Can someone help us?
Thank you very much
-
Adding that outbound rule should not affect normal traffic from internal servers at all.
Seeing blocked FIN entries like that is not necessarily a problem:
https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html#troubleshooting-blocked-log-entries-for-legitimate-connection-packets
If you were seeing asymmetric routing problems I would expect to see blocked traffic on LAN also.
Steve
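As an added illustration of Steve's point (example code, not from either post): a small script that sorts pfSense block log entries into late out-of-state packets (FIN/PSH/ACK/RST only, usually harmless per the linked doc) versus blocked handshake packets (SYN or SYN/ACK with no state), which are the ones that point at real asymmetric routing. It assumes the pfSense 2.4 raw filterlog CSV layout and uses constructed log lines, with 203.0.113.0/24 standing in for A.B.C.0/24, igb0 for WAN and igb2 for the Servers interface.

```python
import re
from collections import Counter

# Constructed pfSense 2.4 filterlog lines (not taken from the thread). The field
# layout is assumed to follow the pfSense raw filter log CSV format for IPv4/TCP;
# 203.0.113.0/24 stands in for the A.B.C.0/24 Servers subnet of the original post,
# igb0 for WAN and igb2 for the Servers interface.
SAMPLE_LOG = """\
Jun 10 13:55:21 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,52,198.51.100.7,203.0.113.92,40112,25,0,FPA,3389,2210,501,,nop;nop;TS
Jun 10 13:55:21 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,52,198.51.100.7,203.0.113.92,40112,25,0,PA,3390,2210,501,,nop;nop;TS
Jun 10 13:55:22 pfSense filterlog: 5,,,1000000103,igb2,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.41,198.51.100.7,25,40112,0,SA,77,3389,65535,,mss;sackOK;TS
"""

# Field positions in the CSV part of an IPv4/TCP filterlog entry (assumed layout).
IFACE, ACTION, DIRECTION, IPVER, PROTO, SRC, DST, SPORT, DPORT, TCPFLAGS = 4, 6, 7, 8, 16, 18, 19, 20, 21, 23

def parse_entry(line):
    """Return the fields of one blocked IPv4/TCP filterlog line, or None."""
    m = re.search(r"filterlog(?:\[\d+\])?: (.*)$", line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) <= TCPFLAGS or f[IPVER] != "4" or f[PROTO] != "tcp" or f[ACTION] != "block":
        return None
    return {"iface": f[IFACE], "dir": f[DIRECTION], "src": f[SRC], "dst": f[DST],
            "sport": f[SPORT], "dport": f[DPORT], "flags": f[TCPFLAGS]}

def classify(entry):
    """Separate blocked handshake packets (real trouble) from late out-of-state packets."""
    if "S" in entry["flags"]:
        return "handshake-blocked"   # SYN or SYN/ACK with no matching state: setup is failing
    if set(entry["flags"]) <= set("FPAR"):
        return "late-packet"         # FIN/PSH/ACK/RST after the state closed; often benign
    return "other"

def summarize(log_text):
    """Count blocked TCP packets by (interface, direction, category)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry:
            counts[(entry["iface"], entry["dir"], classify(entry))] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(key, n)
```

Run it against `clog /var/log/filter.log` output instead of SAMPLE_LOG; a non-zero handshake-blocked count on the Servers interface is the symptom worth chasing, while WAN-side FPA/PA-only counts match the benign case in the linked doc.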