When using load balancing, DST MAC is always 00:00:5e:00:01:98



  • Hi all!
    Another weird behaviour of the load balancer.

            ----------    CARP              CARP    ----------
            |        | 1:VIP1                  VIP2 |        |
            |pfSense1|------------------------------|pfSense2|
    PC1-----|        | 2:VIP3                  VIP4 |        |
            |        |------------------------------|        |
            ----------              |               ----------
                                    |
                                   PC2

    The LoadBalancer is configured on pfSense1 as Failover with two members:
    interface1 with ICMP to VIP2 and interface2 with ICMP to VIP4.
    VIP2 and VIP4 are the default gateways on interfaces 1 and 2 respectively.
    Interface 2 is primary in the LoadBalancer.
    Now the problem.
    PC2 sends a TCP SYN to PC1 and PC1 responds with SYN ACK, where the destination MAC
    address of this packet on interface 2 is not PC2's MAC but the MAC of VIP4, so all
    traffic from PC1 to PC2 goes through pfSense2 VIP4.
    So it seems that pfSense uses the loadbalancer to deliver packets back to PC2.
    There is a rule on pfSense1 at the LAN interface (which PC1 is connected to):
    allow all from LAN network to interface2 network using default routing
    (not loadbalancer), though this rule should not play here as the state is
    created when PC2 initiates the connection.
    Any thoughts please?



  • Ok, maybe it happens because on pfSense1 I have
    pass in quick on em2 reply-to (em2 10.29.254.254) inet from <flttornoc> to any keep state label "USER_RULE: Allow All for FLT TOR NOC"
    pass in quick on carp1 reply-to (em2 10.29.254.254) inet from <flttornoc> to any keep state label "USER_RULE: Allow All for FLT TOR NOC"

    carp1 has VIP3 (on em2)
    10.29.254.254 is VIP4 (and the default gateway for em2 on pfSense1)
    <flttornoc> represents the em2 subnet.

    I know that now GruensFroeschli will advise me to use Google, but honestly I tried and as a newbie to pf I still have questions:

    1. I understand route-to, but what exactly does reply-to mean?
    2. Can I add a specific rule for my PC2 to create something like this?
      pass in quick on em2 inet from <pc2> to any keep state label "USER_RULE: Allow All for FLT TOR NOC"

    Thanks.
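The following is an added example, not part of the thread or of pfSense: a small Python model of how pf chooses the rule that creates a state on em2, and therefore which reply-to gateway gets pinned into that state. It assumes <flttornoc> is 10.29.254.0/24 and that PC2 is 10.29.254.10 (both constructed; the post only says <flttornoc> is the em2 subnet), and it shows that a more specific quick rule without reply-to placed before the existing one leaves PC2's replies on the normal routing table.

```python
import ipaddress
import re

# Constructed table contents: the thread only says <flttornoc> is the em2
# subnet, so this prefix and the PC2 address are assumptions for the example.
TABLES = {
    "flttornoc": [ipaddress.ip_network("10.29.254.0/24")],
    "pc2": [ipaddress.ip_network("10.29.254.10/32")],
}

RULE_RE = re.compile(
    r"pass in (?P<quick>quick )?on (?P<iface>\S+)"
    r"(?: reply-to \((?P<rt_if>\S+) (?P<rt_gw>\S+)\))?"
    r" inet from (?P<src>\S+) to (?P<dst>\S+)"
)

def parse_rule(line):
    """Pick the fields this model needs out of a pfctl-style rule line."""
    m = RULE_RE.search(line)
    if not m:
        raise ValueError("unsupported rule: " + line)
    return {"quick": bool(m.group("quick")), "iface": m.group("iface"),
            "reply_to": m.group("rt_gw"), "src": m.group("src")}

def src_matches(spec, addr):
    """'any', a <table> reference, or a literal address/prefix."""
    if spec == "any":
        return True
    if spec.startswith("<") and spec.endswith(">"):
        return any(addr in net for net in TABLES[spec[1:-1]])
    return addr in ipaddress.ip_network(spec, strict=False)

def reply_gateway(ruleset, iface, src):
    """Gateway pf records in the state for a packet arriving on iface from src
    (a matching 'quick' rule wins immediately; otherwise the last match wins)."""
    addr = ipaddress.ip_address(src)
    winner = None
    for rule in map(parse_rule, ruleset):
        if rule["iface"] == iface and src_matches(rule["src"], addr):
            winner = rule
            if rule["quick"]:
                break
    return winner["reply_to"] if winner else None

# The two rules from the post (label text dropped) and the proposed PC2 rule.
ORIGINAL = [
    "pass in quick on em2 reply-to (em2 10.29.254.254) inet from <flttornoc> to any keep state",
    "pass in quick on carp1 reply-to (em2 10.29.254.254) inet from <flttornoc> to any keep state",
]
PC2_FIRST = ["pass in quick on em2 inet from <pc2> to any keep state"] + ORIGINAL
```

With ORIGINAL, a SYN from PC2 on em2 creates a state carrying reply-to 10.29.254.254, so PC1's SYN ACK is sent to VIP4's MAC; with PC2_FIRST the PC2 rule matches first and no gateway is pinned.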

