Correct NAT rule for Inbound Load Balancing DNS
-
Hi All,
Something so simple has become complicated.
This was happening with 1.2.3 (probably because of slb not being able to balance UDP) and is also happening with 2.0 RC1 (Relayd?) for me.
I am trying to setup a round robin style DNS over several load balanced servers.
-
I have created several load balanced pools using the internal IP addresses of my DNS servers.
-
All pools have the same set of internal IP addresses in them.
-
I have created several Virtual Servers, one for each DNS public IP in use. The interface says they are configured in redirect_mode.
-
There is an allocation of one pool to one virtual server to one external IP.
-
The external IPs are proxARP style IPs on the WAN interface.
-
There are firewall rules in place that allows all external DNS traffic to pass to the internal DNS server IP addresses on the DNS port.
-
Additionally there are 2 firewalls in this setup in active/passive setup using CARP.
Here is where the confusion is.
- I have setup a single NAT rule using aliases, that will pass all external UDP traffic coming in to any of the external DNS IP addresses (Proto DNS) to any of the internal DNS IP addresses.
This seems to work in some capacity.
-
I see traffic to all the internal DNS server IPs in the logs.
-
However this round robin operation seems to be being performed by the NAT rule and not the load balancer.
-
I have tested by taking one of the internal DNS servers physically offline. The load balancer shows it offline and out of the pool but round robin traffic is still being sent there according to the logs and my external nslookup tests will hang when that server is used.
-
I have tried to remove the NAT rule completely but then no DNS traffic is allowed to pass to the internal DNS IP addresses at all.
-
I suspect that removing all of the load balancing configuration while leaving the NAT rule in place will cause the system to continue to function as it is doing now. I am unable to safely test this at the moment.
I have reviewed the documentation but it is not clear enough on how this should be setup.
What am I missing here?
-
-
I guess my question to start should be:
Can someone confirm if 2.0 RC1 supports UDP load balancing?
-
Wow! I can not believe that there are no answers to this!
-
The number of people using the inbound load balancer is much lower than those using other features. It's not beyond reason to suspect that nobody has tried to balance udp inbound like that. This thread is also not in the 2.0 board so you may not catch many people here who use 2.0.
Some Googling suggests that it's possible in relayd, at least in relay (not redirect) mode. Try to edit /usr/local/www/load_balancer_virtual_server_edit.php - removing the comment marks from line 249 and 259, see if using relay mode works. At the moment we force redirect mode but I don't remember the reasoning behind the other code being disabled.
-
Weird, I didn't get an email notification about an update to this thread and decided to manually check. Thanks for the info, will give that a shot soon and report back.
