Help with double NAT (incoming and outgoing) and load balancing?

  • I am trying an experiment. I have several existing private subnets behind a legacy firewall. I would like to use pfSense as a load balancer for a pool of webservers in one of the subnets, and publish an address on pfSense for internet clients. The catch is, I want to do it without changing the existing network configuration or anything on the web servers.

    Currently, clients can reach the web servers individually via a 1:1 port-forward NAT rule on the PIX firewall.

    Existing setup:

    web server A
    internal address > gateway > PIX firewall > external address 1:1 nat to (example)

    web server B
    internal address > gateway > PIX firewall > external address 1:1 nat to (example)

    web server C > gateway > PIX firewall > external address 1:1 nat to (example)

    I would like to drop in a pfSense router as a load balancer for server A and B without changing any of the existing network setup.
    To accomplish this, I would configure pfSense like this:

    pfSense WAN interface >  gateway > PIX firewall > external address 1:1 nat to (example)

    pfSense LAN interface >  gateway (There is no PIX firewall external 1:1 NAT for this address)

    Now, I would setup a load balance pool on pfSense for webservers A and B.

    When a client is pointed at the address for pfSense, the request is handled by pfSense and delivered to either web server A or B. However, the originating address is sent out the default gateway directly by the webserver, and not pfSense.

    This is normal behavior. However, I think it can be made to work if a reverse NAT rule is applied to incoming client connections connecting to pfSense's WAN interface. In effect, this would turn pfSense into a load balancing reverse proxy server, instead of a load balancing NAT firewall.

    So, can anyone help me figure out how to apply a reverse NAT rule to the WAN interface so that it would apply to load balanced client requests? Once this is working, I would be able to remove the 1:1 NAT rules on the Cisco PIX for everything except the pfSense box. I would then like to get a failover pfSense box configured as backup for the primary.

    So far, I have tried multiple NAT configurations on the pfSense box, but all packets delivered to a load balanced pool show the originating client IP, not the pfSense LAN IP. I suspect I need to create a virtual LAN IP to bind the NAT to, but I am not sure how to accomplish this.
    If I can get this working I will contribute the howto for the pfSense documentation.


    Sean Harbour

  • Is there a reason why you don't want to drop the PIX and move its config over to a pfSense and add the load balancing feature? If you prepare the pfSense it's a plug and play swap over that should not take more than a minute.

  • Dropping the PIX setup is not an option. The PIX are already in a dual failover configuration, the support is paid up for this year, and migration and verification of the thousands of rules on the PIX to pfSense would take more time than I am willing to commit at this point.

    Is what I am trying to do with pfSense doable with the current version? If it works, it would be a great intermediate step.


    Sean Harbour
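The setup asked for in the first post (inbound load balancing on WAN plus a source-NAT rule on LAN so the web servers see pfSense's LAN address and reply through pfSense rather than the PIX) expressed as the underlying pf rules, as an added example that is not part of the thread. Interface names, addresses and the pool members are assumed placeholders; in the pfSense GUI the same two translations correspond to a port forward whose target is the load balancer pool and a manual Outbound NAT rule on the LAN interface with the pool as destination and the interface address as translation.

```pf
# Added example, not from the thread. All names and addresses below are
# assumed placeholders, not values taken from the posts.
wan_if   = "em0"              # pfSense WAN, 1:1 NATed by the PIX
lan_if   = "em1"              # pfSense LAN, no PIX NAT for this address
wan_ip   = "198.51.100.10"    # address the PIX forwards to pfSense (assumed)
lan_ip   = "192.168.1.250"    # pfSense LAN address the backends will see (assumed)
web_pool = "{ 192.168.1.11, 192.168.1.12 }"   # web servers A and B (assumed)

# 1. Inbound on WAN: spread client requests across the pool.
rdr on $wan_if proto tcp from any to $wan_ip port 80 -> $web_pool round-robin

# 2. Outbound NAT on LAN: rewrite the client source address to pfSense's LAN
#    IP. The servers then answer pfSense, which undoes both translations,
#    instead of sending replies out their own default gateway (the PIX).
#    Without this rule the pool sees the real client IP, as described above.
nat on $lan_if proto tcp from any to $web_pool port 80 -> $lan_ip

# 3. Filter rules. pf applies rdr/nat before filtering, so the WAN rule
#    matches the translated destination and the LAN rule the translated source.
pass in  quick on $wan_if proto tcp from any     to $web_pool port 80 keep state
pass out quick on $lan_if proto tcp from $lan_ip to $web_pool port 80 keep state
```

With this in place every request in the web servers' access logs carries the pfSense LAN address rather than the client's, which matters for abuse investigation; NAT cannot preserve the original client IP, so if it is needed the job has to move to a real reverse proxy that adds an X-Forwarded-For header.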