Help with double NAT (incoming and outgoing) and load balancing?
sharbour last edited by
I am trying an experiment. I have several existing private subnets behind a legacy firewall. I would like to use pfSense as a load balancer for a pool of webservers in one of the subnets, and publish an address on pfSense for internet clients. The catch is, I want to do it without changing the existing network configuration or anything on the web servers.
Currently clients can reach the web servers individually via a 1:1 portforward NAT rule on the PIX firewall
web server A
internal address 172.16.3.108 > gateway 172.16.3.1 > PIX firewall > external address 1:1 nat to (example) 188.8.131.52 web1.example.org
web server B
internal address 172.16.3.109 > gateway 172.16.3.1 > PIX firewall > external address 1:1 nat to (example) 184.108.40.206 web2.example.org
web server C
192.168.1.7 > gateway 192.168.1.1 > PIX firewall > external address 1:1 nat to (example) 220.127.116.11 web3.example.org
I would like to drop in a pfSense router as a load balancer for server A and B without changing any of the existing network setup.
To accomplish this, I would configure pfSense like this:
pfSense WAN interface
192.168.1.6 > gateway 192.168.1.1 > PIX firewall > external address 1:1 nat to (example) 18.104.22.168 web4.example.org
pfSense LAN interface
172.16.3.201 > gateway 172.16.3.1 (There is no PIX firewall external 1:1 NAT for this address)
Now, I would setup a load balance pool on pfSense for webservers A and B.
When a client is pointed at the 192.168.1.6 address for pfSense, the request is handled by pfSense and delivered to either web server A or B. However, the originating address is sent out the default gateway directly by the webserver, and not pfSense.
This is normal behavior. However, I think it can be made to work if a reverse NAT rule is applied to incoming client connections connecting to pfSenses WAN interface. In effect, this would turn pfSense into a load balancing reverse proxy server, instead of a load balancing NAT firewall.
So, can anyone help me figure out how to apply a reverse NAT rule to the WAN interface so that it would apply to load balanced client requests? Once this is working, I would be able to remove the 1:1 NAT rules on the Cisco PIX for everything except the pfSense box. I would then like to get a failover pfSense box configured as backup for the primary.
So far, I have tried multiple NAT configurations on the pfSense box, but all packets delivered to a load balanced pool shows the originating client IP, not the pfSense LAN IP. I suspect I need to create a virtual LAN IP to bind the NAT to, but I am not sure how to accomplish this.
If I can get this working I will contribute the howto for the pfSense documentation.
hoba last edited by
Is there a reason why you don't want to drop the pix and move it's config over to a pfsense and adding the loadbalancing feature? If you prepare the pfSense it's a plug and play swap over that should not take more than a minute.
sharbour last edited by
Dropping the PIX setup is not an option. The PIX are already in a dual failover configuration, the support is paid up for this year, and migration and verification of the thousands of rules on the PIX to pfSense would take more time than I am willing to commit at this point.
Is what I am trying to do with pfSense doable with the current version? If it works, it would be a great intermediate step.