    Netgate Discussion Forum

    Help with double NAT (incoming and outgoing) and load balancing?

    NAT
    • sharbour

      I am trying an experiment. I have several existing private subnets behind a legacy firewall. I would like to use pfSense as a load balancer for a pool of webservers in one of the subnets, and publish an address on pfSense for internet clients. The catch is, I want to do it without changing the existing network configuration or anything on the web servers.

      Currently clients can reach the web servers individually via a 1:1 port-forward NAT rule on the PIX firewall.

      Existing setup:

      web server A
      internal address 172.16.3.108 > gateway 172.16.3.1 > PIX firewall > external address 1:1 nat to (example) 1.2.4.8 web1.example.org

      web server B
      internal address 172.16.3.109 > gateway 172.16.3.1 > PIX firewall > external address 1:1 nat to (example) 1.2.4.9 web2.example.org

      web server C
      192.168.1.7 > gateway 192.168.1.1 > PIX firewall > external address 1:1 nat to (example) 1.2.4.7 web3.example.org

      I would like to drop in a pfSense router as a load balancer for server A and B without changing any of the existing network setup.
      To accomplish this, I would configure pfSense like this:

      pfSense WAN interface
      192.168.1.6 >  gateway 192.168.1.1 > PIX firewall > external address 1:1 nat to (example) 1.2.4.7 web4.example.org

      pfSense LAN interface
      172.16.3.201 >  gateway 172.16.3.1 (There is no PIX firewall external 1:1 NAT for this address)

      Now, I would setup a load balance pool on pfSense for webservers A and B.

      When a client is pointed at the 192.168.1.6 address for pfSense, the request is handled by pfSense and delivered to either web server A or B. However, the originating address is sent out the default gateway directly by the webserver, and not pfSense.

      This is normal behavior. However, I think it can be made to work if a reverse NAT rule is applied to incoming client connections connecting to pfSense's WAN interface. In effect, this would turn pfSense into a load balancing reverse proxy server, instead of a load balancing NAT firewall.

      So, can anyone help me figure out how to apply a reverse NAT rule to the WAN interface so that it would apply to load balanced client requests? Once this is working, I would be able to remove the 1:1 NAT rules on the Cisco PIX for everything except the pfSense box. I would then like to get a failover pfSense box configured as backup for the primary.

      So far, I have tried multiple NAT configurations on the pfSense box, but all packets delivered to a load balanced pool show the originating client IP, not the pfSense LAN IP. I suspect I need to create a virtual LAN IP to bind the NAT to, but I am not sure how to accomplish this.
      If I can get this working I will contribute the howto for the pfSense documentation.

      Thanks,

      Sean Harbour
      sharbour@nwresd.k12.or.us

      • hoba
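The reverse-proxy behaviour the post describes, written out as a pf.conf fragment (an added example, not the poster's configuration and not pfSense-generated rules; the interface names em0/em1 are assumed, the addresses are the ones given above). The second rule is the piece the post is missing: outbound NAT on the LAN side, bound to pfSense's own LAN address rather than a separate virtual IP, so the web servers reply to pfSense instead of their default gateway.

```pf
# Added example: double NAT for a pfSense load balancer sitting inside
# an existing PIX-protected network. Interface names are assumed.
wan_if = "em0"                               # 192.168.1.6, toward the PIX
lan_if = "em1"                               # 172.16.3.201, web server subnet
lb_vip = "192.168.1.6"                       # address published to clients
pool   = "{ 172.16.3.108, 172.16.3.109 }"    # web servers A and B

# 1. Inbound NAT: spread connections to the published address across the
#    pool. sticky-address keeps one client on one server for its session.
rdr on $wan_if proto tcp from any to $lb_vip port 80 \
    -> $pool round-robin sticky-address

# 2. Outbound NAT on the LAN interface: rewrite the source of the
#    redirected connections to pfSense's LAN address. The web servers now
#    see 172.16.3.201 as the client and send replies back to pfSense,
#    instead of routing them straight to 172.16.3.1 and bypassing the
#    state table. This is the "reverse NAT" step the post asks about.
nat on $lan_if proto tcp from any to $pool port 80 -> ($lan_if)

# 3. Filter rules. rdr runs before filtering, so the WAN rule matches the
#    translated (pool) destination. Only the balanced service is allowed
#    in through the VIP; everything else on WAN stays blocked by default.
block in on $wan_if
pass in  quick on $wan_if proto tcp from any to $pool port 80 keep state
pass out quick on $lan_if proto tcp from any to $pool port 80 keep state
```

In the pfSense web GUI the equivalent of rule 2 is a manual Outbound NAT entry on the LAN interface whose destination is the pool and whose translation address is the LAN interface address. Because the source is rewritten, the web servers' own access logs will record 172.16.3.201 for every request, so keep pfSense's firewall and state logs if you need to attribute a request to the real client.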

        Is there a reason why you don't want to drop the PIX and move its config over to a pfSense and add the load balancing feature? If you prepare the pfSense it's a plug and play swap over that should not take more than a minute.

          • sharbour

          Dropping the PIX setup is not an option. The PIX are already in a dual failover configuration, the support is paid up for this year, and migration and verification of the thousands of rules on the PIX to pfSense would take more time than I am willing to commit at this point.

          Is what I am trying to do with pfSense doable with the current version? If it works, it would be a great intermediate step.

          Thanks,

          Sean Harbour
          sharbour@nwresd.k12.or.us
