Outbound Load Balancing and inbound port forwarding



  • Good morning folks,

    I have a setup as shown in the (simplified) graphic below.

    Two routers with NAT, one load balancer for pfsense (also doing NAT), and one OpenVPN server behind the load balancer.

    Basically, the idea is for the OpenVPN Server to handle incoming OpenVPN requests on both external IPs.
    The (outbound) load balancer forwards incoming requests to port 1194 on either Carp VIP to the VPN Server.
    The Routers (1 & 2) forward port 1194 to the CARP VIPs 192.168.1.3 & 192.168.1.4 respectively.

    Everything works on the inbound side, but when the openvpn server sees the incoming request and responds to it, its UDP packets will get load balanced outbound via either Router1 or Router2.

    My question is: In this sort of setup, how can I force the load balancer to use the correct (the one that the connection came in from) router when the VPN server responds?
    I'm asking, because the client will (rightfully so) reject incoming packets from a different IP.
    I'm trying to prevent this asymmetric routing from going on here.

    Is that possible with UDP, or should I try to go another way?




  • Hey folks,

    I may not have been entirely clear about what I'm trying to accomplish.

    It is my understanding that a multi-wan PFSense machine will choose the correct outbound link for a link established inbound via port forwarding regardless of policy based outbound load balancing, correct?
    It is also my understanding that this will obviously only work for stateful (i.e. TCP) connections, right?

    If so, is there any way to accomplish this for UDP or do I have to go to TCP for OpenVPN? (I'm trying to avoid this.)

    Any answers would be greatly appreciated!



  • It will be 'stateful' for TCP and UDP; keep sessions will work on both at pfSense.

    See via tcpdump at the console how your VPN connections are 'flowing'.
    Open two consoles, one for each WAN.

    Also test sessions to other services like DNS or HTTP, for example.
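Turning the two-console tcpdump suggestion into a check, as an added example that is not code from any poster: it parses one `tcpdump -n -i <wan> udp port 1194` capture per WAN (constructed sample output below, using the CARP VIPs 192.168.1.3/.4 from the first post and made-up client addresses and timestamps) and flags UDP 1194 flows whose replies left a different WAN than the one the request arrived on, which is exactly the asymmetric-routing symptom the client would reject.

```python
import re
from collections import defaultdict

# Constructed sample captures (not from the thread): one capture per WAN interface.
# 192.168.1.3 / 192.168.1.4 are the CARP VIPs named in the first post; the client
# addresses (203.0.113.x), ports and timestamps are made up for this example.
CAPTURES = {
    "wan1": """\
10:00:00.000100 IP 203.0.113.10.51000 > 192.168.1.3.1194: UDP, length 42
10:00:00.000900 IP 192.168.1.3.1194 > 203.0.113.10.51000: UDP, length 54
10:00:01.000100 IP 203.0.113.11.51001 > 192.168.1.3.1194: UDP, length 42
""",
    "wan2": """\
10:00:01.000800 IP 192.168.1.4.1194 > 203.0.113.11.51001: UDP, length 54
10:00:02.000100 IP 203.0.113.12.51002 > 192.168.1.4.1194: UDP, length 42
10:00:02.000700 IP 192.168.1.4.1194 > 203.0.113.12.51002: UDP, length 54
""",
}

# Matches the default tcpdump -n line: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, ..."
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")
VPN_PORT = 1194

def parse_flows(captures):
    """Map (client_ip, client_port) -> {'in': WANs the request arrived on,
    'out': WANs the server's replies left on}."""
    flows = defaultdict(lambda: {"in": set(), "out": set()})
    for wan, text in captures.items():
        for line in text.splitlines():
            m = LINE.match(line)
            if not m:
                continue
            src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
            if dport == VPN_PORT:        # client -> VPN server: ingress direction
                flows[(src, sport)]["in"].add(wan)
            elif sport == VPN_PORT:      # VPN server -> client: egress direction
                flows[(dst, dport)]["out"].add(wan)
    return flows

def find_asymmetric(captures):
    """Return (client, ingress_wans, egress_wans) for every client whose replies
    went out a WAN that its request did not come in on."""
    bad = []
    for (ip, port), seen in sorted(parse_flows(captures).items()):
        if seen["out"] - seen["in"]:
            bad.append((f"{ip}:{port}", sorted(seen["in"]), sorted(seen["out"])))
    return bad

if __name__ == "__main__":
    for client, ingress, egress in find_asymmetric(CAPTURES):
        print(f"{client}: request arrived on {ingress}, replies left via {egress}")
```

Against real captures, feed each WAN's tcpdump output into the dict keyed by interface name; a non-empty result means the reply-to state is not being honoured for that UDP flow.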

