Access load balanced servers from LAN, only works from external clients



  • Hi,

    192.168.2.103 = computer on LAN
    192.168.2.62 = webserver on LAN, that is load balanced.

    I set up a load balance (Services -> Load Balancer, also known as "relayd") for my webservers, and it works fine from the internet when visiting my external domain name. But when I try to access the same domain name from a computer on the LAN subnet that the load balanced servers are located on, it won't work. I am not getting any "blocked" entries in the firewall log, and the state table -> source tracking shows the following: "192.168.2.103 -> 192.168.2.62"

    What is wrong here? Everything looks fine to me, but I just can't get the connection to work when trying from a computer on the same LAN as the webserver.

    It seems like some sort of NAT reflection is missing. Since I am not using any NAT (the load balancer listens on the WAN IP) I can't seem to create a NAT reflection rule (I used NAT before, when I did not use load balancing, and it worked from both the external and the LAN subnet). How do I tell my pfSense box to redirect clients correctly?

    Thanks


  • Rebel Alliance Developer Netgate

    The servers are in the same subnet as the client, so that won't work because this happens:

    Client makes request to the LB:

    Source: 192.168.2.103  Destination: X.X.X.X

    LB Forwards the request:
    Source: 192.168.2.103  Destination: 192.168.2.62

    Server Responds:
    Source: 192.168.2.62  Destination: 192.168.2.103

    Client drops the packet because it didn't come from X.X.X.X.

    The only ways to avoid that are:
    1. Put servers in a separate subnet/interface so the traffic must flow back through the firewall.
    2. Switch to manual outbound NAT, make a rule to NAT out LAN from a source of the LAN subnet to a destination of the servers on the target port. That will make the servers believe the request came from the firewall, so the packets flow back the proper way.

    #1 is best. #2 is OK but you lose the source IP in web traffic logs.
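    To make the asymmetric path above concrete, here is an added Python model of the three scenarios jimp describes (the LAN-only failure, option 2 with outbound NAT, and option 1 with the servers on another subnet). It is not code from the thread or from pfSense/relayd; the firewall LAN address 192.168.2.1, the public VIP 203.0.113.10 (standing in for X.X.X.X) and the second-subnet server 192.168.3.62 are constructed placeholders.

```python
from dataclasses import dataclass
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.2.0/24")  # LAN subnet from the thread
LB_VIP = "203.0.113.10"   # constructed stand-in for the thread's X.X.X.X WAN address
FW_LAN = "192.168.2.1"    # assumed LAN address of the pfSense box
CLIENT = "192.168.2.103"  # LAN client from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def in_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN_NET


def simulate(server: str, outbound_nat: bool = False):
    """Walk one request/reply through relayd; return (client_accepts, src_seen_by_server)."""
    request = Packet(CLIENT, LB_VIP)
    expected_src = request.dst  # client's TCP state: the reply must come from the VIP

    # relayd rewrites the destination to a pool member. The source is left alone unless
    # option 2 (manual outbound NAT on LAN) also rewrites it to the firewall's LAN address.
    fwd = Packet(FW_LAN if outbound_nat else request.src, server)

    # The server answers whoever it saw as the source.
    reply = Packet(fwd.dst, fwd.src)

    # The reply passes back through pfSense only if it is addressed to the firewall itself
    # or has to be routed to another subnet. A same-subnet reply is switched straight to
    # the client, so no state entry ever gets the chance to undo the translation.
    via_firewall = reply.dst == FW_LAN or not (in_lan(reply.src) and in_lan(reply.dst))
    if via_firewall:
        reply = Packet(LB_VIP, CLIENT)  # pf's state entry reverses both translations

    return reply.src == expected_src, fwd.src


if __name__ == "__main__":
    for label, args in [("same subnet, no NAT", ("192.168.2.62", False)),
                        ("option 2: outbound NAT", ("192.168.2.62", True)),
                        ("option 1: server on other subnet", ("192.168.3.62", False))]:
        ok, seen = simulate(*args)
        print(f"{label:34} client accepts reply: {ok!s:5} server logs source: {seen}")
```

The second tuple element shows why jimp prefers option 1: with outbound NAT every request appears to originate from the firewall, so the web server's logs lose the real client address.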



  • @jimp:

    The servers are in the same subnet as the client, so that won't work because this happens:

    Client makes request to the LB:

    Source: 192.168.2.103  Destination: X.X.X.X

    LB Forwards the request:
    Source: 192.168.2.103  Destination: 192.168.2.62

    Server Responds:
    Source: 192.168.2.62  Destination: 192.168.2.103

    Client drops the packet because it didn't come from X.X.X.X.

    The only ways to avoid that are:
    1. Put servers in a separate subnet/interface so the traffic must flow back through the firewall.
    2. Switch to manual outbound NAT, make a rule to NAT out LAN from a source of the LAN subnet to a destination of the servers on the target port. That will make the servers believe the request came from the firewall, so the packets flow back the proper way.

    #1 is best. #2 is OK but you lose the source IP in web traffic logs.

    Great answer, thanks a lot! Now I understand why it did not work; it's so simple I could not see it!!

