Access load balanced servers from LAN, only works from external clients
-
Hi,
192.168.2.103 = computer on LAN
192.168.2.62 = webserver on LAN, that is load balanced.I set up a load balance (Services -> Load Balancer, altså known as "relayd") for my webservers, and it works fine from the internet when visiting my external domain-name. but when i try to access the same domain name from a computer on the LAN subnet that the load balanced servers are located on, it wont work. i am not getting any "blocked" in the firewall log, and the state table ->source tracking shows the following: "192.168.2.103 -> 192.168.2.62"
What is wrong here ? everything looks fine to me, but i just cant get the connection to work when trying from a computer on the same LAN as the webserver.
Its seems like some sort of NAT reflections is missing, since i am not using any NAT (load balancer listens on WAN IP) i cant seem to create a NAT reflection rule (i used NAT before, when i did not use load balancing and it worked from both external and LAN subnet), how to i tell my pfsense box to redirect clients correctly ?
Thanks
-
The servers are in the same subnet as the client, so that won't work because this happens:
Client makes request to the LB:
Source: 192.168.2.103 Destination: X.X.X.X
LB Forwards the request:
Source: 192.168.2.103 Destination: 192.168.2.62Server Responds:
Source: 192.168.2.62 Destination: 192.168.2.103Client drops the packet because it didn't come from X.X.X.X.
The only ways to avoid that are:
1. Put servers in a separate subnet/interface so the traffic must flow back through the firewall.
2. Switch to manual outbound NAT, make a rule to NAT out LAN from a source of the LAN subnet to a destination of the servers on the target port. That will make the servers believe the request came from the firewall, so the packets flow back the proper way.#1 is best. #2 is OK but you lose the source IP in web traffic logs.
-
The servers are in the same subnet as the client, so that won't work because this happens:
Client makes request to the LB:
Source: 192.168.2.103 Destination: X.X.X.X
LB Forwards the request:
Source: 192.168.2.103 Destination: 192.168.2.62Server Responds:
Source: 192.168.2.62 Destination: 192.168.2.103Client drops the packet because it didn't come from X.X.X.X.
The only ways to avoid that are:
1. Put servers in a separate subnet/interface so the traffic must flow back through the firewall.
2. Switch to manual outbound NAT, make a rule to NAT out LAN from a source of the LAN subnet to a destination of the servers on the target port. That will make the servers believe the request came from the firewall, so the packets flow back the proper way.#1 is best. #2 is OK but you lose the source IP in web traffic logs.
Great answer, thanks a lot! now i understand why it did not work, it's so simple i could not see it!!