Firewall rules for on adress of a subnet and load balancing



  • Hello,

    I set up in my network load balancing of internet connection by creating a group called "load_balance"
    I appointed a LAN 192.168.1.0/24

    In my firewall rules, I wrote a rule that adds to the LAN gateway a group "load_balance"
    Interface LAN        source Lan net              destination any      gateway "load_balance"

    The problem is that I wish that the IP address (192.168.1.10) of my LAN must pass through the gateway "gateway1".
    The reason is that 192.168.1.10 will connect to a VPN network and loses its connection due to load balancing.

    So I write a new rule that gives 192.168.1.10  the gateway "gateway1" :
    Interface LAN      source 192.168.1.10        destination any         gateway "gateway1"

    But the IP address 192.168.1.10 is still undergoing the load balancing because it is in the "net Lan"

    I am forced to have a second LAN?

    thank you very much



  • No,

    you just need to arrange your rule in your firewall rule list to the correct place. The single IP rule must be on top of the rules for the subnet.

    Further I would suggest you to create a Loadbalancing group and a failover group. Then create an alias for ports which contains all destination ports which do not like load balancing like https and vpn and so on.

    Then place as first rule the rule with failover group as GW and the destination port alias for the complete /24 source subnet.
    The next rule is the same source subnet but with destination ports "any" and loadbalancing as GW group.

    So it will be easy for you to add ports to the alias if you found other services which do not like loadbalancing.



  • thank you for your reply, I solved my problem yesterday,

    My mistake was i left the TCP protocol to  the IP address that i didn't want with load balancer

    And when i tried the command tracert to see what gateway I go through i saw always the load balancing because the command tracert use UDP

    thank you for your advice :)


Log in to reply