NAT Reflection and Round Robin do not work



  • Hi everyone,

    I have three DSL connections. Two are doing round robin and one DSL connection is for the internal webserver. If I turn on NAT Reflection and Pure NAT to reach my webserver from within the LAN, then I cannot use Round Robin for some reason. If I remove Round Robin from my gateway, then I can reach my webserver from within using its DNS name. What could be the problem?

    My webserver's PHP and VMware setup is such that I have to use the webserver DNS name; its local or public IP won't give the webpage, so everyone must come in through the DNS name.

    Any suggestions?

    Thanks,



  • Rules that specify a gateway force traffic to that gateway, which will break anything that isn't reachable via that gateway. Add a rule above that allowing traffic to your web server's internal IP (the NAT of the reflection applies first, then rules) without specifying a gateway or group.



  • Thanks.

    I have done that but it doesn't work for two reasons:
    1- I won't be able to take advantage of the Round Robin configuration.
    2- I can NOT reach my webserver by using its local IP, or at least the PHP on it, and the whole VMServer situation doesn't help. I can only reach it if the DNS name is entered in the browser. I don't have the luxury to change the PHP code.

    Can we work with the condition mentioned in #2 above and yet get me running? I mean the data may NOT traverse the internet after all, but I have to use DNS, as the local IP of my webserver doesn't respond or responds with permission denied etc…

    Any other suggestions?

    Thanks,


  • LAYER 8 Netgate

    I won't be able to take advantage of the Round Robin configuration.

    Your web server is dependent on what interface your clients arrive on from the outside for any sort of load balancing or round robin, not firewall rules for connections originating from LAN. All Chris' suggested rule does is tell the firewall to make connections from your LAN to your internal web server via the routing table instead of forcing them into your round robin gateway group, which breaks your NAT reflection. It has nothing to do with connections coming in from the outside.

    Condition 2 sounds like a problem to be solved on the web server. Are you using name-based virtual hosting on it? That breaks going to the server by IP address because the server has no idea what virtual host you're really trying to access. Put a host override in the DNS forwarder pointing at the inside IP address of the web server and use the DNS name to access it. If you do that you don't have to worry about NAT reflection.
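    As an added illustration (not posted by anyone in this thread), the following is a simplified first-match model of pfSense-style LAN rules. It shows why a rule that names the round-robin gateway group captures the reflected connection to the internal web server, and why a gateway-less pass rule placed above it lets that connection follow the routing table while other traffic is still balanced. The addresses, rule names and gateway group name are constructed placeholders.

```python
"""Constructed model of first-match firewall rules with policy routing.
Not pfSense code: it only reproduces the ordering behaviour discussed above."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WEBSERVER_LAN_IP = "192.168.1.10"   # constructed: inside IP of the web server
ROUND_ROBIN = "RR_GW_GROUP"         # constructed: the round-robin gateway group


@dataclass(frozen=True)
class Rule:
    dst: str                # destination network in CIDR form, or "any"
    proto: str              # "tcp" or "any"
    port: Optional[int]     # None means any destination port
    gateway: Optional[str]  # None means "default": use the routing table
    name: str


def matches(rule: Rule, dst_ip: str, proto: str, port: int) -> bool:
    """Does this rule match the flow? Destination, protocol and port must all agree."""
    if rule.dst != "any" and ip_address(dst_ip) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    return rule.port is None or rule.port == port


def route_for(rules, dst_ip: str, proto: str, port: int) -> str:
    """First matching rule wins and decides where the flow is sent."""
    for rule in rules:
        if matches(rule, dst_ip, proto, port):
            return rule.gateway or "routing-table"
    return "blocked"


# NAT reflection rewrites the public address to the inside address before the
# rules are evaluated, so the rules see the internal IP as the destination.
BROKEN = [Rule("any", "any", None, ROUND_ROBIN, "LAN default via RR group")]
FIXED = [
    Rule(f"{WEBSERVER_LAN_IP}/32", "tcp", 80, None, "pass to webserver, no gateway"),
    Rule("any", "any", None, ROUND_ROBIN, "LAN default via RR group"),
]

if __name__ == "__main__":
    # Reflected web traffic is forced into the gateway group: reflection breaks.
    print(route_for(BROKEN, WEBSERVER_LAN_IP, "tcp", 80))
    # With the extra rule on top it follows the routing table instead.
    print(route_for(FIXED, WEBSERVER_LAN_IP, "tcp", 80))
    # Everything else (constructed TEST-NET address) is still round-robined.
    print(route_for(FIXED, "203.0.113.5", "tcp", 443))
```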



  • @Derelict:

    I won't be able to take advantage of the Round Robin configuration.

    Condition 2 sounds like a problem to be solved on the web server. Are you using name-based virtual hosting on it? That breaks going to the server by IP address because the server has no idea what virtual host you're really trying to access. Put a host override in the DNS forwarder pointing at the inside IP address of the web server and use the DNS name to access it. If you do that you don't have to worry about NAT reflection.

    Thanks for weighing in. I can live with not doing Round Robin for the webserver. However, I have used the DNS Forwarder and that doesn't seem to work. The only way I get this to work right now is by sending ALL TCP traffic from ANY source to ANY destination (a rule set on the LAN firewall rules). The moment I add a destination in that rule, as in the IP of the webserver, things break because the webserver requires DNS. I also tried the DNS Forwarder and that failed for the same reason, probably.

    In order to get to the bottom of this I think I should check the firewall logs, but I am not sure where to start or what to look for. Once that is clear, maybe I can change rules or decide to take a patch that gives me the ability to do Round Robin for ALL other traffic except port 80 TCP to the webserver.

    Any suggestions on where to find the necessary logs and what to look for?

