DNS load balancer needs different firewall rule than HTTP load balancer?
t35zu
I got confused about the following and despite a forum search could not determine the reason:
if an HTTP load balancer virtual IP listens on a WAN IP I have to add a firewall rule to allow the various pool IPs as destinations.
if a DNS load balancer virtual IP listens on a WAN IP I have to add a firewall rule to allow the single WAN IP as destination, not any of the pool IPs.
if you NAT port forward DNS (tcp/udp) to an internal IP then a firewall rule to allow the internal IP as destination is needed again.
My question is: Why is the "Load Balancer" + DNS an exception?
Because it is handled in relayd as a proxy and not as a NAT relay as the other modes do. You'll also notice that all queries appear to originate from the firewall when using it for DNS.
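The distinction in the answer above, shown as a hand-written relayd.conf and matching pf.conf fragment. This is an added example, not configuration from the thread or generated by the pfSense GUI; the addresses (203.0.113.10 as the WAN VIP, 192.0.2.x as pool members), the interface name em0 and the table names are assumed. An HTTP "redirect" makes relayd load rdr rules into pf, so after translation the packet still arrives at the pool member and the pass rule has to match the pool IPs; a DNS "relay" terminates the client session on the firewall itself, so the pass rule matches the VIP and the queries to the pool leave with the firewall's own source address.

```conf
# relayd.conf (example, addresses assumed)
ext_addr="203.0.113.10"
table <web_pool> { 192.0.2.11, 192.0.2.12 }
table <dns_pool> { 192.0.2.53, 192.0.2.54 }

# HTTP: NAT-based redirect. relayd inserts rdr rules into the pf
# "relayd/*" anchor; the client's packet is translated to a pool member
# and is forwarded with the pool IP as its destination.
redirect www {
    listen on $ext_addr port 80
    forward to <web_pool> check http "/" code 200
}

# DNS: proxy relay. relayd accepts the query on the firewall and sends a
# new query to a pool member from the firewall's own address.
dns protocol dnsfilter {
    tcp { nodelay, sack }
}

relay dnsproxy {
    listen on $ext_addr port 53
    protocol dnsfilter
    forward to <dns_pool> port 53 check tcp
}

# pf.conf fragment (example, interface and addresses assumed)
ext_if="em0"
table <web_pool> { 192.0.2.11, 192.0.2.12 }
table <dns_pool> { 192.0.2.53, 192.0.2.54 }

# Redirect mode: rdr-to is applied before filtering, so the pass rule must
# match the translated destination, i.e. the pool members, not the VIP.
anchor "relayd/*"
pass in on $ext_if proto tcp to <web_pool> port 80

# Relay (proxy) mode: the session ends on the firewall, so the pass rule
# matches the VIP itself. The outbound queries to the pool originate from
# the firewall and are covered by the pass out rule.
pass in on $ext_if proto { tcp udp } to 203.0.113.10 port 53
pass out on $ext_if proto { tcp udp } to <dns_pool> port 53
```

To confirm which mode is in effect on a running system, `relayctl show summary` lists redirects and relays separately, and `pfctl -a "relayd/*" -sn` shows the rdr rules relayd has loaded: a redirect appears there, a relay does not, and a packet capture on the inside interface shows the relayed DNS queries with the firewall's address as source.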