DNS load balancer needs different firewall rule than HTTP load balancer?



  • Hi,

    I got confused about the following and despite a forum search could not determine the reason:

    If an HTTP load balancer virtual IP listens on a WAN IP, I have to add a firewall rule to allow the various pool IPs as destinations.
    If a DNS load balancer virtual IP listens on a WAN IP, I have to add a firewall rule to allow the single WAN IP as destination, not any of the pool IPs.
    If you NAT port forward DNS (tcp/udp) to an internal IP, then a firewall rule to allow the internal IP as destination is needed again.

    My question is: Why is the "Load Balancer" + DNS an exception?

    thanks,
    t35zu


  • Rebel Alliance Developer Netgate

    Because it is handled in relayd as a proxy and not as a NAT relay as the other modes do. You'll also notice that all queries appear to originate from the firewall when using it for DNS.

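The difference the answer describes maps directly onto the two block types in relayd's own configuration language. The fragment below is an added illustration written by hand in relayd.conf syntax; it is not pfSense's generated configuration and not part of the thread. The addresses, table names and the `dns protocol` type (supported by the relayd version pfSense shipped at the time) are assumptions for illustration:

```conf
# Constructed example addresses (not from the thread).
ext_addr = "203.0.113.10"               # WAN virtual IP
table <webhosts> { 192.0.2.11 192.0.2.12 }
table <dnshosts> { 192.0.2.21 192.0.2.22 }

# HTTP mode: a "redirect" is installed as a pf rdr (NAT) rule.
# The packet's destination is rewritten to a pool member, so the
# firewall pass rule must allow the pool IPs as destination.
redirect www {
    listen on $ext_addr port 80
    forward to <webhosts> check http "/" code 200
}

# DNS mode: a "relay" is a userland proxy. relayd accepts the query
# on the VIP itself and opens a new connection to the pool member
# from the firewall's own address, so the pass rule only needs the
# VIP as destination, and pool members see the firewall as the source.
dns protocol "dnsproxy" {
    tcp { nodelay }
}

relay dns {
    listen on $ext_addr port 53
    forward to <dnshosts> port 53 check tcp
    protocol "dnsproxy"
}
```

When auditing rules, the check is therefore: for a `redirect`, the pass rule's destination is the post-NAT address (pool member); for a `relay`, it is the listen address, and any logging on the pool members will show the firewall, not the client, as the query source.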
