On 9/27/2012 12:05 AM, Adam Thompson wrote:
The two pfSense boxes are doing the load balancing inbound and it is
working well so F1 and L1 are the same box, F2 and L2 are the same
box,
[Adam Thompson]
OK, that makes it more complicated, as I don't know how pf handles that
situation. I know what happens if the packets actually egress and
re-ingress, but not sure about the short-circuit case.
What I am getting is: Outside->V1@(FL1,FL2) gets balanced by
(FL1,FL2) to->(S1,S2 private addresses)->(S1,S2 respond to the
request)->(FL1,FL2 rewrite S1,S2 address with actual WAN interface
IP)->Outside
This causes a situation where you make the request to 1.2.3.4 but
the replies come back to you from 1.2.3.9
That means that, as I suspected, having L1/L2 running on F1/F2 is causing
some sort of unexpected interaction. If you have the ability to
temporarily turn up a physically separate system to do the load-balancing,
I think you will find that everything "just works".
Are you using the TCP Load Balancing feature, or are you using something
like varnish?
If you have to rely on outbound NAT rules to make this work, I suspect
you'll quickly find that pf states expire on you for no apparent reason;
if the outbound NAT isn't being handled by a 'match' statement, then you
aren't matching the original incoming state, which means you'll shortly be
dropping incoming connections.
Trying not to flog a dead horse here, if you have to use AON to accomplish
this, *something else* is *broken*.
-Adam
Silly as this may sound at this point I was "trying" to keep things as
simple as I could by using the TCP load balance feature rather than a
third party app like varnish. I, unfortunately at this time, do not
have the option of a separate box/boxes to turn up for load balancing.
I will be working today to see if the idea you gave me for using a /31
in the network drop down to snat outbound works, while keeping an eye open for
dropped packets. If this has problems I will go for 1:1 NAT for now and
then get a pair of boxes to load balance with maybe Varnish, HAProxy,
or possibly Apache Traffic Server.
Thank You for all the help.
JohnM
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list