Hi Satvinder,

You could try and put some 'outbound NAT' rules on the interface that points to the server, more or less like this: source:LAN destination:LAN translateIP:LAN-ip (assuming the server lives on the LAN). It should NAT requests to the IP of pfSense, and allow replies to travel back the expected route.

That would however 'mask' the real client IP to that of pfSense (for those clients coming from the LAN).

To find where traffic fails to arrive you could inspect traffic with 'tcpdump' and check if SYN and SYN-ACK packets travel the same proper routes, and are properly NATed where applicable.


Another option could be found in a totally different direction. You might want to look into the haproxy(-devel) package. It needs an update though; it would be nice if one of the devs could make the 1.5.3 version available for pfSense 2.1 (maybe through using pfPorts normal /haproxy/ folder? as the 2014Q2 branch in ports doesn't have that version). That package is aimed at providing website load-balancing, and also has some nice options like sticky sessions based on cookies and/or other information. It does however take a little more processing, as both request and reply need to go through haproxy.

Greets PiBa-NL

Satvinder Singh wrote on 6-8-2014 19:44:
Hi,
I have tried having the Virtual Server on a different subnet and created rules in the firewall, but it still doesn't work. I have tried having all 3 (2 Nodes + Virtual Server) then creating a NAT for the virtual server, but it still doesn't work. Any help would be greatly appreciated.

Thanks
Satvinder Singh
Security Systems Engineer

From: Vick Khera
Reply-To: pfSense Support and Discussion Mailing List
Date: Tuesday, July 29, 2014 at 11:49 AM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Web Server Load Balance


On Mon, Jul 28, 2014 at 11:53 AM, Satvinder Singh wrote:

    Am I missing something?


The load balancer is sending the packets using the original IP. Since all machines can directly connect to each other, the reply goes directly from VM1 to VM2 rather than back via the load balancer.

There's no way around this. If they were on different networks, it would either "just work" or you could get around it via adding a custom NAT rule to cause the original request to be rewritten to the load balancer's IP, and then it will work.
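
The two packet paths discussed in this thread (the direct reply on a shared subnet, and the outbound NAT workaround that masks the client IP), modelled as an added example that is not part of any poster's message. All addresses are constructed, and the model assumes the web nodes use the balancer as their default gateway.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for illustration; none come from the thread.
LAN = ip_network("192.168.1.0/24")
LB_IP = ip_address("192.168.1.1")    # pfSense LAN address, assumed default gateway
VIP = ip_address("192.168.1.100")    # virtual server address clients connect to
NODE = ip_address("192.168.1.11")    # web node picked by the balancer


def handshake(client, outbound_nat):
    """Trace SYN and SYN-ACK for one connection to the virtual server.

    Returns (connected, source address the node sees, list of trace lines).
    """
    client = ip_address(client)
    trace = [f"SYN     {client} -> {VIP}"]
    # The balancer always rewrites the destination to a node; it rewrites
    # the source to its own address only when an outbound NAT rule matches.
    seen_src = LB_IP if outbound_nat else client
    trace.append(f"SYN     {seen_src} -> {NODE} (forwarded by balancer)")
    if seen_src == LB_IP or seen_src not in LAN:
        # Reply is addressed to the balancer or routed through it as gateway,
        # so its state table restores the virtual server as the source.
        trace.append(f"SYN-ACK {NODE} -> {seen_src} (via balancer)")
        reply_src = VIP
    else:
        # Client is on-link for the node: the reply skips the balancer
        # and arrives from an address the client never contacted.
        reply_src = NODE
    trace.append(f"SYN-ACK {reply_src} -> {client} (seen by client)")
    # The client only accepts a SYN-ACK from the address it sent the SYN to.
    return reply_src == VIP, seen_src, trace


if __name__ == "__main__":
    cases = [("192.168.1.50", False), ("192.168.1.50", True), ("10.0.0.5", False)]
    for client, nat in cases:
        ok, seen, trace = handshake(client, nat)
        print(f"client={client} outbound_nat={nat} connected={ok} node_sees={seen}")
        for line in trace:
            print("   ", line)
```

In a tcpdump capture on the client, the failing case shows up as a SYN-ACK whose source is the node rather than the virtual server address.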


_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list
