Hello Party People,
First of all, I love pfSense and I have been using it intensively in my job for about 3 years now, and I'm honestly quite satisfied with the stability and performance (I'm using the CF card NanoBSD version). I have to say I have become a bit of a pfSense fanboy.
I hope you can help me out here. I'm not sure whether these are bugs, but it seems so. I'll try to explain my 2 problems in detail.
My setup
------------
2.2.2-RELEASE (amd64)
built on Mon Apr 13 20:10:22 CDT 2015
FreeBSD 10.1-RELEASE-p9
Platform nanobsd (4g)
I have 3 master/slave pairs of HA pfSense. 2 of the pairs are connected to the internet, each with its own internet connection. The third pair is on an internal net and serves as a "secure data vault door" (LB for a Galera cluster). It's internally accessible from both external pairs and works flawlessly. Something like this, very simplified of course. If you need details like VLANs and so on, just ask and I'll provide them.
M/S Pair1          M/S Pair2
    |                  |
    --------------------
             |
         M/S Pair3
Problem 1 - Reverse NATting my DMZ'd Postfix mail server:
--------------------------------------------------------------------------
I have found out that there seems to be a reproducible bug/error which breaks the HA, well, sort of, I guess. I can reproduce it with a fresh install. On the HA setups (Line 1/Line 2), I have one web server in each DMZ. For the mail service to work properly I need to reverse NAT port 25. So I switched to hybrid outbound NAT and entered:
WAN  172.16.40.0/22  *  *  25  (external VIP of the mail server)  *  YES
Why did I do that? Because mail providers like e.g. gmx.net and Hotmail.com do a reverse check on the visiting mail server. So if you leave outbound NAT in automatic mode, the external (V)IP of the mail server is used by Postfix to connect to GMX (which is correct so far). BUT the mail server of gmx.net checks the DNS/IP of the connecting email server and then connects BACK, trying to reach my email server (VIP), but instead the pfSense master IP (not even the pfSense external VIP!) answers. So the GMX server refuses my mail delivery, as the check didn't answer back with the right email address. No email can be sent, period!
Here is a first question: if I'm not mistaken, with older versions you could enter not only the subnet but the server IP directly; this seems to have changed, am I right? If so, why? What happened?
NOW, here comes the REAL problem. After activating hybrid outbound NAT, the external VIP of my HA setup seems to be broken (the internal VIPs are still fine, though). Try it for yourself. I can't ping the external VIP address, I can't use my browser to connect to the pfSense web page; it seems to be completely dead. I reproduced this error with a fresh HA sandbox setup here at the office. When I switch it back to automatic, it works again, but THEN my mail servers won't function properly.
Doing a failover test in hybrid mode made my load balancing pools go offline for a few seconds, but AFAIR this shouldn't be the case. So, at least to me, it looks like there is something utterly broken in this hybrid feature.
I hope you can tell me whether I did something wrong or whether there is a fix for my first problem.
Most important: is this a bug, should I file it?
"Problem" 2 - Internal load balancing for my developers:
----------------------------------------------------------------------
This is a problem I'd really die to solve. I'm using relayd big time and it works awesomely with the number of pools and the amount of data we get. BUT I'd like to set up internal load balancing. I set up some pools and some LAN VIPs; those already work, but NOT in the same network segment. How can I tell relayd to accept requests which originate from the same subnet? Is this possible? The background for this is that our setup is completely in SSL, so HTTPS is a must. As we only have 2-3 dev machines but a lot more websites, APIs and services which all need functioning certificates, we of course had to switch away from port 443 to other non-standard ports.
The tests they are setting up won't work properly with ports other than 443 (Selenium with Firefox, e.g.), so I wanted to circumvent this with VIPs and LB pools, always using port 443, to be error-free.
Is this even possible? This would be so awesome; we are really struggling here with that.
Please tell me it's possible to redirect the LB VIP back to the subnet the pool originates from, please! ^^
Thanks in advance for your time and help,
Jens Simmoleit
Senior Linux Systems Administrator
infoscore Profile Tracking GmbH
part of arvato Financial Solutions
Kaistrasse 7
40211 Düsseldorf
Phone: +49 211 50 66 51- 88
Fax: +49 211 50 66 51- 93
Mobile: +49 160 97 80 46 94
E-Mail: [email protected]
finance.arvato.com
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
infoscore Profile Tracking GmbH | Registered office: Düsseldorf | Commercial register: Amtsgericht Gütersloh, HRB
9368 | VAT ID: DE 287843415 |
Managing directors: Kai Kalchthaler, Matthias Schweizer
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
This e-mail and any attachments may contain confidential and/or privileged
information. If you are not the intended recipient (or have
received this e-mail in error) please notify the sender immediately and destroy
this e-mail. Any unauthorized copying, disclosure or
distribution of the material in this e-mail is forbidden.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
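Both problems in the post above are, underneath the pfSense GUI, pf translation rules, so here they are spelled out in pf.conf syntax. This is an added example written for this page; it is not code from the post and not pfSense's generated ruleset (pfSense 2.2 writes its own from the GUI into /tmp/rules.debug). The interface names, the mail host's internal address, the two CARP VIPs, the developer LAN and the pool members are assumed for illustration; only the 172.16.40.0/22 DMZ and the port numbers come from the post.

```pf
# Added example in FreeBSD 10 pf.conf syntax (pfSense 2.2 generates its own
# ruleset from the GUI; this is not that file). Every name and address below
# is assumed for illustration except the 172.16.40.0/22 DMZ from the post.
wan_if   = "em0"
lan_if   = "em1"
wan_vip  = "203.0.113.2"        # assumed: the pair's WAN CARP VIP
dmz_net  = "172.16.40.0/22"     # DMZ subnet from the post
mail_srv = "172.16.40.25"       # assumed: internal address of the Postfix host
mail_vip = "203.0.113.25"       # assumed: CARP VIP that the MX/PTR records name
lan_net  = "10.10.0.0/24"       # assumed: developer LAN
dev_pool = "{ 10.10.0.11, 10.10.0.12 }"  # assumed: relayd pool members on that LAN

# ---- Problem 1: outbound NAT for SMTP leaving the DMZ ----------------------
# The hybrid rule from the post, narrowed to the mail host: a single host is
# just a /32 network, so a network-only source field is not a real
# restriction. SMTP now leaves with the address whose A/PTR records match
# Postfix's HELO name, which is what the receiving MTA's reverse check
# compares. First matching nat rule wins, so this sits before the catch-all.
nat on $wan_if proto tcp from $mail_srv to any port 25 -> $mail_vip

# Everything else from the DMZ. Translating to the CARP VIP rather than to
# ($wan_if) matters in an HA pair: the physical WAN address exists only on
# the master, so NAT states synced by pfsync would be useless after a
# failover, whereas the VIP moves with the master role.
nat on $wan_if from $dmz_net to any -> $wan_vip

# ---- Problem 2: relayd VIP used from the pool's own subnet -----------------
# relayd installs its redirects (LAN VIP:443 -> pool member) through these
# anchors; nothing more is needed for clients on OTHER subnets.
rdr-anchor "relayd/*"
anchor "relayd/*"

# Clients on the SAME subnet as the pool break without the rule below: after
# the rdr the pool member sees the client's real LAN address and answers it
# directly across the switch. The client gets a SYN/ACK from 10.10.0.11 for a
# connection it opened to the VIP and drops it, so the handshake never
# completes. Source-NATing those connections to the firewall's LAN address
# forces the reply back through pf, which holds the state and un-translates
# both ends. Traffic from a LAN host straight to a pool member never crosses
# the firewall, so this rule only ever touches VIP-bound connections.
nat on $lan_if proto tcp from $lan_net to $dev_pool port 443 -> ($lan_if)
```

The last rule is the answer to "accept requests which originate from the same subnet". In the pfSense GUI it corresponds to an outbound NAT rule on the LAN interface with source LAN net, destination the pool members on port 443 and translation address "Interface address"; the price is that the backends log the firewall's LAN address instead of the developer's machine. Check a loaded ruleset with `pfctl -sn` (translation rules) and watch `pfctl -ss` while a developer connects to the VIP: a working hairpin shows a state whose source has been rewritten to the firewall's LAN address. For the SMTP rule, a reverse lookup of the VIP (e.g. `host 203.0.113.25`) must return the name Postfix announces in its HELO, otherwise the receiving MTA's reverse check still fails even though the translation itself is correct.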