Hi Giannis,

From my experience dealing with a lot of load balancers in my time, and also 
working for different vendors, the easiest is to use source-nat.
This is just configuration on the relayd itself without making "major" changes 
in the rest of the network or servers, which you would need to do when 
choosing different VLANs or DSR.

Your concern about source-nat and hiding the client IP is valid, but easily 
fixed with a Client-IP header in HTTP, if HTTP is the protocol; otherwise you 
will lose the client IP. ;)
One more thing to remember with source-nat is the maximum number of concurrent 
connections you can handle from a single IP; if that is below 64k you are fine, 
otherwise you will have to create a pool of IPs to source-nat from.

In my opinion DSR is only relevant for services like FTP and NNTP, where you 
have a lot more traffic going out than coming in, so you don't have to put that 
burden through the single load balancer interface.

If you have the ability to change the VLANs, that is of course the cleanest of all 
the options and source-nat the dirtiest, but it's also the simplest. :)

Good luck!

Mischa


> On 19 Mar 2018, at 11:20, Kapetanakis Giannis <bil...@edu.physics.uoc.gr> 
> wrote:
> 
> Hi,
> 
> I'm designing a new setup with relayd and multiple pools. I'm using redirects 
> with forward.
> 
> The problem I have is that all the real servers are in the same VLAN.
> In addition, the servers in one pool need to access the servers in another 
> pool through the load balancer, thus having a problem with replies not 
> passing through the LB (i.e. IMAP servers accessing LDAP servers).
> 
> I've thought of different solutions for this and I've come up with the 
> following. I need a second opinion:
> 
> 1) Use different VLAN per pool of servers
> 2) 1 VLAN, with 1 bridge and multiple subnets on vether devices
> 3) Source NAT to hide client IP
> 4) Use a relay as a proxy (instead of redirect on the $int_if)
> 5) Use DSR (route-to) with sloppy states
> 
> Solution 1 seems the best to me but it has the overhead of adding/managing the 
> VLANs everywhere.
> Solution 2 seems to work but I'm not quite sure about it.
> 3 and 4 hide the client IP so I want to avoid them.
> 5 I also want to avoid; it has problems with failover, and I don't like the half states.
> 
> So 2 seems ok: I have basic separation of pools, and I guess since I control 
> all the servers, jumping from one subnet to another is not a serious 
> security problem.
> 
> I'd appreciate any opinions on this.
> 
> Giannis
> PS: the whole setup is with carp-pfsync.
> 
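Added example, not from either message in the thread: relayd.conf and pf.conf fragments sketching options 3, 4 and 5 from Giannis's list, so the trade-offs Mischa describes can be compared side by side. All addresses, interface names, table names and the RELAYD tag are constructed placeholders. The source NAT is assumed to be done with a pf nat-to rule on the packets that relayd's redirect tags, since the redirect itself only installs the rdr-to rule in its anchor; the X-Forwarded-For lines follow the relay example in relayd.conf(5).

```conf
# ---- relayd.conf (constructed example; adjust addresses and interfaces) ----
ext_ip="203.0.113.10"
int_if="em1"

table <imap> { 10.0.0.11 10.0.0.12 }
table <ldap> { 10.0.0.21 10.0.0.22 }
table <www>  { 10.0.0.31 10.0.0.32 }

# Option 3: redirect (rdr-to) plus source NAT.  relayd installs the rdr-to
# rule; "tag" marks those packets so pf.conf can nat-to them, which makes
# the servers answer to the LB instead of straight to the client.
redirect imap {
        listen on $ext_ip port 993
        forward to <imap> port 993 check tcp
        tag RELAYD
}
redirect ldap {
        listen on $ext_ip port 636
        forward to <ldap> port 636 check tcp
        tag RELAYD
}

# Option 4: layer-7 relay.  The backend sees the relay's address as peer, but
# the original client address travels in the appended X-Forwarded-For header.
http protocol httpfilter {
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
}
relay www {
        listen on $ext_ip port 80
        protocol httpfilter
        forward to <www> port 80 check http "/" code 200
}

# Option 5: DSR.  "route to" leaves the destination address untouched, so
# every IMAP host must also carry $ext_ip (e.g. on lo0) and pf only ever
# sees the client-to-server half of each flow.
redirect imap_dsr {
        listen on $ext_ip port 143
        route to <imap> port 143 check tcp interface $int_if
}

# ---- pf.conf (constructed example) ----
ext_if="em0"
int_if="em1"
ext_ip="203.0.113.10"
# Under ~64k concurrent connections a single address is enough; above that
# pf runs out of source ports per (source, destination) pair, hence a pool.
snat_pool="{ 10.0.0.1, 10.0.0.2 }"

anchor "relayd/*"

# Option 3: translate the source of the redirected packets on the way out.
match out on $int_if tagged RELAYD nat-to $snat_pool round-robin

# Option 5: one-way flows need sloppy state tracking or pf drops the replies
# it never saw the handshake for.
pass in on $ext_if proto tcp to $ext_ip port 143 keep state (sloppy)
```

The imap and imap_dsr redirects are written on different ports only so the fragment loads as one file; in practice you would pick one style per service. Note that with option 3 the IMAP-to-LDAP traffic Giannis mentions also gets source-NATed, so the LDAP servers log the LB pool address rather than the IMAP host.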
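The "fixed with a Client-IP header" part carries a caveat a practitioner will want: the backend must only believe that header on connections that actually arrive from the load balancer's NAT addresses, otherwise any client can set it and spoof its own address in logs, rate limits or ACLs. The following is an added example, not code from the thread or from relayd, of how a backend should reduce X-Forwarded-For to one trustworthy client address. The trusted addresses are constructed placeholders matching a two-address source-NAT pool; the header name follows relayd's own relay example rather than Mischa's "Client-IP".

```python
import ipaddress

# Constructed: the addresses the load balancer source-NATs from.  Only a
# peer in this set is allowed to tell us who the real client was.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.1/32"),
    ipaddress.ip_network("10.0.0.2/32"),
]


def _is_trusted(addr, trusted):
    """True if addr (a string) falls inside one of the trusted networks.
    Raises ValueError for anything that is not an IP address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def client_ip(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Return the address the backend should log and rate-limit on.

    remote_addr: the TCP peer address of the accepted connection.
    headers:     dict of lower-cased header name -> value.

    relayd appends $REMOTE_ADDR to X-Forwarded-For, so the rightmost entry
    that is not one of our own proxies is the address relayd saw.  Anything
    to the left of it was supplied by the client and is not trusted.
    """
    if not _is_trusted(remote_addr, trusted):
        # Direct connection, or one that bypassed the LB: the header, if
        # present, was set by the peer itself and must be ignored.
        return remote_addr

    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    hops = [h for h in hops if h]
    for hop in reversed(hops):
        try:
            if _is_trusted(hop, trusted):
                continue            # another hop of our own LB pool
            return hop              # first untrusted hop = real client
        except ValueError:
            break                   # garbage in the header: fall back
    return remote_addr
```

With a single relayd in front, the header normally holds exactly one entry; the right-to-left walk matters when the client sent its own X-Forwarded-For and relayd appended to it, or when a second LB pool address shows up as an intermediate hop.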
