Scenario: two machines, (A) 10.x.x.11 and (B) 10.x.x.12, run web
servers on port 1024 which are made available to the world via a public IP
on port 80 by a pfSense firewall (F) (1.2RC4) running a load balancer.
The internal IP of the firewall is 10.x.x.254.

An application which runs on 10.x.x.11, 10.x.x.12 and others wishes to
connect to the web server pool.

NAT reflection doesn't work, so we thought we could run a load balancer
on the firewall's internal IP address. However, this doesn't work.

Using tcpdump on A, we see the firewall connecting to the web and the
packets being returned normally, everything OK.

Using tcpdump on F, we can see the packets arrive on the firewall
heading for 10.x.x.254:80, go off to the web server on port 1024,
and come back to the firewall. The firewall doesn't then send the
packets back to the host which originated the connection.

Firewall logs indicate the connection is being permitted from A to A; no
indication of anything being refused!


Is what we are trying to do sensible, i.e. to use a load balancer on the
*inside* of our network to allow callbacks to a webapp to be made resilient?

Thanks
Paul

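The path described in the post (client and pool members on the same LAN, firewall redirecting port 80 on its LAN address to port 1024 on a pool member) is the hairpin NAT case: a plain redirect rewrites only the destination, so the pool member sees the original client source address and can answer it directly, and that reply never matches the state the firewall holds for the redirected connection. The usual remedy is to also source-NAT the redirected traffic on the LAN interface so the pool member's replies come back through the firewall. The rules below are an added illustration written in the rdr/nat syntax of the pf version pfSense 1.2 was built on; they are not Paul's configuration or anything from the pfSense project, and the interface name em1, the subnet 10.0.0.0/24 (standing in for the post's 10.x.x.0/24) and the 10.0.0.11/10.0.0.12/10.0.0.254 addresses are assumptions.

```pf
# Added example, not from the original post. Interface name and addresses are assumed.
int_if  = "em1"
lan_net = "10.0.0.0/24"
fw_lan  = "10.0.0.254"
web_pool = "{ 10.0.0.11, 10.0.0.12 }"

# 1. Redirect LAN clients that connect to the firewall's LAN address on port 80
#    to one of the pool members on port 1024 (round-robin across the pool,
#    sticky so one client keeps hitting the same member).
rdr on $int_if proto tcp from $lan_net to $fw_lan port 80 \
    -> $web_pool port 1024 round-robin sticky-address

# 2. The hairpin fix: once the destination has been rewritten by the rdr rule,
#    also rewrite the source of that traffic to the firewall's LAN address.
#    Without this the pool member replies directly to the client on the same
#    subnet, and that reply does not match the client's state on the firewall.
nat on $int_if proto tcp from $lan_net to $web_pool port 1024 -> ($int_if)

# 3. Allow the redirected traffic (pf evaluates filter rules against the
#    post-translation addresses, so this matches the pool member on 1024).
pass in quick on $int_if proto tcp from $lan_net to $web_pool port 1024 \
    flags S/SA keep state
```

The diagnostic that distinguishes the two cases is the same tcpdump the post already uses: with only the rdr rule in place, a capture on the pool member shows the SYN arriving with the client's real source address; with the nat rule added, the source is the firewall's LAN address and the reply goes back to the firewall. In the pfSense GUI this second rule corresponds to a manually defined outbound NAT rule on the LAN interface for traffic to the pool (assumption: that the 1.2RC4 outbound NAT page exposes this mapping in the same way).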