Scott Ullrich wrote:
On 2/25/06, Daniel Leaberry <[EMAIL PROTECTED]> wrote:
Thanks Scott for the Carp and OpenVPN answer. I have just one more.
I have a /29 that I run pfsense in and a /27 subnet of dmz addresses that is
routed to me. I setup incoming load balancing with one of these /27 addresses.
It didn't work. I wasn't sure if creating the virtual server with the dmz
address also created a virtual ip, so I tried both. Neither one worked. I did
set a firewall rule to allow the traffic. I looked at the output of
/tmp/rules.debug and it didn't look like there was anything but an anchor.
I'm using the 2-20 testing snapshot
here's the relevant rules.debug output
# Load balancing anchor - slbd updates
rdr-anchor "slb"
rdr on fxp2 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on fxp1 proto tcp from any to any port 21 -> 127.0.0.1 port 8022
rdr on xl0 proto tcp from any to any port 21 -> 127.0.0.1 port 8023
Did you create a Pool and a Virtual Server? You need VIP's, too.
http://wiki.pfsense.com/wikka.php?wakka=IncomingLoadBalancing may
help.
I did, I followed that exact tutorial. I have 64.90.194.xx as a vip with
proxy arp (even though my subnet is routed to me) and it's also the
virtual server (The monitor option was pretty vague, I just picked icmp
and put in the ip of one of the pool servers) It has a pool containing 3
servers in the lan subnet 192.168.x.x. It has appropriate pass rules for
the wan (pass on wan port 80 to 64.90.194.xx) and I turned on logging so
I can see my attempts getting to pfsense and being logged. The
connection always times out. (I send a SYN and get nothing back.) When I
check the state table on pf I see the following
tcp 67.104.0.xx:3185 -> 64.90.194.xx:80 SYN_SENT:CLOSED
tcp 64.90.194.xx:80 <- 67.104.0.xx:3185 CLOSED:SYN_SENT
The other question has to do with reflection redirects. If I read correctly
these should let me access my public dmz addresses from the lan interface? If
this is correct then these don't work. But they are the least of my concerns as
I've traditionally used split dns. Here's an example reflection rule from
rules.debug.
rdr on fxp0 proto tcp from any to xx.xx.xxx.xx/32 port { 80 } -> 192.168.xx.xx
port 80
# Reflection redirects
rdr on fxp2 proto tcp from any to xx.xx.xxx.xx/32 port { 80 } -> 127.0.0.1 port
19003
rdr on fxp1 proto tcp from any to xx.xx.xxx.xx/32 port { 80 } -> 127.0.0.1 port
19004
rdr on xl0 proto tcp from any to xx.xx.xxx.xx/32 port { 80 } -> 127.0.0.1 port
19005
I do have to say I've put two pfsense nodes into production using failover carp
and it's much nicer then the netscreen we were using. The thing that killed the
netscreen was it's inability to delete 1:1 mappings until the server using that
ip was down for hours. Then the netscreen would notice it was down and let you
delete the mapping. With pfsense it's been so much easier.
What doesn't work about it? This is a hot item that I need to get
fixed and subsequently get paid for, since someone sponsored the
feature and they claim its broken, too, but it works for me.
Scott
Remember, everything I do is run through a 1:1 nat so maybe I'm a little
different but from the lan interface I cannot access a server with a
public ip. I type 64.90.195.xx (the main web server) and from inside the
lan this does not give me anything but a connection timed out error.
Once again the states are as follows
tcp 192.168.100.103:2050 -> 64.90.193.xx:53101 -> 64.90.195.xx:80
SYN_SENT:CLOSED
tcp 64.90.195.xx:80 <- 192.168.100.103:2050 CLOSED:SYN_SENT
It looks like the redirect happens but it doesn't go through the 1:1 nat.
I tried a wide open rule on the lan (pass from any to any) and also
tried unchecking the block private network option on the wan (I thought
maybe it was blocking those redirect rules.)
Just to describe the network I have two subnets routed to me from my
colo. the /29 is what pf is running on and the /27 is my dmz that I 1:1
nat with. So I only have two interfaces Wan and Lan.
Hope that helps
Daniel
