On 07/02/2017 18:00, list-requ...@lists.pfsense.org wrote:
> I am trying to get an internal load balancer running.
> I set up HAProxy with a public IP, 123.123.123.123, and I have two web servers:
> 10.0.3.99 and 10.0.3.98.
> When I connect from outside of 10.0.3.0/24 it works as expected, but when I try
> to make a connection from the internal LAN 10.0.3.0/24 I get no response.
(Presumably you mean when you connect from 10.0.3.x to 123.123.123.123)
Are you actually using the HAproxy package, or are you just using
regular load-balanced pools (Services > Load Balancer)?
If you are using load-balanced pools, read on.
> I read something about NAT reflection but I didn't understand how to configure
> it correctly.
https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
Go to System>Advanced, Firewall/NAT, scroll down to "NAT Reflection mode
for port forwards", and change from "Disabled" to "Pure NAT"
What happens is:
* packet is sent from client with src 10.0.3.5 (say), destination
123.123.123.123
* packet follows default gateway and arrives at pfSense
* as well as rewriting the dest to 10.0.33.98 (or 99), NAT reflection
means that it rewrites the source to 10.0.3.1 (or whatever your pfSense
LAN addr is)
* the packet arrives at the destination web server with src 10.0.3.1 and
dest 10.0.33.98
* the return packet has src 10.0.33.98 and dst 10.0.3.1
* hence it arrives back at pfSense
* pfSense rewrites it to src 123.123.123.123 dest 10.0.3.5
This ensures that pfSense is in the loop for both the outbound and
inbound packets. However your webserver logs will show the connection
coming from 10.0.3.1, not from the true client IP address.
HTH,
Brian.
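To make the packet walk above concrete, here is an added toy model (not from the thread or from pfSense itself) of a port forward with and without "Pure NAT" reflection. It uses the addresses from the thread (client 10.0.3.5, pool member 10.0.3.98, pfSense LAN address 10.0.3.1 assumed) and shows why the reply only reaches the client when the source is rewritten, and that the web server then sees 10.0.3.1 instead of the real client.

```python
from dataclasses import dataclass, replace

# Addresses from the thread; 10.0.3.5 is the example client Brian uses.
PUBLIC_VIP = "123.123.123.123"
LAN_GW = "10.0.3.1"          # assumed pfSense LAN address
BACKEND = "10.0.3.98"        # one of the two pool members
LAN_PREFIX = "10.0.3."

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class PortForward:
    """Toy model of a pfSense port forward, with or without Pure NAT reflection."""
    def __init__(self, pure_nat: bool):
        self.pure_nat = pure_nat
        self.states = {}  # (translated src, sport, backend) -> (client, original dst)

    def forward(self, pkt: Packet) -> Packet:
        # Rewrite dst to the pool member; with Pure NAT also rewrite a LAN client's
        # src to the pfSense LAN address so the reply has to come back through it.
        new_src = pkt.src
        if self.pure_nat and pkt.src.startswith(LAN_PREFIX):
            new_src = LAN_GW
        self.states[(new_src, pkt.sport, BACKEND)] = (pkt.src, pkt.dst)
        return replace(pkt, src=new_src, dst=BACKEND)

    def unforward(self, reply: Packet) -> Packet:
        # Reverse translation: src becomes the VIP again, dst the real client.
        client, vip = self.states[(reply.dst, reply.dport, reply.src)]
        return replace(reply, src=vip, dst=client)

def simulate(pure_nat: bool, client: str = "10.0.3.5") -> dict:
    fw = PortForward(pure_nat)
    out = fw.forward(Packet(client, PUBLIC_VIP, 40000, 80))
    # The web server answers whatever source address it saw.
    reply = Packet(BACKEND, out.src, 80, out.sport)
    if reply.dst == LAN_GW:
        delivered = fw.unforward(reply)   # routed via pfSense, translation undone
    else:
        delivered = reply                 # same subnet: goes straight to the client
    # The client only accepts a reply from the address it actually connected to.
    accepted = delivered.src == PUBLIC_VIP and delivered.dst == client
    return {"server_saw": out.src, "client_got_from": delivered.src, "accepted": accepted}
```

With `pure_nat=False` the server replies directly to 10.0.3.5 from 10.0.3.98, which the client never connected to, so the connection hangs; with `pure_nat=True` the reply is accepted but the server log shows 10.0.3.1.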
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list