My company has a web application running on a set of web servers
that we're load balancing with relayd.

We've recently learned of a problem where end users who have:
- Comcast cable internet connections,
- Linksys cable routers provided by Comcast, and
- the Linksys router's "firewall protection" setting enabled (as
  it is by default)
can't access our load balanced servers.  We've watched the
traffic, and it appears that our response packets are being
dropped by the Linksys router.  To confirm this further, if
the Linksys "firewall protection" setting is disabled, then
everything works fine.

To further complicate matters, the users *can* access any single
one of the web servers just fine.  It's only when they try to use
the relayd load balanced IP address that things break.

More details, in case any of them help:

relayd is running on a pair of stock Dell R200 machines, along
with pf and carp.  The installed OpenBSD version is 4.4 i386,
running the generic kernel.

relayd.conf looks like this:

-----------------------------------------------------------------

wsrv1=192.168.2.20
wsrv2=192.168.2.21
wsrv3=192.168.2.22

interval 5
timeout 200

table <wwwhosts> { $wsrv1 $wsrv2 $wsrv3 }

redirect "wsrv" {
  listen on a.b.c.d port 80
  tag RELAYD
  sticky-address
  forward to <wwwhosts> port 80 mode roundrobin check http "/robots.txt" code 200
}

redirect "wsrv-https" {
  listen on a.b.c.d port 443
  tag RELAYD
  sticky-address
  forward to <wwwhosts> port 443 mode roundrobin check https "/robots.txt" code 200
}

-----------------------------------------------------------------

We're not completely certain that relayd is causing the issue,
but we've eliminated everything else we can think of (except of
course the Linksys firewall, but we can't very well tell every
single possible end user in the world who might have a Linksys
cable router to turn off its firewall setting.)  If there's
something obvious that we're doing wrong with the configuration,
we'd love to know about it.

Thanks!
