I created Ticket #1706 regarding the load-balancing issue. Does anyone have an estimate of how long before bugs are fixed? Could I do a workaround meanwhile?

BTW a nice-to-have feature: NAT rules that apply to multiple interfaces OR an easy way to copy all NAT rules from one IF to another (creating the necessary firewall rules).

Have a nice day!
Martin

Bill Marquette wrote:
On Fri, Apr 25, 2008 at 12:36 AM, Martin Kruse Jensen <[EMAIL PROTECTED]> wrote:
 I still need to set the default lan -> any rule to use the loadbalancetowan
gateway right?

correct

 In http://pastebin.com/f36121457 I didn't
 but in http://pastebin.com/f10483182 I did change it

yep, looks like we aren't installing the reply-to logic on WAN for
some reason (probably cause nobody had a setup where machines on wan2
tried to connect to services on wan).  Can you file a bug on
cvstrac.pfsense.com for this, please?  Thanks

--Bill


 Martin

 Bill Marquette wrote:

 On Thu, Apr 24, 2008 at 4:22 AM, Martin Kruse Jensen <[EMAIL PROTECTED]> wrote:


 The /tmp/rules.debug can be found at http://pastebin.com/m39a0c097

 Before getting /tmp/rules.debug I did the following:
 - Created failover gateway in Services -> Load-balancer (loadbalancetowan)
 - Set the default lan -> any rule's gateway to loadbalancetowan
 - Set the firewall rules (created by nat) to use the gateway loadbalancetowan on both WANs




Yeah, don't do that. You need a NAT (rdr/port forward in this case)
and filter rule per WAN, but don't change the gateway else you end up
with nonsensical rules like:

pass in quick on $wan route-to { ( vr0 10.33.56.1 ) } proto tcp from any to <main> port = 80 keep state label "USER_RULE: NAT "

and

pass in quick on $StofaOPT1 route-to { ( vr0 10.33.56.1 ) } proto tcp from any to { 192.168.1.3 } port = 80 keep state label "USER_RULE: NAT Stofatest"

which points the next hop INBOUND for this traffic to vr0 (which is
your WAN in this case), i.e. the traffic goes back outbound... bad.

I still see no reply-to's in the ruleset, so I'm suspecting that we
have an issue when dealing with rules on the default gateway, but fix
those rules to use the default gateway and give us the output of
rules.debug again if you are still having issues. Thanks

--Bill
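
Added example, not part of the original thread and not pfSense code: a small Python check over rules.debug-style text that flags the two conditions Bill describes, route-to on an inbound WAN rule and a missing reply-to. The WAN macro names passed to audit() and the last two sample rules are assumptions made for the illustration.

```python
import re

# Constructed sample in the style of /tmp/rules.debug. The first two rules are
# the ones quoted in the thread; the last two are made up for contrast.
SAMPLE = '''\
pass in quick on $wan route-to { ( vr0 10.33.56.1 ) } proto tcp from any to <main> port = 80 keep state label "USER_RULE: NAT "
pass in quick on $StofaOPT1 route-to { ( vr0 10.33.56.1 ) } proto tcp from any to { 192.168.1.3 } port = 80 keep state label "USER_RULE: NAT Stofatest"
pass in quick on $StofaOPT1 reply-to ( vr1 10.44.0.1 ) proto tcp from any to { 192.168.1.3 } port = 22 keep state label "USER_RULE: constructed"
pass in quick on $lan route-to { ( vr0 10.33.56.1 ) } from any to any keep state label "USER_RULE: constructed lan"
'''

# "pass in ... on <macro> <rest of rule>"
RULE = re.compile(r'^pass\s+in\b.*?\bon\s+(\$?\w+)(.*)$')
# "route-to { ( dev gw ) }" or "reply-to ( dev gw )"
HOP = re.compile(r'\b(route-to|reply-to)\s*\{?\s*\(\s*(\S+)\s+(\S+)\s*\)')


def audit(rules_text, wan_macros):
    """Return (lineno, iface, finding) tuples for inbound rules on WAN macros.

    wan_macros: interface macros that face the Internet (caller-supplied
    assumption). Rules on other interfaces, e.g. policy routing on LAN,
    are not examined.
    """
    findings = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        m = RULE.match(line.strip())
        if not m or m.group(1) not in wan_macros:
            continue
        iface, rest = m.groups()
        hops = {kind: (dev, gw) for kind, dev, gw in HOP.findall(rest)}
        if 'route-to' in hops:
            # Inbound traffic would be forwarded to this next hop, i.e. back out.
            findings.append((n, iface, 'route-to %s %s on inbound WAN rule' % hops['route-to']))
        if 'reply-to' not in hops:
            # Replies follow the default route instead of the arrival interface.
            findings.append((n, iface, 'no reply-to'))
    return findings


if __name__ == '__main__':
    for lineno, iface, finding in audit(SAMPLE, {'$wan', '$StofaOPT1'}):
        print('line %d (%s): %s' % (lineno, iface, finding))
```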
