List: pfsense-discussion
Subject: [pfSense] 2 problems - hybrid reverse natting breaks external VIP? internal webserver LB pool for th
From: <jens.simmoleit () bertelsmann ! de>
Date: 2015-06-18 12:16:35
Message-ID: 6EC0C9D1A1A3C3469AA763B32F2CB52B53B85B38 () GTLBMLXEN0005 ! bagmail ! net
Hello Party People,
First of all, I love pfSense and I've been using it intensively in my job for about 3 years now, and I'm honestly quite satisfied with the stability and performance (I'm using the CF-card nanobsd version). I have to say I became a little fanboy of pfSense.
I hope you can help me out here. I'm not sure if these are bugs, but it seems so.
I'll try to explain my 2 problems in detail.
My setup
------------
2.2.2-RELEASE (amd64)
built on Mon Apr 13 20:10:22 CDT 2015
FreeBSD 10.1-RELEASE-p9
Platform nanobsd (4g)
I have 3 master/slave pairs of HA pfSense. 2 of the pairs are connected to the internet, each with their own internet connection. The third pair is on an internal net and serves as a "secure data vault door" (LB for a Galera cluster). It's internally accessible from both external pairs and works flawlessly.
Something like this, very simplified of course. If you need details like VLANs and so on, just ask and I'll provide them.
    M/S Pair1          M/S Pair2
        |                  |
        +--------+---------+
                 |
             M/S Pair3
Problem 1 - Reverse Natting my dmz'ed postfix mail server:
--------------------------------------------------------------------------
I have found out that there seems to be a reproducible bug/error which breaks the HA, well, sort of, I guess. I can reproduce it with a fresh install. On the HA setups (Line1/Line2), I have one webserver in each DMZ. For the mail service to work properly I need to reverse NAT port 25. So I switched to hybrid outbound NAT and entered:
WAN 172.16.40.0/22 * * 25 (external VIP of the mailserver) * YES
Why did I do that? Because mail providers like e.g. gmx.net and Hotmail.com do a reverse check on the visiting mail server. So if you leave outbound NAT in automatic mode, the external (V)IP of the mail server is used by Postfix to connect to GMX (which is correct so far). BUT the mail server from gmx.net checks the DNS/IP of the email server connecting; it then connects BACK, trying to reach my email server (VIP), but instead the pfSense master IP (not even the pfSense external VIP!) answers. So the GMX server refuses my mail delivery, as the check didn't answer back with the right email address. No email can be sent, period!
Here is a first question: if I'm not mistaken, with older versions you could not only enter the subnet but the server IP directly; this seems to have changed, am I right? If so, why? What happened?
NOW, here comes the REAL problem. After activating hybrid outbound NAT, the external VIP of my HA setup seems to be broken (the internal VIPs are still fine though). Try it for yourself. I can't ping the external VIP address, I can't use my browser to connect to the pfSense web page; it seems to be completely dead. I reproduced this error with a fresh HA sandbox setup here at the office. When I switch it back to automatic, it works again, but THEN my mail servers won't function properly.
Doing a failover test in hybrid mode made my load balancing pools go offline for a few seconds, but AFAIR this shouldn't be the case. So, at least to me, it looks like there is something utterly broken in this hybrid feature.
I hope you can tell me if I did something wrong or if there is a fix for my first problem.
Most important: is this a bug? Should I file it?
"Problem" 2 - Internal Load-Balancing for my developers:
----------------------------------------------------------------------
This is a problem I'd really die to solve. I'm using relayd big time and it works awesome with my number of pools and the data we get. BUT, I'd like to set up internal load balancing. I set up some pools and some LAN VIPs; those work already, but NOT in the same network segment. How can I tell relayd to accept requests which originate from the same subnet? Is this possible? The background for this is: our setup is completely in SSL, so HTTPS is a must. As we only have 2-3 dev machines, but a lot more websites and APIs and services which all need functioning certificates, we of course had to switch away from port 443 to other non-standard ports.
The tests they are setting up won't work properly with ports other than 443 (Selenium Firefox, e.g.), so I wanted to circumvent this with VIPs and LB pools, always using port 443, to be error free.
Is this even possible? This would be so awesome; we are really struggling here with that.
Please tell me it's possible to redirect the LB VIP back to the subnet the pool originates from, please! ^^
Thanks for your invested time and help in advance,
Jens Simmoleit
Senior Linux Systems Administrator
infoscore Profile Tracking GmbH
part of arvato Financial Solutions
Kaistrasse 7
40211 Düsseldorf
Phone: +49 211 50 66 51- 88
Fax: +49 211 50 66 51- 93
Mobile: +49 160 97 80 46 94
E-Mail: Jens.Simmoleit@bertelsmann.de
finance.arvato.com
--------------------------------------------------------------------------------
infoscore Profile Tracking GmbH | Registered office: Düsseldorf | Gütersloh District Court, HRB 9368 | VAT ID: DE 287843415
Managing Directors: Kai Kalchthaler, Matthias Schweizer
--------------------------------------------------------------------------------
This e-mail and any attachments may contain confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please notify the sender immediately and destroy this e-mail. Unauthorized copying or forwarding of this e-mail is not permitted.
--------------------------------------------------------------------------------
This e-mail and any attachments may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is forbidden.
--------------------------------------------------------------------------------
Please consider your responsibility towards the environment before printing this e-mail!
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
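The two scenarios from the post, written out as an added illustration in the nat/rdr style pf.conf syntax that FreeBSD 10 (and therefore pfSense 2.2) uses. This is not configuration generated by pfSense or relayd and not the poster's own rules; pfSense builds equivalent rules from the GUI rows, and relayd's redirects drive equivalent rdr anchors. Interface names and every address except the 172.16.40.0/22 DMZ subnet from the mail are constructed placeholders. The added value is the last nat rule: a redirect whose clients sit on the same subnet as the pool members only works when the redirected flow is also source-NATed, because otherwise the pool member answers the client directly from its real address and port and the client's TCP stack drops that reply.

```pf
# Added illustration, not pfSense-generated and not from the original post.
# Old-style (pre OpenBSD 4.7) pf syntax as shipped in FreeBSD 10 / pfSense 2.2.
ext_if = "em0"                        # WAN interface (assumption)
dmz_if = "em1"                        # DMZ holding the Postfix host (assumption)
lan_if = "em2"                        # developer LAN (assumption)
dmz_net = "172.16.40.0/22"            # DMZ subnet quoted in the post
mail_vip = "203.0.113.25"             # constructed external CARP VIP of the mail server
lan_net = "10.0.0.0/24"               # constructed developer subnet
lan_vip = "10.0.0.50"                 # constructed LAN CARP VIP for the dev pool
table <devweb> { 10.0.0.11, 10.0.0.12 }   # constructed pool members, listening on 8443

# Problem 1: SMTP leaving the DMZ must source from the mail VIP, with the source
# port kept (static-port), so the receiving MTA's forward-confirmed reverse DNS
# check sees the address whose PTR record names the mail host, not the firewall's
# own address. This is the hybrid outbound NAT row from the post in pf form.
nat on $ext_if proto tcp from $dmz_net to any port 25 -> $mail_vip static-port
# Everything else from the DMZ leaves from the WAN interface address as usual.
nat on $ext_if from $dmz_net to any -> ($ext_if)

# Problem 2: developer clients connect to https://10.0.0.50/ on 443; the rdr
# spreads connections over the pool and rewrites the port to the non-standard 8443.
rdr on $lan_if proto tcp from $lan_net to $lan_vip port 443 -> <devweb> port 8443 round-robin
# Same-subnet (hairpin) case: without this rule the pool member would reply to the
# client straight from 10.0.0.11:8443, which the client discards because it expects
# 10.0.0.50:443. Source-NAT the redirected flow to the LAN interface address so the
# reply comes back through the firewall and is un-translated there.
nat on $lan_if proto tcp from $lan_net to <devweb> port 8443 -> ($lan_if)

# Filter rules see the already translated addresses.
pass in on $dmz_if proto tcp from $dmz_net to any port 25 keep state
pass in on $lan_if proto tcp from $lan_net to <devweb> port 8443 keep state
```

The price of the hairpin nat rule is that the pool members see every same-subnet request as coming from the firewall's LAN address, so their access logs lose the real client IP; for a developer LAN that is usually acceptable, for anything where per-client logging matters the clients belong on a different subnet than the pool.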