Routing Problems on own Server Load Balncing Rule

Hi,
we got an Interface (VLAN 253 / 10.0.253.10) and a few server in this VLAN, e.g. 10.0.253.11.
The default gateway of all Servers in VLAN 253 are set to 10.0.253.10 and for testing i created these firewall rules : any-any-253 & 253-any-any
The IP from the UTM is 10.0.189.151 and the default Gateway 10.0.189.1

 

Also we set a few Server Load Balancing Rule like email2016.domain.de ( Additional Address 10.0.189.116 (VLAN 189)) - HTTPS -> EX01 (253.11), EX02 (253.12)...

The problem is, I'm not able to open a connection to one Load Balancing Rule from the same Subnet.
So email2016.domain.de (10.0.189.116) works not from 10.0.253.0/24

The LB-Rules works per se, like a Server in a nother VLAN. E. g. VLAN 224 / 10.0.224.51 can connect to email2016... without problems

Is there a problem in our configuration, or do we have to add a static route?

 

Best Regerds

  • Hello logan517,

     

    I think the server load balancing works like NAT, so the IP Destination is changed to the balanced servers. Maybe the problem is that the ACK Packets won't go back through the UTM if the sender is on the same network.

    If you need it for http/https (and you have the webserver protection subscription) you can use webserver protection with more than one real servers selected instead.

     

    Good luck!

    CS

  • In reply to CS:

    CS
    Ithink the server load balancing works like NAT, so the IP Destination is changed to the balanced servers. Maybe the problem is that the ACK Packets won't go back through the UTM if the sender is on the same network.

    Any idea how to fix this / any workaround?

     

    CS
    If you need it for http/https (and you have the webserver protection subscription) you can use webserver protection with more than one real servers selected instead.

    HTTP /S was only en example. We also balance SMTP, IMAP....
    Exchange 2016 isn't supported with more than 1 real server through the waf.

  • In reply to logan517:

    logan517

    Any idea how to fix this / any workaround?

    Try this: https://freeloadbalancer.com/ but use the one-arm configuration https://kemptechnologies.com/de/videos/how-to/one-arm-virtual-services/ 

    In NAT-Mode (two-arm) it is the same problem like load balancing with the utm.

     

    Good luck!

    CS

  • In reply to CS:

    hmm, we want to use another server reluctantly.

    Isn't there a workaround with the utm it selfs, like a static route to our cisco switch's or something?

  • In reply to logan517:

    logan517

    hmm, we want to use another server reluctantly.

    Isn't there a workaround with the utm it selfs, like a static route to our cisco switch's or something?

     

    Maybe with S-NAT-Rules

    From: VLAN 253 to EX01 change Source to 10.0.253.10

    The server should send the packets back over the UTM.

  • In reply to CS:

    Hi CS,

    thx for this idea.

     

    An S-Nat Rule works great.

    VLAN 253 (Network) = 10.0.253.0/24
    VLAN 253 (Address) = 10.0.253.10

    From VLAN 253 (Network) - Service: Any - To VLAN 253 (Network)
    Change Source To VLAN 265 (Address)