
DNAT to load balancer VIP

The same question was asked in "Functional DNAT does not work when destination is server load balance object" but never got a response.

So I gather that this is not possible, but are there any workarounds?

In my case it is a database connection, and I don't have a cluster for nothing.

In short:

external IP:3306 -> DNAT internal-IP:3306 works
external IP:3306 -> DNAT LB VIP:3306 doesn't work



This thread was automatically locked due to age.
  • Thanks for your response.

    How do I secure that? I obviously don't want to expose my database cluster to the world.

    Do not create the automatic firewall rule, but create a rule manually to allow only the source subnet access to port 3306?

  • Hello Harro,

    yes, with manual rules you could restrict access and source ips further.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Sorry for the late response, I needed the client to be able to test it.

    The configuration is a bit weird imho.

    I needed to define an LB rule: public IP:3306 -> IP of the database nodes, but a firewall rule: client IP:3306 -> IP of the database nodes, instead of what I expected, client IP:3306 -> public IP.

    But this works. Thanks for the responses everyone.