Emerging Member
Posts: 44
Registered: 02-23-2016
Kudos: 3
Solutions: 5
Accepted Solution

Are "Do not load balance" rules still necessary if the other interface is failover-only?

If you use the wizard, it auto-generates a few rules in the firewall like this:

        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }

eth0 is the primary.

eth1 is failover-only.

 

My understanding is eth1 is not used unless eth0 is down. However, it's still online and it can receive incoming traffic if port-forwarding rules are set. Is that correct?

 

Another question is with the "modify table main".

 

Let's say I have 2 load-balance groups:

group alpha
    eth0 primary
    eth1 failover-only

group beta
    eth0 failover-only
    eth1 primary

 

Do I need to create a new table for group beta or will using the same "modify table main" work?

eth0 is a static IP

eth1 is a DHCP IP

 

Thanks in advance.


Accepted Solutions
Veteran Member
Posts: 7,791
Registered: 03-24-2016
Kudos: 2028
Solutions: 892

Re: Are "Do not load balance" rules still necessary if the other interface is failover-only?

The modify rule shown is to make sure packets from the LAN destined for the WAN IP address don't leave on WAN1 and come back in on WAN2, taking a long detour over the internet. (This rule is aimed at hairpin NAT, not normal port forwards from the WAN.)

 

If you have multiple LB groups, you still have a single firewall modify ruleset on the LAN interface. As your example shows the same WAN interfaces, there's no need to add more modify rules. Having rules as shown for both ADDRv4_eth0 and ADDRv4_eth1 point to table main is OK.

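The layout from the question written out in EdgeOS `set` syntax, as an added example (not the poster's or Ubiquiti's own configuration): one modify ruleset on the LAN interface keeps traffic for either WAN address on table main, and the rest is steered to group alpha or beta by source subnet, so no second table is needed. Assumed: eth2 is the LAN interface and 192.168.1.0/24 and 192.168.2.0/24 are the two LAN subnets; ADDRv4_eth0 and ADDRv4_eth1 are the address groups EdgeOS maintains for the WAN addresses, as in the wizard output above.

```text
# Load-balance groups from the question: same two WANs, opposite roles.
set load-balance group alpha interface eth0
set load-balance group alpha interface eth1 failover-only
set load-balance group beta interface eth1
set load-balance group beta interface eth0 failover-only

# One modify ruleset, applied once on the LAN interface (eth2 assumed).
# Rules 20/30: anything addressed to either WAN IP stays on table main, so a
# LAN host reaching a port-forward by public IP (hairpin NAT) is answered by
# the router instead of leaving one WAN and re-entering through the other.
set firewall modify balance rule 20 action modify
set firewall modify balance rule 20 description 'do NOT load balance destination public address'
set firewall modify balance rule 20 destination group address-group ADDRv4_eth0
set firewall modify balance rule 20 modify table main
set firewall modify balance rule 30 action modify
set firewall modify balance rule 30 description 'do NOT load balance destination public address'
set firewall modify balance rule 30 destination group address-group ADDRv4_eth1
set firewall modify balance rule 30 modify table main

# Everything else picks a group by source subnet (subnets are assumed).
set firewall modify balance rule 70 action modify
set firewall modify balance rule 70 source address 192.168.1.0/24
set firewall modify balance rule 70 modify lb-group alpha
set firewall modify balance rule 80 action modify
set firewall modify balance rule 80 source address 192.168.2.0/24
set firewall modify balance rule 80 modify lb-group beta

# Attach the single ruleset inbound on the LAN side, then activate.
set interfaces ethernet eth2 firewall in modify balance
commit
save
```

After committing, `show load-balance status` shows which interface each group is currently using, which is the quickest way to confirm that the failover-only member of each group is idle while its primary is up.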