 From:  Chrisup-Gmail <chrisup at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Spoofing and load balanced http traffic on LAN subnet
 Date:  Mon, 22 May 2006 11:50:29 -0700
Hello,

I have mono set up with public IPs on both interfaces; CIDR is /28 for both nets.

I have enabled advanced NAT as required for using public IPs on the
LAN interface.

I'm using a load balancer on the LAN subnet for http, so http requests
to the FQDN are redistributed between 2 web servers on the lan subnet.

The firewall blocks the syn/ack from the web servers back to the
client. I'd like to allow this "spoofing" so I can use the load
balancer.

The LAN OPT spoofing rule appears to be processed before the client
rules; is there a way I can change that/disable that to allow the
load balancing to work? Which file processes that option? I didn't see
an ipfilter.conf under /etc/* and I didn't see it in the config.xml.

Below is the relevant ipmon output from the last 50 filter log
entries; 165.xx is the WAN and 205.xx is the LAN. 64.xx and 65.xx are
the clients trying to pass http inbound. The load balancer is
205.xxx.xxx.61 (not present in the log).

The web servers 205.xxx.xxx.54 and 205.xxx.xxx.56 are returning the
syn/ack back to the client after receiving the http request from the
load balancer.

xxx.xxx.254.252 is the ISP DNS server seen in the log below, but no
problems there, just an FYI.

If you need my status.php, or any more info, I can provide it.

Thanks,

Chris


May 21 21:27:42 m0n0wall ipmon[85]: 21:27:41.607915 2x xl0 @0:15 b
205.xxx.xxx.56,80 -> 65.xxx.xxx.115,64938 PR tcp len 20 60 -AS IN
May 21 21:27:45 m0n0wall ipmon[85]: 21:27:44.611280 xl0 @0:15 b
205.xxx.xxx.56,80 -> 65.xxx.xxx.115,64938 PR tcp len 20 60 -AS IN
May 21 21:28:09 m0n0wall ipmon[85]: 21:28:08.614812 xl0 @0:15 b
205.xxx.xxx.54,80 -> 65.xxx.xxx.115,64938 PR tcp len 20 44 -AS IN
May 21 21:28:12 m0n0wall ipmon[85]: 21:28:11.608185 xl0 @0:15 b
205.xxx.xxx.54,80 -> 65.xxx.xxx.115,64938 PR tcp len 20 44 -AS IN
May 21 21:28:18 m0n0wall ipmon[85]: 21:28:17.608257 xl0 @0:15 b
205.xxx.xxx.54,80 -> 65.xxx.xxx.115,64938 PR tcp len 20 44 -AS IN
May 21 21:30:04 m0n0wall ipmon[85]: 21:30:04.043222 xl0 @100:2 p
205.xxx.xxx.54,2195 -> 64.xxx.xxx.117,22 PR tcp len 20 60 -S K-S IN
May 21 21:30:04 m0n0wall ipmon[85]: 21:30:04.045822 xl0 @100:2 p
205.xxx.xxx.54,1672 -> xxx.xxx.254.252,53 PR udp len 20 59 K-S IN
May 21 21:30:04 m0n0wall ipmon[85]: 21:30:04.121627 xl0 @100:2 p
205.xxx.xxx.54,2480 -> xxx.xxx.254.252,53 PR udp len 20 59 K-S IN
May 21 21:30:04 m0n0wall ipmon[85]: 21:30:04.184120 xl0 @100:2 p
205.xxx.xxx.54,1236 -> 64.xxx.xxx.117,22 PR tcp len 20 60 -S K-S IN
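The symptom in the log above (blocked "-AS" packets, i.e. SYN/ACKs, leaving the LAN web servers toward WAN clients with no matching state on the firewall) can be picked out of an ipmon log automatically. The following is an added example, not code from the original post or from m0n0wall; it parses ipmon filter records and reports blocked SYN/ACK replies from a given LAN subnet. The log lines and the addresses (203.0.113.48/28 standing in for the LAN /28, 198.51.100.x for clients, 192.0.2.252 for the DNS server) are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# One ipmon(8) filter record: "<syslog stamp> host ipmon[pid]: <time> [Nx] <iface> @group:rule b|p
#   src,sport -> dst,dport PR proto len hlen total [-FLAGS] [K-S] IN|OUT"
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+[\d:.]+\s+(?:(?P<repeat>\d+)x\s+)?(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>\S+),(?P<sport>\d+)\s+->\s+(?P<dst>\S+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+(?P<rest>.*)$"
)

@dataclass
class IpmonEntry:
    iface: str
    rule: str        # "group:rule", e.g. "0:15"
    action: str      # "b" = blocked, "p" = passed
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str       # TCP flag letters, e.g. "AS" for SYN/ACK; "" when absent
    keep_state: bool # "K-S": the rule created a state entry
    direction: str   # "IN" or "OUT"

def parse_ipmon_line(line):
    """Parse one ipmon line; return None for lines that are not filter records."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    # TCP flags are a whole token like "-AS"; "K-S" also contains "-S", so match whole tokens only
    flags = next((t[1:] for t in tokens if re.fullmatch(r"-[AFPRSU]+", t)), "")
    return IpmonEntry(m["iface"], f"{m['group']}:{m['rule']}", m["action"], m["src"], int(m["sport"]),
                      m["dst"], int(m["dport"]), m["proto"], flags, "K-S" in tokens, tokens[-1])

def blocked_server_replies(lines, lan_net, service_port=80):
    """Blocked TCP SYN/ACKs from service_port on a lan_net host to a host outside lan_net:
    replies the firewall holds no state for, the signature of an asymmetric (direct-return) path."""
    lan = ipaddress.ip_network(lan_net)
    hits = []
    for e in filter(None, map(parse_ipmon_line, lines)):
        if e.action == "b" and e.proto == "tcp" and {"S", "A"} <= set(e.flags) and e.sport == service_port \
                and ipaddress.ip_address(e.src) in lan and ipaddress.ip_address(e.dst) not in lan:
            hits.append(e)
    return hits

SAMPLE_LOG = [  # constructed lines in ipmon format (not the log from the post)
    "May 21 21:27:42 m0n0wall ipmon[85]: 21:27:41.607915 2x xl0 @0:15 b 203.0.113.56,80 -> 198.51.100.115,64938 PR tcp len 20 60 -AS IN",
    "May 21 21:28:09 m0n0wall ipmon[85]: 21:28:08.614812 xl0 @0:15 b 203.0.113.54,80 -> 198.51.100.115,64938 PR tcp len 20 44 -AS IN",
    "May 21 21:30:04 m0n0wall ipmon[85]: 21:30:04.043222 xl0 @100:2 p 203.0.113.54,2195 -> 198.51.100.117,22 PR tcp len 20 60 -S K-S IN",
    "May 21 21:30:04 m0n0wall ipmon[85]: 21:30:04.045822 xl0 @100:2 p 203.0.113.54,1672 -> 192.0.2.252,53 PR udp len 20 59 K-S IN",
]
```

Every hit is a server reply dropped for want of state; the rule number it reports (here "0:15") tells you which rule on the LAN interface is doing the blocking.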