Unable to get traffic from an NLB cluster from another VLAN
Topic: Unable to get traffic from an NLB cluster from another VLAN (Read 1491 times)
NJK (Newbie, Posts: 6, Karma: 0)
Unable to get traffic from an NLB cluster from another VLAN
« on: August 22, 2023, 09:53:09 am »
Hi all,
First of all, I hope I am in the correct post for this problem.
We have a cluster of IIS servers in VLAN X which use NLB (Network Load Balancing: https://learn.microsoft.com/en-us/windows-server/networking/technologies/network-load-balancing) to balance the traffic to these machines. It is quite an old technique but still works like a charm as long as you are in the same subnet when an OPNsense firewall is being used.
We use IGMP multicast as the cluster operation mode instead of unicast. The switches are configured correctly and recognise the IPs for the cluster.
From a second subnet in VLAN Y we are able to ping every IP address that is not linked to the NLB cluster, also all other traffic is working fine for these IP addresses.
All the IP addresses that are linked to the NLB cluster will give a time-out when pinging them, also no other traffic seems to work.
For now we allow all traffic between the 2 VLANs to exclude rules from being the problem, also the Windows Firewalls are turned off to exclude problems with these as well.
Since the switches handle the multicast we didn't think any additional configuration for the OPNsense was needed. However, it does not work...
Does OPNsense need additional set-up to work with IGMP multicast when working with an NLB cluster?
Edit: We run opnsense-business version 23.4.2.
« Last Edit: August 22, 2023, 09:54:58 am by NJK »
Saarbremer (Sr. Member, Posts: 353, Karma: 14)
Re: Unable to get traffic from an NLB cluster from another VLAN
« Reply #1 on: August 22, 2023, 01:45:19 pm »
Hi,
just to confirm, the "Block bogon networks" checkbox is not checked on both VLANs' interface settings, right?
NJK (Newbie, Posts: 6, Karma: 0)
Re: Unable to get traffic from an NLB cluster from another VLAN
« Reply #2 on: August 22, 2023, 04:48:52 pm »
Hi Tron80,
Thank you for your reply.
I just did a test with an unchecked "Block bogon networks".
There is no difference in the behavior of the traffic between the 2 VLANs.
All the traffic to non-NLB IP addresses is working. Traffic to NLB IP addresses doesn't work.
So this doesn't seem to be the cause of the problem.
Saarbremer (Sr. Member, Posts: 353, Karma: 14)
Re: Unable to get traffic from an NLB cluster from another VLAN
« Reply #3 on: August 23, 2023, 09:32:10 am »
Just to be clear: you tested with the box unchecked on both VLANs X and Y?
NJK (Newbie, Posts: 6, Karma: 0)
Re: Unable to get traffic from an NLB cluster from another VLAN
« Reply #4 on: August 23, 2023, 09:33:22 am »
Yes, correct, both were turned off during the test yesterday.
Saarbremer (Sr. Member, Posts: 353, Karma: 14)
Re: Unable to get traffic from an NLB cluster from another VLAN
« Reply #5 on: August 23, 2023, 10:04:11 am »
I have to admit that I am not the multicast expert, but I guess you might want to look at the os-igmp-proxy extension for OPNsense and take it into operation accordingly.
But again, multicast does not like me and I don't like it. Sorry.
NJK (Newbie, Posts: 6, Karma: 0)
Re: Unable to get traffic from an NLB cluster from another VLAN
« Reply #6 on: August 24, 2023, 08:02:20 am »
Thanks for your help.
I have broadened the search a bit away from OPNsense and looked for people with similar problems when they are using FreeBSD or pfSense (since OPNsense is forked from it).
This broadened search led me to the tunable net.link.ether.inet.allow_multicast (https://man.freebsd.org/cgi/man.cgi?query=arp&sektion=4).
Setting this tunable at least causes the IP and the correct MAC address to be visible in the ARP table in OPNsense. It also causes log messages like "<5>arp: 01:00:5e:7f:d2:28 is multicast" to disappear from the general system log.
However, traffic to those NLB IP addresses is still not working.
Does anyone else have an idea?
I will have a look at the os-igmp-proxy, but it looks like it is designed to proxy the IGMP messages. I am not sure if this is what we need in this case.
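The post above describes the symptom that FreeBSD's ARP code rejects a unicast IP resolving to a multicast MAC (the "is multicast" log line) until the allow_multicast tunable is set. The following is an added example, not code from the thread: a small POSIX sh script that scans `arp -an` style output for entries whose MAC has the group bit set, which is exactly what an NLB cluster in IGMP multicast mode looks like to the firewall. The ARP lines are constructed sample data (the IPs are assumed; only the MAC 01:00:5e:7f:d2:28 comes from the post), and the sysctl helper merely reads the tunable on a FreeBSD/OPNsense host.

```shell
#!/bin/sh
# Constructed sample of `arp -an` output in FreeBSD/OPNsense format (not a real capture).
# 192.168.210.40 is assumed to be an NLB cluster IP; its MAC is the one from the post.
SAMPLE_ARP='? (192.168.210.30) at 00:11:22:33:44:55 on vlan210 expires in 1178 seconds [vlan]
? (192.168.210.40) at 01:00:5e:7f:d2:28 on vlan210 expires in 1195 seconds [vlan]
? (192.168.210.1) at 00:0c:29:aa:bb:cc on vlan210 permanent [vlan]'

# Return 0 when the MAC is a group (multicast) address: the individual/group
# bit is the least-significant bit of the first octet. NLB IGMP multicast
# mode always uses 01:00:5e:7f:xx:xx, so this bit is set.
is_multicast_mac() {
    first_octet=$(printf '%s' "$1" | cut -d: -f1)
    [ $(( 0x$first_octet & 1 )) -eq 1 ]
}

# Print "ip mac" for every ARP entry whose resolved MAC is a group address.
# These are the entries FreeBSD's arp(4) drops unless
# net.link.ether.inet.allow_multicast is set.
find_multicast_arp() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        ip=$(printf '%s' "$line" | sed -n 's/^? (\([^)]*\)) at \([0-9a-f:]*\) .*/\1/p')
        mac=$(printf '%s' "$line" | sed -n 's/^? (\([^)]*\)) at \([0-9a-f:]*\) .*/\2/p')
        [ -n "$mac" ] || continue
        if is_multicast_mac "$mac"; then
            printf '%s %s\n' "$ip" "$mac"
        fi
    done
}

# Read the tunable discussed in the thread; prints "unavailable" on non-FreeBSD hosts.
allow_multicast_state() {
    sysctl -n net.link.ether.inet.allow_multicast 2>/dev/null || echo "unavailable"
}

echo "allow_multicast: $(allow_multicast_state)"
find_multicast_arp "$SAMPLE_ARP"
```

On a live OPNsense box, replace the sample with `"$(arp -an)"` to list the cluster IPs the firewall currently maps to a multicast MAC.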
NJK (Newbie, Posts: 6, Karma: 0)
Re: Unable to get traffic from an NLB cluster from another VLAN
« Reply #7 on: August 24, 2023, 08:41:47 am »
I did some packet capture on the firewall and attached the screenshots of the capture to this post.
ping_210-30.png contains the capture of a working ping to a non-NLB IP address.
ping_210-40.png contains the capture of a not working ping to an NLB IP address.
To me it looks like OPNsense is just not routing the reply, but I am not an expert in this. Hopefully someone has a better idea of what is going on.
NJK (Newbie, Posts: 6, Karma: 0)
Re: Unable to get traffic from an NLB cluster from another VLAN
« Reply #8 on: August 24, 2023, 08:42:43 am »
The missing attachment