Hi,

I'm designing a new setup with relayd and multiple pools. I'm using redirects 
with forward.

The problem I have is that all the real servers are in the same VLAN.
In addition, the servers in one pool need to access the servers in another pool
through the load balancer, so I have a problem with replies not passing
through the LB (i.e. an IMAP server accessing the LDAP servers).

I've thought of different solutions for this and I've come up with the following.
I need a second opinion:

1) Use different VLAN per pool of servers
2) 1 VLAN, with 1 bridge and multiple subnets on vether devices
3) Source NAT to hide client IP
4) Use a relay as a proxy (instead of redirect on the $int_if)
5) Use DSR (route-to) with sloppy states

Solution 1 seems the best to me, but it has the overhead of adding/managing the
VLANs everywhere.
Solution 2 seems to work, but I'm not quite sure about it.
3 and 4 hide the client IP, so I want to avoid them.
5 I also want to avoid: it has problems with failover, and I don't like the half states.

So 2 seems OK: I have basic separation of pools, and I guess that since I control all
the servers, jumping from one subnet to another is not a serious security
problem.

I'd appreciate any opinions on this.

Giannis
PS: the whole setup is with carp/pfsync.
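For readers unfamiliar with the "redirect with forward" layout being discussed, here is a constructed illustration of it (an added example, not the poster's configuration; the VIP, pool addresses, interface name and ports are all assumed), with the pool-to-pool flow that bypasses the LB marked in the comments:

```conf
# ---- relayd.conf: one CARP VIP, two pools, each a "redirect ... forward to" ----
lb_addr="10.10.0.1"                     # assumed CARP VIP on the shared server VLAN

table <ldap> { 10.10.0.11 10.10.0.12 }  # constructed LDAP pool
table <imap> { 10.10.0.21 10.10.0.22 }  # constructed IMAP pool

redirect ldap {
	listen on $lb_addr port 389
	forward to <ldap> port 389 check tcp
}

redirect imap {
	listen on $lb_addr port 993
	forward to <imap> port 993 check tcp
}

# ---- pf.conf fragment on the same host ----
int_if="vlan10"                         # assumed interface carrying the server VLAN
anchor "relayd/*"                       # relayd loads its rdr-to rules here
pass in on $int_if proto tcp to $lb_addr port { 389 993 }

# The flow the post is about: an IMAP real server (10.10.0.21) connects to
# $lb_addr:389 and is rdr-to'd to an LDAP real server (10.10.0.11).  Because
# both live on the same VLAN, 10.10.0.11 answers 10.10.0.21 directly and the
# reply never traverses the LB, so pf's state on the LB never sees the return
# half of the connection.  Separate subnets/VLANs per pool (options 1 and 2)
# force that reply back through the LB; NAT or a relay (3, 4) avoid it at the
# cost of the client address; route-to with sloppy states (5) tolerates it.
```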
