Howdy folks,
I've hit one I'm not 100% sure on and the docs are a bit unclear.
Scenario:
1) Qty 2 SG-230 in an Active-Active Cluster.
2) Qty 2 50/10 internet connections
3) Qty 10 Public IP Address 5 per internet connection
4) Behind the Cluster inside the private network lives mailserver.domain.local
5) On the internet lives mailserver.publicdomain.com
6) Public DNS for mailserver.public.domain.com round robins two ip addresses.
7) Each of the round robin address is on a separate internet connection
8) The round robin address are not the primary address of the connections
9) DNAT rules are in pairs. One per server per virtual address:
Example DNATS
ANY->HTTP->VIRTUALADDRESS#2 on Connection1 --> Internal Target
ANY->HTTP->VIRTUALADDRESS#7 on Connection2 --> Internal Target
ANY->HTTPS->VIRTUALADDRESS#2 on Connection1 --> Internal Target
ANY->HTTPS->VIRTUALADDRESS#7 on Connection2 --> Internal Target
ANY->SMTP->VIRTUALADDRESS#2 on Connection1 --> Internal Target
ANY->SMTP->VIRTUALADDRESS#7 on Connection2 --> Internal Target
The question I'm left with is:
Do I need a corresponding Multi path rule for Traffic that is initiated from the internet side of the equation?
I completely understand Multi-paths role in egress traffic leaving the private LAN. I'm completely in the dark if it plays a role on ingress traffic coming from the the internet.
Originally I thought I would need Matching Multi-path rules for the trip back to the originating host to ensure a consist to and from path. Now I'm starting to think that is part of the DNAT and that I'm over thinking it; since the multi-path rule could in theory mess up the DNAT association if it applied to traffic initiated from the outside.
This thread was automatically locked due to age.
