16again wrote:

WAN_IN: For optimum speed, keep the established/related rule at the top.

Change the modify rule so it captures the entire eth0 address space:

    rule 20 {
        action modify
        description "do NOT load balance destination public address"
        destination {
            group {
                address-group NETv4_eth0
            }
        }
        modify {
            table main
        }
    }

I also noted you're missing the hairpin masquerade rule on the webserver VLAN. But since this isn't full hairpin it might not be needed. (On true hairpin, the packet leaves the same interface it entered on.)
I am not sure what to change to capture the address space. I think I added the hairpin rule. Not sure about the masquerade part.