if the load is not shared across the node it might be a reason that you have not configured the "Port Redirects" in the Configuration -> Proxies tab, right below the Proxy HA settings. Only ports listed here are picked up by the network driver and are shared between the nodes.
Also please note that "Source IP" is the criteria used for sharing the load, so if all requests come from a single IP address (NAT, downstream proxy, etc) load sharing can't be applied.
Restricting access to the VIP only could be done with a firewall sitting between clients and MWG. On MWG itself it is required that the proxy port is opened as otherwise the cluster health check fails which causes nodes to be marked as "offline".
I am suggesting you to follow this:
end users use 192.168.180.127:8080 as explicit proxy, 192.168.180.127 is 'Director VIP'.
scanning node: 192.168.180.138
Scanning only node:
Note: Here you can see the best practice with attached file which you can use in both Proxy or Transparent Mode.
MWG Best Practices HA Proxy.pdf 509.2 K
Many Thanks asabban & M. BM.