OptiqRoute Load Balancer_Transparent Mode With Firewall

7/24/2019 OptiqRoute Load Balancer_Transparent Mode With Firewall

1/13

1 / 13

OptiQroute Load Balancers

Transparent Mode Application

ApplicationDescription Firewall in front of LAN

Different Servers locatedbehind Firewall

Firewall to be accessiblefrom Internet

Load Balancer to beinstalled in a TRANSPARENTMODE between Firewall andInternet routers

Traffic to the Firewall tobe received thru bothInternet routers

WAN 1 IP : 100.1.1.1/24

Gateway IP : 100.1.1.254

Peer IP : 209.73.186.238

WAN2

Firewall

Citrix Server

10.0.0.3

Email Server

10.0.0.2

Web Server

10.0.0.1

WAN 2 IP : 200.1.1.1/24

Gateway IP : 200.1.1.254

Peer IP : 209.73.186.238

LAN IP : 100.1.1.2/24

10.0.0.254

WAN IP :

100.1.1.10100.1.1.20100.1.1.30100.1.1.40

DSL ROUTER : 200.1.1.254T1 ROUTER : 100.1.1.254

FTP Server

10.0.0.4

WAN1

LAN

Internet

OptiQroute 2120 RSW


2/13

2 / 13



NetworkDiagram

Peer IP = Public IP entered to do constant pings to and determine that live is alive beyond the Internet router

WAN2

Firewall

Citrix Server

10.0.0.3

Email Server

10.0.0.2

Web Server

10.0.0.1

WAN 1 IP : 100.1.1.1/24

Gateway IP : 100.1.1.254

Peer IP : 209.73.186.238

WAN 2 IP : 200.1.1.1/24

Gateway IP : 200.1.1.254

Peer IP : 209.73.186.238

LAN IP : 100.1.1.2/24

10.0.0.254

WAN IP :

100.1.1.10100.1.1.20100.1.1.30

100.1.1.40

DSL ROUTER : 200.1.1.254T1 ROUTER : 100.1.1.254

FTP Server

10.0.0.4

WAN1

LAN

Internet

OptiQroute 2120 RSW


3/13

3 / 13



IPTable

200.1.1.40200.1.1.30200.1.1.20200.1.1.10WAN 2

100.1.1.40100.1.1.30100.1.1.20100.1.1.10WAN 1

10.0.0.410.0.0.310.0.0.210.0.0.1Private

FTP ServerCitrix ServerEmail ServerWeb Server


4/13

4 / 13



Mapping TableCitrix Server

WAN2

Traffic arrives directly to Citrixon WAN1 thru 100.1.1.30 on a

transparent mode.

Citrix can also be reached byaccessing 200.1.1.30 (secondaryWAN2 IP). The traffic is reroutedwith Destination NAT by the LoadBalancer to 100.1.1.30.

WAN1

LAN

100.1.1.1

100.1.1.2

Transparent

Citrix: 100.1.1.30

NAT

200.1.1.1Secondary IP : 200.1.1.30

DNAT

Citrix Server

10.0.0.3

Email Server

10.0.0.2

Web Server

10.0.0.1

FTP Server

10.0.0.4

Firewall

InternetInternet


5/13

5 / 13



Programming of the Load Balancer

It is done in 4 steps:

STEP 1 Configuration of WAN Interfaces (slide 6-8)We will enter the IP addresses of WAN, Peer IPs, Secondary WAN IPs, bandwidth values and

enable Proxy ARP.

STEP 2 Setup LAN Interface (slide 9)We will enter the IP address for LAN in the same segment as the WAN and enable Proxy ARP.

STEP 3 Setup Host in the LAN/Firewall (slide 10)We will enter host located behind the Firewall as IP addresses in the LAN side of the balancer.

At this point, and due to the transparent mode, the Firewall can be reached from the Internet with the

public IP addresses.

STEP 4 Setup DNAT Rules (slides 11-12)We will enter Destination NAT rules (DNAT) that will forward the traffic received on the second WAN

interface to the public IP addresses that reside on the Firewall WAN port. Now the Firewall isbeing reached on both sets of public IP addresses.


6/13

6 / 13



Programming WAN interfaces : Expand Configuration, Interface andWAN


7/13

7 / 13



We enable Proxy-ARP to keep for Transparent Mode (need to be done both in WAN and LAN)

We enter and define the parameters for the WAN interface. IP Address is the load balancer IP

address with its network mask (/24 = 255.255.255.0). The Gateway IP is the IP of the router in frontof the load balancer. The Peer IP is a PUBLIC IP that the load balancer uses to do pings to so that wecan determine the line is alive.


8/13

8 / 13



We need to define finally the SECONDARYIP addresses that will reside on the WANports. We WILL NOT INCLUDE the IPaddresses that will be assigned to the

Firewall WAN port or Internet routers,only those IP addresses that will be locatedat the WAN ports.

We enter and define additional Peer Ip addresses (ifthe main Peer IP is not working, these extended IPswill be used to determine the line is alive). Set up

also the bandwidth associated to Internet lines.


9/13

9 / 13



Under Configuration Interface LAN: we would enter the LAN IP address in the same segment as the WAN IPs andwe need to enable the Proxy ARP as well.


10/13

10 / 13



Under Configuration Router We will enter the hosts/IP addresses that are present in the LAN or WAN. The hosts(IP addresses resident in the firewall) need to be entered with a network mask /32.


11/13

11 / 13



Finally we need to include Destination NAT Rules under Configuration NAT. These rules will redirect the trafficthat arrives to the secondary IP addresses on the WAN ports to the IPs terminating in the Firewall. In the slide wecan see that ALL TRAFFIC ARRIVING TO THE WAN INTERFACE WITH DESTINATION IP 200.1.1.10 (web servertraffic) NEEDS TO BE DELIVERED TO 100.1.1.10 (IP in the firewall to further route to the web server).


12/13

12 / 13



The different NAT / DNAT rules entered to route traffic from the secondary WAN 2 Ips to the public Firewallpublic Ips


13/13

13 / 13



Contact:www.alvaco.com

Toll Free: 1-877-641-2109

Phone: 1-407-574-2017

Fax:1-407-574-2016

[email protected]

[email protected]

Information& Support

Documents

OptiqRoute Load Balancer_Transparent Mode With Firewall