Upload
javier-gomez
View
221
Download
0
Embed Size (px)
Citation preview
7/24/2019 OptiqRoute Load Balancer_Transparent Mode With Firewall
1/13
1 / 13
OptiQroute Load Balancers
Transparent Mode Application
ApplicationDescription Firewall in front of LAN
Different Servers locatedbehind Firewall
Firewall to be accessiblefrom Internet
Load Balancer to beinstalled in a TRANSPARENTMODE between Firewall andInternet routers
Traffic to the Firewall tobe received thru bothInternet routers
WAN 1 IP : 100.1.1.1/24
Gateway IP : 100.1.1.254
Peer IP : 209.73.186.238
WAN2
Firewall
Citrix Server
10.0.0.3
Email Server
10.0.0.2
Web Server
10.0.0.1
WAN 2 IP : 200.1.1.1/24
Gateway IP : 200.1.1.254
Peer IP : 209.73.186.238
LAN IP : 100.1.1.2/24
10.0.0.254
WAN IP :
100.1.1.10100.1.1.20100.1.1.30100.1.1.40
DSL ROUTER : 200.1.1.254T1 ROUTER : 100.1.1.254
FTP Server
10.0.0.4
WAN1
LAN
Internet
OptiQroute 2120 RSW
7/24/2019 OptiqRoute Load Balancer_Transparent Mode With Firewall
2/13
2 / 13
OptiQroute Load Balancers
Transparent Mode Application
NetworkDiagram
Peer IP = Public IP entered to do constant pings to and determine that live is alive beyond the Internet router
WAN2
Firewall
Citrix Server
10.0.0.3
Email Server
10.0.0.2
Web Server
10.0.0.1
WAN 1 IP : 100.1.1.1/24
Gateway IP : 100.1.1.254
Peer IP : 209.73.186.238
WAN 2 IP : 200.1.1.1/24
Gateway IP : 200.1.1.254
Peer IP : 209.73.186.238
LAN IP : 100.1.1.2/24
10.0.0.254
WAN IP :
100.1.1.10100.1.1.20100.1.1.30
100.1.1.40
DSL ROUTER : 200.1.1.254T1 ROUTER : 100.1.1.254
FTP Server
10.0.0.4
WAN1
LAN
Internet
OptiQroute 2120 RSW
7/24/2019 OptiqRoute Load Balancer_Transparent Mode With Firewall
3/13
3 / 13
OptiQroute Load Balancers
Transparent Mode Application
IPTable
200.1.1.40200.1.1.30200.1.1.20200.1.1.10WAN 2
100.1.1.40100.1.1.30100.1.1.20100.1.1.10WAN 1
10.0.0.410.0.0.310.0.0.210.0.0.1Private
FTP ServerCitrix ServerEmail ServerWeb Server
7/24/2019 OptiqRoute Load Balancer_Transparent Mode With Firewall
4/13
4 / 13
OptiQroute Load Balancers
Transparent Mode Application
Mapping TableCitrix Server
WAN2
Traffic arrives directly to Citrixon WAN1 thru 100.1.1.30 on a
transparent mode.
Citrix can also be reached byaccessing 200.1.1.30 (secondaryWAN2 IP). The traffic is reroutedwith Destination NAT by the LoadBalancer to 100.1.1.30.
WAN1
LAN
100.1.1.1
100.1.1.2
Transparent
Citrix: 100.1.1.30
NAT
200.1.1.1Secondary IP : 200.1.1.30
DNAT
Citrix Server
10.0.0.3
Email Server
10.0.0.2
Web Server
10.0.0.1
FTP Server
10.0.0.4
Firewall
InternetInternet
7/24/2019 OptiqRoute Load Balancer_Transparent Mode With Firewall
5/13
5 / 13
OptiQroute Load Balancers
Transparent Mode Application
Programming of the Load Balancer
It is done in 4 steps:
STEP 1 Configuration of WAN Interfaces (slide 6-8)We will enter the IP addresses of WAN, Peer IPs, Secondary WAN IPs, bandwidth values and
enable Proxy ARP.
STEP 2 Setup LAN Interface (slide 9)We will enter the IP address for LAN in the same segment as the WAN and enable Proxy ARP.
STEP 3 Setup Host in the LAN/Firewall (slide 10)We will enter host located behind the Firewall as IP addresses in the LAN side of the balancer.
At this point, and due to the transparent mode, the Firewall can be reached from the Internet with the
public IP addresses.
STEP 4 Setup DNAT Rules (slides 11-12)We will enter Destination NAT rules (DNAT) that will forward the traffic received on the second WAN
interface to the public IP addresses that reside on the Firewall WAN port. Now the Firewall isbeing reached on both sets of public IP addresses.
7/24/2019 OptiqRoute Load Balancer_Transparent Mode With Firewall
6/13
6 / 13
OptiQroute Load Balancers
Transparent Mode Application
Programming WAN interfaces : Expand Configuration, Interface andWAN
7/24/2019 OptiqRoute Load Balancer_Transparent Mode With Firewall
7/13
7 / 13
OptiQroute Load Balancers
Transparent Mode Application
We enable Proxy-ARP to keep for Transparent Mode (need to be done both in WAN and LAN)
We enter and define the parameters for the WAN interface. IP Address is the load balancer IP
address with its network mask (/24 = 255.255.255.0). The Gateway IP is the IP of the router in frontof the load balancer. The Peer IP is a PUBLIC IP that the load balancer uses to do pings to so that wecan determine the line is alive.
7/24/2019 OptiqRoute Load Balancer_Transparent Mode With Firewall
8/13
8 / 13
OptiQroute Load Balancers
Transparent Mode Application
We need to define finally the SECONDARYIP addresses that will reside on the WANports. We WILL NOT INCLUDE the IPaddresses that will be assigned to the
Firewall WAN port or Internet routers,only those IP addresses that will be locatedat the WAN ports.
We enter and define additional Peer Ip addresses (ifthe main Peer IP is not working, these extended IPswill be used to determine the line is alive). Set up
also the bandwidth associated to Internet lines.
7/24/2019 OptiqRoute Load Balancer_Transparent Mode With Firewall
9/13
9 / 13
OptiQroute Load Balancers
Transparent Mode Application
Under Configuration Interface LAN: we would enter the LAN IP address in the same segment as the WAN IPs andwe need to enable the Proxy ARP as well.
7/24/2019 OptiqRoute Load Balancer_Transparent Mode With Firewall
10/13
10 / 13
OptiQroute Load Balancers
Transparent Mode Application
Under Configuration Router We will enter the hosts/IP addresses that are present in the LAN or WAN. The hosts(IP addresses resident in the firewall) need to be entered with a network mask /32.
7/24/2019 OptiqRoute Load Balancer_Transparent Mode With Firewall
11/13
11 / 13
OptiQroute Load Balancers
Transparent Mode Application
Finally we need to include Destination NAT Rules under Configuration NAT. These rules will redirect the trafficthat arrives to the secondary IP addresses on the WAN ports to the IPs terminating in the Firewall. In the slide wecan see that ALL TRAFFIC ARRIVING TO THE WAN INTERFACE WITH DESTINATION IP 200.1.1.10 (web servertraffic) NEEDS TO BE DELIVERED TO 100.1.1.10 (IP in the firewall to further route to the web server).
7/24/2019 OptiqRoute Load Balancer_Transparent Mode With Firewall
12/13
12 / 13
OptiQroute Load Balancers
Transparent Mode Application
The different NAT / DNAT rules entered to route traffic from the secondary WAN 2 Ips to the public Firewallpublic Ips
7/24/2019 OptiqRoute Load Balancer_Transparent Mode With Firewall
13/13
13 / 13
OptiQroute Load Balancers
Transparent Mode Application
Contact:www.alvaco.com
Toll Free: 1-877-641-2109
Phone: 1-407-574-2017
Fax:1-407-574-2016
Information& Support