Firewall Wizards mailing list archives

Re: RES: Firewall Load Balance


From: paul <paul () hessels ca>
Date: Thu, 18 Apr 2002 14:58:36 -0400 (EDT)

The routing protocol doesn't really have anything to do with the 
actual load balancing.  The routing engine is what will tell you if you 
can do this or not.

Most routing engines, the routing in the Linux kernel for instance, use 
ECMP[1], Equal Cost Multi Pathing.  Basically the load balancing is done 
based on a src/dst ip pair, sometimes with src/dst port thrown in. ECMP is 
cheap vs per-packet load balancing, so it's likely your router will 
use ECMP.

If your router does ECMP with src/dst ip then your stateful firewall 
should work without any problems.  

If it uses src/dst port you can get into problems with things like active 
ftp.

If it doesn't use ECMP, but uses per-packet load balancing, you are SOL.

With ECMP the firewalls don't have to have the same connection tracking 
table.

SIMPLE EXAMPLE:

ECMP should always choose the same paths.

                  ----firewallA---WebFarmA
           (ECMP)/
internet---router
                 \
                  ----firewallB---WebFarmB

COMPLEX EXAMPLE:

There are, of course, more complex examples.  You can run into problems 
with dynamic load balancing and stateful firewalls... assuming you have two 
firewalls between four routers... a six pack if you will.  In this example 
I will assume all 6 machines are running Linux with zebra-ospf (including 
the firewalls).

i\
n \BGPpeerA  
t  }---------routerA---firewallA---routerC--WebFarmA
e  }           |    \ /         \ /     
r  }           |    / \         / \     
n  }---------routerB---firewallB---routerD--WebFarmB
r /BGPpeerB
t/

This gives you a load balanced, highly available connection... the problem 
arises if the different routers decide on different than expected return 
paths.  For instance, if the traffic path looks like this then your 
firewall won't be able to be stateful: 

BGPpeerB > routerB > firewallB > routerD > WebFarmB > routerD > firewallA > routerB

What we did to solve this, hackish I'll admit, is to run NAT on the 
firewalls with the right of the diagram being internal address space.  
This ensures that the return path is the correct one.  You could also force 
paths through the network by setting local-prefs.... less hackish, but less 
load balanced... depending on what your two internet connections are sized 
to.

DISCLAIMER:  I haven't had my coffee yet today... nor my donut.

[1] There is an RFC about this.... done by the people at merit.
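An added simulation, not code from the original post, of the point above: two stateful firewalls behind a router that picks a path by hashing the src/dst ip pair, by hashing ip plus ports, or per packet. The addresses, ports, traffic and the toy byte-sum hash standing in for the router's real hash are all constructed for this example.

```python
from itertools import count

# Constructed addresses (documentation ranges); nothing here comes from the post.
CLIENT, SERVER = "192.0.2.10", "198.51.100.80"

class StatefulFirewall:
    """Accepts packets only for connections whose opening SYN it saw itself."""
    def __init__(self):
        self.conns, self.ftp_ctl = set(), set()

    def forward(self, pkt):
        src, dst, sport, dport, syn = pkt
        if (src, dst, sport, dport) in self.conns or (dst, src, dport, sport) in self.conns:
            return True                                  # established, either direction
        if not syn:
            return False                                 # mid-stream packet, no state here
        if dst == SERVER:                                # policy: new connections to the farm
            self.conns.add((src, dst, sport, dport))
            if dport == 21:
                self.ftp_ctl.add((dst, src))             # FTP helper remembers control session
            return True
        if sport == 20 and (src, dst) in self.ftp_ctl:   # related active-FTP data connection
            self.conns.add((src, dst, sport, dport))
            return True
        return False

def flow_hash(pkt, n, with_ports):
    """ECMP stand-in: byte-sum of the flow key (a real router uses a proper hash).
    Endpoints are sorted so both directions of a connection map to the same path."""
    src, dst, sport, dport, _ = pkt
    key = "|".join(sorted([src, dst]))
    if with_ports:
        key += "|%d|%d" % tuple(sorted([sport, dport]))
    return sum(key.encode()) % n

def ecmp_ip(pkt, n):        return flow_hash(pkt, n, False)
def ecmp_ip_port(pkt, n):   return flow_hash(pkt, n, True)
def per_packet():           # round robin: every packet takes the next path
    c = count()
    return lambda pkt, n: next(c) % n

def simulate(packets, pick):
    """Returns how many packets the firewall chosen by pick() accepted."""
    fws = [StatefulFirewall(), StatefulFirewall()]       # firewallA, firewallB
    return sum(fws[pick(pkt, len(fws))].forward(pkt) for pkt in packets)

# Constructed traffic: (src, dst, sport, dport, syn)
HTTP = [(CLIENT, SERVER, 40000, 80, True)] + [(CLIENT, SERVER, 40000, 80, False)] * 3 \
     + [(SERVER, CLIENT, 80, 40000, False)] * 2
ACTIVE_FTP = [(CLIENT, SERVER, 40000, 21, True), (CLIENT, SERVER, 40000, 21, False),
              (SERVER, CLIENT, 21, 40000, False),
              (SERVER, CLIENT, 20, 40002, True),          # server opens the data channel
              (SERVER, CLIENT, 20, 40002, False), (CLIENT, SERVER, 40002, 20, False)]
```

With ip-pair hashing every packet of both connections lands on the same box and all are accepted; with ip+port hashing the constructed FTP data channel hashes to the other firewall, which has no control session and drops it; per-packet round robin drops every packet that arrives at the box without the state.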

On Thu, 18 Apr 2002, Marcelo Barbosa Lima wrote:


Thanks Rob, but I think that this doesn't work very well. It's important
that both Linux boxes have the same connection tracking table. OSPF does
load balance on packet traffic. It doesn't pay attention to connections
before forwarding packets. I believe that some packets can be rejected in
the stateful firewall.

-----Original Message-----
From: mahhy [mailto:mahhy () undertow ca] 
Sent: Thursday, 18 April 2002 09:18
To: Marcelo Barbosa Lima
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Firewall Load Balance

On Tue, 16 Apr 2002, Marcelo Barbosa Lima wrote:
Is it possible to implement an architecture of firewall load
balance using only two Linux boxes? LVS allows implementing load
balance for services. I want to offer load balance and high
availability using Linux. Did anybody do it? Thanks,

I currently do this at work.  Two Linux iptables firewalls, using the
High Availability package from www.linux-ha.org.

This allows the Primary Firewall to fail and the Secondary to take over.

I know this isn't quite what you are looking for, as you would like to
load balance over the two machines.

My solution to this was to use OSPF on the firewalls, and a fairly 
intelligent router behind the firewall.  It basically round robins any 
outbound connections to the two machines (since in OSPF terms there are 
two default routes).

I'm sure there are other ways to achieve this as well.



-- 

yow

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards