Applies To: BIG-IP versions 1.x - 4.x (3.3.1 PTF-06, 3.3.1 PTF-05, 3.3.1 PTF-04, 3.3.1 PTF-03, 3.3.1 PTF-02, 3.3.1 PTF-01, 3.3.1, 3.3.0)
10 Balancing Traffic Outbound to the Internet
Introducing firewall load balancing for outbound traffic
This chapter explains how to set up a configuration in which users behind a set of firewalls request information from Internet servers. Such a configuration is common for any enterprise that wants to provide users on its intranet access to the Internet, but wants to deny Internet users access to its intranet.
The job of the BIG-IP Controller redundant system is to load balance the firewalls so that they perform as efficiently and effectively as possible. You can also use the BIG-IP Controller redundant system to limit outbound traffic to specific ports, thereby enhancing security.
This type of configuration requires you to configure network address translation (NAT) on your firewalls. Before attempting to implement this configuration, verify that your firewalls can perform NAT.
Figure 10.1, following, illustrates this type of scenario, and provides an example configuration for this entire chapter. Remember that this is just a sample: when creating your own configuration, you must use IP addresses, host names, and so on, that are applicable to your own network.
Figure 10.1 Balancing outbound traffic
Configuration tasks
To configure firewall load balancing for outbound traffic, you need to complete the following tasks in order:
- Verify user network routing.
- Create a load balancing pool for the firewalls.
- Create a wildcard virtual server that references the load balancing pool, so that outbound traffic is load balanced across the firewalls and forwarded to the Internet.
- Configure interfaces on the BIG-IP Controller redundant system.
- Configure address translation on the firewalls.
- Create a route on the firewalls for return traffic to the user network.
Each of the following sections explains one of these tasks, and shows how you perform the task in order to implement a configuration typical for an enterprise that wants to provide users limited access to the Internet, as shown in Figure 10.1.
Note: The procedures in this chapter detail how to configure a single BIG-IP Controller. In order to complete your configuration, synchronize the configured BIG-IP Controller with the other BIG-IP Controller in your BIG-IP Controller redundant system, as detailed in Synchronizing configurations between controllers, on page 18-41.
Verifying user network routing
Verify that the default route on the router between your client network and the BIG-IP Controller redundant system is the internal shared alias for the BIG-IP Controller redundant system. This alias is configured during setup, using the First-Time Boot utility. For more information about this utility, see Running the First Time Boot utility in the BIG-IP Installation Guide. For more information about routing, see Addressing routing issues in the BIG-IP Installation Guide.
To implement the example configuration shown in Figure 10.1, make sure that the router between network 10.10.40.0/24 and the BIG-IP Controller redundant system is configured to point to 10.10.30.1.
Note: The router in Figure 10.1 is optional. If the client network is on the same network as the BIG-IP Controller redundant system, then you can use the BIG-IP Controller internal shared alias as a default gateway for the client network.
Creating a pool for the firewalls
To use this configuration, you must create a load balancing pool. A pool is a group of devices that you want the BIG-IP Controller redundant system to load balance. The devices you want to load balance are your firewalls, so you create a pool containing the inside interfaces of these firewalls. For more information about pools, refer to Configuring a pool, on page 18-5.
You can use either the Configuration utility or the bigpipe pool command to create the pool.
To create a pool using the Configuration utility
1. In the navigation pane, click Pools.
   The Pools screen opens.
2. In the toolbar, click the Add Pool button.
   The Add Pool screen opens.
3. In the Add Pool screen, configure the attributes required for the firewalls you want to add to the pool.
   For additional information about creating a pool, click the Help button.
Configuration notes
To create the configuration shown in Figure 10.1:
- Create a pool named firewalls.
- Add each firewall from the example, 10.10.20.4, 10.10.20.5, and 10.10.20.6, to the pool. For each firewall you add to the pool, specify port 0, which means this firewall accepts traffic on all ports.
To create the pool from the command line
Use the bigpipe pool command to create the pool:
bigpipe pool <pool name> { lb_method <xx> member <Firewall1>:0 member <Firewall2>:0 member <Firewall3>:0 }
In the command, replace the parameters with the appropriate information.
- <pool name> is a 1-31 character identifier for the pool.
- <Firewall1>, <Firewall2>, and <Firewall3> are the inside IP addresses of your respective firewalls.
- lb_method <xx> designates the load balancing method. For more information, refer to Understanding individual load balancing methods in BIG-IP Reference Guide.
In Figure 10.1, for example, the pool for the inside addresses is firewalls, the inside addresses are 10.10.20.4, 10.10.20.5, and 10.10.20.6, and the load balancing method is Round Robin. Thus, the command to implement this configuration would be:
bigpipe pool firewalls { lb_method rr member 10.10.20.4:0 member 10.10.20.5:0 member 10.10.20.6:0 }
Creating a wildcard virtual server
To configure the BIG-IP Controller redundant system for outbound connections, you must create a wildcard virtual server; that is, a virtual server that accepts all traffic from the user network, then load balances the traffic across the firewalls.
To create a wildcard virtual server using the Configuration utility
1. In the navigation pane, click Virtual Servers.
2. On the toolbar, click Add Virtual Server.
   The Add Virtual Server screen opens.
3. In the Add Virtual Server screen, configure the attributes required for the virtual server you want to add.
   For additional information about creating a virtual server, click the Help button.
Configuration notes
To create the configuration shown in Figure 10.1:
- Add a virtual server with address 0.0.0.0 and port 0 (this designates a wildcard virtual server).
- In the Pool list, select firewalls (having created the firewalls pool in Creating a pool for the firewalls, on page 10-4).
To create a wildcard virtual server from the command line
Use the bigpipe vip command to configure the virtual server to use the pool that contains the inside addresses of the firewalls:
bigpipe vip 0.0.0.0:0 <interface> use pool <pool name>
In the command, replace the parameters with the appropriate information:
- <interface> is the interface on the BIG-IP on which you want to create this virtual server.
- <pool name> is the name of the pool you want this virtual server to use.
Repeat this command for each service you want to configure.
To implement the example configuration shown in Figure 10.1, the command is:
bigpipe vip 0.0.0.0:0 none use pool firewalls
Enhancing security
To supplement the security offered by your firewalls, you may want to limit the types of traffic that can pass outbound to the Internet. You can use port-specific wildcard virtual servers to restrict traffic in this manner. While a standard wildcard virtual server forwards all traffic, a port-specific wildcard virtual server forwards only traffic destined for the specified port. For more information, see Defining wildcard virtual servers, on page 18-8.
You can use either the Configuration utility or the bigpipe vip command to create the virtual server.
To create a port-specific wildcard server using the Configuration utility
Follow the instructions detailed in To create a wildcard virtual server using the Configuration utility, on page 10-6. In step 3, when you configure the Port attribute, choose the port to which you want outgoing traffic to be limited for that virtual server. Complete the rest of the directions as detailed on page 10-6, then repeat the process for any other ports you want to be accessible to outgoing traffic.
To implement the example configuration shown in Figure 10.1, to limit the traffic forwarded to HTTP and FTP, you would complete the steps in To create a wildcard virtual server using the Configuration utility three times (that is, once for each of three port-specific virtual servers). For the Port attribute, you would enter 80 for the HTTP service, and 20 and 21 for the FTP service.
To create a port-specific wildcard server from the command line
To create a port-specific wildcard server, use the bigpipe vip command as you did in To create a wildcard virtual server from the command line, on page 10-6. Substitute the number of the port to which you want to limit access.
To limit the traffic forwarded to HTTP and FTP in the configuration shown in Figure 10.1, you would replace the command in To create a wildcard virtual server from the command line with the following commands:
bigpipe vip 0.0.0.0:80 none use pool firewalls
bigpipe vip 0.0.0.0:20 none use pool firewalls
bigpipe vip 0.0.0.0:21 none use pool firewalls
Configuring interfaces
Typically, a BIG-IP Controller has two interfaces:
- An external interface, typically set for destination processing. In Figure 10.1, the external interface is exp0.
- An internal interface, typically set for source processing. In Figure 10.1, the internal interface is exp1.
For this configuration, you set, or reset, interface processing so that the internal interface only processes destination addresses. This enables the wildcard virtual server you created in Creating a wildcard virtual server, on page 10-5, to process outbound user requests.
You must also set, or reset, interface processing on the external interface, so that this interface only processes source addresses. When the result of a user request returns from the Internet to the external interface, source processing looks up the connection established by the wildcard virtual server on the destination processing (internal) interface, then sends the result to the user.
To configure source and destination processing using the Configuration utility
1. In the navigation pane, click NICs.
   The Network Interface Cards screen opens. You can view the current settings for each interface in the Network Interface Card table.
2. In the Network Interface Card table, click the name of the interface you want to configure.
   The Network Interface Card Properties screen opens.
3. In the Network Interface Card Properties screen, configure the attributes required for the interface.
   For additional information about configuring an interface, click the Help button.
Configuration notes
To create the configuration shown in Figure 10.1:
- For exp0, make sure the Enable Source Processing check box is checked.
- For exp1, make sure the Enable Destination Processing check box is checked.
To configure source processing from the command line
Use the bigpipe interface command with the source keyword to turn source processing on or off for an interface:
bigpipe interface <interface> source [ enable | disable ]
where <interface> is the identifier of the BIG-IP Controller interface whose source processing you want to set.
To implement the example configuration shown in Figure 10.1, you use the commands:
bigpipe interface exp0 source enable
bigpipe interface exp1 source disable
To configure destination processing from the command line
Use the bigpipe interface command with the dest keyword to turn destination processing on or off for an interface:
bigpipe interface <interface> dest [ enable | disable ]
where <interface> is the identifier of the BIG-IP Controller interface whose destination processing you want to set.
For the example configuration shown in Figure 10.1, you would use the commands:
bigpipe interface exp1 dest enable
bigpipe interface exp0 dest disable
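As an added check for the wildcard virtual server, port restriction and interface processing sections above (example code written for this page, not part of F5's documentation or of the bigpipe tool), the following Python audits a list of bigpipe commands in the forms this chapter shows: it reports which outbound ports the wildcard virtual servers forward, flags a 0.0.0.0:0 catch-all that would make port-specific servers ineffective, flags references to pools that were never defined, checks that pool members use port 0, and checks that the interface roles of Figure 10.1 (exp0 external with source processing, exp1 internal with destination processing) are in place. The sample configuration is constructed here and deliberately keeps a pool-name slip so the check has something to find.

```python
import re

# Constructed sample, not from the page's configuration files: the chapter's example
# commands, with a pool-name slip ("firewall" vs "firewalls") so the audit finds it.
SAMPLE_CONFIG = """\
bigpipe pool firewalls { lb_method rr member 10.10.20.4:0 member 10.10.20.5:0 member 10.10.20.6:0 }
bigpipe vip 0.0.0.0:80 none use pool firewalls
bigpipe vip 0.0.0.0:20 none use pool firewall
bigpipe vip 0.0.0.0:21 none use pool firewall
bigpipe interface exp0 source enable
bigpipe interface exp1 dest enable
"""

POOL_RE = re.compile(r"^bigpipe pool (\S+) \{(.*)\}$")
VIP_RE = re.compile(r"^bigpipe vip (\d+(?:\.\d+){3}):(\d+) \S+ use pool (\S+)$")
IFACE_RE = re.compile(r"^bigpipe interface (\S+) (source|dest) (enable|disable)$")


def audit_outbound_config(text, external="exp0", internal="exp1"):
    """Return (allowed_ports, findings): the destination ports the wildcard virtual servers
    forward (None when a 0.0.0.0:0 catch-all forwards everything) and policy problems found."""
    pools, vips, ifaces, findings = {}, [], {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := POOL_RE.match(line):
            pools[m.group(1)] = re.findall(r"member (\S+):(\d+)", m.group(2))
        elif m := VIP_RE.match(line):
            vips.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := IFACE_RE.match(line):
            ifaces[(m.group(1), m.group(2))] = m.group(3) == "enable"
    for name, members in pools.items():
        for addr, port in members:
            if port != "0":  # the chapter requires port 0 so a firewall accepts all ports
                findings.append(f"pool {name}: member {addr} uses port {port}, not 0")
    for addr, port, pool in vips:
        if pool not in pools:
            findings.append(f"vip {addr}:{port} references undefined pool '{pool}'")
    wildcard_ports = {port for addr, port, _ in vips if addr == "0.0.0.0"}
    allowed = wildcard_ports
    if 0 in wildcard_ports:
        allowed = None  # a standard wildcard server forwards every port
        if len(wildcard_ports) > 1:
            findings.append("0.0.0.0:0 catch-all coexists with port-specific wildcards: all ports still forwarded")
    if not ifaces.get((internal, "dest")):
        findings.append(f"destination processing not enabled on internal interface {internal}")
    if not ifaces.get((external, "source")):
        findings.append(f"source processing not enabled on external interface {external}")
    return allowed, findings
```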
Configuring network address translation on firewalls
This example configuration includes a single BIG-IP Controller redundant system on the inside of your firewalls. In this respect it is different from other configurations in this guide, which include BIG-IP Controller redundant pairs on both sides of your firewalls. Although the use of one BIG-IP Controller redundant pair simplifies some aspects of the configuration, it also requires additional work from your firewalls.
Specifically, you must configure your firewalls so that they perform network address translation (NAT). This ensures that, in situations where a firewall opens and maintains a connection for a user, packets sent back to that user return to the user through that firewall. Refer to your firewall documentation for instructions on NAT configuration.
Creating a route for return traffic
For outbound traffic, the virtual server you created in Creating a wildcard virtual server, on page 10-5, determines the next hop; that is, the next device to which a request should be sent in order to reach its ultimate destination. Therefore, no special routing is required. However, in order to provide a route back to your internal network, you must add a route on your firewalls to this network, using the external shared alias of the BIG-IP Controller redundant system as a gateway.
In Figure 10.1, the external shared alias of the BIG-IP Controller system is 10.10.20.1 and the internal network is 10.10.40.0/24. Thus, a command to configure this routing might be:
route add -net 10.10.40.0 -gateway 10.10.20.1
The exact syntax of this command depends on the type of router.