Manual Chapter : BIG-IP Administrator guide v4.0: Balancing Two-Way Traffic Across Firewalls

Applies To:


BIG-IP versions 1.x - 4.x

  • 4.0 PTF-04, 4.0 PTF-03, 4.0 PTF-02, 4.0 PTF-01, 4.0.0


Chapter 9

Balancing Two-Way Traffic Across Firewalls



Introducing two-way firewall load balancing

This chapter describes how to set up a configuration that load balances two types of traffic:

  • Users on the Internet requesting information from a pair of enterprise servers behind the enterprise's set of firewalls, generating inbound traffic.
  • Users behind a set of firewalls requesting information from Internet servers, generating outbound traffic.

This type of configuration is appropriate for any enterprise that wants to provide information by way of the Internet, while limiting traffic to a specific service, and also wants to maintain a large intranet with fast access to the Internet for internal users.

This configuration calls for two BIG-IP Controllers:

  • A BIG-IP Controller on the outside (that is, the side nearest the Internet) of the firewalls, to balance traffic inbound across the firewalls.
  • A BIG-IP Controller on the inside (that is, the side nearest the enterprise servers) of the firewalls to balance traffic outbound across the firewalls, and also to balance traffic inbound across the server array.

Collectively, this is known as a firewall sandwich configuration, because the BIG-IP Controllers sit on either side of the firewalls, sandwiching them. Figure 9.1 illustrates this type of configuration, and provides the example configuration used throughout this chapter. Remember that this is just a sample: when creating your own configuration, you must use IP addresses, host names, and so on, that are applicable to your own network.

Note: All products except the BIG-IP e-Commerce Controller support this configuration.

Figure 9.1 Load balancing two-way traffic

Configuring two-way firewall load balancing

To load balance enterprise servers as well as two-way traffic across a set of firewalls using a firewall sandwich configuration, you need to complete all the following tasks in order:

  • Configure routing to the internal network.
  • Create pools for firewalls and servers.
  • Create virtual servers for inbound traffic.
  • Create virtual servers for outbound traffic.
  • Configure administrative routing.

The following sections provide details on how to set up this configuration, using the sample IP addresses and device names in Figure 9.1 as an example.

Configuring routing to the internal network

The external router should route traffic bound for the network that includes your intranet by way of the external VLAN of the external BIG-IP Controller.

In Figure 9.1, the internal controller is BIG-IP 2, the network is 10.10.30.0/24, and the external address (or floating self IP address, for a redundant system) of the external controller is 10.10.10.1. Thus, a command to configure this routing might be:

route add -net 10.10.30.0 -gateway 10.10.10.1

The exact syntax of this command depends on the type of router.

Creating pools for firewalls and servers

To use this configuration, you must create load balancing pools. You will create three pools.

  • To load balance incoming requests across the external interfaces of your firewalls, you create a pool that includes these external interfaces.
  • Because requests that pass through the firewalls must be load balanced to the enterprise servers, you create a pool that includes these enterprise servers.
  • Outgoing requests must be balanced across the internal interfaces of your firewalls, so you create a pool that includes these internal interfaces.

Creating a pool for outside firewall interfaces

When using this configuration, you first create the pool for the outside addresses of the firewalls on the outside BIG-IP Controller.

To create the pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. Click the Add button.
    The Add Pool screen opens.
  3. Configure the following attributes on the Add Pool screen. For additional information about creating a pool, click the Help button.

    Configuration notes

    To create the configuration shown in Figure 9.1:

    · Create a pool named firewalls_outside.

    · Add each firewall from the example, 10.10.20.4, 10.10.20.5, and 10.10.20.6, to the pool. For each firewall you add to the pool, specify port 0.

To create the pool from the command line

Use the bigpipe pool command to create the pool:

b pool <pool name> { member <Firewall1>:0 member <Firewall2>:0 member <Firewall3>:0 }

In Figure 9.1, for example, the pool for the outside addresses is firewalls_outside, and the outside addresses are 10.10.20.4, 10.10.20.5, and 10.10.20.6. Thus, the command would be:

b pool firewalls_outside { member 10.10.20.4:0 member 10.10.20.5:0 member 10.10.20.6:0 }

Creating a pool for inside firewall interfaces

Next, create a pool for the internal addresses of your firewalls on the inside BIG-IP Controller BIG-IP 2. Use the Configuration utility, or the bigpipe pool command, as you did to create the pool for the outside firewall addresses. Choose a pool name appropriate for this pool.

To create the pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. Click the Add button.
    The Add Pool screen opens.
  3. Configure the following attributes on the Add Pool screen. For additional information about creating a pool, click the Help button.

    Configuration notes

    When you create the configuration shown in Figure 9.1:

    · Create a pool named firewalls_inside.

    · Add each firewall from the example, 10.10.30.4, 10.10.30.5, and 10.10.30.6, to the pool. For each firewall you add to the pool, specify port 0.

To create the pool from the command line

Use the bigpipe pool command to create the pool:

b pool <pool name> { member <Firewall1>:0 member <Firewall2>:0 member <Firewall3>:0 }

To implement the configuration shown in Figure 9.1, you create this pool on BIG-IP 2. In this example, the pool for the inside addresses is firewalls_inside, and the inside addresses are 10.10.30.4, 10.10.30.5, and 10.10.30.6. Thus, the command to implement this configuration would be:

b pool firewalls_inside { member 10.10.30.4:0 member 10.10.30.5:0 member 10.10.30.6:0 }

Creating a pool for servers

Finally, create the pool for the nodes that handle requests to your enterprise servers on the inside BIG-IP Controller BIG-IP 2. Use the Configuration utility, or the bigpipe pool command, as you did to create the firewall pools. Choose a pool name appropriate for this pool.

To create the pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. Click the Add button.
    The Add Pool screen opens.
  3. Configure the following attributes on the Add Pool screen. For additional information about creating a pool, click the Help button.

    Configuration notes

    When you create the configuration shown in Figure 9.1:

    · Create a pool named servers.

    · Add the servers 10.10.40.4 and 10.10.40.5 to the pool. For each server, specify port 0.

To create the pool from the command line

Use the bigpipe pool command to create the pool:

b pool <pool name> { member <Server1>:0 member <Server2>:0 }

To implement the configuration shown in Figure 9.1, you create this pool on BIG-IP 2. In this example, the pool for the server addresses is servers, and the server addresses are 10.10.40.4 and 10.10.40.5. Thus, the command to implement this configuration would be:

b pool servers { member 10.10.40.4:80 member 10.10.40.5:80 }

Creating virtual servers for inbound traffic

After you define the pools for the outer interfaces of the firewalls, you can define virtual servers on the BIG-IP Controllers to load balance inbound connections. To do this you:

  • Create a network virtual server on the outside BIG-IP Controller BIG-IP 1 to load balance the firewalls. A network virtual server is a virtual server that handles a whole network range, instead of just one IP address.
  • Create a standard virtual server on the inside BIG-IP Controller BIG-IP 2 to load balance the enterprise servers.

Creating a network virtual server to load balance the firewalls

Because the outside BIG-IP Controller load balances inbound connections across the outside interfaces of the firewalls, you need to create a virtual server on that system. This virtual server will reference the pool you created in Creating a pool for outside firewall interfaces, on page 9-4 that contains these outside firewall interfaces.

In order to accommodate potential multiple virtual servers for your enterprise servers, create a network virtual server. A network virtual server is a virtual server that handles a whole network range, instead of just one IP address. For example, in Figure 9.1, the virtual server 10.10.30.0 load balances traffic across the firewall set to all virtual servers on the 10.10.30.0/24 network.

To create a network virtual server using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
    The Virtual Servers screen opens.
  2. Click the Add button.
    The Add Virtual Server screen opens.
  3. Configure the appropriate attributes on the Add Virtual Server screen. For additional information about configuring a virtual server, click the Help button.

    Configuration note

    When you create the configuration shown in Figure 9.1:

    · Add a virtual server with address 10.10.30.0 and port 0 (this designates a wildcard virtual server).

    · In the Pool list, select firewalls_outside (having created the firewalls_outside pool in Creating a pool for outside firewall interfaces, on page 9-4).

To create a network virtual server from the command line

Use the bigpipe virtual command to configure the virtual server to use the pool that contains the outside addresses of the firewalls:

b virtual <virt_ip>:<service> use pool <pool name>

Repeat this command for each service you want to configure. To implement the configuration shown in Figure 9.1, you use the command:

b virtual 10.10.30.0:0 use pool firewalls_outside

Enhancing security for this configuration

To supplement the security offered by your firewalls, you may want to create a standard virtual server rather than a network virtual server. For example, in the configuration shown in Figure 9.1, you really only need a virtual server for 10.10.30.9. In this configuration, using a standard virtual server would reduce the number of accessible addresses from 254 to 1.

Creating a standard virtual server to load balance intranet servers

After you configure the outside BIG-IP Controller BIG-IP 1 to handle inbound traffic, configure the inside BIG-IP Controller BIG-IP 2 to load balance the enterprise servers.

Use the Configuration utility, or the bigpipe virtual command, as you did to create the network virtual server on the outside BIG-IP Controller. Instead of using a network (wildcard) IP address, use a standard IP address and a pool appropriate for your network.

To create a standard virtual server using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. Click Add Virtual Server.
    The Add Virtual Server screen opens.
  3. Configure the appropriate attributes on the Add Virtual Server screen. For additional information about configuring a virtual server, click the Help button.
  4. In the Pool list, select the pool you want to apply to the virtual server. For example, to implement the configuration shown in Figure 9.1, you would choose servers (having created the servers pool in Creating a pool for servers, on page 9-6).

    Configuration notes

    When you create the configuration shown in Figure 9.1:

    · Add a virtual server with address 10.10.30.9, port 80.

    · In the Pool list, select servers (having created the servers pool in Creating a pool for servers, on page 9-6).

To create a standard virtual server from the command line

Use the bigpipe virtual command to configure the virtual server to use the pool that contains the enterprise servers:

b virtual <virt_ip>:<service> use pool <pool name>

For example, to use the bigpipe virtual command to implement the configuration shown in Figure 9.1, the command would be:

b virtual 10.10.30.9:80 use pool servers

Creating virtual servers for outbound traffic

After you define the pools for the internal interfaces of the firewalls, you can define virtual servers on the BIG-IP Controllers to load balance outbound connections.

To do this you:

  • Create a wildcard virtual server on the inside BIG-IP Controller to balance traffic outbound to the firewalls.
  • Create a forwarding wildcard virtual server on the outside BIG-IP Controller to forward traffic to the Internet. A forwarding virtual server is a virtual server that merely forwards traffic, rather than balancing it across nodes.

Creating a wildcard virtual server for balancing traffic to the firewalls

To configure the inside BIG-IP Controller for outbound connections, create a wildcard virtual server that accepts all traffic from the internal network, then load balances the traffic through the firewalls. After you create this wildcard virtual server, you must disable it on the external VLAN.

To create a wildcard virtual server using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. Click the Add button.
    The Add Virtual Server screen opens.
  3. Configure the following attributes on the Add Virtual Server screen. For additional information about configuring a virtual server, click the Help button.

    Configuration note

    To create the configuration shown in Figure 9.1, configure the wildcard virtual server 0.0.0.0:0 and use the pool firewalls_inside.

To create a wildcard virtual server from the command line

Use the bigpipe virtual command to configure the virtual server to use the pool that contains the inside addresses of the firewalls:

b virtual 0.0.0.0:0 use pool <pool name>

To use the bigpipe virtual command to create the virtual server and disable it on the external VLAN as shown in the configuration in Figure 9.1, type the following command:

b virtual 0.0.0.0:0 use pool firewalls_inside vlans external disable

Creating a forwarding wildcard virtual server to forward traffic to the Internet

After the appropriate firewall has processed outbound traffic, you want the outside BIG-IP Controller to forward the traffic to the Internet. To accomplish this, create a wildcard virtual server as you did in Creating a wildcard virtual server for balancing traffic to the firewalls, on page 9-11, using either the Configuration utility or the command line.

  • If you use the Configuration utility, use the address and port 0.0.0.0:0, and select Forwarding in the Resources section.
  • From the command line, to implement the configuration shown in Figure 9.1, you type:

    b virtual 0.0.0.0:0 forward vlans external disable

Enhancing security for this configuration

In some situations, you may want to limit the types of traffic that can pass outbound to the Internet. You can use port-specific wildcard virtual servers to restrict traffic in this manner. While a standard wildcard virtual server forwards all traffic, a port-specific wildcard virtual server forwards traffic specific to only the specified port. For more information, see Virtual servers in the BIG-IP Reference Guide, Chapter 1, Configuring the BIG-IP Controller.

To create a port-specific wildcard server using the Configuration utility

Follow the instructions detailed in To create a wildcard virtual server using the Configuration utility, on page 9-11, with these exceptions:

  • In step 3, when you configure the Port attribute, choose the port to which you want outgoing traffic to be limited for that virtual server.
  • Complete the rest of the steps as detailed on page 9-11, then repeat the process for any other ports you want to be accessible to outgoing traffic.

    For example, to implement the configuration shown in Figure 9.1, to limit the traffic forwarded to HTTP and FTP, you would follow the instructions in To create a wildcard virtual server using the Configuration utility three times. That is, once for each of three port-specific virtual servers, entering respectively 80, 20, and 21 for the Port attribute.

To create a port-specific wildcard server from the command line

To create a port-specific wildcard server, use the bigpipe virtual command as you did in Creating a wildcard virtual server for balancing traffic to the firewalls, on page 9-11. For the sample port number, substitute the number of the port to which you want to limit access.

For example, in the configuration shown in Figure 9.1, to limit the traffic forwarded to HTTP and FTP, you replace the command in the preceding section with the following commands:

b virtual 0.0.0.0:80 use pool firewalls_inside vlans external disable

b virtual 0.0.0.0:20 use pool firewalls_inside vlans external disable

b virtual 0.0.0.0:21 use pool firewalls_inside vlans external disable
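As an added example that is not part of the F5 guide, the following Python script checks a set of bigpipe commands of the kind entered on the inside controller (BIG-IP 2) in this chapter: every use pool must name a pool that was actually created, any wildcard virtual server that balances to the inside firewall pool must be disabled on the external VLAN, and pool member ports must be 0 or match the virtual server's port. The command text is constructed here (with one misspelled pool name and one unrestricted port-specific virtual server so the checker has something to report), and the regular expressions cover only the command forms this chapter uses, not the full bigpipe grammar.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of this chapter's BIG-IP 2 commands. One pool
# name is misspelled and one port-specific wildcard virtual server omits the
# VLAN restriction, so the checker has findings to report.
BIGIP2_COMMANDS = """
b pool firewalls_inside { member 10.10.30.4:0 member 10.10.30.5:0 member 10.10.30.6:0 }
b pool servers { member 10.10.40.4:80 member 10.10.40.5:80 }
b virtual 10.10.30.9:80 use pool server_pool
b virtual 0.0.0.0:80 use pool firewalls_inside vlans external disable
b virtual 0.0.0.0:21 use pool firewalls_inside
"""

# Grammar limited to the command forms used in this chapter (an assumption,
# not the complete bigpipe syntax).
POOL_RE = re.compile(r"^b pool (\S+) \{(.*)\}$")
MEMBER_RE = re.compile(r"member (\S+):(\d+)")
VIRT_RE = re.compile(
    r"^b virtual (\S+):(\d+) use pool (\S+)(?: vlans (\S+) (enable|disable))?$")


def parse(text: str) -> Tuple[Dict[str, List[Tuple[str, int]]], List[dict]]:
    """Split bigpipe pool and virtual commands into pools and virtual servers."""
    pools: Dict[str, List[Tuple[str, int]]] = {}
    virtuals: List[dict] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        pm, vm = POOL_RE.match(line), VIRT_RE.match(line)
        if pm:
            pools[pm.group(1)] = [(ip, int(p)) for ip, p in MEMBER_RE.findall(pm.group(2))]
        elif vm:
            virtuals.append({"ip": vm.group(1), "port": int(vm.group(2)),
                             "pool": vm.group(3), "vlan": vm.group(4), "state": vm.group(5)})
    return pools, virtuals


def check(text: str, firewall_pool: str) -> List[str]:
    """Return one finding per problem; an empty list means the commands are consistent."""
    pools, virtuals = parse(text)
    findings: List[str] = []
    for v in virtuals:
        ref = f"{v['ip']}:{v['port']}"
        if v["pool"] not in pools:
            findings.append(f"{ref} references undefined pool {v['pool']}")
        # The chapter requires the wildcard virtual server that balances to the
        # inside firewall interfaces to be disabled on the external VLAN.
        to_firewalls = v["ip"] == "0.0.0.0" and v["pool"] == firewall_pool
        if to_firewalls and not (v["vlan"] == "external" and v["state"] == "disable"):
            findings.append(f"{ref} is not disabled on the external VLAN")
        # Members defined with port 0 take the virtual server's port, as the
        # chapter does for firewall members; any other port must match exactly.
        for ip, port in pools.get(v["pool"], []):
            if port not in (0, v["port"]):
                findings.append(f"{ref} pool member {ip}:{port} does not match port {v['port']}")
    return findings
```

Run check(BIGIP2_COMMANDS, "firewalls_inside") to see the two findings for the sample; the same call on the corrected commands of this chapter returns an empty list.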

Configuring administrative routing

In order to administer the outside BIG-IP Controller from the inside BIG-IP Controller and vice versa, you need to create routes between the systems, using the firewalls as gateways.

To implement the configuration shown in Figure 9.1, you use the following command on BIG-IP Controller BIG-IP 1:

route add -host 10.10.30.1 -gateway 10.10.20.4

If BIG-IP 2 is a redundant pair with 10.10.30.2 and 10.10.30.3 as its external addresses and 10.10.30.1 as their floating alias, use these commands on BIG-IP 1 instead:

route add -host 10.10.30.1 -gateway 10.10.20.4

route add -host 10.10.30.2 -gateway 10.10.20.5

route add -host 10.10.30.3 -gateway 10.10.20.6

To complete the configuration, you use the following command on BIG-IP Controller BIG-IP 2:

route add -host 10.10.20.1 -gateway 10.10.30.4

If BIG-IP 1 is a redundant pair with 10.10.20.2 and 10.10.20.3 as its internal addresses and 10.10.20.1 as their floating alias, use these commands on BIG-IP 2 instead:

route add -host 10.10.20.1 -gateway 10.10.30.4

route add -host 10.10.20.2 -gateway 10.10.30.5

route add -host 10.10.20.3 -gateway 10.10.30.6

Additional configuration options

Whenever you configure a BIG-IP Controller, you have a number of options:

  • You have the option in all configurations to configure a redundant BIG-IP Controller for fail-over. Refer to Redundant Systems in the BIG-IP Reference Guide, Chapter 1, Configuring the BIG-IP Controller.
  • All configurations have health monitoring options. Refer to Health Monitors in the BIG-IP Reference Guide, Chapter 1, Configuring the BIG-IP Controller.
  • When you create a pool, there is an option to set up persistence and a choice of load balancing methods. Refer to Pools in the BIG-IP Reference Guide, Chapter 1, Configuring the BIG-IP Controller.