Manual Chapter : BIG-IP Solutions Guide v4.2: Balancing Two-Way Traffic Across Firewalls

Applies To:


BIG-IP versions 1.x - 4.x

  • 4.2 PTF-10, 4.2 PTF-09, 4.2 PTF-08, 4.2 PTF-07, 4.2 PTF-06, 4.2 PTF-05, 4.2 PTF-04, 4.2 PTF-03, 4.2 PTF-02, 4.2 PTF-01, 4.2.0
Chapter 10: Balancing Two-Way Traffic Across Firewalls



Introducing two-way firewall load balancing

This chapter describes how to set up a configuration that load balances two types of traffic:

  • Users on the Internet requesting information from a pair of enterprise servers behind the enterprise's set of firewalls, generating inbound traffic.
  • Users behind a set of firewalls requesting information from Internet servers, generating outbound traffic.

This type of configuration is appropriate for any enterprise that wants to provide information by way of the Internet, while limiting traffic to a specific service, and also wants to maintain a large intranet with fast access to the Internet for internal users.

This configuration calls for two BIG-IP units:

  • A BIG-IP on the outside (that is, the side nearest the Internet) of the firewalls, to balance traffic inbound across the firewalls.
  • A BIG-IP on the inside (that is, the side nearest the enterprise servers) of the firewalls, to balance traffic outbound across the firewalls, and also to balance traffic inbound across the server array.

Collectively, this is known as a firewall sandwich configuration, because the BIG-IP units are on either side of the firewalls, sandwiching them. Figure 10.1 illustrates this type of configuration, and provides the example configuration used throughout this chapter. When creating your own configuration, remember to use IP addresses, host names, and so on, that are applicable to your own network.

Note: All products except the BIG-IP e-Commerce Controller support this configuration.

Figure 10.1 Load balancing two-way traffic

Configuring two-way firewall load balancing

To load balance enterprise servers as well as two-way traffic across a set of firewalls using a firewall sandwich configuration, you need to complete all the following tasks in order:

  • Configure routing to the internal network.
  • Create pools for firewalls and servers.
  • Enable port 0 traffic.
  • Create virtual servers for inbound traffic.
  • Create virtual servers for outbound traffic.
  • Configure administrative routing.

The following sections provide details on how to set up this configuration, using the sample IP addresses and device names in Figure 10.1 as an example.

Configuring routing to the internal network

The external router should route traffic bound for the network that includes your intranet by way of the external shared alias of the external BIG-IP redundant system.

In Figure 10.1, the network behind the internal BIG-IP is 10.10.30.0/24, and the external address of the external BIG-IP (or its floating alias, for a redundant system) is 10.10.10.1. Thus, a command to configure this routing on the external router might be:

route add -net 10.10.30.0 -gateway 10.10.10.1

The exact syntax of this command depends on the type of router.

Creating pools for firewalls and servers

To use this configuration, you must create three load balancing pools.

  • To load balance incoming requests across the external interfaces of your firewalls, you create a pool that includes these external interfaces.
  • Because requests that pass through the firewalls must be load balanced to the enterprise servers, you create a pool that includes these enterprise servers.
  • Outgoing requests must be balanced across the internal interfaces of your firewalls, so you create a pool that includes these internal interfaces.

To create a pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. Click the Add button.
    The Add Pool screen opens.
  3. Enter the pool name and member addresses in the Add Pool screen. (For additional information about configuring a pool, click the Help button.)

Configuration notes

When you create the configuration shown in Figure 10.1:

On the outside BIG-IP, labeled BIG-IP 1 in Figure 10.1, create the pool firewalls_outside containing members 10.10.20.4, 10.10.20.5, and 10.10.20.6 (the external interfaces of the firewalls).

On the inside BIG-IP, labeled BIG-IP 2 in Figure 10.1, define the pool firewalls_inside containing members 10.10.30.4, 10.10.30.5, and 10.10.30.6 (the internal interfaces of the firewalls).

On the inside BIG-IP 2, also define the pool servers containing members 10.10.40.4 and 10.10.40.5 (the enterprise servers).

To define the pools from the command line

Use the bigpipe pool command to create the pool:

b pool <pool name> { member <Firewall1>:0 member <Firewall2>:0 member <Firewall3>:0 }

To achieve the configuration in Figure 10.1, the commands would be:

On BIG-IP 1:

b pool firewalls_outside { \
  member 10.10.20.4:0 \
  member 10.10.20.5:0 \
  member 10.10.20.6:0 }

On BIG-IP 2:

b pool firewalls_inside { \
  member 10.10.30.4:0 \
  member 10.10.30.5:0 \
  member 10.10.30.6:0 }

b pool servers { \
  member 10.10.40.4:0 \
  member 10.10.40.5:0 }

Enabling port 0

For security reasons, the ports on the BIG-IP do not accept traffic until you enable them. In this configuration, the system accepts traffic on port 0. For this configuration to work, you must enable port 0. Use the following command to enable this port:

b service 0 tcp enable

Note: This step is only required if you create this configuration from the command line. If you create the configuration from the web-based Configuration utility, the port is opened automatically.

Creating virtual servers

After you define the pools, you can define virtual servers on the BIG-IP units to load balance inbound and outbound connections.

  • For inbound connections, create a network virtual server on the outside BIG-IP in Figure 10.1 labeled BIG-IP 1 to load balance the firewalls. A network virtual server is a virtual server that handles a whole network range, instead of just one IP address.
  • For inbound connections, create a standard virtual server on the inside BIG-IP in Figure 10.1 labeled BIG-IP 2 to load balance the enterprise servers.
  • For outbound connections, create a wildcard virtual server on the inside BIG-IP to balance traffic outbound to the firewalls.
  • For outbound connections, create a forwarding wildcard virtual server on the outside BIG-IP to forward traffic to the Internet. A forwarding virtual server is a virtual server that merely forwards traffic, rather than balancing it across nodes.

To define a virtual server using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
    The Virtual Servers screen opens.
  2. Click the Add button.
    The Add Virtual Server screen opens.
  3. Enter the virtual server address and pool name. (For additional information about configuring a virtual server, click the Help button.)

Configuration notes

When you create the configuration shown in Figure 10.1:

On the outside BIG-IP (BIG-IP 1), add a network virtual server with address 10.10.0.0 and port 80 using the pool firewalls_outside.

On the inside BIG-IP (BIG-IP 2), add a standard virtual server with address 10.10.30.9 and port 80 using the pool servers.

On the inside BIG-IP, create a wildcard virtual server with the address 0.0.0.0:0 using the pool firewalls_inside.

On the outside BIG-IP, create a forwarding wildcard virtual server with address 0.0.0.0:0. A forwarding virtual server merely forwards traffic, rather than using a load-balancing pool.

To define the virtual server from the command line

Use the bigpipe virtual command to configure the virtual servers:

b virtual <virt_ip>:<service> use pool <pool name>

For this example, use the following commands on the outside BIG-IP (BIG-IP 1):

b virtual 10.10.0.0:80 use pool firewalls_outside

b virtual 0.0.0.0:0 forward vlans external disable

Use the following commands on the inside BIG-IP (BIG-IP 2):

b virtual 10.10.30.9:80 use pool servers

b virtual 0.0.0.0:0 use pool firewalls_inside vlans external disable

Enhancing security for this configuration

In some situations, you may want to limit the types of traffic that can pass outbound to the Internet. You can use port-specific wildcard virtual servers to restrict traffic in this manner. While a standard wildcard virtual server forwards all traffic, a port-specific wildcard virtual server forwards traffic specific to only the specified port. For more information, see Virtual server in the BIG-IP Reference Guide, Chapter 4, Configuring the High-Level Network.

To create a port-specific wildcard server using the Configuration utility

Follow the instructions detailed in To define a virtual server using the Configuration utility, on page 10-5.

  • When you configure the Port attribute, choose the port to which you want outgoing traffic to be limited for that virtual server.
  • Complete the rest of the steps as detailed on page 10-5, then repeat the process for any other ports you want to be accessible to outgoing traffic.

    For example, to implement the configuration shown in Figure 10.1 on page 10-2, to limit the traffic forwarded to HTTP and FTP, you would follow the instructions in To define a virtual server using the Configuration utility three times. That is, once for each of three port-specific virtual servers, entering respectively 80, 20, and 21 for the Port attribute.

To create a port-specific wildcard server from the command line

To create a port-specific wildcard server, use the bigpipe virtual command as you did in To define the virtual server from the command line, on page 10-5. For the sample port number, substitute the number of the port to which you want to limit access.

For example, in the configuration shown in Figure 10.1 on page 10-2, to limit the traffic forwarded to HTTP and FTP, you replace the command in the preceding section with the following commands:

b virtual 0.0.0.0:80 use pool firewalls_inside vlans external disable

b virtual 0.0.0.0:20 use pool firewalls_inside vlans external disable

b virtual 0.0.0.0:21 use pool firewalls_inside vlans external disable
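As an added illustration (not from the Solutions Guide and not F5 code), the Python model below encodes the virtual servers this chapter defines on both units and resolves which one handles a given destination address and port. The /16 mask on the 10.10.0.0 network virtual server and the most-specific-match precedence are assumptions of the model, not documented BIG-IP behaviour; the point it makes is that the port-specific wildcards above still carry outbound HTTP and FTP but leave an outbound connection on any other port, such as 443, with no virtual server to accept it.

```python
import ipaddress

# Constructed model of the chapter's virtual servers. Each entry is
# (address range, service port, target). Port 0 means "any port", 0.0.0.0/0
# is the wildcard address, and the target "forward" models a forwarding
# virtual server (no pool). The /16 mask is an assumption; the chapter only
# says the network virtual server address is 10.10.0.0.
OUTSIDE_BIGIP1 = [
    ("10.10.0.0/16", 80, "firewalls_outside"),  # network virtual server
    ("0.0.0.0/0", 0, "forward"),                # forwarding wildcard
]
INSIDE_BIGIP2 = [
    ("10.10.30.9/32", 80, "servers"),           # standard virtual server
    ("0.0.0.0/0", 0, "firewalls_inside"),       # wildcard, all ports
]
# The "enhanced security" variant: the 0.0.0.0:0 wildcard is replaced by
# port-specific wildcards for HTTP (80) and FTP (20, 21).
INSIDE_BIGIP2_RESTRICTED = [
    ("10.10.30.9/32", 80, "servers"),
    ("0.0.0.0/0", 80, "firewalls_inside"),
    ("0.0.0.0/0", 20, "firewalls_inside"),
    ("0.0.0.0/0", 21, "firewalls_inside"),
]


def select_target(virtuals, dst_ip, dst_port):
    """Return the pool name (or "forward") that handles a connection to
    dst_ip:dst_port, or None when no virtual server listens for it.
    Assumed precedence: the most specific address wins, and an exact port
    beats port 0 at the same specificity."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_rank = None, None
    for net, port, target in virtuals:
        network = ipaddress.ip_network(net)
        if ip not in network or port not in (0, dst_port):
            continue
        rank = (network.prefixlen, 1 if port == dst_port else 0)
        if best_rank is None or rank > best_rank:
            best, best_rank = target, rank
    return best


def outbound_allowed(virtuals, dst_ip, dst_port):
    """True if an internal client's outbound connection reaches the firewalls."""
    return select_target(virtuals, dst_ip, dst_port) == "firewalls_inside"


if __name__ == "__main__":
    # 203.0.113.10 is a constructed Internet destination (RFC 5737 range).
    for port in (80, 21, 443):
        print(port, outbound_allowed(INSIDE_BIGIP2, "203.0.113.10", port),
              outbound_allowed(INSIDE_BIGIP2_RESTRICTED, "203.0.113.10", port))
```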

Configuring administrative routing

In order to administer the outside BIG-IP from the inside BIG-IP redundant system and the reverse, you need to create routes between the systems, using the firewalls as gateways.

To implement the configuration shown in Figure 10.1 on page 10-2, you use the following commands on the BIG-IP labeled BIG-IP 1:

route add -host 10.10.30.1 -gateway 10.10.20.4

If BIG-IP 2 is a redundant pair with 10.10.30.2 and 10.10.30.3 as its external addresses and 10.10.30.1 as their floating alias, use these commands instead:

route add -host 10.10.30.1 -gateway 10.10.20.4

route add -host 10.10.30.2 -gateway 10.10.20.5

route add -host 10.10.30.3 -gateway 10.10.20.6

To complete the configuration, you use the following commands on the BIG-IP in Figure 10.1 labeled BIG-IP 2:

route add -host 10.10.20.1 -gateway 10.10.30.4

If BIG-IP 1 is a redundant pair with 10.10.20.2 and 10.10.20.3 as its internal addresses and 10.10.20.1 as their floating alias, use these commands instead:

route add -host 10.10.20.1 -gateway 10.10.30.4

route add -host 10.10.20.2 -gateway 10.10.30.5

route add -host 10.10.20.3 -gateway 10.10.30.6

Additional configuration options

Whenever a BIG-IP is configured, you have a number of options:

  • You have the option in all configurations to configure a BIG-IP redundant system for fail-over. Refer to Chapter 6, Configuring a Redundant System, in the BIG-IP Reference Guide.
  • All configurations have health monitoring options. Refer to Health Monitors in Chapter 4, Configuring the High-Level Network, in the BIG-IP Reference Guide.
  • When you create a pool, there is an option to set up persistence and a choice of load balancing methods. Refer to Pools in Chapter 4, Configuring the High-Level Network, in the BIG-IP Reference Guide.