Manual Chapter : BIG-IP FireGuard Controller guide v3.3: Balancing Two-Way Traffic with Destination Processing

Applies To:

Show Versions Show Versions

BIG-IP versions 1.x - 4.x

  • 3.3.1 PTF-06, 3.3.1 PTF-05, 3.3.1 PTF-04, 3.3.1 PTF-03, 3.3.1 PTF-02, 3.3.1 PTF-01, 3.3.0
Manual Chapter


5

Balancing Two-Way Traffic with Destination Processing



Introducing two-way firewall load balancing with destination processing

With a few modifications, you can use the firewall sandwich configuration from Chapter 3, Introducing firewall load balancing for two-way traffic, to load balance servers on your intranet as well as two-way traffic across your firewalls. As with the Chapter 3 configuration, traffic is generated in two ways:

  • Users on the Internet request information from a pair of enterprise servers behind the enterprise's set of firewalls, generating inbound traffic.
  • Users behind a set of firewalls request information from Internet servers, generating outbound traffic.

    Traffic is again balanced across the firewall set in both the inbound and the outbound directions, necessitating two BIG-IP FireGuard redundant systems:

  • A BIG-IP FireGuard redundant system on the outside (that is, the side nearest the Internet) of the firewalls, to balance traffic inbound across the outside interfaces of the firewalls.
  • A BIG-IP FireGuard redundant system on the inside (that is, the side nearest the enterprise servers) of the firewalls, to balance traffic outbound across the inside interfaces of the firewalls.

    However, in this configuration, this redundant system also load balances servers on the intranet.

    Figure 5.1, following, illustrates this type of scenario, and provides an example configuration for this entire chapter. Remember that this is just a sample: when creating your own configuration, you must use IP addresses, host names, and so on, that are applicable to your own network.

    Figure 5.1 Two-way traffic with destination processing

Configuration tasks

To load balance enterprise servers as well as two-way traffic across a set of firewalls using a firewall sandwich configuration, you need to complete all the following tasks in order:

  • Configure routing to the internal network.
  • Create pools for firewalls and servers.
  • Create virtual servers for inbound traffic.
  • Create virtual servers for outbound traffic.
  • Configure BIG-IP FireGuard interfaces for source and destination processing.
  • Configure administrative routing.

    This chapter explains how to set up this configuration, using the sample IP addresses and device names in Figure 5.1 as an example.

    Note: The procedures in this chapter detail how to configure a single BIG-IP FireGuard. In order to complete your configuration, synchronize the configured BIG-IP FireGuard with the other BIG-IP FireGuard in your BIG-IP FireGuard redundant system, as detailed in Synchronizing configurations between controllers, on page 6-37.

Configuring routing to the internal network

The external router should route traffic bound for the network that includes your intranet by way of the external shared alias of the external BIG-IP FireGuard redundant system.

In Figure 5.1, the internal BIG-IP Controllers are 2a and 2b, the network is 10.10.30.0, and the external shared alias of the external BIG-IP FireGuard redundant system is 10.10.10.1. Thus, a command to configure this routing might be:

Route add -net 10.10.30.0 -gateway 10.10.10.1

The exact syntax of this command depends on the type of router.

Creating pools for firewalls and servers

To use this configuration, you must create load balancing pools. A pool is a group of devices that you want a BIG-IP FireGuard redundant system to load balance. You will create three pools:

  • To load balance incoming requests across the external interfaces of your firewalls, you create a pool that includes these external interfaces.
  • Requests that pass through the firewalls must be load balanced to the enterprise servers, so you create a pool that includes these enterprise servers.
  • When the servers respond to requests, the outgoing requests must be balanced across the internal interfaces of your firewalls, so you create a pool that includes these internal interfaces.

Creating a pool for outside firewall interfaces

When using this configuration, you first create the pool for the outside addresses of the firewalls on the outside BIG-IP FireGuard redundant system.

To implement the configuration shown in Figure 5.1, you create this pool on BIG-IP FireGuards 1a and 1b.

To create the pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. In the toolbar, click the Add Pool button.
    The Add Pool screen opens.
  3. Configure the following attributes on the Add Pool screen. For additional information about creating a pool, click the Help button.

    Configuration notes
    To create the configuration shown in Figure 5.1:

    · Create a pool named firewalls_outside.

    · Add each firewall from the example, 10.10.20.4, 10.10.20.5, and 10.10.20.6, to the pool. For each firewall you add to the pool, specify port 0.

To create the pool from the command line

Use the bigpipe pool command to create the pool:

bigpipe pool <pool name> { lb_method <xx> member <Firewall1>:0 member <Firewall2>:0 member <Firewall3>:0 }

In the command, replace the parameters with the appropriate information.

  • <pool name> is a 1-31 character identifier for the pool.
  • <Firewall1>, <Firewall2>, and <Firewall3> are the IP addresses of the outside interfaces of your respective firewalls.
  • lb_method <xx> designates the load balancing method. For more information, refer to Understanding individual load balancing methods in the Reference Guide.

    In Figure 5.1, for example, the pool for the outside addresses is firewalls_outside, the outside addresses are 10.10.20.4, 10.10.20.5, and 10.10.20.6, and the load balancing method is Round Robin. Thus, the command would be:

    bigpipe pool firewalls_outside { lb_method rr member 10.10.20.4:0 member 10.10.20.5:0 member 10.10.20.6:0 }

Creating a pool for inside firewall interfaces

Next, create a pool for the internal addresses of your firewalls on the inside BIG-IP FireGuards redundant system (2a and 2b in Figure 5.1). Use the Configuration utility, or the bigpipe pool command, as you did to create the pool for the outside firewall addresses. Choose a pool name appropriate for this pool.

To create the pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. In the toolbar, click the Add Pool button.
    The Add Pool screen opens.
  3. Configure the following attributes on the Add Pool screen. For additional information about creating a pool, click the Help button.

    Configuration notes
    To create the configuration shown in Figure 5.1:

    · Create a pool named firewalls_inside.

    · Add each firewall from the example, 10.10.30.4, 10.10.30.5, and 10.10.30.6, to the pool. For each firewall you add to the pool, specify port 0.

To create the pool from the command line

Use the bigpipe pool command to create the pool:

bigpipe pool <pool name> { lb_method <xx> member <Firewall1>:0 member <Firewall2>:0 member <Firewall3>:0 }

In the command, replace the parameters with the appropriate information.

  • <pool name> is a 1-31 character identifier for the pool.
  • <Firewall1>, <Firewall2>, and <Firewall3> are the IP addresses of the inside interfaces of your respective firewalls.
  • lb_method <xx> designates the load balancing method. For more information, refer to Understanding individual load balancing methods in the BIG-IP Reference Guide.

    To implement the configuration shown in Figure 5.1, you create this pool on BIG-IP FireGuard redundant systems 2a and 2b. In this example, the pool for the inside addresses is firewalls_inside, the inside addresses are 10.10.30.4, 10.10.30.5, and 10.10.30.6, and the load balancing method is Round Robin. Thus the command to implement this configuration would be:

    bigpipe pool firewalls_inside { lb_method rr member 10.10.30.4:0 member 10.10.30.5:0 member 10.10.30.6:0 }

Creating a pool for servers

Finally, create the pool for the nodes that handle requests to your enterprise servers on the inside BIG-IP FireGuard redundant system. Use the Configuration utility, or the bigpipe pool command, as you did to create the firewall pools. Choose a pool name appropriate for this pool.

To create the pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. In the toolbar, click the Add Pool button.
    The Add Pool screen opens.
  3. Configure the following attributes on the Add Pool screen. For additional information about creating a pool, click the Help button.

    Configuration notes
    To create the configuration shown in Figure 5.1:

    · Create a pool named servers.

    · Add the servers 10.10.40.4 and 10.10.40.5 to the pool. For each server, specify port 0.

To create the pool from the command line

Use the bigpipe pool command to create the pool:

bigpipe pool <pool name> { lb_method <xx> member <Server1>:0 member <Server2>:0 }

In the command, replace the parameters with the appropriate information.

  • <pool name> is a 1-31 character identifier for the pool.
  • <Server1> and <Server2> are the IP addresses of your enterprise servers.
  • lb_method <xx> designates the load balancing method. For more information, refer to Understanding individual load balancing methods in the Reference Guide.

    To implement the configuration shown in Figure 5.1, you create this pool on BIG-IP FireGuards 2a and 2b. In this example, the pool for the server addresses is servers, the server addresses are 10.10.40.4 and 10.10.40.5 and the load balancing method is Round Robin. Thus, the command to implement this configuration would be:

    bigpipe pool servers { lb_method rr member 10.10.40.4:80 member 10.10.40.5:80 }

Creating virtual servers for inbound traffic

After you define the pools for the outer interfaces of the firewalls, you can define virtual servers on the BIG-IP FireGuard redundant systems to load balance inbound connections. To do this, you:

  • Create a network virtual server on the outside BIG-IP FireGuards (1a and 1b in Figure 5.1) to load balance the firewalls. A network virtual server is a virtual server that handles a whole network range, instead of just one IP address.
  • Create a standard virtual server on the inside BIG-IP FireGuards (2a and 2b in Figure 5.1) to load balance the enterprise servers.

Creating a network virtual server to load balance the firewalls

Because the outside BIG-IP Controller redundant system load balances inbound connections across the outside interfaces of the firewalls, you need to create a virtual server on that system (1a and 1b in Figure 5.1). This virtual server will reference the pool you created in Creating a pool for outside firewall interfaces, on page 5-4 that contains these outside firewall interfaces.

In order to accommodate potential multiple virtual servers for your enterprise servers, create a network virtual server. A network virtual server is a virtual server that handles a whole network range, instead of just one IP address. For example, in Figure 5.1, the virtual server 10.10.30.0 load balances traffic across the firewall set to all virtual servers on the 10.10.30.0/24 network.

To create a network virtual server using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. On the toolbar, click Add Virtual Server.
    The Add Virtual Server screen opens.
  3. Configure the appropriate attributes on the Add Virtual Server screen.
    For additional information about configuring a virtual server, click the Help button.

    Configuration notes
    To create the configuration shown in Figure 5.1:

    · Add a virtual server with address 10.10.30.0 and port 0 (this designates a wildcard virtual server).

    · In the Pool list, select firewalls_outside (having created the firewalls_outside pool in Creating a pool for outside firewall interfaces, on page 5-4).

To create a network virtual server from the command line

Use the bigpipe vip command to configure the virtual server to use the pool that contains the outside addresses of the firewalls:

bigpipe vip <virtual server>:<service> <interface> use pool <pool name>

In the command, replace the parameters with the appropriate information:

  • <virtual server> is an IP address appropriate to your network.
  • <service> is a service you want to configure, such as HTTP; FTP, or Telnet.
  • <interface> is the interface on the BIG-IP Controller on which you want to create this virtual server.
  • <pool name> is the name of the pool you want this virtual server to use.

    Repeat this command for each service you want to configure. To implement the configuration shown in Figure 5.1, you use the command

    bigpipe vip 10.10.30.0 none use pool firewall_outsides

Enhancing security

To supplement the security offered by your firewalls, you may want to create a standard virtual server rather than a network virtual server. For example, in the configuration shown in Figure 5.1, you really only need a virtual server for 10.10.30.9. In this configuration, using a standard virtual server would reduce the number of accessible addresses from 254 to one.

Creating a standard virtual server to load balance intranet servers

After you configure the outside BIG-IP FireGuard redundant system to handle inbound traffic, configure the inside BIG-IP FireGuard redundant system (2a and 2b in Figure 5.1) to load balance the enterprise servers.

Use the Configuration utility, or the bigpipe vip command, as you did to create the wildcard virtual server for the inside BIG-IP FireGuard redundant system. Instead of using a wildcard IP address, use a standard IP address and pool appropriate for your network.

To create a standard virtual server using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. On the toolbar, click Add Virtual Server.
    The Add Virtual Server screen opens.
  3. Configure the appropriate attributes on the Add Virtual Server screen.
    For additional information about configuring a virtual server, click the Help button.

    Configuration notes
    To create the configuration shown in Figure 5.1:

    · Add a virtual server with address 10.10.30.9, port 80, and interface exp0.

    · In the Pool list, select firewalls_outside (having created the firewalls_outside pool in Creating a pool for servers, on page 5-7).

  4. In the Pool list, select the pool you want to apply to the virtual server. For example, to implement the configuration shown in Figure 5.1, you would choose servers (having created the servers pool in Creating a pool for servers, on page 5-7).

To create a standard virtual server from the command line

Use the bigpipe vip command to configure the virtual server to use the pool that contains the outside addresses of the firewalls:

bigpipe vip <virtual server>:<service> <interface> use pool <pool name>

In the command, replace the parameters with the appropriate information:

  • <virtual server> is an IP address appropriate to your network.
  • <service> is a service you want to configure, such as HTTP; FTP, or Telnet.
  • <interface> is the interface on the BIG-IP on which you want to create this virtual server.
  • <pool name> is the name of the pool you want this virtual server to use.

    For example, to use the bigpipe vip command to implement the configuration shown in Figure 5.1, the command would be:

    bigpipe vip 10.10.30.9:80 use pool server_pool

Designating a last hop pool for inbound traffic

When a BIG-IP FireGuard redundant system is accepting inbound connections for virtual servers from more than one firewall, it is typically necessary to return outbound packets through the same firewall they came through inbound. Returning the data through the originating firewall provides two potential benefits:

  • It balances the outbound load across the firewall set.
  • It guarantees, in situations where the firewall is maintaining a connection for a client, that packets can be returned to that client.

    To configure your firewall sandwich along these lines, use the Configuration utility or the bigpipe vip command with the lasthop keyword to designate the pool containing the inside interfaces of the firewalls as the last hop pool.

To configure a last hop pool using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
    The Virtual Servers screen opens.
  2. In the virtual server list, click the virtual server for which you want to set up a last hop pool.
    The Virtual Server properties screen for the virtual server you clicked opens.
  3. In the Virtual Server properties screen, select the pool you want to designate as the last hop.
    For additional information about creating a pool, click the Help button.

    Configuration notes
    To create the configuration shown in Figure 5.1, select firewalls_inside as the last hop pool for the virtual server 10.10.30.9:80 on interface exp0.

To configure last hop pools for virtual servers from the command line

Use the bigpipe vip command:

bigpipe vip <virtual server>:<service> <interface> lasthop pool <pool name>

In the command, replace the parameters with the appropriate information:

  • <virtual server> is an IP address appropriate to your network.
  • <service> is a service you want to configure, such as HTTP; FTP, or Telnet.
  • <interface> is the network interface card on which you want this virtual server to process traffic.
  • <pool name> is the name of the pool you want this virtual server to use.

    For example, to implement the configuration shown in Figure 5.1, you would type:

    bigpipe vip 10.10.30.9:80 exp0 lasthop pool firewall_insides

Creating virtual servers for outbound traffic

After you define the pools for the internal interfaces of the firewalls, you can define virtual servers on the BIG-IP FireGuard redundant systems to load balance outbound connections. To do this you:

  • Create a wildcard virtual server on the inside BIG-IP FireGuards (2a and 2b in Figure 5.1) to balance traffic outbound to the firewalls.
  • Create a forwarding wildcard virtual server on the outside BIG-IP FireGuards (1a and 1b in Figure 5.1) to forward traffic to the Internet. A forwarding virtual server is a virtual server that merely forwards traffic, rather than balancing it across nodes.

Creating a wildcard virtual server for balancing traffic to the firewalls

To configure the inside BIG-IP Controller redundant system (2a and 2b in Figure 5.1) for outbound connections, create a wildcard virtual server that accepts all traffic from the internal network, then load balances the traffic through the firewalls.

To create a wildcard virtual server using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. On the toolbar, click Add Virtual Server.
    The Add Virtual Server screen opens.
  3. Configure the following attributes on the Add Virtual Server screen.
    For additional information about configuring a virtual server, click the Help button.

    Configuration notes
    To create the configuration shown in Figure 5.1, select firewalls_inside as the last hop pool for the virtual server 0.0.0.0:0.

To create a wildcard virtual server from the command line

Use the bigpipe vip command to configure the virtual server to use the pool that contains the outside addresses of the firewalls:

bigpipe vip 0.0.0.0:0 <interface> use pool <pool name>

In the command, replace the parameters with the appropriate information:

  • <interface> is the interface on the BIG-IP FireGuard on which you want to create this virtual server.
  • <pool name> is the name of the pool you want this virtual server to use.

    To use the bigpipe vip command to implement the configuration shown in Figure 5.1, you type:

    bigpipe vip 0.0.0.0:0 none use pool firewall_insides

Creating a forwarding wildcard virtual server to forward traffic to the Internet

After the appropriate firewall has processed outbound traffic, you want the outside BIG-IP Controller redundant system (1a and 1b in Figure 5.1) to forward the traffic to the Internet. To accomplish this, create a wildcard virtual server as you did in Creating a wildcard virtual server for balancing traffic to the firewalls, on page 5-14, using either the Configuration utility or the command line.

  • If you use the Configuration utility, use the address and port 0.0.0.0:0, and select Forwarding in the Resources section.
  • From the command line, to implement the configuration shown in Figure 5.1, you type:

    bigpipe vip 0.0.0.0:0 none forward

Enhancing security

In some situations, you may want to limit the types of traffic that can pass outbound to the Internet. You can use port-specific wildcard virtual servers to restrict traffic in this manner. While a standard wildcard virtual server forwards all traffic, a port-specific wildcard virtual server forwards traffic specific to only the specified port. For more information, see Defining wildcard virtual servers, on page 6-8.

To create a port-specific wildcard server using the Configuration utility

Follow the instructions detailed in To create a wildcard virtual server using the Configuration utility, on page 5-14.

  • In step 3, when you configure the Port attribute, choose the port to which you want outgoing traffic to be limited for that virtual server.
  • Complete the rest of the steps as detailed on page 5-14, then repeat the process for any other ports you want to be accessible to outgoing traffic.

    For example, to implement the configuration shown in Figure 5.1, to limit the traffic forwarded to HTTP and FTP, you would follow the instructions in To create a wildcard virtual server using the Configuration utility three times. That is, once for each of three port-specific virtual servers, entering 80, 20, and 21 for the Port attribute.

To create a port-specific wildcard server from the command line

To create a port-specific wildcard server, use the bigpipe vip command as you did in To create a network virtual server from the command line, on page 5-9. For the sample port number, substitute the number of the port to which you want to limit access.

For example, in the configuration shown in Figure 5.1, to limit the traffic forwarded to HHTP and FTP, you replace the command in the preceding section with the following commands:

bigpipe vip 0.0.0.0:80 none use pool firewall

bigpipe vip 0.0.0.0:20 none use pool firewall

bigpipe vip 0.0.0.0:21 none use pool firewall

Designating a last hop pool for outbound traffic

Just as you used a last hop pool to balance and maintain inbound connections in Designating a last hop pool for inbound traffic, on page 5-12, you now create a last hop pool for outbound traffic for the same purposes. Create the pool on the outside BIG-IP Controller redundant system (1a and 1b in Figure 5.1).

Create the last hop pool for outbound traffic as you did for inbound traffic, using either the Configuration utility or the command line.

  • If you use the Configuration utility, use the address and port 0.0.0.0:0 and select firewall_outsides in the Last Hop Pool section.
  • From the command line, to implement the configuration shown in Figure 5.1, you would type:

    bigpipe vip 0.0.0.0:0 lasthop pool firewall_outsides

Configuring interfaces

Typically, a BIG-IP FireGuard redundant system has two interfaces:

  • An external interface, usually set for destination processing
  • An internal interface, usually set for source processing

    In order for the firewall sandwich configuration to work, you must set all interfaces on the BIG-IP FireGuard redundant system systems (1a and 1b, and 2a and 2b, in Figure 5.1) to process both source and destination addresses.

    Thus, you must enable source processing for the external interfaces and disable destination processing for the internal interfaces.

To configure source and destination processing using the Configuration utility

  1. In the navigation pane, click NICs.
    The Network Interface Cards screen opens. You can view the current settings for each interface in the Network Interface Card table.
  2. In the Network Interface Card table, click the name of the interface you want to configure.
    The Network Interface Card Properties screen opens.
  3. In the Network Interface Card Properties screen, configure the attributes required for the interface.
    For additional information about creating a pool, click the Help button.

    Configuration notes
    To create the configuration shown in Figure 5.1, for both exp0 and exp1, make sure the Enable Source Processing and the Enable Destination Processing check boxes are checked.

To configure source processing from the command line

Use the bigpipe interface command with the source keyword to turn source processing on for an interface:

bigpipe interface <interface> source enable

where <interface> is the identifier for the internal interface of a BIG-IP FireGuard redundant system.

To implement the configuration shown in Figure 5.1, you would use the command:

bigpipe interface exp0 source enable

Repeat this process for each BIG-IP FireGuard redundant system.

To configure destination processing from the command line

Use the bigpipe interface command with the dest keyword to turn destination processing on for an interface:

bigpipe interface <interface> dest enable

where <interface> is the identifier for the external interface of a BIG-IP FireGuard redundant system.

To implement the configuration shown in Figure 5.1, you would use the command:

bigpipe interface exp1 dest enable

Repeat this process for each BIG-IP FireGuard.

Configuring administrative routing

In order to administer the outside BIG-IP FireGuard redundant system (BIG-IP FireGuards 1a and 1b in Figure 5.1) from the inside BIG-IP FireGuard redundant system (BIG-IP FireGuards 2a and 2b in Figure 5.1), and to administer the inside redundant system from the outside redundant system, you need to create routes between the systems, using the firewalls as gateways.

To implement the configuration shown in Figure 5.1, you would use the following commands on BIG-IP FireGuards 1a and 1b:

route add -host 10.10.30.1 -gateway 10.10.20.4

route add -host 10.10.30.2 -gateway 10.10.20.5

route add -host 10.10.30.3 -gateway 10.10.20.6

To complete the configuration, you would use the following commands on BIG-IP FireGuards 2a and 2b:

route add -host 10.10.20.1 -gateway 10.10.30.4

route add -host 10.10.20.2 -gateway 10.10.30.5

route add -host 10.10.20.3 -gateway 10.10.30.6