Applies To:
Show VersionsBIG-IP versions 1.x - 4.x
- 3.3.1 PTF-06, 3.3.1 PTF-05, 3.3.1 PTF-04, 3.3.1 PTF-03, 3.3.1 PTF-02, 3.3.1 PTF-01, 3.3.0
4
Balancing Two-Way Traffic
Introducing firewall load balancing for two-way traffic
This chapter explains how to load balance a configuration in which:
- Users on the Internet request information from an intranet behind the enterprise's set of firewalls, generating inbound traffic.
- Users behind a set of firewalls request information from Internet servers, generating outbound traffic.
Traffic must therefore be balanced across the firewall set in both the inbound and the outbound directions. This necessitates two BIG-IP FireGuard redundant systems:
- A BIG-IP FireGuard redundant system on the outside (that is, the side nearest the Internet) of the firewalls, to balance traffic inbound across the outside interfaces of the firewalls.
- A BIG-IP FireGuard redundant system on the inside (that is, the side nearest the enterprise servers) of the firewalls, to balance traffic outbound across the inside interfaces of the firewalls.
Like the configuration in Chapter 3, Balancing Traffic Inbound to Enterprise Servers, this is known as a firewall sandwich configuration, because the BIG-IP FireGuard redundant systems sandwich the firewalls.
Figure 4.1, following, illustrates this type of scenario, and provides an example configuration for this entire chapter. Remember that this is just a sample: when creating your own configuration, you must use IP addresses, host names, and so on, that are applicable to your own network.
Configuration tasks
To load balance two-way traffic across a set of firewalls using a firewall sandwich configuration, you need to complete the following tasks in order.
- Configure routing to the internal network.
- Create pools for the firewalls.
- Create virtual servers for inbound traffic.
- Create virtual servers for outbound traffic.
- Configure BIG-IP FireGuard interfaces for source and destination processing.
- Configure administrative routing.
Each of the following sections explains one of the tasks, and shows how you would perform the task in order to implement the example configuration shown in Figure 4.1.
Note: The procedures in this chapter detail how to configure a single BIG-IP FireGuard. In order to complete your configuration, synchronize the configured BIG-IP FireGuard with the other BIG-IP FireGuard in your BIG-IP FireGuard redundant system, as detailed in Synchronizing configurations between controllers, on page 6-37.
Configuring routing to the internal network
The external router should route traffic bound for the network that includes your intranet by way of the external shared alias of the external BIG-IP FireGuard redundant system.
In Figure 4.1, the intranet resides on the network 10.10.40.0, and the external shared alias is 10.10.10.1. Thus, a command to configure this routing might be:
route add -net 10.10.40.0 -gateway 10.10.10.1
The exact syntax of this command depends on the type of router.
Creating pools for the firewalls
To use this configuration, you must create load balancing pools. A pool is a group of devices that you want a BIG-IP FireGuard redundant system to load balance. You will create two pools:
- To load balance incoming requests across the outside interfaces of your firewalls, you create a pool that includes these outside interfaces.
- To load balance outgoing requests across the inside interfaces of your firewalls, you create a pool that includes these inside interfaces.
Creating a pool for outside firewall interfaces
When using this configuration, you first create the pool for the outside interfaces of the firewalls on the outside BIG-IP FireGuard redundant system.
To implement the configuration shown in Figure 4.1, you create this pool on BIG-IP FireGuards 1a and 1b.
To create the pool using the Configuration utility
- In the navigation pane, click Pools.
The Pools screen opens. - In the toolbar, click the Add Pool button.
The Add Pool screen opens. - Configure the following attributes on the Add Pool screen. For additional information about creating a pool, click the Help button.
Configuration notes
To create the configuration shown in Figure 4.1:· Create a pool named firewalls_outside.
· Add each firewall from the example, 10.10.20.4, 10.10.20.5, and 10.10.20.6, to the pool. For each firewall you add to the pool, specify port 0.
To create the pool from the command line
Use the bigpipe pool command to create the pool:
bigpipe pool <pool name> { lb_mode <xx> member <Firewall1>:0 member <Firewall2>:0 member <Firewall3>:0 }
In the command, replace the parameters with the appropriate information.
- <pool name> is a 1-31 character identifier for the pool.
- <Firewall1>, <Firewall2>, and <Firewall3> are the IP addresses of the outside interfaces of your respective firewalls.
- lb_mode <xx> designates the load balancing method. For more information, refer to Understanding individual load balancing methods in BIG-IP Reference Guide.
In Figure 4.1, for example, the pool for the outside addresses is firewalls_outside, the outside addresses are 10.10.20.4, 10.10.20.5, and 10.10.20.6, and the load balancing method is Round Robin. Thus, the command would be:
bigpipe pool firewalls_outside { lb_mode rr member 10.10.20.4:0 member 10.10.20.5:0 member 10.10.20.6:0 }
Creating a pool for inside firewall interfaces
Next, create a pool for the inside interfaces of your firewalls on the inside BIG-IP FireGuard redundant system (2a and 2b in Figure 4.1). Use the Configuration utility, or the bigpipe pool command, as you did to create the pool for the outside firewall addresses. Choose a pool name appropriate for this pool.
To create the pool using the Configuration utility
- In the navigation pane, click Pools.
The Pools screen opens. - In the toolbar, click the Add Pool button.
The Add Pool screen opens. - Configure the following attributes on the Add Pool screen. For additional information about creating a pool, click the Help button.
Configuration notes
To create the configuration shown in Figure 4.1:· Create a pool named firewalls_inside.
· Add each firewall from the example, 10.10.30.4, 10.10.30.5, and 10.10.30.6, to the pool. For each firewall you add to the pool, specify port 0.
To create the pool from the command line
Use the bigpipe pool command to create the pool:
bigpipe pool <pool name> { lb_mode <xx> member <Firewall1>:0 member <Firewall2>:0 member <Firewall3>:0 }
In the command, replace the parameters with the appropriate information.
- <pool name> is a 1-31 character identifier for the pool.
- <Firewall1>, <Firewall2>, and <Firewall3> are the IP addresses of the inside interfaces of your respective firewalls.
- lb_mode <xx> designates the load balancing method. For more information, refer to Understanding individual load balancing methods in BIG-IP Reference Guide.
To implement the configuration shown in Figure 4.1, you would create this pool on BIG-IP FireGuards 2a and 2b. In this example, the pool for the inside addresses is firewalls_inside, the inside addresses are 10.10.30.4, 10.10.30.5, and 10.10.30.6, and the load balancing method is Round Robin. Thus the command to implement this configuration would be:
bigpipe pool firewalls_inside { lb_mode rr member 10.10.30.4:0 member 10.10.30.5:0 member 10.10.30.6:0 }
Creating virtual servers for inbound traffic
After you define pools for the outer interfaces of the firewalls, you can define virtual servers on the BIG-IP FireGuard redundant systems to load balance inbound connections. To do this you:
- Create a network virtual server on the outside BIG-IP FireGuards (1a and 1b in Figure 4.1) to load balance the firewalls. A network virtual server is a virtual server that handles a whole network range, instead of just one IP address.
- Create a forwarding virtual server on the inside BIG-IP FireGuards (2a and 2b in Figure 4.1) to load balance the enterprise servers. A forwarding virtual server is a virtual server that merely forwards traffic, rather than balancing it across nodes.
Creating a network virtual server
Because the outside BIG-IP FireGuard redundant system load balances inbound connections across the outside interfaces of the firewalls, you need to create a virtual server on that system (1a and 1b in Figure 4.1). This virtual server will reference the pool you created in Creating a pool for outside firewall interfaces, on page 4-4, that contains these outside firewall interfaces.
In order to accommodate potential multiple virtual servers on your intranet, create a network virtual server. A network virtual server is a virtual server that handles a whole network range, instead of just one IP address. In Figure 4.1, the virtual server 10.10.40.0 load balances traffic across the firewall set to all virtual servers on the 10.10.40.0/24 network.
To create a network virtual server using the Configuration utility
- In the navigation pane, click Virtual Servers.
- On the toolbar, click Add Virtual Server.
The Add Virtual Server screen opens. - Configure the appropriate attributes on the Add Virtual Server screen.
For additional information about configuring a network virtual server, click the Help button.
Configuration notes
To create the configuration shown in Figure 4.1:· Add a virtual server with address 10.10.40.0, port 0 (this designates a network virtual server), and the Class C netmask 255.255.255.0.
· In the Pool list, select firewalls_outside (having created the firewalls_outside pool in Creating a pool for outside firewall interfaces, on page 4-4).
To create a network virtual server from the command line
Use the bigpipe vip command to configure the virtual server to use the pool that contains the outside addresses of the firewalls:
bigpipe vip <virtual server>:<service> <interface> use pool <pool name>
In the command, replace the parameters with the appropriate information:
- <virtual server> is an IP address appropriate to your network.
- <service> is a service you want to configure, such as HTTP; FTP, or Telnet.
- <interface> is the interface on the BIG-IP FireGuard on which you want to create this virtual server.
- <pool name> is the name of the pool you want this virtual server to use.
Repeat this command for each service you want to configure. To implement the configuration shown in Figure 4.1, you use the command
bigpipe vip 10.10.40.0:0 none netmask 255.255.255.0 use pool firewalls_outside
Enhancing security
In some situations, you may want to limit the types of traffic that can pass inbound to your intranet. You can use port-specific network virtual servers to restrict traffic in this manner. While a standard network virtual server processes all traffic for a network, a port-specific network virtual server processes traffic specific to only the specified port.
To create a port-specific wildcard server using the Configuration utility
Follow the instructions detailed in To create a network virtual server using the Configuration utility, on page 4-7. When you configure the Port attribute, choose the port to which you want to limit the outgoing traffic for that virtual server. Repeat the process for any other ports you want accessible to incoming traffic.
For example, to implement the configuration shown in 4.1 and limit the traffic forwarded to HTTP and FTP, you complete the instructions in To create a network virtual server using the Configuration utility three times. That is, once for each of three port-specific virtual servers, entering 80, 20, and 21 for the Port attribute.
To create a port-specific wildcard server from the command line
To create a port-specific wildcard server, use the bigpipe vip command as you did in To create a network virtual server from the command line, on page 4-8. Substitute the number of the port to which you want to limit access.
For the configuration shown in Figure 4.1, to limit the traffic forwarded to HTTP and FTP, you would replace the command in To create a network virtual server from the command line with the following commands:
bigpipe vip 10.10.40.0:80 none use pool firewalls_outside
bigpipe vip 10.10.40.0:20 none use pool firewalls_outside
bigpipe vip 10.10.40.0:21 none use pool firewalls_outside
Creating a forwarding virtual server
Because the inside BIG-IP FireGuard redundant system forwards inbound connections to the intranet, you need to create a forwarding virtual server on that system (2a and 2b in Figure 4.1). This virtual server will forward traffic to network 10.10.40.0/24.
To create a forwarding virtual server using the Configuration utility
- In the navigation pane, click Virtual Servers.
- On the toolbar, click Add Virtual Server.
The Add Virtual Server screen opens. - Configure the appropriate attributes on the Add Virtual Server screen.
For additional information about configuring a network virtual server, click the Help button.
Configuration notes
To create the configuration shown in Figure 4.1:· Add a virtual server with address 10.10.40.0, port 0, interface exp0 and the Class C netmask 255.255.255.0.
· In the Resources, click the Forwarding button.
To create a network virtual server from the command line
Use the bigpipe vip command to configure the virtual server to use the pool that contains the outside addresses of the firewalls:
bigpipe vip <virtual server>:<service> <interface> forward
In the command, replace the parameters with the appropriate information:
- <virtual server> is an IP address appropriate to your network.
- <service> is a service you want to configure, such as HTTP; FTP, or Telnet.
- <interface> is the interface on the BIG-IP FireGuard on which you want to create this virtual server.
- <pool name> is the name of the pool you want this virtual server to use.
Repeat this command for each service you want to configure. For example, to implement the configuration shown in Figure 4.1, you use the command
bigpipe vip 10.10.40.0:0 exp0 forward
Designating a last hop pool for inbound traffic
When a BIG-IP FireGuard redundant system is accepting inbound connections for virtual servers from more than one firewall, it is typically necessary to return outbound packets through the same firewall they came through inbound. Returning the data through the originating firewall has two potential benefits:
- It balances the resulting outbound traffic across the firewall set.
- It guarantees, in situations where the firewall is maintaining a connection for a client, that packets can be returned to the originating client.
To configure the firewall sandwich along these lines, use the Configuration utility or the bigpipe vip command with the lasthop keyword to designate the pool containing the inside interfaces of the firewalls as the last hop pool. Designate this pool on the inside BIG-IP FireGuards (2a and 2b in Figure 4.1).
To configure a last hop pool using the Configuration utility
- In the navigation pane, click Virtual Servers.
The Virtual Servers screen opens. - In the virtual server list, click the virtual server for which you want to set up a last hop pool.
For example, to implement the configuration shown in Figure 4.1, you would select 10.10.40.0:0.The properties screen for the virtual server you clicked opens.
- Click the Apply button.
- In the Virtual Server properties screen, select the pool you want to designate as the last hop.
For additional information about creating a pool, click the Help button.
Configuration notes
To create the configuration shown in Figure 4.1, select firewalls_inside as the last hop pool for the virtual server 10.10.40.0:0.
To configure last hop pools for virtual servers from the command line
Use the bigpipe vip command:
bigpipe vip <virtual server>:<service> lasthop pool <pool name>
In the command, replace the parameters with the appropriate information:
- <virtual server> is an IP address appropriate to your network.
- <service> is a service you want to configure, such as HTTP; FTP, or Telnet.
- <pool name> is the name of the pool you want this virtual server to use.
For example, to implement the configuration shown in Figure 4.1, you would type:
bigpipe vip 10.10.40.0:0 none lasthop pool firewalls_inside
Creating virtual servers for outbound traffic
After you define a pool for the internal interfaces of your firewalls, you can define virtual servers on the inside BIG-IP FireGuard redundant system to load balance outbound connections. To do this, you:
- Create a wildcard virtual server on the inside BIG-IP FireGuards (2a and 2b in Figure 4.1) to balance traffic outbound to the firewalls.
- Create a forwarding wildcard virtual server on the outside BIG-IP FireGuards (1a and 1b in Figure 4.1) to forward traffic to the Internet.
Creating a wildcard virtual server for balancing outbound traffic to the firewalls
To configure the inside BIG-IP FireGuard redundant system (2a and 2b in Figure 4.1) for outbound connections, create a wildcard virtual server that accepts all traffic from the internal network, then load balances the traffic through the firewalls.
To create a wildcard virtual server using the Configuration utility
- In the navigation pane, click Virtual Servers.
- On the toolbar, click Add Virtual Server.
The Add Virtual Server screen opens. - Configure the following attributes on the Add Virtual Server screen.
For additional information about configuring a virtual server, click the Help button.
Configuration note
To create the configuration shown in Figure 4.1, select firewalls_inside as the last hop pool for the virtual server 0.0.0.0:0.
To create a wildcard virtual server from the command line
Use the bigpipe vip command to configure the virtual server to use the pool that contains the outside addresses of the firewalls:
bigpipe vip 0.0.0.0:0 <interface> use pool <pool name>
In the command, replace the parameters with the appropriate information:
- <interface> is the interface on the BIG-IP FireGuard on which you want to create this virtual server.
- <pool name> is the name of the pool you want this virtual server to use.
For example, to use the bigpipe vip command to implement the configuration shown in Figure 4.1, you would type:
bigpipe vip 0.0.0.0:0 none use pool firewalls_inside
Creating a forwarding wildcard virtual server to forward traffic to the Internet
After the appropriate firewall has processed outbound traffic, you want the outside BIG-IP FireGuard redundant system (1a and 1b in Figure 4.1) to forward traffic to the Internet. To accomplish this, create a wildcard virtual server as you did in Creating a wildcard virtual server for balancing outbound traffic to the firewalls, on page 4-13, using either the Configuration utility or the command line.
- If you use the Configuration utility, use the address and port 0.0.0.0:0 and select Forwarding in the Resources section.
- From the command line, to implement the configuration shown in Figure 4.1, you would type:
bigpipe vip 0.0.0.0:0 none forward
Enhancing security
In some situations, you may want to limit the types of traffic that can pass outbound to the Internet. You can use port-specific forwarding wildcard virtual servers to restrict traffic in this manner. While a standard forwarding wildcard virtual server forwards all traffic, a port-specific forwarding wildcard virtual server forwards traffic specific to only the specified port.
To create a port-specific wildcard server using the Configuration utility
Follow the instructions detailed in To create a wildcard virtual server using the Configuration utility, on page 4-13.
- When you configure the Port attribute, choose the port to which you want outgoing traffic to be limited for that virtual server.
- Complete the rest of the steps as detailed on page 4-13, then repeat the process for any other ports you want to be accessible to outgoing traffic.
For example, to implement the configuration shown in 4.1, to limit the traffic forwarded to HTTP and FTP, you would follow the instructions in To create a wildcard virtual server using the Configuration utility three times: That is, once for each of three port-specific virtual servers, entering 80, 20, and 21 for the Port attribute.
To create a port-specific wildcard server from the command line
To create a port-specific wildcard server, use the bigpipe vip command as you did in To create a network virtual server from the command line, on page 4-8. For the sample port numbers, substitute the number of the port to which you want to limit access.
For example, in the configuration shown in Figure 4.1, to limit the traffic forwarded to HTTP and FTP, you replace the command in To create a network virtual server from the command line with the following commands:
bigpipe vip 0.0.0.0:80 none use pool firewall
bigpipe vip 0.0.0.0:20 none use pool firewall
bigpipe vip 0.0.0.0:21 none use pool firewall
Designating a last hop pool for outbound traffic
Just as you used a last hop pool to balance and maintain inbound connections in Designating a last hop pool for inbound traffic, on page 4-11, you now create a last hop pool for outbound traffic for the same purposes. Create the pool on the outside BIG-IP FireGuard redundant system (1a and 1b in Figure 4.1).
Create the last hop pool for outbound traffic as you did for inbound traffic, using either the Configuration utility or the command line.
- If you use the Configuration utility, select the address and port 0.0.0.0:0, then select firewalls_outside in the Last Hop Pool section.
- From the command line, to implement the configuration shown in Figure 4.1, you type:
bigpipe vip 0.0.0.0:0 lasthop pool firewalls_outside
Configuring interfaces
Typically, a BIG-IP FireGuard redundant system has two interfaces:
- An external interface, usually set for destination processing
- An internal interface, usually set for source processing
In order for the firewall sandwich configuration to work, you must set all interfaces on the BIG-IP FireGuard redundant system systems (1a and 1b, and 2a and 2b, in Figure 4.1) to process both source and destination addresses.
Therefore, you must enable both source processing for the external interfaces, and destination processing for the internal interfaces.
To configure source and destination processing using the Configuration utility
- In the navigation pane, click NICs.
The Network Interface Cards screen opens. You can view the current settings for each interface in the Network Interface Card table. - In the Network Interface Card table, click the name of the interface you want to configure.
The Network Interface Card Properties screen opens. - In the Network Interface Card Properties screen, configure the attributes required for the interface. For additional information about creating a pool, click the Help button.
Configuration notes
To create the configuration shown in Figure 4.1, for both exp0 and exp1, make sure the Enable Source Processing and the Enable Destination Processing check boxes are checked.
To configure source processing from the command line
Use the bigpipe interface command with the source keyword to turn source processing on for an interface:
bigpipe interface <interface> source enable
where <interface> is the identifier for the internal interface of a BIG-IP FireGuard redundant system.
To implement the configuration shown in Figure 4.1, you use the command:
bigpipe interface exp0 source enable
Repeat this process for each BIG-IP FireGuard redundant system.
To configure destination processing from the command line
Use the bigpipe interface command with the dest keyword to turn destination processing on for an interface:
bigpipe interface <interface> dest enable
where <interface> is the identifier for the external interface of a BIG-IP FireGuard redundant system.
To implement the configuration shown in Figure 4.1, you would use the command:
bigpipe interface exp1 dest enable
Repeat this process for each BIG-IP FireGuard.
Configuring administrative routing
In order to administer the outside BIG-IP FireGuard redundant system (BIG-IP FireGuards 1a and 1b in Figure 4.1) from the inside BIG-IP FireGuard redundant system (BIG-IP FireGuards 2a and 2b in Figure 4.1), and to administer the inside redundant system from the outside redundant system, you need to create routes between the systems, using the firewalls as gateways.
To implement the configuration shown in Figure 4.1, you would use the following commands on BIG-IP FireGuards 1a and 1b:
route add -host 10.10.30.1 -gateway 10.10.20.4
route add -host 10.10.30.2 -gateway 10.10.20.5
route add -host 10.10.30.3 -gateway 10.10.20.6
To complete the configuration, you would use the following commands on BIG-IP FireGuards 2a and 2b:
route add -host 10.10.20.1 -gateway 10.10.30.4
route add -host 10.10.20.2 -gateway 10.10.30.5
route add -host 10.10.20.3 -gateway 10.10.30.6