Applies To:
Show VersionsBIG-IP versions 1.x - 4.x
- 4.6.1, 4.6.0, 4.5 PTF-08, 4.5 PTF-07, 4.5 PTF-06, 4.5 PTF-05, 4.5 PTF-04, 4.5 PTF-03, 4.5 PTF-02, 4.5 PTF-01, 4.5.9, 4.5.0
12
Balancing Two-Way Traffic Across Firewalls
- Introducing two-way firewall load balancing
- Configuring two-way firewall load balancing
- Additional configuration options
Introducing two-way firewall load balancing
This chapter describes how to set up a configuration that load balances two types of traffic:
- Users on the Internet requesting information from a pair of enterprise servers behind the enterprise's set of firewalls, generating inbound traffic
- Users behind a set of firewalls requesting information from Internet servers, generating outbound traffic
This type of configuration is appropriate for any enterprise that wants to provide information by way of the Internet, while limiting traffic to a specific service; and also wants to maintain a large intranet with fast access to the Internet for internal users.
This configuration calls for two BIG-IP units:
- A BIG-IP system on the outside (that is, the side nearest the Internet) of the firewalls, to balance traffic inbound across the firewalls
- A BIG-IP system on the inside (that is, the side nearest the enterprise servers) of the firewalls to balance traffic outbound across the firewalls, and also to balance traffic inbound across the server array
Collectively, this is known as a firewall sandwich configuration, because the BIG-IP units are on either side of the firewalls sandwiching them. Figure 12.1 , following, illustrates this type of configuration, and provides an example configuration for this entire chapter. When creating your own configuration, remember to use IP addresses, host names, and so on, that are applicable to your own network.
All products except the BIG-IP e-Commerce Controller support this configuration.
Figure 12.1 Load balancing two-way traffic
Configuring two-way firewall load balancing
To load balance enterprise servers as well as two-way traffic across a set of firewalls using a firewall sandwich configuration, you need to complete all the following tasks in order:
- Configure routing to the internal network.
- Create pools for firewalls and servers.
- Enable port 0 traffic.
- Create virtual servers for inbound traffic.
- Create virtual servers for outbound traffic.
- Configure administrative routing.
The following sections provide details on how to set up this configuration, using the sample IP addresses and device names in Figure 12.1 as an example.
Configuring routing to the internal network
The external router should route traffic bound for the network that includes your intranet by way of the external shared alias of the external BIG-IP redundant system.
In Figure 12.1 , the internal BIG-IP system, the network is 10.10.30.0/24, and the external address (or floating alias for redundant system) is 10.10.10.1. Thus, a command to configure this routing might be:
Route add -net 10.10.30.0 -gateway 10.10.10.1
The exact syntax of this command depends on the type of router.
Creating pools for firewalls and servers
To use this configuration, you must create three load balancing pools.
- To load balance incoming requests across the external interfaces of your firewalls, you create a pool that includes these external interfaces.
- Because requests that pass through the firewalls must be load balanced to the enterprise servers, you create a pool that includes these enterprise servers.
- Outgoing requests must be balanced across the internal interfaces of your firewalls, so you create a pool that includes these internal interfaces.
To create a pool using the Configuration utility
- In the navigation pane, click Pools.
The Pools screen opens. - Click the Add button.
The Add Pool screen opens. - Enter the pool name and member addresses in the Add Pool screen. (For additional information about configuring a pool, click the Help button.)
Configuration notes
When you create the configuration shown in Figure 12.1 :
On the outside BIG-IP system in Figure 12.1 labeled BIG-IP 1, create the pool firewalls_outside containing members 10.10.20.4, 10.10.20.5, and 10.10.20.6.
On the inside BIG-IP system in Figure 12.1 labeled BIG-IP 2, define pool firewalls_inside containing the members 10.10.30.4, 10.10.320.5, and 10.10.30.6.
On the inside BIG-IP 2, define the pool servers containing members 10.10.40.4 and 10.10.20.5.
To define the pools from the command line
Use the bigpipe pool command to create the pool:
b pool <pool name> { member <Firewall1>:0 member <Firewall2>:0 member <Firewall3>:0 }
To achieve the configuration in Figure 12.1 , the commands would be:
b pool firewalls_outside { \
member 10.10.20.4:0 \
member 10.10.20.5:0 \
member 10.10.20.6:0 }
b pool firewalls_inside { \
member 10.10.30.4:0 \
member 10.10.30.5:0 \
member 10.10.30.6:0 }
b pool servers { \
member 10.10.40.4:0 \
member 10.10.40.5:0 }
Enabling port 0
For security reasons, the ports on the BIG-IP system do not accept traffic until you enable them. In this configuration, the system accepts traffic on port 0. For this configuration to work, you must enable port 0. Use the following command to enable this port:
b service 0 tcp enable
This step is only required if you create this configuration from the command line. If you create the configuration from the web-based Configuration utility, the port is opened automatically.
Creating virtual servers
After you define the pools, you can define virtual servers on the BIG-IP units to load balance inbound and outbound connections.
- For inbound connections, create a network virtual server on the outside BIG-IP system in Figure 12.1 labeled BIG-IP 1 to load balance the firewalls. A network virtual server is a virtual server that handles a whole network range, instead of just one IP address.
- For inbound connections, create a standard virtual server on the inside BIG-IP system in Figure 12.1 labeled BIG-IP 2 to load balance the enterprise servers.
- For outbound connections, create a wildcard virtual server on the inside BIG-IP system to balance traffic outbound to the firewalls.
- For outbound connections, create a forwarding wildcard virtual server on the outside BIG-IP system to forward traffic to the Internet. A forwarding virtual server is a virtual server that merely forwards traffic, rather than balancing it across nodes.
To define a virtual server using the Configuration utility
- In the navigation pane, click Virtual Servers.
The Virtual Servers screen opens. - Click the Add button.
The Add Virtual Server screen opens. - Enter the virtual server address and pool name. (For additional information about configuring a virtual server, click the Help button.)
Configuration notes
When you create the configuration shown in Figure 12.1 :
Add a network virtual server with address 10.10.0.0 and port 80 using pool firewalls_outside.
Add a standard virtual server with address 10.10.30.9 and port 80 using the pool severs.
Create a wildcard virtual server on the inside BIG-IP system with the address 0.0.0.0:0 using pool firewalls_inside.
Create a forwarding wildcard virtual server on the outside BIG-IP system with address 0.0.0.0:0. A forwarding virtual server is a virtual server that merely forwards traffic, rather than using a load-balancing pool.
To define the virtual server from the command line
Use the bigpipe virtual command to configure the virtual servers:
b virtual <virt_ip>:<service> use pool <pool name>
For this example, use the following commands:
b virtual 10.10.0.0 use pool firewall_outsides
b virtual 10.10.30.9:80 use pool servers
b virtual 0.0.0.0:0 use pool firewall_insides vlans disable external
b virtual 0.0.0.0:0 forward vlans external disable
Enhancing security for this configuration
In some situations, you may want to limit the types of traffic that can pass outbound to the Internet. You can use port-specific wildcard virtual servers to restrict traffic in this manner. While a standard wildcard virtual server forwards all traffic, a port-specific wildcard virtual server forwards traffic specific to only the specified port. For more information, see the BIG-IP Reference Guide, Chapter 6, Virtual servers.
To create a port-specific wildcard server using the Configuration utility
Follow the instructions detailed in To define a virtual server using the Configuration utility .
- When you configure the Port attribute, choose the port to which you want outgoing traffic to be limited for that virtual server.
- Complete the rest of the steps , then repeat the process for any other ports you want to be accessible to outgoing traffic.
For example, to implement the configuration shown in Figure 12.1 , to limit the traffic forwarded to HTTP and FTP, you would follow the instructions in To define a virtual server using the Configuration utility, , three times. That is, once for each of three port-specific virtual servers, entering respectively 80, 20, and 21 for the Port attribute.
To create a port-specific wildcard server from the command line
To create a port-specific wildcard server, use the bigpipe virtual command as you did in To define the virtual server from the command line . For the sample port number, substitute the number of the port to which you want to limit access.
For example, in the configuration shown in Figure 12.1 , to limit the traffic forwarded to HTTP and FTP, you replace the command in the preceding section with the following commands:
b virtual 0.0.0.0:80 use pool firewall
b virtual 0.0.0.0:20 use pool firewall
b virtual 0.0.0.0:21 use pool firewall
Configuring administrative routing
In order to administer the outside BIG-IP system from the inside BIG-IP redundant system and the reverse, you need to create routes between the systems, using the firewalls as gateways.
To implement the configuration shown in Figure 12.1 , you use the following commands on the BIG-IP system labeled BIG-IP 1:
route add -host 10.10.30.1 -gateway 10.10.20.4
If BIG-IP 2 is a redundant pair with 10.10.30.2 and 10.10.30.3 as its external addresses and 10.10.30.1 as their floating alias use these commands:
route add -host 10.10.30.1 -gateway 10.10.20.4
route add -host 10.10.30.2 -gateway 10.10.20.5
route add -host 10.10.30.3 -gateway 10.10.20.6
To complete the configuration, you use the following commands on the BIG-IP system in Figure 12.1 labeled BIG-IP 2:
route add -host 10.10.20.1 -gateway 10.10.30.4
If BIG-IP 1 is a redundant pair with 10.10.20.2 and 10.10.20.3 as its internal addresses and 10.10.20.1 as their floating alias:
route add -host 10.10.20.1 -gateway 10.10.30.4
route add -host 10.10.20.2 -gateway 10.10.30.5
route add -host 10.10.20.3 -gateway 10.10.30.6
Additional configuration options
Whenever you configure a BIG-IP system, you have a number of options:
- You have the option in all configurations to configure a BIG-IP redundant system for fail-over. Refer to Chapter 13, Configuring a Redundant System , in the BIG-IP Reference Guide.
- All configurations have health monitoring options. Refer to Chapter 11, Monitors , in the BIG-IP Reference Guide.
- When you create a pool, there is an option to set up persistence and a choice of load balancing methods. Refer to Chapter 4, Pools , in the BIG-IP Reference Guide.