
Create NAT Rules for Outbound

In document FIREWALL/VPN REFERENCE GUIDE (Page 187-194)

You activate Multi-Link for outbound connections in the Firewall Policy with NAT rules that match certain traffic for Outbound Multi-Link address translation. Other NAT rules may translate the source addresses in outbound connections to the IP address space of a particular ISP, so that the traffic is automatically routed through a particular link (even if the link fails). Only the part of traffic that matches a NAT rule with the Outbound Multi-Link element is balanced between different links.

Some protocols cannot use dynamic NAT based on IP/port translation. To achieve high availability and load balancing for connections that use these protocols, you can use static NAT with an Outbound Multi-Link element in an outbound load balancing NAT rule. When static NAT is used, the size of the source network must be the same as the size of the Multi-Link network.

Using Multi-Link

Multi-Link is mainly used for high availability to ensure that business-critical traffic gets through even when one or more Internet connections fail. Standby NetLinks act as backup Internet connections that are only activated if all the primary NetLinks fail. Using standby NetLinks provides high availability of Internet connectivity, but is less expensive than having multiple NetLinks active at the same time. Using Multi-Link for load balancing can also help reduce costs. Traffic can be balanced between two slower, less expensive, Internet connections instead of one faster connection.

Multi-Link with a Single Firewall

Illustration 20.2 shows how a Single Firewall’s network interfaces are used for Multi-Link.

Illustration 20.2 Single Firewall Interfaces with Multi-Link

In this example, interface 1 is used as the network interface for Internet traffic that is routed through ISP A. Interface 2 is used as the network interface for Internet traffic that is routed through ISP B. It is also possible to configure Multi-Link by defining two or more IP addresses for a single physical interface - the router behind the interface then forwards the traffic to the different ISPs. However, this is not recommended, as it creates an additional single point of failure at the intermediate router, and the associated cabling and network cards.


You can also configure Multi-Link with single firewalls by replacing one or more physical interfaces with Modem Interfaces and 3G modems.

Illustration 20.3 Multi-Link Configuration with Two Modem Interfaces on Single Firewall

In this scenario, Modem Interface 1 is used for Internet traffic that 3G Modem 1 routes through ISP A. Modem Interface 2 is used for Internet traffic that 3G Modem 2 routes through ISP B.

Multi-Link with a Firewall Cluster

Illustration 20.4 shows how Multi-Link works with the CVIs of a Firewall Cluster.

Illustration 20.4 Cluster Interfaces for Multi-Link

In this example, the firewall cluster consists of two nodes. On both nodes, Interface 1 is used as the CVI for Internet traffic that is routed through ISP A. Interface 2 is used as the CVI for Internet traffic that is routed through ISP B. Both nodes have one physical interface for each CVI, so that both nodes are physically connected to both routers leading to the Internet.

It is also possible to configure Multi-Link by connecting two CVIs to a single router, which in turn connects to both ISPs. However, this configuration is not recommended, as it creates a single point of failure.



Using Multiple Outbound Multi-Link elements

You can create multiple Outbound Multi-Link elements, and each NetLink can belong to more than one Outbound Multi-Link element at the same time. This can be useful, for example, when you want a certain type of traffic to be balanced only between some of the NetLinks, and another type of traffic to be balanced between all of the NetLinks.

Examples of Multi-Link

The examples in this section illustrate some common uses for Multi-Link in StoneGate and general steps on how each scenario is configured.

Preparing for ISP Breakdown

Company A wants to make sure their Internet connection remains available even when one ISP connection fails. The company has subscribed to one Internet connection each from ISP A and ISP B. The administrators decide to use Multi-Link to ensure high availability of Internet connectivity.

The administrators do the following:

1. Create NetLink elements to represent connections to ISP A and ISP B.

2. Place the ISP A and ISP B NetLinks under the correct interfaces in the Routing view.

3. Create an Outbound Multi-Link element and add the ISP A and ISP B NetLinks to it.

4. Define the following NAT rule in the Firewall Policy so that traffic from the internal network (Internal Network element) to destinations that are not internal (Not Internal expression) is handled by the Outbound Multi-Link element (My Multi-Link):

Source            Destination   Service   NAT
Internal Network  Not Internal  ANY       Dynamic load balancing: My Multi-Link

Excluding a NetLink from Handling a QoS Class of Traffic

Company B has three Internet connections: ISP A, ISP B, and ISP C, which is a satellite link.

Because of the long latency in satellite connections, the administrators do not want any VoIP traffic to be routed through ISP C. They decide to use QoS classes so that VoIP traffic is only routed through ISP A and ISP B.

To do this, the administrators:

1. Create NetLink elements to represent connections to ISP A, ISP B, and ISP C.

2. Place the ISP A, ISP B, and ISP C NetLinks under the correct interfaces in the Routing view.

3. Define a QoS class and assign it to VoIP traffic.

4. Create an Outbound Multi-Link element and add the ISP A, ISP B, and ISP C NetLinks to it.

5. Select the QoS class for the ISP A NetLink and the ISP B NetLink in the Outbound Multi-Link element properties. No QoS class is assigned to ISP C.

6. Define the following NAT rule for outbound load balancing in the Firewall Policy:

Source   Destination   Service   NAT
ANY      ANY           ANY       Dynamic load balancing: Multi-Link Element

Balancing Traffic According to Link Capacity

Company B has three ISP connections that have different bandwidths:

• ISP A 20 Mbit/s

• ISP B 10 Mbit/s

• ISP C 4 Mbit/s

The administrators want the traffic to be divided between the NetLinks according to the ratio of their relative bandwidths. This means that ISP A handles twice as much traffic as ISP B and 5 times as much traffic as ISP C. The administrators have already created and configured NetLink elements to represent each ISP connection, so now they:

1. Combine the NetLinks for each ISP connection into an Outbound Multi-Link element and select the Ratio load balancing method.

2. Define the following NAT rule for outbound load balancing in the Firewall Policy:

Source   Destination   Service   NAT
ANY      ANY           ANY       Dynamic load balancing: Multi-Link Element

Balancing Traffic between Internet Connections

The administrator at Company B determines that a 4 megabyte Internet connection is needed to handle the volume of traffic their network receives. However, Company B is a small company on a tight budget, and the cost of a single 4 megabyte connection is too high. The administrator decides to subscribe to one 2 megabyte connection each from ISP A and ISP B, and use Multi-Link to balance the load of traffic between the two connections to reduce costs.

The administrator:

1. Creates NetLink elements to represent connections to ISP A and ISP B.

2. Places the ISP A and ISP B NetLinks under the correct interfaces in the Routing view.

3. Creates an Outbound Multi-Link element and adds the ISP A and ISP B NetLinks to it.

4. Defines the following NAT rule in the Firewall Policy so that traffic from the internal network (Internal Network element) to destinations that are not internal (Not Internal expression) is balanced by the Outbound Multi-Link element (My Multi-Link):

Source            Destination   Service   NAT
Internal Network  Not Internal  ANY       Dynamic load balancing: My Multi-Link
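The following Python model is an added example, not StoneGate code, that simulates the NetLink selection policy the examples above describe: a flow matching an outbound load-balancing NAT rule is placed on one eligible NetLink, where eligibility excludes links that are down, standby links while any primary link is up (Using Multi-Link), and links that do not carry the flow's QoS class (the satellite-link example); the Ratio method weights the choice by bandwidth, using the 20/10/4 Mbit/s figures from the Company B example. It also enforces the static NAT size constraint stated at the start of the chapter. The class and function names, the hash-based sticky assignment of flows to links, and the sample flows are constructed assumptions and do not represent the product's own algorithm.

```python
"""Model of Outbound Multi-Link NetLink selection (added example, not StoneGate code).

Constructed to illustrate the policy described in the text: eligibility filtering
(link up, standby only when all primaries are down, QoS class carried by the link),
bandwidth-weighted Ratio balancing, and the static NAT network-size constraint.
All names and fields are assumptions made for this example.
"""
from dataclasses import dataclass
import hashlib
import ipaddress


@dataclass
class NetLink:
    name: str
    bandwidth_mbit: int                    # weight used by the Ratio method
    up: bool = True
    standby: bool = False                  # used only when every primary link is down
    qos_classes: frozenset = frozenset()   # QoS classes this link may carry


@dataclass
class OutboundMultiLink:
    netlinks: list
    method: str = "ratio"                  # "ratio" or "round-robin" (constructed names)

    def eligible(self, qos_class=None):
        """NetLinks that may carry a flow of the given QoS class right now."""
        live = [n for n in self.netlinks if n.up]
        primaries = [n for n in live if not n.standby]
        # Standby links are activated only if all primary links have failed.
        candidates = primaries if primaries else [n for n in live if n.standby]
        if qos_class is not None:
            # A link with no matching QoS class is excluded for classified traffic.
            candidates = [n for n in candidates if qos_class in n.qos_classes]
        return candidates

    def select(self, flow_key: str, qos_class=None):
        """Pick one NetLink for a flow. The same flow key maps to the same link
        while the eligible set is unchanged, so a connection stays on its link."""
        links = self.eligible(qos_class)
        if not links:
            return None
        digest = hashlib.sha256(flow_key.encode()).digest()
        point = int.from_bytes(digest[:8], "big")
        if self.method == "ratio":
            # Each link owns a slice of the hash space proportional to its bandwidth.
            point %= sum(n.bandwidth_mbit for n in links)
            for n in links:
                if point < n.bandwidth_mbit:
                    return n
                point -= n.bandwidth_mbit
        return links[point % len(links)]


def distribution(ml, flows, qos_class=None):
    """Count how many of the given flows land on each NetLink (None = no link)."""
    counts = {}
    for flow in flows:
        link = ml.select(flow, qos_class)
        name = link.name if link else None
        counts[name] = counts.get(name, 0) + 1
    return counts


def static_nat(src_ip, src_net, multilink_net):
    """Static 1:1 NAT preserving the host part; the two networks must be equal in size."""
    src_net = ipaddress.ip_network(src_net)
    ml_net = ipaddress.ip_network(multilink_net)
    if src_net.prefixlen != ml_net.prefixlen:
        raise ValueError("static NAT requires source and Multi-Link networks of equal size")
    offset = int(ipaddress.ip_address(src_ip)) - int(src_net.network_address)
    return str(ml_net.network_address + offset)


# Constructed sample configuration mirroring the Company B examples.
VOIP = "VoIP"
COMPANY_B = OutboundMultiLink([
    NetLink("ISP A", 20, qos_classes=frozenset({VOIP})),
    NetLink("ISP B", 10, qos_classes=frozenset({VOIP})),
    NetLink("ISP C", 4),   # satellite link: no QoS class assigned, so no VoIP
])
# Constructed flow keys (source ip:port -> destination ip:port); all unique.
SAMPLE_FLOWS = [f"10.0.0.{i % 250}:{40000 + i}->203.0.113.{i % 7}:443" for i in range(3000)]

if __name__ == "__main__":
    print("all traffic:", distribution(COMPANY_B, SAMPLE_FLOWS))
    print("VoIP only:  ", distribution(COMPANY_B, SAMPLE_FLOWS, VOIP))
    print("static NAT: ", static_nat("10.1.2.3", "10.1.2.0/24", "198.51.100.0/24"))
```

Running the module shows ordinary traffic split roughly 20:10:4 across the three links while VoIP flows never land on ISP C; the same flow key always returns the same link, which is the property that keeps a connection on one ISP address once it has been translated.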


CHAPTER 21

INBOUND TRAFFIC MANAGEMENT

A Server Pool balances the load of incoming connections between a group of servers that function as a single entity. Additionally, Server Pools can be used to utilize dynamic DNS updates to disable access to a single server or a group of servers through non-working Multi-Link Internet connections.

The following sections are included:

Overview to Server Pool Configuration (page 192)

Configuration of Server Pools (page 192)

Using Server Pools (page 195)

Examples of Server Pools (page 197)

Overview to Server Pool Configuration

The Server Pool is a built-in load balancer in the firewall that can be used for distributing incoming traffic between a group of servers to balance the load efficiently and to ensure that services remain available even when a server in the pool fails. The Server Pool has a single external IP address that the clients can connect to and StoneGate then uses NAT to distribute the incoming traffic to the different servers.

The server load is distributed to the Server Pool members based on each server’s availability.

Monitoring Agents installed on each server can be used to monitor server availability and load balancing. Alternatively, the server availability can be checked with simple ICMP Echo Requests (ping) sent from the firewall engines to each server periodically. Whereas the ping test only checks the server’s connectivity, Monitoring Agents provide additional information about the server’s load and functioning.

If the ping test or the Monitoring Agent reports a server failure, the server is taken out of the Server Pool and the connections are distributed to the remaining servers. When a server is taken out of the Server Pool, traffic from existing connections can still be sent to the server (since in typical use scenarios the other servers would not be able to handle them in any case) without sending new connections to the failed member. With Monitoring Agents, the server can be completely excluded from handling traffic.

When a previously unavailable server comes back online, existing connections are not redistributed, but some of the new connections that are opened are again directed to the server that rejoins the pool.

Additionally, Multi-Link can be used with Server Pools to provide the connecting clients access to the Server Pool through multiple Internet connections, increasing Server Pool availability.

Server Pools can only be used with IPv4 traffic.

Configuration of Server Pools

The illustration below shows how Server Pools and the related elements are used together.

Illustration 21.1 Server Pool Configuration

Host elements represent your servers in the Management Center. One or more Host elements are added as Server Pool members to a Server Pool element. The Server Pool element must be used in an IPv4 Access rule in the Firewall Policy for incoming traffic to be routed to the pool members. There can be several Server Pools for different services. The Access rules define which traffic is directed to which pool.



Multi-Link for Server Pools

If you have configured Multi-Link, it can be used to improve Server Pool availability. You can also use Multi-Link with just one server in the Server Pool to take advantage of dynamic DNS updates (as explained below).

Illustration 21.2 Multi-Link Configuration for a Server Pool

As an addition to the basic configuration, the NetLinks and (optionally) the external DNS Server are also specified for the Server Pool.

When dynamic DNS updates are not used, Multi-Link is based on assigning an IP address for the Server Pool in each NetLink. The Server Pool’s DNS entry on the external DNS server must be configured with an IP address for each NetLink so that clients can access the servers through the different NetLinks. When the connecting client requests the IP address for the Server Pool’s DNS name, the DNS server sends the Server Pool’s DNS entry with the IP addresses on the different NetLinks. The client connects to one of these addresses and StoneGate then allocates the connection to one of the Server Pool members. If the first Server Pool IP address is unreachable, the client can connect to the Server Pool’s next IP address on a different NetLink (depending on the client application).

When dynamic DNS updates are used, the firewall updates the DNS entries automatically based on the availability of the NetLinks. When a NetLink becomes unavailable, the Server Pool’s IP address for that link is automatically removed from the DNS entry on the external DNS server.

When the NetLink becomes available, the IP address is again automatically added to the DNS entry (for more information, see Dynamic DNS (DDNS) Updates (page 195)).
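The following Python model is an added example, not StoneGate code, that ties together the Server Pool behaviour described in the overview and the Multi-Link section above: new connections are allocated only to members that the ping test or Monitoring Agent reports as up, an existing connection keeps its server after that server is marked down, a rejoining server receives new connections but existing ones are not redistributed, and the pool's DNS entry holds one A record per NetLink with the record of an unavailable NetLink withdrawn as a dynamic DNS update would do. Class names, fields, the hash-based member choice, and the sample addresses are constructed assumptions.

```python
"""Model of Server Pool member selection and per-NetLink DNS records
(added example, not StoneGate code; names and fields are assumptions)."""
from dataclasses import dataclass, field
import hashlib


@dataclass
class PoolMember:
    host: str              # Host element: the internal server address
    up: bool = True        # result of the last ping / Monitoring Agent check


@dataclass
class ServerPool:
    name: str
    members: list
    netlink_addresses: dict                          # NetLink name -> pool IP on that link
    netlink_up: dict = field(default_factory=dict)   # NetLink name -> availability
    assignments: dict = field(default_factory=dict)  # connection id -> member host

    def dns_records(self):
        """A records the external DNS server should hold for the pool's name:
        one per NetLink, omitting NetLinks currently reported unavailable."""
        return sorted(ip for link, ip in self.netlink_addresses.items()
                      if self.netlink_up.get(link, True))

    def accept(self, conn_id):
        """Return the member handling conn_id. Existing connections keep their
        member even if it is down; new ones go to an available member."""
        if conn_id in self.assignments:
            return self.assignments[conn_id]
        live = [m for m in self.members if m.up]
        if not live:
            return None
        digest = hashlib.sha256(conn_id.encode()).digest()
        member = live[int.from_bytes(digest[:4], "big") % len(live)]
        self.assignments[conn_id] = member.host
        return member.host

    def set_member_state(self, host, up):
        """Record a ping / Monitoring Agent result for one member."""
        for m in self.members:
            if m.host == host:
                m.up = up

    def existing_connections_for(self, host):
        return [c for c, h in self.assignments.items() if h == host]


def client_connect(records, reachable):
    """Client-side fallback: try the pool's addresses in the order returned by
    DNS until one is reachable (the text notes this depends on the client)."""
    for ip in records:
        if ip in reachable:
            return ip
    return None


# Constructed sample: three members reachable through two NetLinks.
WEB_POOL = ServerPool(
    "web-pool",
    [PoolMember("192.168.1.11"), PoolMember("192.168.1.12"), PoolMember("192.168.1.13")],
    {"ISP A": "198.51.100.10", "ISP B": "203.0.113.10"},
)

if __name__ == "__main__":
    for i in range(6):
        print(f"conn-{i} ->", WEB_POOL.accept(f"conn-{i}"))
    WEB_POOL.set_member_state("192.168.1.12", False)
    print("new conn after failure ->", WEB_POOL.accept("conn-new"))
    WEB_POOL.netlink_up["ISP B"] = False
    print("DNS records with ISP B down:", WEB_POOL.dns_records())
```

Note the asymmetry the text describes for ping-based monitoring: marking a member down stops new allocations to it, but `accept` still answers existing connection ids with the failed host, so only a Monitoring Agent (or an explicit table flush) fully excludes a server from traffic.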

Default Elements

You can use Server Pools to balance the load between servers without using Multi-Link for inbound traffic management. To do this, you use the special “Not specified” default NetLink element.


Configuration Workflow

The following sections provide an overview of the configuration tasks. Detailed step-by-step instructions can be found in the Online Help of the Management Client and the Administrator’s Guide PDF, in the section called Routing.
