4. VIRTUAL FORWARDER INTERFACE (VFI)
4.5. Outgoing Load Balancing (OLB)
4.5.1. IP Address Pools
IP address pools, or IP pools, are a sort of “network container” that stores ranges of IP addresses of alternate links. It is from these pools of IP addresses, whether they contain one or more addresses, that the Elfiq Link Balancer selects a balanced IP address for outgoing balancing. An advantage of using IP pools is that the IP address associations used by the balancing algorithms can be modified more easily than by editing every associated access-list rule.
NOTE: Address pools and the related poolip commands can only be used in reference to inside traffic network address translation (outgoing traffic).
Each pool can contain up to 256 IP addresses, as long as all of them share the same first 3 bytes. This means that any pool of IP addresses must stay within a single class C network. A maximum of 254 pools of IP addresses can be defined in a single VFI.
All the address pools are associated with a unique identification number, the pool id, which is used to identify the pools when used throughout the Link LB VFI configuration. Any pool id must be a unique value between 2 and 255.
Pool ID 1, the self identifying routable address pool
When outgoing sessions get to the Link LB, the source IP address on the packets is already set to a public IP address by the firewall; this IP address should be routable through the primary link as it is.
This original IP address as received by the Link LB is saved in pool ID 1. For each and every session passing through the Link LB, pool ID 1 represents the original IP for the specific session being handled at this time.
When configuring an ACL for outbound load balancing, you will need to list the available pool IDs for the ACL you are creating. Using poolip 1 in any rule commands the Link LB to consider the primary link. If the primary link (poolip 1) is chosen, the Link LB processes the session like any other NAT operation but keeps the original source IP for the session.
The purpose of NAT in this case is to create control blocks for the session ensuring persistence and complete session handling.
If another pool ID is chosen, then the NAT process will change the source IP to comply with the chosen poolip and again, create control blocks for the session ensuring persistence and complete session handling.
Once the NAT operation is done, the packets proceed through the rest of the VFI functional stack and eventually reach the Internet on the link (or GMAC) chosen by the Link LB at this stage.
4.5.1.2. Add Address Pools
Address pools can be created with the poolip command, which takes a unique ID and the desired range of IP addresses as parameters. Since pool ID 1 is used to represent routable traffic (by default, it is associated with the primary Internet connection), the first pool ID that can be used is 2 and the last available one is 255.
poolip [id] [network]/[netmask-bits]|[dhcp:id|pppox:id] [masq]
As an example, we could create a few pools of IP addresses for our second GMAC entries:
LinkLB-enable:vfi0 [single] #poolip 3 212.217.1.3/32
LinkLB-enable:vfi0 [single] #poolip 22 212.217.1.12/32
LinkLB-enable:vfi0 [single] #poolip 115 212.217.1.13/32
LinkLB-enable:vfi0 [single] #poolip 127 212.217.1.14/32
LinkLB-enable:vfi0 [single] #poolip 255 212.217.1.0/28
When you create a poolip 212.217.1.0/28, all of the subnet is used by the Link LB, from 212.217.1.0 to 212.217.1.15.
For the third link, which is a dynamic DHCP or PPPoE link, the IP address is unknown in the configuration, so the poolip is created with the DHCP or PPPoE identification number that is also used for the GMAC configuration.
LinkLB-enable:vfi0 [single] #poolip 250 dhcp:1 or
LinkLB-enable:vfi0 [single] #poolip 250 pppox:1
If you look carefully at the IP pools we have just created, they are using the required IP addresses in the IP association table in section 4.4.3.2.
You can list the pools of IP addresses that you have created with the sh poolip command.
LinkLB-enable:vfi0 [single] #sh poolip
NOTE: The pool ID tag is important because it is used to reference the pool IP when you use it in a load balancing rule.
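The poolip rules stated in this section (IDs 2 to 255 with ID 1 reserved for the routable pool, at most 254 pools per VFI, every static range inside one class C network, dhcp:id or pppox:id for dynamic links, the whole subnet of a /28 being used, and the rule from section 4.5.1.4 that only a /32 pool may masquerade) can be checked before typing them into the Link LB. The following Python model is an added example and not Elfiq code; the class, method and constant names are assumptions, while the addresses are the ones used in the example above.

```python
"""Model of the poolip rules given in this section: an added example, not Elfiq code.
Class, method and constant names are assumptions chosen for illustration."""
import ipaddress
import re

POOL_ID_MIN, POOL_ID_MAX = 2, 255   # pool ID 1 is the implicit routable (primary link) pool
MAX_POOLS_PER_VFI = 254
DYNAMIC_RE = re.compile(r"^(dhcp|pppox):(\d+)$")   # dhcp:id / pppox:id as in the command syntax


class PoolTable:
    """IP pools of one VFI, enforcing the limits the manual states."""

    def __init__(self):
        self.pools = {}   # pool id -> {"range": str, "masq": bool}

    def poolip(self, pool_id, network, masq=False):
        """Equivalent of 'poolip [id] [network]/[netmask-bits]|[dhcp:id|pppox:id] [masq]'."""
        if not POOL_ID_MIN <= pool_id <= POOL_ID_MAX:
            raise ValueError(f"pool id {pool_id} must be between {POOL_ID_MIN} and {POOL_ID_MAX}")
        if pool_id in self.pools:
            raise ValueError(f"pool id {pool_id} is already defined")
        if len(self.pools) >= MAX_POOLS_PER_VFI:
            raise ValueError(f"a VFI holds at most {MAX_POOLS_PER_VFI} pools")

        if DYNAMIC_RE.match(network):
            # The address of a DHCP/PPPoE link is learned at runtime; it is a single
            # address, so masquerading is permitted (see 'poolip 250 dhcp:1 masq').
            self.pools[pool_id] = {"range": network, "masq": masq}
            return

        net = ipaddress.ip_network(network, strict=True)
        if net.version != 4:
            raise ValueError("poolip ranges are IPv4")
        # "same first 3 bytes": a /24 or longer prefix, hence at most 256 addresses
        if net.prefixlen < 24:
            raise ValueError(f"{network} crosses a class C boundary")
        if masq and net.prefixlen != 32:
            raise ValueError("only a poolip with a /32 bitmask can perform masquerading")
        self.pools[pool_id] = {"range": str(net), "masq": masq}

    def no_poolip(self, pool_id):
        """Equivalent of 'no poolip [pool id]'."""
        if pool_id not in self.pools:
            raise KeyError(f"pool id {pool_id} does not exist")
        del self.pools[pool_id]

    def addresses(self, pool_id):
        """Every address the Link LB will use for the pool: the whole subnet counts, so
        212.217.1.0/28 yields .0 through .15. Dynamic pools are unknown until the link is up."""
        rng = self.pools[pool_id]["range"]
        if DYNAMIC_RE.match(rng):
            return []
        return [str(a) for a in ipaddress.ip_network(rng)]


def example_pools():
    """The pools created in this section, run through the model."""
    table = PoolTable()
    table.poolip(3, "212.217.1.3/32")
    table.poolip(22, "212.217.1.12/32")
    table.poolip(115, "212.217.1.13/32")
    table.poolip(127, "212.217.1.14/32")
    table.poolip(255, "212.217.1.0/28")
    table.poolip(250, "dhcp:1", masq=True)
    return table
```

Running example_pools() and expanding pool 255 returns the sixteen addresses 212.217.1.0 to 212.217.1.15, which matches the note that the whole /28 is used; attempting poolip 1, a duplicate ID, a /23, or masq on a /28 raises a ValueError.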
The Link Balancer configuration now looks like the following with the primary link, alternate links, outside NAT rules and persistence:
## Inside interface
acl arp +ip 1 +194.204.1.0/25 +reply fw:194.204.1.3 inside
## Protofix rules
protofix ftp 21
## Gmac entries
gmac 1 auto Primary_Link_T1 194.204.1.1/25 1 1544 1544 0 0.0.0.0:0,0.0.0.0:0 66/66
gmac dev 1 eth2
gmac tcpprobe 1 194.204.1.3
gmac 2 auto AlternateLink_xDSL 212.217.1.1/28 2 5000 1000 0 0.0.0.0:0,0.0.0.0:0 95/95
gmac dev 2 eth1
gmac mtu 2 1492 mss
gmac tcpprobe 2 212.217.1.3
gmac 3 auto cable_modem dhcp:1 3 6000 1000 0 0.0.0.0:0,0.0.0.0:0 95/95 gmac dev 3 eth1
## Acl persistence inside
acl per in +tcp 1 +any +any:443-443 +persist 600
acl per in +tcp 2 +any +any:80-80 +persist 600
## Persistence triggers
persist trigger 1 vpn 1800 global
## Acl nat outside
acl nat out +ip 1 +any +194.204.1.0/25 +nat ndnet:194.204.1.0/25
acl nat out +ip 2 +any +212.217.1.3/32 +nat ndnet:194.204.1.3/32
acl nat out +ip 3 +any +212.217.1.12/32 +nat ndnet:194.204.1.22/32
acl nat out +ip 4 +any +212.217.1.14/32 +nat ndnet:194.204.1.115/32
acl nat out +ip 5 +any +212.217.1.15/32 +nat ndnet:194.204.1.127/32
acl nat out +ip 6 +any +212.217.1.0/28 +nat ndnet:194.204.1.0/28
## IP pools
To balance outbound traffic on the different links on the outside of a virtual forwarding interface, the main task is to add network address translation (NAT) rules into the Elfiq Link Balancer’s configuration.
As opposed to regular NAT rules found in other devices such as firewalls, the inside NAT rules of the Link LB do not just translate addresses; they also balance outgoing traffic. As they translate inside traffic, the resulting address is always an IP chosen according to the balancing algorithms, so outgoing traffic is always balanced accordingly. This also ensures that all traffic leaving through one of the links carries an IP address that is routable inside that link's network.
However, before creating inside NAT rules to balance outgoing traffic, we must first examine masquerading and the various balancing algorithms that are available when managing outgoing traffic.
4.5.1.3. Delete Address Pools
To delete a pool of IP addresses, use the no poolip command followed by the ID of the pool.
no poolip [pool id]
LinkLB-enable:vfi0 [single] #no poolip 11
4.5.1.4. Create IP Address Pools Masquerading
By default, address pools are used to perform a 1:1 IP association with primary link IP addresses. The Elfiq Link Balancer will not modify the source and destination ports. It is also possible to combine multiple services on the primary link and to use a single alternate IP address. This is called IP overloading and must be carefully planned to avoid port conflicts for both incoming and outgoing services.
With version 3.4.3 of the Elfiq Operating System, it is possible to combine multiple source IP addresses on a single alternate link IP address with a poolip performing masquerading. Masquerading tracks the source ports of outgoing sessions so that no two sessions collide on the single alternate IP address; source ports are changed only when needed.
To have a poolip perform masquerading, the masq keyword must be added when creating the poolip:
poolip [id] [network]/[netmask-bits]|[dhcp:id|pppox:id] [masq]
LinkLB-enable:vfi0 [single] #poolip 250 dhcp:1 masq
NOTE: Only poolip with a /32 bitmask can perform masquerading.
NOTE: Multiple servers hosting a given service cannot use a single alternate IP for incoming load balancing. For example, two web servers, each one listening on TCP port 80 on their own separate public IPs from the primary link, cannot use a single IP address on an alternate link because the TCP port 80 of the alternate IP can be redirected only once.
By default, all ports higher than 1024 (except for a few standard ones for VPNs) are available for masquerading.
LinkLB-enable:vfi0 [single] #sh poolip
ID[250] Range[dhcp:1 24.203.146.100/32] Masquerading[usage tcp 0/64468 0.000 %, udp 0/64468 0.000 %, icmp 0/65536 0.000 %] Hit Count[0]
It is possible to specify the range of TCP/UDP ports available for masquerading (globally for the VFI) with the masq range command. This command can be issued more than once to select different ranges of ports.
masq range [start port]-[stop port],[reserved] [description]
For example to perform masquerading on ports 8000 to 50000:
LinkLB-enable:vfi0 [single] #masq range 8000-50000 Available_Ports_for_Masquerading
LinkLB-enable:vfi0 [single] #sh poolip
ID[250] Range[dhcp:1 24.203.146.100/32] Masquerading[usage tcp 0/41996 0.000 %, udp 0/41996 0.000 %, icmp 0/65536 0.000 %] Hit Count[0]
NOTE: Reserved port numbers (below 1024) and some others specific to VPN traffic will not have their source port changed by the Link LB. If you have incoming services on a poolip doing masquerading, you must reserve the ports of those incoming services to prevent conflicts.
It is also possible to use a reservation approach to specify, with the reserved keyword, which ports within the available range must not be used for masquerading. For example, if a web server is using port 8080:
LinkLB-enable:vfi0 [single] #masq range 8080-8080,reserved Reserved_Port_for_webserver
LinkLB-enable:vfi0 [single] #sh poolip
ID[250] Range[dhcp:1 0.0.0.0/0] Masquerading[usage tcp 0/41995 0.000 %, udp 0/41995 0.000 %, icmp 0/65536 0.000 %] Hit Count[0]
IMPORTANT: The Link LB first allocates the available port range(s) for masquerading and then subtracts the reserved ports. The masq range commands are displayed in this order in the configuration.
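The allocation order stated in the IMPORTANT note, and the conflict the NOTE above warns about, can be reasoned through with a small model. The following Python is an added example and not Elfiq code: it collects the masq ranges first, subtracts the reserved ports afterwards (whatever order the commands were typed in), never hands out ports at or below 1024, and reports incoming-service ports on a masquerading poolip that are still exposed to masquerading. Class and method names are assumptions, the port numbers are those used on this page, and the model covers TCP/UDP only. Its counts are higher than the device's (64468, 41996, 41995) because the Link LB also keeps a few VPN-specific ports fixed that the page does not list; they are left as an empty placeholder set here.

```python
"""Model of masq range allocation for one VFI: an added example, not Elfiq code.
Class and method names are assumptions; the port numbers are those used on this page."""

WELL_KNOWN_MAX = 1024   # ports up to 1024 never have their source port rewritten
# The Link LB also keeps a few VPN-specific ports fixed, but the manual does not list
# them; this constructed placeholder is left empty, so counts here are slightly higher
# than the device output on the page (64511 by default instead of 64468).
VPN_FIXED_PORTS = frozenset()


class MasqRanges:
    """Masquerading port ranges of one VFI (global to the VFI, as the manual states)."""

    def __init__(self):
        self.ranges = []     # (start, stop, description), in the order entered
        self.reserved = []   # (start, stop, description) entered with ',reserved'

    def masq_range(self, spec, description=""):
        """Parse 'masq range [start port]-[stop port][,reserved] [description]'."""
        ports, _, keyword = spec.partition(",")
        start, stop = (int(p) for p in ports.split("-"))
        if not 1 <= start <= stop <= 65535:
            raise ValueError(f"invalid port range {ports}")
        if keyword == "reserved":
            self.reserved.append((start, stop, description))
        elif keyword == "":
            self.ranges.append((start, stop, description))
        else:
            raise ValueError(f"unknown keyword {keyword!r}")

    def available_ports(self):
        """Ports the Link LB may hand out for masquerading. Allocation follows the
        documented order regardless of how the commands were typed: the available
        range(s) are taken first, then the reserved ports are subtracted."""
        # With no masq range configured, every port above 1024 is available.
        ranges = self.ranges or [(WELL_KNOWN_MAX + 1, 65535, "default")]
        pool = set()
        for start, stop, _ in ranges:
            pool.update(range(start, stop + 1))
        for start, stop, _ in self.reserved:
            pool.difference_update(range(start, stop + 1))
        pool.difference_update(range(1, WELL_KNOWN_MAX + 1))   # never rewrite well-known ports
        pool.difference_update(VPN_FIXED_PORTS)
        return pool

    def unprotected_services(self, incoming_ports):
        """Incoming service ports on a masquerading poolip that are still in the masq
        pool, i.e. ports an outgoing session could be given, producing a conflict."""
        return set(incoming_ports) & self.available_ports()

    def usage_line(self, used_tcp=0, used_udp=0):
        """Rough equivalent of the Masquerading[...] field printed by 'sh poolip'."""
        total = len(self.available_ports())
        pct = (lambda used: 100.0 * used / total) if total else (lambda used: 0.0)
        return (f"Masquerading[usage tcp {used_tcp}/{total} {pct(used_tcp):.3f} %, "
                f"udp {used_udp}/{total} {pct(used_udp):.3f} %]")


def page_example():
    """The two masq range commands shown on this page, applied in the order typed."""
    vfi = MasqRanges()
    vfi.masq_range("8000-50000", "Available_Ports_for_Masquerading")
    vfi.masq_range("8080-8080,reserved", "Reserved_Port_for_webserver")
    return vfi
```

With the two commands from this page applied, unprotected_services({8080, 8443}) returns {8443}: port 8080 is protected by its reservation, while a web server listening on 8443 behind the same masquerading poolip would still need its own reserved entry. Entering the reserved range before the available range gives the same pool, which is the behaviour the IMPORTANT note describes.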
4.5.1.5. Delete Address Pool Masq Ranges
Since the masquerading ranges do not have an index or ID, a