On Fri, 16 Feb 2001, Matthias Weidle wrote:
>
> > Example2: Firewall Load Balancing
> >
> >                     |-- FW1 --|
> > Internet ----- SH --|         |-- DH -- Protected Network
> >                     |-- FW2 --|
> >
> > Make sure that the firewall boxes are added in the load balancers in the
> > same order. Then, if request packets of a session are sent to a firewall,
> > e.g. FW1, the DH can forward the response packets from the protected network
> > to FW1 too. However, I don't have enough hardware to test this setup
> > myself. Please let me know if any of you make it work for you. :)
>
> that really sounds interesting to me ... :))
>
> but i guess that this setup will only work if the firewalls are really
> transparent for the network traffic, i.e. both load balancers do see the
> same addresses in the packets so the hash calculation based on the source ip
> and destination ip will lead to the same result (=firewall box to use).
>
Yeah, you are right. Packets for a connection session must go to the
same firewall box.
> if the firewall devices aren't that transparent (consider tunneled traffic
> as an option) you won't get the same src/dst addresses on the load
> balancers. the SH load balancer would see the src/dst from the tunnel
> traffic and the DH load balancer the encapsulated addresses
> (the tunnel endpoint is on the firewall boxes). hence the hash calculation
> may lead to different results, which would be very bad indeed ...
> if in addition we have to deal with encrypted tunnel traffic (which happens
> to be the case with IPSEC for example) we don't even have a chance to look
> into the tunnel packets to look up the encapsulated src/dst addresses.
>
In your example, you want to access a virtual host from the protected
network, and the actual host is somewhere in the Internet. So, the
destination address of the outgoing packet is changed, and the above
out-SH-FW-DH-in setup is broken. If the source address of the outgoing
packet is not changed, the out-DH-FW-SH-in setup might work. I am not sure
about this.
Regards,
Wensong
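The following is an added example, not code from this thread or from LVS itself. It models the two hash schedulers discussed above (SH hashing the source address, DH hashing the destination address) over a round-robin bucket table, and checks the four situations the thread raises: transparent firewalls with the same firewall order on both balancers, a differing order, a tunnel terminated on the firewalls, and a protected-side client reaching a virtual host whose destination is rewritten. The hash form (a multiplicative hash over 256 buckets), the round-robin bucket assignment, and all addresses are assumptions constructed for the example.

```python
# Added example (not from the thread): a model of LVS-style source-hash (SH)
# and destination-hash (DH) scheduling, used to check whether the request and
# the reply of one session are sent through the same firewall box.
from ipaddress import IPv4Address

TAB_BITS = 8
TAB_MASK = (1 << TAB_BITS) - 1
HASH_MULT = 2654435761  # multiplicative hash constant; an assumption for this model


def hashkey(addr: str) -> int:
    """Bucket index for an IPv4 address. SH applies this to the source
    address, DH to the destination address (hash form is an assumption)."""
    return (int(IPv4Address(addr)) * HASH_MULT) & TAB_MASK


def build_table(firewalls):
    """Fill the bucket table round-robin from the firewall list. The mapping
    depends on list order, which is why both balancers must list the
    firewalls in the same order."""
    return [firewalls[i % len(firewalls)] for i in range(TAB_MASK + 1)]


class Balancer:
    """One load balancer running either the SH or the DH scheduler."""

    def __init__(self, kind: str, firewalls):
        if kind not in ("SH", "DH"):
            raise ValueError("scheduler must be SH or DH")
        self.kind = kind
        self.table = build_table(list(firewalls))

    def pick(self, src: str, dst: str) -> str:
        key = src if self.kind == "SH" else dst
        return self.table[hashkey(key)]


def session_firewalls(first_lb, reply_lb, request, reply):
    """request = (src, dst) as seen by the balancer the request meets first;
    reply = (src, dst) as seen by the balancer the reply meets first.
    Returns (firewall for request, firewall for reply, consistent?)."""
    fw_req = first_lb.pick(*request)
    fw_rep = reply_lb.pick(*reply)
    return fw_req, fw_rep, fw_req == fw_rep


FIREWALLS = ["FW1", "FW2"]


def case_transparent():
    """Internet client -> protected server, addresses unchanged
    (out-SH-FW-DH-in, same firewall order on both boxes)."""
    sh = Balancer("SH", FIREWALLS)  # Internet side
    dh = Balancer("DH", FIREWALLS)  # protected side
    client, server = "198.51.100.7", "10.0.0.5"  # constructed addresses
    return session_firewalls(sh, dh, (client, server), (server, client))


def case_wrong_order():
    """Same flow, but the DH box lists the firewalls in the other order."""
    sh = Balancer("SH", FIREWALLS)
    dh = Balancer("DH", reversed(FIREWALLS))
    client, server = "198.51.100.7", "10.0.0.5"
    return session_firewalls(sh, dh, (client, server), (server, client))


def case_tunnel():
    """Firewalls terminate a tunnel: SH sees the outer header on the request,
    DH sees the encapsulated addresses on the reply."""
    sh, dh = Balancer("SH", FIREWALLS), Balancer("DH", FIREWALLS)
    outer_src, outer_dst = "192.0.2.50", "192.0.2.1"   # tunnel endpoints (constructed)
    inner_src, inner_dst = "172.16.0.33", "10.0.0.5"   # encapsulated addresses (constructed)
    return session_firewalls(sh, dh, (outer_src, outer_dst), (inner_dst, inner_src))


def case_virtual_host(internet_side: str):
    """Protected client -> virtual host whose destination is rewritten to a
    real Internet host. internet_side names the scheduler on the Internet
    side; the protected side runs the other one."""
    protected_side = "DH" if internet_side == "SH" else "SH"
    inet = Balancer(internet_side, FIREWALLS)
    prot = Balancer(protected_side, FIREWALLS)
    client, vip, real = "10.0.0.9", "203.0.113.10", "203.0.113.21"  # constructed
    # The request leaves through the protected-side balancer carrying the
    # virtual address; the reply comes back from the real server's address.
    return session_firewalls(prot, inet, (client, vip), (real, client))


if __name__ == "__main__":
    print("transparent, same order  :", case_transparent())
    print("transparent, wrong order :", case_wrong_order())
    print("tunnel on firewalls      :", case_tunnel())
    print("virtual host, SH outside :", case_virtual_host("SH"))
    print("virtual host, DH outside :", case_virtual_host("DH"))
```

Running it shows the request and reply agreeing only when both balancers hash the same address value with the same table: the tunnel and rewritten-destination cases split the session across the two firewalls, while swapping the schedulers (DH on the Internet side, SH on the protected side) keeps the virtual-host session on one firewall because the unchanged client address is hashed on both legs.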