See my reply Joe. If I understood the issue correctly I think that so
long as incoming traffic (from A in your example) is being handed off to
either of the two firewalls then as it passes through an LVS-NAT load
balancer it gets a new IP address (inside global in Cisco parlance).
So, the return traffic (from B back to A in your exammple) would know
which load balancer to go to by using the new IP as the destination
address. As it passes through this load balancer, the IP address gets
returned back to the original and continues routing as normal.
On Fri, 2006-07-07 at 11:46 -0700, Joseph Mack NA3T wrote:
> On Fri, 7 Jul 2006, David Lang wrote:
>
> > the firewalls are transparent, they are just packet filters (think iptables
> > firewalls). there is no NAT takeing place anywhere.
> >
> > the issue I don't think you are understanding is that we aren't trying to
> > load balance the servers behind the firewalls, we are trying to load
> > balance
> > the firewalls themselves
>
> I understood that this was what you were trying to do, but
> the setup didn't make any sense to me.
>
> >
> > so you have
> >
> > Internet
> > | |
> > switch--------------switch
> > | |
> > load balancer load balancer
> > | |
> > switch--------------switch
> > | |
> > firewall firewall
> > | |
> > switch--------------switch
> > | |
> > load balancer load balancer
> > | |
> > switch--------------switch
> > | | | | | | | | | | |
> > servers
> >
>
> got it.
>
> > the servers themselves are NOT load balanced (at least for the purposes of
> > these discussions, any load balanceing that they have is done by seperate
> > equipment)
>
> got it
>
> > the outside load balancers need to make a decision on which firewall to
> > send
> > the traffic through
>
> how do they do that?
>
> > the packets are sent through that firewall, and then go to the load
> > balancer
> > on the inside which routes them to the server, the server responds and the
> > outbound traffic hits the inside load balancer, it needs to send the
> > response
> > packets back to the same firewall that the inbound packets came through or
> > the firewall will reject them
> >
> > does this clarify things?
>
> yes
>
> > I had thought that the origional post that I refrenced described the
> > problem
> > fairly well which is why I didn't go through everything again in my post.
>
> ah well we've got it worked out now.
>
> Here's my take on what you've got.
>
> A
> / \
> FW1 FW2
> \ /
> B
>
> Machinew A and B want to talk. They can talk through either
> of two routes, both of which contain firewalls. The packets
> of interest are allowed through the firewalls. As far as A
> and B are concerned the firewalls aren't there. The rules of
> IP routing are such that any packet between A and B can pick
> either route. You want packets between A and B to choose a
> route dependant on the route chosen by previously
> transmitted packets.
>
> I assume you want to do this to keep the firewalls happy.
> Presumably they're unhappy if they don't see matching
> packets. If this is what's happening, presumably you know
> what to do from here. Here's what I see.
>
> o firewalls are designed to operate in a spot where all
> traffic goes through them. They can then do their accounting
> etc. Firewalls are not designed (at least yet) to cooperate.
> They need to be fast, they can't be talking to other
> firewalls to make decisions on what to do with a packet.
>
> o your design is being wagged by the tail of the firewall.
> The firewall is supposed to help you. Your firewall
> doesn't work in the current setup. You could get one
> that does, presumably by turning off stateful matching.
>
> o you could rewrite IP routing.
>
> Joe
|