Hello David,
<sidenote>
Nice to see a post from such a long-time Linux user and lkml poster. As
such I hope you will understand the reasons for having a
subscribers-only mailing list and why sometimes finding the answer to a
given problem is a tedious task in the OSS world.
<sidenote>
>> How about a description of your system and an explanation of why the
>> firewalls aren't transparent,
>
> the firewalls are transparent, they are just packet filters (think
> iptables firewalls). there is no NAT taking place anywhere.

So basically (interpreting your sketch) you want to design/implement a
highly available but also high-performance packet filter for your
DMZ-like zone?

> the issue I don't think you are understanding is that we aren't trying
> to load balance the servers behind the firewalls, we are trying to load
> balance the firewalls themselves

So you want an active/active cluster?

> so you have

Do the firewalls have different IPs?
Do you intend to run routing protocols on top of this topology?

>                    Internet
>              |                 |
>           switch--------------switch

Are these both active paths or is it an active/hot-standby setup
implemented using HSRP/VRRP?

>              |                 |
>        load balancer      load balancer
>              |                 |
>           switch--------------switch
>              |                 |
>          firewall          firewall
>              |                 |
>           switch--------------switch
>              |                 |
>        load balancer      load balancer
>              |                 |
>           switch--------------switch
>        |  |  |  |  |  |  |  |  |  |  |
>                    servers

In my opinion, this is not doable with any load balancer, since you need
an interconnect link to exchange session information. Neither with F5
nor with any application switch from Nortel Networks would this be
possible, and also not with IPVS. However, what is possible to set up is
an active/hot-standby cluster using VRRP (keepalived). In such a setup
the SH and DH schedulers (and maybe the port 0 service for persistent
binding of RELATED connections), together with session state
synchronisation, might provide you the desired result. I would need to
think about it a bit more in detail, however I'm not quite sure what your
network setup looks like.

> the servers themselves are NOT load balanced (at least for the purposes
> of these discussions, any load balancing that they have is done by
> separate equipment)
>
> the outside load balancers need to make a decision on which firewall to
> send the traffic through

SH scheduling might do the trick for ingress, if I'm not mistaken. On
the other hand you would need to use DH scheduling for egress.

> the packets are sent through that firewall, and then go to the load
> balancer on the inside which routes them to the server, the server
> responds and the outbound traffic hits the inside load balancer, it
> needs to send the response packets back to the same firewall that the
> inbound packets came through or the firewall will reject them

Do you plan to use 4 physical machines for the load balancers or do you
want to use 2 physical machines with 3 NICs?

> does this clarify things?

Somewhat.
Best regards,
Roberto Nibali, ratz
--
echo
'[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
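The SH-for-ingress / DH-for-egress idea in the message above works only because both schedulers hash the same address (the client's: source on the way in, destination on the way out) against the same bucket table, so the choice is stateless and needs no session interconnect between the outside and inside directors. The following is an added example, not code from the thread or from the LVS project. It models the IPVS bucket hash from ip_vs_sh.c / ip_vs_dh.c and the weight-aware table fill of newer kernels (an assumption for the kernel of the day, which simply cycled through the real servers; for equal weights the resulting table is identical), and shows when the return path stays symmetric and when it silently breaks. The firewall names, the client /24 and the weights are constructed sample data.

```python
# Added example (not from the thread or from LVS): a model of the IPVS SH and
# DH schedulers, used to check whether the inside director sends a server's
# reply back through the firewall the outside director picked for the request.
#
# Hash as in the kernel's ip_vs_sh.c / ip_vs_dh.c:
#     key = (ntohl(addr) * 2654435761) & (TABLE_SIZE - 1),  TABLE_SIZE = 256
# The table fill follows the weight-aware reassign of newer kernels
# (assumption; older kernels just cycle through the real servers, which gives
# the same table when all weights are equal).
import ipaddress

TABLE_SIZE = 256  # IP_VS_SH_TAB_SIZE == IP_VS_DH_TAB_SIZE in the kernel


def ipvs_hashkey(addr):
    """Hash an IPv4 address into a bucket the way ip_vs_sh / ip_vs_dh do."""
    return (int(ipaddress.IPv4Address(addr)) * 2654435761) & (TABLE_SIZE - 1)


def build_table(real_servers):
    """Fill the 256-slot bucket table from (name, weight) pairs, in the order
    the real servers were added with `ipvsadm -a`. Each server takes `weight`
    consecutive slots, cycling until the table is full (weights >= 1 assumed)."""
    table = []
    idx, used = 0, 0
    while len(table) < TABLE_SIZE:
        name, weight = real_servers[idx]
        table.append(name)
        used += 1
        if used >= weight:
            idx = (idx + 1) % len(real_servers)
            used = 0
    return table


def sh_schedule(table, src):
    """Outside director (-s sh): choose by the packet's source, the client."""
    return table[ipvs_hashkey(src)]


def dh_schedule(table, dst):
    """Inside director (-s dh): choose by the packet's destination, which for
    the server's reply is again the client address."""
    return table[ipvs_hashkey(dst)]


def asymmetric_clients(clients, ingress_servers, egress_servers):
    """Return (client, fw_in, fw_out) for every client whose reply would leave
    through a different firewall than the one its request entered. A stateful
    packet filter drops such replies, exactly the failure David describes."""
    ingress = build_table(ingress_servers)
    egress = build_table(egress_servers)
    broken = []
    for client in clients:
        fw_in = sh_schedule(ingress, client)
        fw_out = dh_schedule(egress, client)
        if fw_in != fw_out:
            broken.append((client, fw_in, fw_out))
    return broken


# Constructed sample data: one /24 of client addresses and two firewalls.
CLIENTS = [str(ip) for ip in ipaddress.IPv4Network("203.0.113.0/24")]
FIREWALLS = [("fw1", 1), ("fw2", 1)]

if __name__ == "__main__":
    # Same real servers, same order, same weights on both directors: symmetric.
    print(len(asymmetric_clients(CLIENTS, FIREWALLS, FIREWALLS)))
    # Same firewalls added in the other order on the inside director: the
    # whole table is shifted, so every reply hits the wrong firewall.
    print(len(asymmetric_clients(CLIENTS, FIREWALLS, FIREWALLS[::-1])))
    # Weight changed on one director only: a fraction of the clients break.
    print(len(asymmetric_clients(CLIENTS, FIREWALLS, [("fw1", 2), ("fw2", 1)])))
```

On real directors this corresponds to an `-s sh` service on the outside pair and an `-s dh` service on the inside pair, with the firewalls added as real servers in the same order and with the same weights on both; anything that changes one table and not the other (a reordered `ipvsadm -a`, a weight tweak, quiescing a firewall on one side only) breaks the return path for part of the client space, which is the caveat to keep in mind when pairing this with VRRP failover.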