|
On Fri, 7 Jul 2006, Joseph Mack NA3T wrote:
On Fri, 7 Jul 2006, David Lang wrote:
the firewalls are transparent, they are just packet filters (think iptables
firewalls). there is no NAT takeing place anywhere.
the issue I don't think you are understanding is that we aren't trying to
load balance the servers behind the firewalls, we are trying to load
balance the firewalls themselves
I understood that this was what you were trying to do, but the setup didn't
make any sense to me.
so you have
Internet
| |
switch--------------switch
| |
load balancer load balancer
| |
switch--------------switch
| |
firewall firewall
| |
switch--------------switch
| |
load balancer load balancer
| |
switch--------------switch
| | | | | | | | | | |
servers
got it.
the servers themselves are NOT load balanced (at least for the purposes of
these discussions, any load balanceing that they have is done by seperate
equipment)
got it
the outside load balancers need to make a decision on which firewall to
send the traffic through
how do they do that?
I was assuming that LVS would do this, I would like to have the options of
round robin
least connections
failover (send it to the primary unless it's down, then send to the backup,
it's not load balancing but it makes troubleshooting much easier)
the packets are sent through that firewall, and then go to the load
balancer on the inside which routes them to the server, the server responds
and the outbound traffic hits the inside load balancer, it needs to send
the response packets back to the same firewall that the inbound packets
came through or the firewall will reject them
does this clarify things?
yes
I had thought that the origional post that I refrenced described the
problem fairly well which is why I didn't go through everything again in my
post.
ah well we've got it worked out now.
Here's my take on what you've got.
A
/ \
FW1 FW2
\ /
B
Machinew A and B want to talk. They can talk through either of two routes,
both of which contain firewalls. The packets of interest are allowed through
the firewalls. As far as A and B are concerned the firewalls aren't there.
The rules of IP routing are such that any packet between A and B can pick
either route. You want packets between A and B to choose a route dependant on
the route chosen by previously transmitted packets.
right
I assume you want to do this to keep the firewalls happy. Presumably they're
unhappy if they don't see matching packets. If this is what's happening,
presumably you know what to do from here. Here's what I see.
o firewalls are designed to operate in a spot where all traffic goes through
them. They can then do their accounting
etc. Firewalls are not designed (at least yet) to cooperate.
They need to be fast, they can't be talking to other
firewalls to make decisions on what to do with a packet.
o your design is being wagged by the tail of the firewall. The firewall is
supposed to help you. Your firewall
doesn't work in the current setup. You could get one
that does, presumably by turning off stateful matching.
o you could rewrite IP routing.
or I can go and buy a commercial load balancing appliance (radware, BigIP,
nortel, foundry, etc) that supports this feature. Just about all of them that
aren't based on LVS do support this.
I am trying to find an option that doesn't have the firewall being a single
point of failure. yes, if these were linux firewalls I could use heartbeat
(linux-ha) to provide failover, but that can't load balance, and it doesn't work
if I use commercial firewalls instead of linux
Oh well, I was hopeing that LVS would support this now (it didn't in 2001 when
the first post happened). at least now it's in the list archives that LVS will
not support this with a later date then the 'yes it does, just search the
archives'. hopefully this will save someone else time hunting for it.
David Lang
Joe
|
