On Fri, 7 Jul 2006, Roberto Nibali wrote:
 
<sidenote>
Nice to see a post from such a long time Linux user and lkml poster. As such 
I hope you will understand the reasons for having a subscribers-only 
mailinglist and why sometimes finding the answer to a given problem is a 
tedious task in the OSS world. 
</sidenote>
 
I understand why finding the answer can be tedious, but as a long time LKML 
reader and poster I disagree about the subscriber-only list status ;-) 
it's not the end of the world by any means, I just added it as a PS to voice my 
opinion on the matter 
 How about a description of your system and an explanation of why the 
firewalls aren't transparent,
 
the firewalls are transparent, they are just packet filters (think iptables 
firewalls). there is no NAT taking place anywhere.
 
So basically (interpreting your sketch) you want to design/implement a 
highly available but also high-performance packet filter for a DMZ-like 
zone?
 
right
 the issue I don't think you are understanding is that we aren't trying to 
load balance the servers behind the firewalls, we are trying to load 
balance the firewalls themselves
 
So you want an active/active cluster?
 
Ideally I want the option of active/active and active/standby
 
so you have
 
Do the firewalls have different IPs?
 
yes
 
Do you intend to run routing protocols on top of this topology?
 
no
 
        Internet
  |                    |
switch--------------switch
 
Are these both active paths or is it an active/hot-standby setup implemented 
using HSRP/VRRP?
 
the routers (which I didn't diagram) present a single gateway IP address to the 
stuff inside them. they then run BGP across a number of high-bandwidth links. I 
think they use VRRP to implement their own HA, but that shouldn't matter to the 
firewalls or load balancer. 
 
  |                    |
load balancer      load balancer
  |                    |
switch--------------switch
  |                    |
firewall            firewall
  |                    |
switch--------------switch
  |                    |
load balancer      load balancer
  |                    |
switch--------------switch
  | | | | | | | | | | |
          servers
 
In my opinion, this is not doable with any load balancer, since you need an 
interconnect link to exchange session information. Neither with F5, nor any 
application switch from Nortel Networks would this be possible and also not 
with IPVS. However, what is possible to set up, is an active/hot-standby 
cluster using VRRP (keepalive). In such a setup the SH and DH schedulers (and 
maybe the port 0 service for persistent binding of RELATED connections), 
together with session state synchronisation might provide you the desired 
result. I would need to think about it a bit more in detail, however I'm not 
quite sure what your network setup looks like.
 
I have been running this setup using load balancers from Radware for several 
years. What happens is that the load balancers on the inside keep track of which 
firewall the connection comes through and send the replies back to that 
firewall (I don't know the details, but I assume that they would look at the MAC 
address that the packets come from and track that so that the replies go back to 
the same one) 
 the servers themselves are NOT load balanced (at least for the purposes of 
these discussions, any load balancing that they have is done by separate 
equipment) the outside load balancers need to make a decision on which 
firewall to send the traffic through
 
SH scheduling might do the trick for ingress, if I'm not mistaken. On the 
other hand you would need to use DH scheduling for egress.
 
I'll have to lookup what this means.
 the packets are sent through that firewall, and then go to the load 
balancer on the inside which routes them to the server, the server responds 
and the outbound traffic hits the inside load balancer, it needs to send 
the response packets back to the same firewall that the inbound packets 
came through or the firewall will reject them
 
Do you plan to use 4 physical machines for the load balancers or do you want 
to use 2 physical machines with 3 NICs?
 
4 physical machines (using only two machines puts the load balancers in 
parallel with the firewalls, meaning a compromise of the load balancer bypasses 
the firewalls). 
David Lang
 
does this clarify things?
 
Somewhat.
Best regards,
Roberto Nibali, ratz
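The SH-on-ingress / DH-on-egress idea raised in this thread, as an added example that is not part of the original exchange and not code from the LVS/IPVS project: a small Python model of why two hash-based schedulers, one on the outside balancer hashing the client's source address and one on the inside balancer hashing the client's destination address, land a request and its reply on the same firewall without any session synchronisation between the balancers. It assumes an IPVS-style bucket hash (address multiplied by 2654435761, masked to a 256-slot table that is filled round-robin from the real-server list); the firewall names, client addresses and server address are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from itertools import cycle

# Two stateful packet filters between the outside and inside balancer pairs
# (constructed names; the thread only calls them "firewall").
FIREWALLS = ["fw-a", "fw-b"]
SERVER = "10.1.0.10"  # a host behind the inside balancer (constructed)

# Assumed model of the IPVS SH/DH bucket hash: both schedulers map one IPv4
# address into a 256-slot table with (ntohl(addr) * 2654435761) & 0xFF and fill
# that table by walking the real-server list round-robin. User-space model,
# not the kernel code.
TAB_SIZE = 256
GOLDEN_RATIO_PRIME = 2654435761


def ipvs_hashkey(addr: str) -> int:
    """Bucket index for an IPv4 address under the assumed hash form."""
    return (int(ipaddress.IPv4Address(addr)) * GOLDEN_RATIO_PRIME) & (TAB_SIZE - 1)


def build_bucket_table(dests):
    """Bucket -> destination, filled round-robin from the destination list."""
    return [dests[i % len(dests)] for i in range(TAB_SIZE)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def sh_select(table, pkt):
    """Source-hash scheduler: the outside balancer hashes the client (source)."""
    return table[ipvs_hashkey(pkt.src)]


def dh_select(table, pkt):
    """Destination-hash scheduler: the inside balancer hashes the client (destination)."""
    return table[ipvs_hashkey(pkt.dst)]


def make_rr_select():
    """Round-robin, for contrast: ignores addresses, so replies wander."""
    it = cycle(range(len(FIREWALLS)))

    def select(table, pkt):
        return FIREWALLS[next(it)]

    return select


def firewall_mismatches(clients, egress_select):
    """Return (client, ingress_fw, egress_fw) triples where the reply would hit a
    firewall that never saw the request, i.e. the firewall would drop it."""
    outside_table = build_bucket_table(FIREWALLS)
    inside_table = build_bucket_table(FIREWALLS)  # same list, same order
    bad = []
    for client in clients:
        request = Packet(src=client, dst=SERVER)
        reply = Packet(src=SERVER, dst=client)
        fw_in = sh_select(outside_table, request)
        fw_out = egress_select(inside_table, reply)
        if fw_in != fw_out:
            bad.append((client, fw_in, fw_out))
    return bad


# Constructed sample clients (documentation prefixes).
CLIENTS = ["203.0.113.5", "203.0.113.77", "198.51.100.9", "192.0.2.200", "192.0.2.201"]

if __name__ == "__main__":
    print("SH in / DH out mismatches:", firewall_mismatches(CLIENTS, dh_select))
    print("SH in / RR out mismatches:", firewall_mismatches(CLIENTS, make_rr_select()))
```

The symmetry only holds because both balancers build their bucket tables from the same real-server list in the same order; if one side marks a firewall down (or weights it differently) and the other does not, the tables diverge and replies start reaching the wrong firewall. Note also that with an 8-bit table only the low octet of the address influences the bucket under this hash form, so distribution across the firewalls is only as even as the low octets of the client population.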
 