On internal side were a DMZ and multiple VLANs on one interface.
The actual requirement was WAN link failover which we achieved using the Vyatta LoadBalancer.
Here is a network diagram:
[DMZ] <=======> \
\ /|- Link-3
FireWall <==> Vyatta LB <==>|--- Link-2
/ \|---- Link-1 Fast
[LAN] <========>/
So LAN internet is primarily going to Link-1, in-case of L1 failure goto Link-2, in-case of L2 failure move to Link-3
But the DMZ should only be accessible via Link-3.
Problem:
the problem which they faced is that they achieved Link-Failover/LB but when they request internet from DMZ their Public IP still shows PPPoE link-1. Also if anyone accesses DMZ server from Internet the Vyatta Load-Balancer (Incoming from Link-3) , Vyatta Load-Balances the return reply from DMZ-Server to Link-1 which fails the communication.
Solution:
Use "enable-source-based-routing" in wan load-balancer. i.e
# configure
# set load-balancing wan rule 5 enable-source-based-routing
# commit
This way any request Initiated from Internet cloud will be routed back from the same interface. Only the newer requests from inside will get balanced.
That saved my day and everything worked as expected.
Here is the snippet of the code for WAN-Failover:
load-balancing {
wan {
flush-connections
interface-health eth2 {
failure-count 2
nexthop 56.XX.176.XXX
success-count 1
test 10 {
resp-time 5
target 8.8.8.8
ttl-limit 1
type ping
}
}
interface-health pppoe1 {
failure-count 2
nexthop dhcp
success-count 1
test 10 {
resp-time 5
target 8.8.4.4
ttl-limit 1
type ping
}
}
interface-health pppoe2 {
failure-count 2
nexthop dhcp
success-count 1
test 10 {
resp-time 5
target 180.XX.98.XX
ttl-limit 1
type ping
}
}
rule 5 {
inbound-interface eth1
enable-source-based-routing
interface eth2 {
weight 1
}
protocol all
source {
address 172.23.1.80/28
}
}
rule 10 {
inbound-interface eth0
interface pppoe1 {
weight 50
}
interface pppoe2 {
weight 50
}
protocol all
source {
address !172.23.1.80/28
}
}
rule 20 {
inbound-interface eth+
interface eth1 {
weight 1
}
protocol all
}
}
Hi
ReplyDeleteIf I using the Cisco ASA for Firewall how to forward ports to DMZ(Web, Mail Server)in eth2(with Public IP)
Thanks,
Ya
I'm not exactly a CISO expert. But if you need to do simple PAT then I dont think it should be a problem. Simple NAT rules in ASA just like any other.
DeleteIf you still need assistance let me know and I'll see if any friend of mine can comment for you here.
hi
ReplyDeletehow can i configure wan load balancing on Vayata firewall could you guide ...
I thinks thats what this post is about. I suggest you try a little bit harder.
DeleteHi! Thanks for clear howto!
ReplyDeleteMy question is rule 20 for those "multiple VLANs" you mentioned at the beginning?