Support Forum
sjwinick
New Contributor

Internal LAN load balancing

I know that the FortiGate permits load balancing from an external virtual IP to multiple internal real servers; I've done that successfully. My question is: can this be done completely on the internal LAN? I.e., have a virtual IP appear on the LAN that is redirected to multiple real IP addresses that are also on the LAN? If yes, how is it done? BTW, the manual shows that there are many "types" of load balancing in a pull-down menu, including HTTP, HTTPS, SSL, TCP, etc. However, on my unit, when I create a new virtual server, the only choices are HTTP, TCP, UDP and IP. I can't find any of the other choices described. Same thing for persistence: only 2 choices, and the SSL one is always greyed out. Anyone know why? Thanks, sjw
abelio
Valued Contributor

ORIGINAL: sjwinick my question is can this be done completely on the internal LAN? ie, have a virtual IP appear on the LAN that is redirected to multiple real IP addresses that are also on the LAN? if yes, how is it done?
Balancing involves some type of NAT, so you cannot do that in the LAN (you can with other interfaces, like a DMZ, though).
ORIGINAL: sjwinick btw, the manual shows that there are many "types" of load balancing in a pull-down menu, including HTTP, HTTPS, SSL, TCP, etc. however, on my unit, when i create a new virtual server, the only choices are HTTP, TCP, UDP and IP. can't find any of the other choices described. same thing for persistence. only 2 choices and the SSL one is always greyed out. anyone know why?
LB 'types' are directly related to the virtual port settings.
regards / Abel
Maik
New Contributor II

ORIGINAL: abelio Balancing involves some type of NAT, so you cannot do that in the LAN (yes with another interfaces like a DMZ altough)
The destination can be on different interfaces, but it's not necessary: 10.1.1.1/24 points to 10.1.2.1/24 and 10.1.3.1/24. It also works on the same interface: an LB VIP at 10.1.1.1/24 with destinations 10.1.1.2/24 and 10.1.1.3/24 on the same interface will work. regards Maik
abelio
Valued Contributor

ORIGINAL: Maik It also works on the same Interface: LB VIP from 10.1.1.1/24 with destination 10.1.1.2/24 and 10.1.1.3/24 on the same Interface will work.
Being able to create such VIPs doesn't enable an LB scenario at all; look at rocampo's post above about the 3-way handshake.
regards / Abel
Maik
New Contributor II

It works. I can say that because I have such a setup in a real-life environment. regards Maik
TopJimmy
New Contributor

ORIGINAL: Maik it works. I can say that, because I have such a setup in a real life environment. regards Maik
I'd be interested in this. We are looking at load balancing our LDAP requests due to crappy software support. Most of our internal (LAN-side) processes do LDAP and can load balance or fail over to another LDAP server just fine. A few (with lousy support) can only hit one LDAP server, period. For those, we would like to load balance on the internal (but it doesn't have to be) interface to multiple LDAP servers.
-TJ
Maik
New Contributor II

I'm currently using it for SMTP, RDP and HTTP load balancing on different setups. Good idea to try that with LDAP as well. The VIP (your "external" interface is the "internal" one, of course):

    config firewall vip
        edit "lbv_xyz"
            set type server-load-balance
            set extip 10.1.1.1
            set extintf "port10"
            set server-type tcp
            set ldb-method round-robin
            set extport 25
            config realservers
                edit 1
                    set healthcheck enable
                    set ip 10.1.1.2
                    set port 25
                next
                edit 2
                    set healthcheck enable
                    set ip 10.1.1.3
                    set port 25
                next
            end
        next
    end

Plus a firewall policy.
sjwinick
New Contributor

How do you do the firewall policy? This example is exactly what I'm trying to do, internal1 to internal1. However, if I create a virtual server on internal1, it doesn't even show up as a valid choice in the pull-down list for such a policy. If the virtual server is on WAN1, it does. Is it the GUI that is limiting the possibilities, and will the CLI permit the configuration?
Maik
New Contributor II

It's possible from the GUI. In your case it would be from internal1 to internal1; the external interface of the LB VIP is internal1. Please post the CLI output of your load-balancing VIP.
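Putting Maik's VIP together with the policy sjwinick asked about, the following is a complete FortiOS CLI configuration for the internal1-to-internal1 case, written for TopJimmy's LDAP scenario (change extport/port for SMTP, RDP or HTTP). It is an added example, not configuration posted in the thread. The interface name internal1, the addresses 192.168.1.x, the object names lan_clients and lbv_ldap, and the use of the predefined LDAP service object (TCP 389) are assumptions; the health-check syntax follows Maik's post, and other FortiOS releases attach a separate health-check monitor object instead, so check the CLI reference for your version. Lines starting with # are annotations, not CLI commands.

```text
# Added example, not from the thread. Assumed: interface internal1,
# VIP 192.168.1.10, LDAP servers 192.168.1.21 and 192.168.1.22,
# clients in 192.168.1.0/24.

# 1. Only the clients that need the VIP should be allowed to reach it.
config firewall address
    edit "lan_clients"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# 2. Server-load-balance VIP whose "external" interface is internal1.
#    The VIP address must be a free address on the internal1 subnet.
config firewall vip
    edit "lbv_ldap"
        set type server-load-balance
        set extip 192.168.1.10
        set extintf "internal1"
        set server-type tcp
        set ldb-method round-robin
        set extport 389
        config realservers
            edit 1
                set healthcheck enable
                set ip 192.168.1.21
                set port 389
            next
            edit 2
                set healthcheck enable
                set ip 192.168.1.22
                set port 389
            next
        end
    next
end

# 3. Policy internal1 -> internal1 with the VIP as destination.
#    dstintf must match the VIP's extintf. "set nat enable" is the
#    part that makes the same-interface case work: the forwarded
#    connection is source-NATed to the FortiGate's internal1 address,
#    so the real server answers the FortiGate instead of the client
#    directly and the TCP handshake completes via the VIP.
config firewall policy
    edit 0
        set srcintf "internal1"
        set dstintf "internal1"
        set srcaddr "lan_clients"
        set dstaddr "lbv_ldap"
        set action accept
        set schedule "always"
        set service "LDAP"
        set nat enable
    next
end
```

Two consequences worth checking before relying on this. Without the source NAT, a real server on the same subnet as the client replies straight to the client with its own IP as source, the client sees a reply from an address it never connected to, and the connection never establishes (the 3-way handshake problem referred to earlier in the thread). With the source NAT, the LDAP servers log the FortiGate's internal1 address as the client for every balanced connection, so client attribution has to come from the FortiGate's own traffic logs, and the policy's source address should be kept as narrow as the clients actually require.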
sjwinick
New Contributor

Maybe I have something else wrong. Types do not change for me. For example, if I change the port to 443, I don't get HTTPS, just the same 4 choices. In fact, right now, anything I try to save for a virtual server gives me an error: "some unknown error!" Don't know what this means.