Internal LAN load balancing

Author
sjwinick
Bronze Member
2010/09/29 10:03:35 (permalink)

Internal LAN load balancing

I know that the FortiGate permits load balancing from an external virtual IP to multiple internal real servers. I've done that successfully.

My question is: can this be done completely on the internal LAN? I.e., have a virtual IP appear on the LAN that is redirected to multiple real IP addresses that are also on the LAN? If yes, how is it done?

BTW, the manual shows that there are many "types" of load balancing in a pull-down menu, including HTTP, HTTPS, SSL, TCP, etc. However, on my unit, when I create a new virtual server, the only choices are HTTP, TCP, UDP and IP. I can't find any of the other choices described. Same thing for persistence: only 2 choices, and the SSL one is always greyed out. Anyone know why?

thanks

sjw

#1


    abelio
    Expert Member
    • Location: Buenos Aires, Argentina
    RE: Internal LAN load balancing 2010/09/29 13:34:46 (permalink)


    My question is: can this be done completely on the internal LAN? I.e., have a virtual IP appear on the LAN that is redirected to multiple real IP addresses that are also on the LAN? If yes, how is it done?

    Balancing involves some type of NAT, so you cannot do that in the LAN (you can with other interfaces like a DMZ, though).


    BTW, the manual shows that there are many "types" of load balancing in a pull-down menu, including HTTP, HTTPS, SSL, TCP, etc. However, on my unit, when I create a new virtual server, the only choices are HTTP, TCP, UDP and IP. I can't find any of the other choices described. Same thing for persistence: only 2 choices, and the SSL one is always greyed out. Anyone know why?

    LB 'types' are directly related to the virtual port settings.




    regards
    --
    Abel
    #2
    Maik
    Gold Member
    RE: Internal LAN load balancing 2010/09/29 15:02:35 (permalink)
    Balancing involves some type of NAT, so you cannot do that in the LAN (you can with other interfaces like a DMZ, though).


    The destinations can be on different interfaces, but it's not necessary:
    10.1.1.1/24 points to 10.1.2.1/24 and 10.1.3.1/24

    It also works on the same interface:
    An LB VIP at 10.1.1.1/24 with destinations 10.1.1.2/24 and 10.1.1.3/24 on the same interface will work.


    regards
    Maik
    #3
    rocampo
    Silver Member
    RE: Internal LAN load balancing 2010/09/29 18:45:40 (permalink)

    My question is: can this be done completely on the internal LAN? I.e., have a virtual IP appear on the LAN that is redirected to multiple real IP addresses that are also on the LAN? If yes, how is it done?


    If this is what you want:
    Virtual IP 192.168.1.1 that load balances to lets say
    192.168.1.2, 192.168.1.3 and 192.168.1.4
    then your client workstation is also on 192.168.1.x network lets say
    192.168.1.100.

    I don't think this is possible, mainly because the FG cannot
    keep track of the session and the TCP 3-way handshake might not happen.

    Look at this scenario.
    192.168.1.100 initiates a connection to Virtual IP 192.168.1.1.
    FG answers due to proxy ARP and forwards the traffic to 192.168.1.2.
    This is where the TCP 3-way handshake breaks: 192.168.1.2 responds to
    the TCP SYN directly to 192.168.1.100. 192.168.1.100 receives this, but since
    it is trying to connect to 192.168.1.1 it will discard the response from 192.168.1.2.
    The 3-way handshake does not happen, no TCP connection.

    If you are using Windows servers and want to do this, look at clustering.
    #4
    abelio
    Expert Member
    • Location: Buenos Aires, Argentina
    RE: Internal LAN load balancing 2010/09/30 11:44:08 (permalink)

    It also works on the same interface:
    An LB VIP at 10.1.1.1/24 with destinations 10.1.1.2/24 and 10.1.1.3/24 on the same interface will work.

    Being able to define such VIPs doesn't enable an LB scenario at all;
    look at rocampo's post above about the 3-way handshake.


    regards
    --
    Abel
    #5
    Maik
    Gold Member
    RE: Internal LAN load balancing 2010/09/30 13:33:43 (permalink)
    It works.
    I can say that, because I have such a setup in a real-life environment.

    regards
    Maik
    #6
    TopJimmy
    Gold Member
    RE: Internal LAN load balancing 2010/09/30 13:43:26 (permalink)

    ORIGINAL: Maik

    it works.
    I can say that, because I have such a setup in a real life environment.

    regards
    Maik



    I'd be interested in this. We are looking at load balancing our LDAP requests due to ****py software support. Most of our internal (LAN side) processes use LDAP and can load balance or fail over to another LDAP server just fine. A few (with lousy support) can only hit one LDAP server, period. For those, we would like to load balance on the internal (but it doesn't have to be) interface to multiple LDAP servers.

    -TJ

    #7
    Maik
    Gold Member
    RE: Internal LAN load balancing 2010/09/30 13:55:43 (permalink)
    I'm currently using it for SMTP, RDP and HTTP load balancing in different setups.
    Good idea to try that with LDAP as well.

    The VIP: your "external" interface is the "internal" one, of course.

    config firewall vip
        edit "lbv_xyz"
            set type server-load-balance
            set extip 10.1.1.1
            set extintf "port10"
            set server-type tcp
            set ldb-method round-robin
            set extport 25
            config realservers
                edit 1
                    set healthcheck enable
                    set ip 10.1.1.2
                    set port 25
                next
                edit 2
                    set healthcheck enable
                    set ip 10.1.1.3
                    set port 25
                next
            end
        next
    end

    Plus firewall policy

    #8
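    Maik's post gives the VIP but only says "plus firewall policy". The following is an added example, not from this thread and not Fortinet's own documentation, that completes the picture for sjwinick's internal1-to-internal1 case: a TCP health monitor, the server-load-balance VIP bound to internal1, and the policy that uses it. The names (smtp-tcp-mon, lbv_smtp_internal), the 192.168.1.x addresses and the choice of SMTP are assumptions. The part the thread never spells out is `set nat enable` on the policy: with source NAT, each real server sees the FortiGate's internal1 address as the client and sends its SYN/ACK back through the FortiGate, which is what avoids the direct-reply problem rocampo describes when the client and the real servers share a subnet. Where `set monitor` sits (at VIP level, as here, or per real server) depends on the FortiOS version; placing it at VIP level is an assumption matching the 4.x-era CLI in Maik's post. Lines starting with # are commentary and should be dropped when pasting into the CLI.

```text
# Health check: mark a real server down when TCP/25 stops answering
config firewall ldb-monitor
    edit "smtp-tcp-mon"
        set type tcp
        set port 25
        set interval 10
        set timeout 2
        set retry 3
    next
end

# Server-load-balance VIP living on the LAN interface itself.
# extintf is the interface the *clients* arrive on, which here is
# the same interface the real servers sit behind.
config firewall vip
    edit "lbv_smtp_internal"
        set type server-load-balance
        set extip 192.168.1.10
        set extintf "internal1"
        set server-type tcp
        set ldb-method round-robin
        set extport 25
        set monitor "smtp-tcp-mon"
        config realservers
            edit 1
                set ip 192.168.1.11
                set port 25
                set healthcheck enable
            next
            edit 2
                set ip 192.168.1.12
                set port 25
                set healthcheck enable
            next
        end
    next
end

# Policy: same interface as source and destination, VIP as the
# destination address (defined on the source interface, as ede_pfau
# explains below), and source NAT so replies return via the FortiGate.
config firewall policy
    edit 0
        set srcintf "internal1"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "lbv_smtp_internal"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
    next
end
```

    After a client connects, `diagnose sys session filter dport 25` followed by `diagnose sys session list` should show the session with the VIP as the original destination, a real server as the translated destination and the internal1 address as the translated source; if the source is not translated, the policy is missing `set nat enable` and the same-subnet case will fail exactly as rocampo describes. The VIP will only appear in the GUI policy drop-down when the policy's source interface matches the VIP's extintf.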
    ede_pfau
    Expert Member
    • Location: Heidelberg, Germany
    RE: Internal LAN load balancing 2010/10/04 07:38:46 (permalink)
    I finally found the time to ask "my" Fortinet SE. He set it up in the lab and confirms that it works. My scenario would be to load balance 2 DNS servers, as failover from primary to secondary DNS on a host can take up to 20 sec.

    Quite a surprise! A not-so-recent feature appears to be helpful in a different context. That's what I call a tool!

    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    #9
    sjwinick
    Bronze Member
    RE: Internal LAN load balancing 2010/10/04 08:56:26 (permalink)
    Maybe I have something else wrong. Types do not change for me. For example, if I change the port to 443, I don't get HTTPS, just the same 4 choices. In fact, right now, anything I try to save for a virtual server gives me an error:

    "some unknown error!"

    Don't know what this means.
    #10
    sjwinick
    Bronze Member
    RE: Internal LAN load balancing 2010/10/05 14:33:05 (permalink)
    How do you do the firewall policy? This example is exactly what I'm trying to do, internal1 to internal1. However, if I create a virtual server on internal1, it doesn't even show up as a valid choice in the pull-down list for such a policy. If the virtual is on WAN1, it does. Is it the GUI that is limiting the possibilities, and will the CLI permit the configuration?
    #11
    Maik
    Gold Member
    RE: Internal LAN load balancing 2010/10/05 14:48:24 (permalink)
    It's possible from the GUI.

    In your case it would be from internal1 to internal1.
    The external interface of the LB VIP is internal1.

    Please post the CLI output of your load balancing VIP.
    #12
    ede_pfau
    Expert Member
    • Location: Heidelberg, Germany
    RE: Internal LAN load balancing 2010/10/06 00:31:33 (permalink)
    This might be a little confusing if you're not used to it:

    In the VIP policy the VIP is given as the DESTINATION address, but is defined on the SOURCE interface.

    Example:
    You want to translate an internal IP 192.168.234.104 to your favorite external time server on wan1, 192.53.103.104.
    You define a VIP "ext_NTP_VIP" with 'external IP addr' = 192.168.234.104, 'external interface' = internal, 'mapped to addr' = 192.53.103.104 ['port' = 123 if you like].

    The policy to use the VIP is:
    source IF = internal, source addr = all, dest IF = wan1, dest addr = ext_NTP_VIP, service = NTP.

    If you define the VIP on the wrong IF you won't see it in the drop-down list.

    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    #13
    CHR57
    New Member
    • Location: Sweden
    RE: Internal LAN load balancing 2020/02/21 01:38:45 (permalink)
    Can someone explain more in detail how to have the Virtual Server on the same lan as the Real Servers?
    #14