SlideShare a Scribd company logo

Nat load balance_5.0e_feature_module

Luis Nagasako
Luis Nagasako
1 of 14
Download to read offline
SonicWALL NAT Load Balancing Overview This feature module will detail how to configure the Network Address Translation (NAT) & Load Balancing (LB) features in SonicOS Enhanced 4.0 and newer, to balance incoming traffic across multiple, similar network resources. Do not confuse this with the WAN ISP & LB feature on the SonicWALL appliance. While both features can be used in conjunction, WAN ISP & LB is used to balance outgoing traffic across two ISP connections, and NAT LB is primarily used to balance incoming traffic. Load Balancing distributes traffic among similar network resources so that no single server becomes overwhelmed, allowing for reliability and redundancy. If one server becomes unavailable, traffic is routed to available resources, providing maximum uptime. The feature module will detail how to configure the necessary NAT, load balancing, health check, logging, and firewall rules to allow systems from the public Internet to access a Virtual IP (VIP) that maps to one or more internal systems, such as Web servers, FTP servers, or SonicWALL SSL-VPN appliances. This Virtual IP may be independent of the SonicWALL appliance or it may be shared, assuming the SonicWALL appliance itself is not using the port(s) in question. In these feature module examples we will be using two SonicWALL PRO 4100 appliances in high-availability mode, two generic Web servers, and two SonicWALL SSL-VPN 2000 appliances. Please note that it is not necessary to have two appliances to perform NAT/LB – it is just another layer of protection that can be easily added to your environment to assure uptime to critical internal resources that have high uptime requirements (typically a driving factor in load balancing systems in the first place). Please note that the load balancing capability in SonicOS Enhanced 4.0, while fairly basic, will satisfy the requirements for many customer network deployments. Customers with environments needing more granular load balancing, persistence, and health-check mechanisms are advised to use a dedicated third-party load balancing appliance (prices run from US$4,000 to US$25,000 per device). Versions • SonicOS Enhanced 4.0 or newer Customers with current service/software support contracts can obtain updated versions of SonicWALL firmware from the MySonicWALL customer portal at https://www.mysonicwall.com. Updated firmware is also freely available to customers who have registered a SonicWALL device on MySonicWALL for the first 90 days. SonicWALL NAT Load Balancing 1
NAT LB Mechanisms NAT LB Mechanisms Advanced Tab Note This tab can only be activated when a group is specified in one of the drop-down fields on the ‘General’ tab of a NAT Policy. Otherwise, the NAT policy defaults to ‘Sticky IP’ as the NAT method. Sticky IP – Source IP always connects to the same Destination IP (assuming it is alive). This method is best for publicly hosted sites requiring connection persistence, such as Web applications, Web forms, or shopping cart applications. This is the default mechanism, and is recommended for most deployments. Round Robin – Source IP cycles through each live load-balanced resource for each connection. This method is best for equal load distribution when persistence is not required. Block Remap/Symmetrical Remap – These two methods are useful when you know the source IP addresses/networks (e.g. when you want to precisely control how traffic from one subnet is NAT’ed to another). Random Distribution – Source IP connects to Destination IP randomly. This method is useful when you wish to randomly spread traffic across internal resources. ‘NAT Method’ – This drop-down allows the user to specify one of five load balancing methods: Sticky IP, Round Robin, Block Remap, Symmetric Remap, or Random Distribution. For most purposes, Sticky IP is preferred. 2 SonicWALL NAT Load Balancing
Caveats ‘Enable Probing’ – When checked, the SonicWALL will use one of two methods to probe the addresses in the load-balancing group, using either a simple ICMP ping query to determine if the resource is alive, or a TCP socket open query to determine if the resource is alive. Per the configurable intervals, the SonicWALL can direct traffic away from a non-responding resource, and return traffic to the resource once it has begun to respond again. Which NAT LB Method Should I Use? Requirement Deployment Example NAT LB Method Distribute load on server equally External/ Internal servers (i.e. Web, FTP, etc) Round Robin without need for persistence Indiscriminate load balancing without External/ Internal servers (i.e. Web, FTP, etc) Random need for persistence Distribution Requires persistence of client E-commerce site, Email Security, SSL-VPN Sticky IP connection appliance (Any publicly accessible servers requiring persistence) Precise control of remap of source LAN to DMZ Servers Block Remap network to a destination range E-mail Security, SSL-VPN Precise control of remap of source Internal Servers (i.e. Intranets or Extranets) Symmetrical network and destination network Remap Caveats • The NAT Load Balancing Feature is found only in SonicOS Enhanced 4.0 and newer • Only two health-check mechanisms at present (ICMP ping and TCP socket open) • No higher-layer persistence mechanisms at present (Sticky IP only) • No ‘sorry-server’ mechanism at present if all servers in group are not responding • No ‘round robin with persistence’ mechanism at present • No ‘weighted round robin’ mechanism at present • No method for detecting if resource is strained, at present • While there is no limit to the number of internal resources the SonicWALL appliance can load-balance to, and there no limit to the number of hosts it can monitor, abnormally large load-balancing groups (25+resources) may impact performance SonicWALL NAT Load Balancing 3
Tasks (Generic, can be followed for either WWW or SSLVPN) Tasks (Generic, can be followed for either WWW or SSLVPN) 1. Create address objects 2. Create address group 3. Create inbound NAT LB/Monitor Policy 4. Create outbound NAT LB Policy 5. Create Firewall Rule 6. Troubleshooting Before You Begin The examples shown in the ‘Tasklist’ section on the next few pages utilize IP addressing information from a demo setup – please make sure and replace any IP addressing information shown in the examples with the correct addressing information for your setup. Also note that the interface names may be different. Note It is strongly advised that you enable logging for all categories, and enable name resolution for logging. To enable logging and alerting, log into the SonicWALL’s Management GUI, go to ‘Log > Categories’, choose ‘Debug’ from the drop-down next to ‘Logging Level’, chose ‘All Categories’ from the drop-down next to ‘View Style’, check the boxes in the title bar next to ‘Log’ and ‘Alerts’ to capture all categories, and click on the ‘Apply’ button in the upper right hand corner to save and activate the changes. For an example, see the first screenshot below. Debug logs should only be used for initial configuration and troubleshooting, and it is advised that once setup is complete, you set the logging level to a more appropriate level for your network environment. To enable log name resolution, go to ‘Log > Name Resolution’, choose ‘DNS then NetBios’ from the ‘Name Resolution Method’ drop-down list, and click on the ‘Apply’ button in the upper right hand corner to save and activate the changes. For an example, see the second screenshot below. 4 SonicWALL NAT Load Balancing
Before You Begin Network Map SonicWALL NAT Load Balancing 5
Configuration Tasklist Configuration Tasklist Step 1 Create Network Objects -- Go to the ‘Network > Address Objects’ page in the Management GUI and create the network objects for both of the internal Web servers, and the Virtual IP (VIP) on which external users will access the servers. For examples, see the next three screenshots. 6 SonicWALL NAT Load Balancing
Configuration Tasklist Step 2 Create Address Group -- Now create an address group named ‘www_group’ and add the two internal server address objects you just created. For an example see the screenshot below. SonicWALL NAT Load Balancing 7
Configuration Tasklist Step 3 Create Inbound NAT Rule for Group -- Now create a NAT rule to allow anyone attempting to access the VIP to get translated to the address group you just created, using ‘Sticky IP’ as the NAT method. Navigate to NAT Policies and click the Add button. For an example see the screenshot below. Note Don’t save the NAT rule just yet. Step 4 Set LB Type and Server Liveliness Method -- On the ‘Advanced’ tab of the NAT policy configuration control, you can specify that the object (or group of objects, or group of groups) be monitored via ICMP ping or by checking for TCP sockets opened. For this lab, we’re going to check to see if the server is up and responding by monitoring TCP port 80 (which is good, since that’s what people are trying to access). You can now click on the ‘OK’ button to save and activate the changes. 8 SonicWALL NAT Load Balancing
Configuration Tasklist Note Before you go any further, check the logs and the status page to see if the resources have been detected and have been logged as online. If you do not see the two messages (with your IP addresses), check the steps above. SonicWALL NAT Load Balancing 9
Configuration Tasklist Step 5 Create Outbound NAT Rule for LB Group -- Write a NAT rule to allow the internal servers to get translated to the VIP when accessing resources out the WAN interface. Step 6 Create Firewall Rule for VIP -- Write a firewall rule to allow traffic from the outside to access the internal Web servers via the VIP. For an example see the screenshot below. Step 7 Test Your Work – OK, you’re ready to test now. From a laptop outside the WAN, connect via HTTP to the VIP using a Web browser. Note NOTE: If you wish to load balance one or more SSL-VPN Appliances, repeat steps 1-7, using HTTPS instead as the allowed service. 10 SonicWALL NAT Load Balancing
Troubleshooting Troubleshooting If the Web servers do not seem to be accessible, go to the ‘Firewall > Access Rules’ page and mouseover the ‘Statistics’ icon. Click the button for which access rule you would like to view. If the rule is configured incorrectly you will not see any Rx or TX Bytes; if it is working, you will see these increment with each successful external access of the load balanced resources. For an example of a working rule, see the screenshot below. You can also check the ‘Firewall > NAT Policies’ page and mouseover the ‘Statistics’ icon . If the policy is configured incorrectly you will not see any Rx or TX Bytes; if it is working, you will see these increment with each successful external access of the load balanced resources. For an example of a working NAT LB policy, see the screenshot below. Finally, check the logs and the status page to see if there are any alerts (noted in yellow) about the Network Monitor noting hosts that are offline; it may be that all of your load balancing resources are not reachable by the SonicWALL appliance and that the probing mechanism has marked them offline and out of service. Check the load balancing resources to ensure that they are functional and check the networking connections between them and the SonicWALL appliance. SonicWALL NAT Load Balancing 11
Appendix Appendix If you’re interested in exactly how the security appliance applies the load balancing algorithms, see below. NAT Load Balancing Methods Round Robin Source IP connects to Destination IP alternately Random Distribution Source IP connects to Destination IP randomly Sticky IP Source IP connects to same Destination IP Block Remap Source network is divided by size of the Destination pool to create logical segments Symmetrical Remap Source IP maps to Destination IP Ex: 10.1.1.10 ---- 192.168.60.10 Sticky IP Algorithm Source IP is modulo with the size of the server cluster to determine the server to remap to Example one: 192.168.0.2 to 192.168.0.4 IP H ex Dec Binary Tr anslated Dest = 10.50.165.0 / 30 (Networ k) Pac ket Src IP = 192.168.0.2 192.168.0.2 = C0A80002 = 3232235522 = 11000000101010000000000000000010 Sticky IP Formula = Packet Src IP=3232235522 [modulo] TransDest Size=2 =3232235522 [modulo] 2 =0 2 divides into numerator evenly. There is no remainder thus 0 Sticky IP Formula yields offset of 0 Destination remapping to 10.50.165.1 12 SonicWALL NAT Load Balancing
Appendix Sticky IP Algorithm Source IP is modulo with the size of the server cluster to determine the server to remap to Example two: 192.168.0.2 to 192.168. 0.4 IP H ex Dec Binary Tr anslated Dest = 10. 50. 165.1 – 10.50.165.3 (Range) Pack et Src IP = 192.168.0.2 192.168.0.2 = C0A80002 = 3232235522 = 11000000101010000000000000000010 Sticky IP Formula = Packet Src IP=3232235522 [modulo] TransDest Size=3 =3232235522 [modulo] 3 = 1077411840.6666667 – 1077411840 = 0.6666667 X 3 =2 Sticky IP Formula yields offset of 2 Destination remapping to 10.50.165.3 Sticky IP Algorithm Source IP is modulo with the size of the server cluster to determine the server to remap to Example two: 192.168.0.2 to 192.168.0.4 IP Hex Dec Binary Tr an sl ated Dest = 10.50.165.1 – 10.50.165. 3 (Range) Pack et Src IP = 192.168.0.2 192.168.0.2 = C 0A80002 = 3232235522 = 11000000101010000000000000000010 Sticky IP Formula = Packet Src IP=3232235522 [modulo] TransDest Size=3 =3232235522 [modulo] 3 = 1077411840.6666667 – 1077411840 = 0.6666667 X 3 =2 Sticky IP Formula yields offset of 2 Destination remapping to 10.50.165.3 SonicWALL NAT Load Balancing 13
Appendix Sticky IP Algorithm Source IP is modulo with the size of the server cluster to determine the server to remap to Example two: 192.168.0.2 to 192.168.0.4 Translated Dest = 10.50.165.1 – 10.50.165.3 (Range) IP Hex Dec Binary Pac ket Src IP = 192.168. 0.2 192.168.0.2 = C0A80002 = 3232235522 = 11000000101010000000000000000010 Sticky IP Formula = Packet Src IP=3232235522 [modulo] TransDest Size=3 =3232235522 [modulo] 3 = 1077411840.6666667 – 1077411840 = 0.6666667 X 3 =2 Sticky IP Formula yields offset of 2 Destination remapping to 10.50.165.3 Created: 10/15/06 Updated: 03/14/07 Version 1.4 Maintained by: dparry@sonicwall.com 14 SonicWALL NAT Load Balancing 232-001235-00 Rev A

Recommended

Ha nam
Ha namHa nam
Ha namrajgurupatil
 
DHCP concept
DHCP conceptDHCP concept
DHCP conceptShopnomoy Prantor
 
3 1 deltatrainingslides
3 1 deltatrainingslides3 1 deltatrainingslides
3 1 deltatrainingslidesYamadou BATHILY
 
Fast Convergence Techniques
Fast Convergence TechniquesFast Convergence Techniques
Fast Convergence TechniquesBangladesh Network Operators Group
 
EMEA Airheads- Virtual Switching Framework- Aruba OS Switch
EMEA Airheads- Virtual Switching Framework- Aruba OS SwitchEMEA Airheads- Virtual Switching Framework- Aruba OS Switch
EMEA Airheads- Virtual Switching Framework- Aruba OS SwitchAruba, a Hewlett Packard Enterprise company
 
66_pfSenseTutorial
66_pfSenseTutorial66_pfSenseTutorial
66_pfSenseTutorialtutorialsruby
 
080 DHCP
080 DHCP080 DHCP
080 DHCPVIPAL PATEL
 
Design and Deployment of Enterprise Wirlesss Networks
Design and Deployment of Enterprise Wirlesss NetworksDesign and Deployment of Enterprise Wirlesss Networks
Design and Deployment of Enterprise Wirlesss NetworksCisco Mobility
 

Recommended

Ha nam
Ha namHa nam
Ha namrajgurupatil
 
DHCP concept
DHCP conceptDHCP concept
DHCP conceptShopnomoy Prantor
 
3 1 deltatrainingslides
3 1 deltatrainingslides3 1 deltatrainingslides
3 1 deltatrainingslidesYamadou BATHILY
 
Fast Convergence Techniques
Fast Convergence TechniquesFast Convergence Techniques
Fast Convergence TechniquesBangladesh Network Operators Group
 
EMEA Airheads- Virtual Switching Framework- Aruba OS Switch
EMEA Airheads- Virtual Switching Framework- Aruba OS SwitchEMEA Airheads- Virtual Switching Framework- Aruba OS Switch
EMEA Airheads- Virtual Switching Framework- Aruba OS SwitchAruba, a Hewlett Packard Enterprise company
 
66_pfSenseTutorial
66_pfSenseTutorial66_pfSenseTutorial
66_pfSenseTutorialtutorialsruby
 
080 DHCP
080 DHCP080 DHCP
080 DHCPVIPAL PATEL
 
Design and Deployment of Enterprise Wirlesss Networks
Design and Deployment of Enterprise Wirlesss NetworksDesign and Deployment of Enterprise Wirlesss Networks
Design and Deployment of Enterprise Wirlesss NetworksCisco Mobility
 
Vsat day-2008-comtech
Vsat day-2008-comtechVsat day-2008-comtech
Vsat day-2008-comtechSSPI Brasil
 
Application & Data Center
Application & Data CenterApplication & Data Center
Application & Data CenterNetProtocol Xpert
 
DHCP PROTOCOL
DHCP PROTOCOLDHCP PROTOCOL
DHCP PROTOCOLatharvakale07
 
Durai presentation of dhcp
Durai presentation of dhcpDurai presentation of dhcp
Durai presentation of dhcpduraimurugan89
 
Dhcp edu
Dhcp eduDhcp edu
Dhcp eduEduquity Career Technologies Pvt.Ltd.
 
DHCP and NIS
DHCP and NISDHCP and NIS
DHCP and NISSreenatha Reddy K R
 
PLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAM
PLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAMPLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAM
PLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAMPROIDEA
 
BIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedBIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedMustafa Golam
 
Linux hpc-cluster-setup-guide
Linux hpc-cluster-setup-guideLinux hpc-cluster-setup-guide
Linux hpc-cluster-setup-guidejasembo
 
RADIUS and LDAP - pfSense Hangout August 2015
RADIUS and LDAP - pfSense Hangout August 2015RADIUS and LDAP - pfSense Hangout August 2015
RADIUS and LDAP - pfSense Hangout August 2015Netgate
 
#IBMEdge: Brocade SAN Health Session
#IBMEdge: Brocade SAN Health Session#IBMEdge: Brocade SAN Health Session
#IBMEdge: Brocade SAN Health SessionBrocade
 
Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015Netgate
 
Lesson 5: Configuring Name Resolution
Lesson 5: Configuring Name ResolutionLesson 5: Configuring Name Resolution
Lesson 5: Configuring Name ResolutionMahmmoud Mahdi
 
FlowER Erlang Openflow Controller
FlowER Erlang Openflow ControllerFlowER Erlang Openflow Controller
FlowER Erlang Openflow ControllerHolger Winkelmann
 
Dynamic Host Configuration Protocol
Dynamic Host Configuration ProtocolDynamic Host Configuration Protocol
Dynamic Host Configuration Protocolgueste98b36
 
DHCP Server & Client Presentation
DHCP Server & Client PresentationDHCP Server & Client Presentation
DHCP Server & Client Presentationraini
 
DHCP (dynamic host configuration protocol)
DHCP (dynamic host configuration protocol)DHCP (dynamic host configuration protocol)
DHCP (dynamic host configuration protocol)Netwax Lab
 
BGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesBGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesFebrian ‎
 
Dhcp
DhcpDhcp
DhcpTapan Khilar
 
How to configure static nat on cisco routers
How to configure static nat on cisco routersHow to configure static nat on cisco routers
How to configure static nat on cisco routersIT Tech
 
What is Network Address Translation (NAT)
What is Network Address Translation (NAT)What is Network Address Translation (NAT)
What is Network Address Translation (NAT)Amit Kumar , Jaipur Engineers
 
Nat presentation
Nat presentationNat presentation
Nat presentationhassoon3
 

More Related Content

What's hot

Vsat day-2008-comtech
Vsat day-2008-comtechVsat day-2008-comtech
Vsat day-2008-comtechSSPI Brasil
 
Durai presentation of dhcp
Durai presentation of dhcpDurai presentation of dhcp
Durai presentation of dhcpduraimurugan89
 
PLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAM
PLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAMPLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAM
PLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAMPROIDEA
 
BIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedBIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedMustafa Golam
 
Linux hpc-cluster-setup-guide
Linux hpc-cluster-setup-guideLinux hpc-cluster-setup-guide
Linux hpc-cluster-setup-guidejasembo
 
RADIUS and LDAP - pfSense Hangout August 2015
RADIUS and LDAP - pfSense Hangout August 2015RADIUS and LDAP - pfSense Hangout August 2015
RADIUS and LDAP - pfSense Hangout August 2015Netgate
 
#IBMEdge: Brocade SAN Health Session
#IBMEdge: Brocade SAN Health Session#IBMEdge: Brocade SAN Health Session
#IBMEdge: Brocade SAN Health SessionBrocade
 
Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015Netgate
 
Lesson 5: Configuring Name Resolution
Lesson 5: Configuring Name ResolutionLesson 5: Configuring Name Resolution
Lesson 5: Configuring Name ResolutionMahmmoud Mahdi
 
FlowER Erlang Openflow Controller
FlowER Erlang Openflow ControllerFlowER Erlang Openflow Controller
FlowER Erlang Openflow ControllerHolger Winkelmann
 
Dynamic Host Configuration Protocol
Dynamic Host Configuration ProtocolDynamic Host Configuration Protocol
Dynamic Host Configuration Protocolgueste98b36
 
DHCP Server & Client Presentation
DHCP Server & Client PresentationDHCP Server & Client Presentation
DHCP Server & Client Presentationraini
 
DHCP (dynamic host configuration protocol)
DHCP (dynamic host configuration protocol)DHCP (dynamic host configuration protocol)
DHCP (dynamic host configuration protocol)Netwax Lab
 
BGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesBGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesFebrian ‎
 

What's hot (19)

Vsat day-2008-comtech
Vsat day-2008-comtechVsat day-2008-comtech
Vsat day-2008-comtech
 
Application & Data Center
Application & Data CenterApplication & Data Center
Application & Data Center
 
DHCP PROTOCOL
DHCP PROTOCOLDHCP PROTOCOL
DHCP PROTOCOL
 
Durai presentation of dhcp
Durai presentation of dhcpDurai presentation of dhcp
Durai presentation of dhcp
 
Dhcp edu
Dhcp eduDhcp edu
Dhcp edu
 
DHCP and NIS
DHCP and NISDHCP and NIS
DHCP and NIS
 
PLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAM
PLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAMPLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAM
PLNOG 5: Rafał Szarecki - EXPERIENCE FROM L2TP IMPLEMENTATION FOR BITSTREAM
 
BIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedBIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To Advanced
 
Linux hpc-cluster-setup-guide
Linux hpc-cluster-setup-guideLinux hpc-cluster-setup-guide
Linux hpc-cluster-setup-guide
 
RADIUS and LDAP - pfSense Hangout August 2015
RADIUS and LDAP - pfSense Hangout August 2015RADIUS and LDAP - pfSense Hangout August 2015
RADIUS and LDAP - pfSense Hangout August 2015
 
#IBMEdge: Brocade SAN Health Session
#IBMEdge: Brocade SAN Health Session#IBMEdge: Brocade SAN Health Session
#IBMEdge: Brocade SAN Health Session
 
Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015
 
Lesson 5: Configuring Name Resolution
Lesson 5: Configuring Name ResolutionLesson 5: Configuring Name Resolution
Lesson 5: Configuring Name Resolution
 
FlowER Erlang Openflow Controller
FlowER Erlang Openflow ControllerFlowER Erlang Openflow Controller
FlowER Erlang Openflow Controller
 
Dynamic Host Configuration Protocol
Dynamic Host Configuration ProtocolDynamic Host Configuration Protocol
Dynamic Host Configuration Protocol
 
DHCP Server & Client Presentation
DHCP Server & Client PresentationDHCP Server & Client Presentation
DHCP Server & Client Presentation
 
DHCP (dynamic host configuration protocol)
DHCP (dynamic host configuration protocol)DHCP (dynamic host configuration protocol)
DHCP (dynamic host configuration protocol)
 
BGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesBGP Advance Technique by Steven & James
BGP Advance Technique by Steven & James
 
Dhcp
DhcpDhcp
Dhcp
 

Viewers also liked

How to configure static nat on cisco routers
How to configure static nat on cisco routersHow to configure static nat on cisco routers
How to configure static nat on cisco routersIT Tech
 
Nat presentation
Nat presentationNat presentation
Nat presentationhassoon3
 
NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)Netwax Lab
 
Implementación de NAT/PAT en routers Cisco
Implementación de NAT/PAT en routers CiscoImplementación de NAT/PAT en routers Cisco
Implementación de NAT/PAT en routers CiscoPaulo Colomés
 
Network address translation pdf
Network address translation pdfNetwork address translation pdf
Network address translation pdfMadhusudhan Anand
 

Viewers also liked (10)

How to configure static nat on cisco routers
How to configure static nat on cisco routersHow to configure static nat on cisco routers
How to configure static nat on cisco routers
 
What is Network Address Translation (NAT)
What is Network Address Translation (NAT)What is Network Address Translation (NAT)
What is Network Address Translation (NAT)
 
Nat presentation
Nat presentationNat presentation
Nat presentation
 
Network address translation
Network address translationNetwork address translation
Network address translation
 
NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)
 
NAT Ccna
NAT CcnaNAT Ccna
NAT Ccna
 
NAT Scneario
NAT ScnearioNAT Scneario
NAT Scneario
 
NAT|PAT
NAT|PATNAT|PAT
NAT|PAT
 
Implementación de NAT/PAT en routers Cisco
Implementación de NAT/PAT en routers CiscoImplementación de NAT/PAT en routers Cisco
Implementación de NAT/PAT en routers Cisco
 
Network address translation pdf
Network address translation pdfNetwork address translation pdf
Network address translation pdf
 

Similar to Nat load balance_5.0e_feature_module

Cymphonix active-passive high availability v9
Cymphonix active-passive high availability v9Cymphonix active-passive high availability v9
Cymphonix active-passive high availability v9encikkidal
 
Introduction to NBL
Introduction to NBLIntroduction to NBL
Introduction to NBLFei Ji Siao
 
AWS Atlanta meetup load-balancing
AWS Atlanta meetup load-balancingAWS Atlanta meetup load-balancing
AWS Atlanta meetup load-balancingAdam Book
 
Ct nyc-philly open stack meetups april 2014 final
Ct nyc-philly open stack meetups april 2014 finalCt nyc-philly open stack meetups april 2014 final
Ct nyc-philly open stack meetups april 2014 finalozkan01
 
Netforce: extending neutron to support routed networks at scale in ebay
Netforce: extending neutron to support routed networks at scale in ebayNetforce: extending neutron to support routed networks at scale in ebay
Netforce: extending neutron to support routed networks at scale in ebayAliasgar Ginwala
 
Using Software-Defined WAN implementation to turn on advanced connectivity se...
Using Software-Defined WAN implementation to turn on advanced connectivity se...Using Software-Defined WAN implementation to turn on advanced connectivity se...
Using Software-Defined WAN implementation to turn on advanced connectivity se...RedHatTelco
 
SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014
SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014
SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014SAMeh Zaghloul
 
Apache Geode Clubhouse - WAN-based Replication
Apache Geode Clubhouse - WAN-based ReplicationApache Geode Clubhouse - WAN-based Replication
Apache Geode Clubhouse - WAN-based ReplicationPivotalOpenSourceHub
 
VMware vSphere 6.0 - Troubleshooting Training - Day 3
VMware vSphere 6.0 - Troubleshooting Training - Day 3 VMware vSphere 6.0 - Troubleshooting Training - Day 3
VMware vSphere 6.0 - Troubleshooting Training - Day 3 Sanjeev Kumar
 
VMware Advance Troubleshooting Workshop - Day 3
VMware Advance Troubleshooting Workshop - Day 3VMware Advance Troubleshooting Workshop - Day 3
VMware Advance Troubleshooting Workshop - Day 3Vepsun Technologies
 
Basic concepts for_clustered_data_ontap_8.3_v1.1-lab_guide
Basic concepts for_clustered_data_ontap_8.3_v1.1-lab_guideBasic concepts for_clustered_data_ontap_8.3_v1.1-lab_guide
Basic concepts for_clustered_data_ontap_8.3_v1.1-lab_guideVikas Sharma
 
66 pfsense tutorial
66 pfsense tutorial66 pfsense tutorial
66 pfsense tutorialequinonesr
 
An Evaluators Guide To Net Flow Tracker
An Evaluators Guide To Net Flow TrackerAn Evaluators Guide To Net Flow Tracker
An Evaluators Guide To Net Flow Trackereegger
 

Similar to Nat load balance_5.0e_feature_module (20)

Cymphonix active-passive high availability v9
Cymphonix active-passive high availability v9Cymphonix active-passive high availability v9
Cymphonix active-passive high availability v9
 
Introduction to NBL
Introduction to NBLIntroduction to NBL
Introduction to NBL
 
AWS Atlanta meetup load-balancing
AWS Atlanta meetup load-balancingAWS Atlanta meetup load-balancing
AWS Atlanta meetup load-balancing
 
Ct nyc-philly open stack meetups april 2014 final
Ct nyc-philly open stack meetups april 2014 finalCt nyc-philly open stack meetups april 2014 final
Ct nyc-philly open stack meetups april 2014 final
 
CCNA 1
CCNA 1CCNA 1
CCNA 1
 
Netforce: extending neutron to support routed networks at scale in ebay
Netforce: extending neutron to support routed networks at scale in ebayNetforce: extending neutron to support routed networks at scale in ebay
Netforce: extending neutron to support routed networks at scale in ebay
 
Using Software-Defined WAN implementation to turn on advanced connectivity se...
Using Software-Defined WAN implementation to turn on advanced connectivity se...Using Software-Defined WAN implementation to turn on advanced connectivity se...
Using Software-Defined WAN implementation to turn on advanced connectivity se...
 
Whatsup
WhatsupWhatsup
Whatsup
 
Whatsup
WhatsupWhatsup
Whatsup
 
SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014
SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014
SDN 101: Software Defined Networking Course - Sameh Zaghloul/IBM - 2014
 
ACE - Comcore
ACE - ComcoreACE - Comcore
ACE - Comcore
 
SDN and NFV
SDN and NFVSDN and NFV
SDN and NFV
 
Apache Geode Clubhouse - WAN-based Replication
Apache Geode Clubhouse - WAN-based ReplicationApache Geode Clubhouse - WAN-based Replication
Apache Geode Clubhouse - WAN-based Replication
 
VMware vSphere 6.0 - Troubleshooting Training - Day 3
VMware vSphere 6.0 - Troubleshooting Training - Day 3 VMware vSphere 6.0 - Troubleshooting Training - Day 3
VMware vSphere 6.0 - Troubleshooting Training - Day 3
 
VMware Advance Troubleshooting Workshop - Day 3
VMware Advance Troubleshooting Workshop - Day 3VMware Advance Troubleshooting Workshop - Day 3
VMware Advance Troubleshooting Workshop - Day 3
 
PLB
PLBPLB
PLB
 
Basic concepts for_clustered_data_ontap_8.3_v1.1-lab_guide
Basic concepts for_clustered_data_ontap_8.3_v1.1-lab_guideBasic concepts for_clustered_data_ontap_8.3_v1.1-lab_guide
Basic concepts for_clustered_data_ontap_8.3_v1.1-lab_guide
 
EMEA Airheads- Instant AP- APP REF and Mixed IAP Cluster deployments
EMEA Airheads- Instant AP- APP REF and Mixed IAP Cluster deploymentsEMEA Airheads- Instant AP- APP REF and Mixed IAP Cluster deployments
EMEA Airheads- Instant AP- APP REF and Mixed IAP Cluster deployments
 
66 pfsense tutorial
66 pfsense tutorial66 pfsense tutorial
66 pfsense tutorial
 
An Evaluators Guide To Net Flow Tracker
An Evaluators Guide To Net Flow TrackerAn Evaluators Guide To Net Flow Tracker
An Evaluators Guide To Net Flow Tracker
 

Nat load balance_5.0e_feature_module

  • 1. SonicWALL NAT Load Balancing Overview This feature module will detail how to configure the Network Address Translation (NAT) & Load Balancing (LB) features in SonicOS Enhanced 4.0 and newer, to balance incoming traffic across multiple, similar network resources. Do not confuse this with the WAN ISP & LB feature on the SonicWALL appliance. While both features can be used in conjunction, WAN ISP & LB is used to balance outgoing traffic across two ISP connections, and NAT LB is primarily used to balance incoming traffic. Load Balancing distributes traffic among similar network resources so that no single server becomes overwhelmed, allowing for reliability and redundancy. If one server becomes unavailable, traffic is routed to available resources, providing maximum uptime. The feature module will detail how to configure the necessary NAT, load balancing, health check, logging, and firewall rules to allow systems from the public Internet to access a Virtual IP (VIP) that maps to one or more internal systems, such as Web servers, FTP servers, or SonicWALL SSL-VPN appliances. This Virtual IP may be independent of the SonicWALL appliance or it may be shared, assuming the SonicWALL appliance itself is not using the port(s) in question. In these feature module examples we will be using two SonicWALL PRO 4100 appliances in high-availability mode, two generic Web servers, and two SonicWALL SSL-VPN 2000 appliances. Please note that it is not necessary to have two appliances to perform NAT/LB – it is just another layer of protection that can be easily added to your environment to assure uptime to critical internal resources that have high uptime requirements (typically a driving factor in load balancing systems in the first place). Please note that the load balancing capability in SonicOS Enhanced 4.0, while fairly basic, will satisfy the requirements for many customer network deployments. Customers with environments needing more granular load balancing, persistence, and health-check mechanisms are advised to use a dedicated third-party load balancing appliance (prices run from US$4,000 to US$25,000 per device). Versions • SonicOS Enhanced 4.0 or newer Customers with current service/software support contracts can obtain updated versions of SonicWALL firmware from the MySonicWALL customer portal at https://www.mysonicwall.com. Updated firmware is also freely available to customers who have registered a SonicWALL device on MySonicWALL for the first 90 days. SonicWALL NAT Load Balancing 1
  • 2. NAT LB Mechanisms NAT LB Mechanisms Advanced Tab Note This tab can only be activated when a group is specified in one of the drop-down fields on the ‘General’ tab of a NAT Policy. Otherwise, the NAT policy defaults to ‘Sticky IP’ as the NAT method. Sticky IP – Source IP always connects to the same Destination IP (assuming it is alive). This method is best for publicly hosted sites requiring connection persistence, such as Web applications, Web forms, or shopping cart applications. This is the default mechanism, and is recommended for most deployments. Round Robin – Source IP cycles through each live load-balanced resource for each connection. This method is best for equal load distribution when persistence is not required. Block Remap/Symmetrical Remap – These two methods are useful when you know the source IP addresses/networks (e.g. when you want to precisely control how traffic from one subnet is NAT’ed to another). Random Distribution – Source IP connects to Destination IP randomly. This method is useful when you wish to randomly spread traffic across internal resources. ‘NAT Method’ – This drop-down allows the user to specify one of five load balancing methods: Sticky IP, Round Robin, Block Remap, Symmetric Remap, or Random Distribution. For most purposes, Sticky IP is preferred. 2 SonicWALL NAT Load Balancing
  • 3. Caveats ‘Enable Probing’ – When checked, the SonicWALL will use one of two methods to probe the addresses in the load-balancing group, using either a simple ICMP ping query to determine if the resource is alive, or a TCP socket open query to determine if the resource is alive. Per the configurable intervals, the SonicWALL can direct traffic away from a non-responding resource, and return traffic to the resource once it has begun to respond again. Which NAT LB Method Should I Use? Requirement Deployment Example NAT LB Method Distribute load on server equally External/ Internal servers (i.e. Web, FTP, etc) Round Robin without need for persistence Indiscriminate load balancing without External/ Internal servers (i.e. Web, FTP, etc) Random need for persistence Distribution Requires persistence of client E-commerce site, Email Security, SSL-VPN Sticky IP connection appliance (Any publicly accessible servers requiring persistence) Precise control of remap of source LAN to DMZ Servers Block Remap network to a destination range E-mail Security, SSL-VPN Precise control of remap of source Internal Servers (i.e. Intranets or Extranets) Symmetrical network and destination network Remap Caveats • The NAT Load Balancing Feature is found only in SonicOS Enhanced 4.0 and newer • Only two health-check mechanisms at present (ICMP ping and TCP socket open) • No higher-layer persistence mechanisms at present (Sticky IP only) • No ‘sorry-server’ mechanism at present if all servers in group are not responding • No ‘round robin with persistence’ mechanism at present • No ‘weighted round robin’ mechanism at present • No method for detecting if resource is strained, at present • While there is no limit to the number of internal resources the SonicWALL appliance can load-balance to, and there no limit to the number of hosts it can monitor, abnormally large load-balancing groups (25+resources) may impact performance SonicWALL NAT Load Balancing 3
  • 4. Tasks (Generic, can be followed for either WWW or SSLVPN) Tasks (Generic, can be followed for either WWW or SSLVPN) 1. Create address objects 2. Create address group 3. Create inbound NAT LB/Monitor Policy 4. Create outbound NAT LB Policy 5. Create Firewall Rule 6. Troubleshooting Before You Begin The examples shown in the ‘Tasklist’ section on the next few pages utilize IP addressing information from a demo setup – please make sure and replace any IP addressing information shown in the examples with the correct addressing information for your setup. Also note that the interface names may be different. Note It is strongly advised that you enable logging for all categories, and enable name resolution for logging. To enable logging and alerting, log into the SonicWALL’s Management GUI, go to ‘Log > Categories’, choose ‘Debug’ from the drop-down next to ‘Logging Level’, chose ‘All Categories’ from the drop-down next to ‘View Style’, check the boxes in the title bar next to ‘Log’ and ‘Alerts’ to capture all categories, and click on the ‘Apply’ button in the upper right hand corner to save and activate the changes. For an example, see the first screenshot below. Debug logs should only be used for initial configuration and troubleshooting, and it is advised that once setup is complete, you set the logging level to a more appropriate level for your network environment. To enable log name resolution, go to ‘Log > Name Resolution’, choose ‘DNS then NetBios’ from the ‘Name Resolution Method’ drop-down list, and click on the ‘Apply’ button in the upper right hand corner to save and activate the changes. For an example, see the second screenshot below. 4 SonicWALL NAT Load Balancing
  • 5. Before You Begin Network Map SonicWALL NAT Load Balancing 5
  • 6. Configuration Tasklist Configuration Tasklist Step 1 Create Network Objects -- Go to the ‘Network > Address Objects’ page in the Management GUI and create the network objects for both of the internal Web servers, and the Virtual IP (VIP) on which external users will access the servers. For examples, see the next three screenshots. 6 SonicWALL NAT Load Balancing
  • 7. Configuration Tasklist Step 2 Create Address Group -- Now create an address group named ‘www_group’ and add the two internal server address objects you just created. For an example see the screenshot below. SonicWALL NAT Load Balancing 7
  • 8. Configuration Tasklist Step 3 Create Inbound NAT Rule for Group -- Now create a NAT rule to allow anyone attempting to access the VIP to get translated to the address group you just created, using ‘Sticky IP’ as the NAT method. Navigate to NAT Policies and click the Add button. For an example see the screenshot below. Note Don’t save the NAT rule just yet. Step 4 Set LB Type and Server Liveliness Method -- On the ‘Advanced’ tab of the NAT policy configuration control, you can specify that the object (or group of objects, or group of groups) be monitored via ICMP ping or by checking for TCP sockets opened. For this lab, we’re going to check to see if the server is up and responding by monitoring TCP port 80 (which is good, since that’s what people are trying to access). You can now click on the ‘OK’ button to save and activate the changes. 8 SonicWALL NAT Load Balancing
  • 9. Configuration Tasklist Note Before you go any further, check the logs and the status page to see if the resources have been detected and have been logged as online. If you do not see the two messages (with your IP addresses), check the steps above. SonicWALL NAT Load Balancing 9
  • 10. Configuration Tasklist Step 5 Create Outbound NAT Rule for LB Group -- Write a NAT rule to allow the internal servers to get translated to the VIP when accessing resources out the WAN interface. Step 6 Create Firewall Rule for VIP -- Write a firewall rule to allow traffic from the outside to access the internal Web servers via the VIP. For an example see the screenshot below. Step 7 Test Your Work – OK, you’re ready to test now. From a laptop outside the WAN, connect via HTTP to the VIP using a Web browser. Note NOTE: If you wish to load balance one or more SSL-VPN Appliances, repeat steps 1-7, using HTTPS instead as the allowed service. 10 SonicWALL NAT Load Balancing
  • 11. Troubleshooting Troubleshooting If the Web servers do not seem to be accessible, go to the ‘Firewall > Access Rules’ page and mouseover the ‘Statistics’ icon. Click the button for which access rule you would like to view. If the rule is configured incorrectly you will not see any Rx or TX Bytes; if it is working, you will see these increment with each successful external access of the load balanced resources. For an example of a working rule, see the screenshot below. You can also check the ‘Firewall > NAT Policies’ page and mouseover the ‘Statistics’ icon . If the policy is configured incorrectly you will not see any Rx or TX Bytes; if it is working, you will see these increment with each successful external access of the load balanced resources. For an example of a working NAT LB policy, see the screenshot below. Finally, check the logs and the status page to see if there are any alerts (noted in yellow) about the Network Monitor noting hosts that are offline; it may be that all of your load balancing resources are not reachable by the SonicWALL appliance and that the probing mechanism has marked them offline and out of service. Check the load balancing resources to ensure that they are functional and check the networking connections between them and the SonicWALL appliance. SonicWALL NAT Load Balancing 11
  • 12. Appendix Appendix If you’re interested in exactly how the security appliance applies the load balancing algorithms, see below. NAT Load Balancing Methods Round Robin Source IP connects to Destination IP alternately Random Distribution Source IP connects to Destination IP randomly Sticky IP Source IP connects to same Destination IP Block Remap Source network is divided by size of the Destination pool to create logical segments Symmetrical Remap Source IP maps to Destination IP Ex: 10.1.1.10 ---- 192.168.60.10 Sticky IP Algorithm Source IP is modulo with the size of the server cluster to determine the server to remap to Example one: 192.168.0.2 to 192.168.0.4 IP H ex Dec Binary Tr anslated Dest = 10.50.165.0 / 30 (Networ k) Pac ket Src IP = 192.168.0.2 192.168.0.2 = C0A80002 = 3232235522 = 11000000101010000000000000000010 Sticky IP Formula = Packet Src IP=3232235522 [modulo] TransDest Size=2 =3232235522 [modulo] 2 =0 2 divides into numerator evenly. There is no remainder thus 0 Sticky IP Formula yields offset of 0 Destination remapping to 10.50.165.1 12 SonicWALL NAT Load Balancing
  • 13. Appendix Sticky IP Algorithm Source IP is modulo with the size of the server cluster to determine the server to remap to Example two: 192.168.0.2 to 192.168. 0.4 IP H ex Dec Binary Tr anslated Dest = 10. 50. 165.1 – 10.50.165.3 (Range) Pack et Src IP = 192.168.0.2 192.168.0.2 = C0A80002 = 3232235522 = 11000000101010000000000000000010 Sticky IP Formula = Packet Src IP=3232235522 [modulo] TransDest Size=3 =3232235522 [modulo] 3 = 1077411840.6666667 – 1077411840 = 0.6666667 X 3 =2 Sticky IP Formula yields offset of 2 Destination remapping to 10.50.165.3 Sticky IP Algorithm Source IP is modulo with the size of the server cluster to determine the server to remap to Example two: 192.168.0.2 to 192.168.0.4 IP Hex Dec Binary Tr an sl ated Dest = 10.50.165.1 – 10.50.165. 3 (Range) Pack et Src IP = 192.168.0.2 192.168.0.2 = C 0A80002 = 3232235522 = 11000000101010000000000000000010 Sticky IP Formula = Packet Src IP=3232235522 [modulo] TransDest Size=3 =3232235522 [modulo] 3 = 1077411840.6666667 – 1077411840 = 0.6666667 X 3 =2 Sticky IP Formula yields offset of 2 Destination remapping to 10.50.165.3 SonicWALL NAT Load Balancing 13
  • 14. Appendix Sticky IP Algorithm Source IP is modulo with the size of the server cluster to determine the server to remap to Example two: 192.168.0.2 to 192.168.0.4 Translated Dest = 10.50.165.1 – 10.50.165.3 (Range) IP Hex Dec Binary Pac ket Src IP = 192.168. 0.2 192.168.0.2 = C0A80002 = 3232235522 = 11000000101010000000000000000010 Sticky IP Formula = Packet Src IP=3232235522 [modulo] TransDest Size=3 =3232235522 [modulo] 3 = 1077411840.6666667 – 1077411840 = 0.6666667 X 3 =2 Sticky IP Formula yields offset of 2 Destination remapping to 10.50.165.3 Created: 10/15/06 Updated: 03/14/07 Version 1.4 Maintained by: dparry@sonicwall.com 14 SonicWALL NAT Load Balancing 232-001235-00 Rev A