Staff
September 29, 2011
Technical Note : Conditional DNAT using load balanced vip / Load-balanced VIP with realserver and client-ip
Purpose
This technical note provides an example of a load-balanced VIP where the realservers are configured with the 'client-ip' configuration statement.
This allows the realserver to which traffic is forwarded to be chosen based on the client IP address.
In addition, it is possible for the VIP external IP address to be the same as the IP address of one of the realservers.
This is an interesting option if one server (so far used without a VIP on the FortiGate) needs part of its traffic to be offloaded to another server without changing its IP addressing.
Configuration of the load-balanced vip in this example cannot be done via the GUI (CLI only).
Scope
Diagram

Expectations, Requirements
Expectations:
We expect client requests to 172.31.211.254 to be handled as follows:
- Client W, part of the range 10.183.0.1-10.183.0.100, is sent to server Z 172.31.227.254 after DNAT (172.31.211.254->172.31.227.254)
- Client X, part of the range 10.183.0.101-10.183.0.254, is sent to server Y 172.31.211.254
In this way, part of the load of the original server 172.31.211.254 is offloaded to 172.31.227.254.
Important notes concerning client-ip ranges:
- At most 4 ranges can be configured with the "client-ip" statement per realserver (separated by a space character)
- If the "client-ip" definitions of several realservers overlap, traffic from the overlapping IPs is load balanced between those realservers according to the load-balancing method configured in the VIP.
- When no 'client-ip' is defined in a realserver configuration, all client IPs are accepted.
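The selection rules above (client-ip range match, load balancing when ranges overlap, catch-all when no client-ip is set, at most 4 ranges per realserver) can be modelled outside the FortiGate to sanity-check a design before configuring it. The following script is an added example, not FortiOS code: the realserver IPs and ranges are the ones from this note, the load-balancing method used for overlapping ranges is assumed to be round-robin, and the 192.0.2.x / 10.0.0.x values in the comments and tests are constructed.

```python
"""Model of FortiGate load-balanced VIP realserver selection by client IP.

Added example; not FortiOS code. It reproduces the three behaviours the note
describes: client-ip ranges select the realserver, overlapping ranges fall
back to the VIP's load-balancing method (round-robin assumed here), and a
realserver with no client-ip matches every client. The 4-range limit per
realserver is enforced when the client-ip value is parsed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_CLIENT_IP_RANGES = 4  # per-realserver limit stated in the note


def parse_client_ip(value: str) -> List[Tuple[int, int]]:
    """Parse a FortiOS 'client-ip' value ("a-b c-d", space separated) into
    inclusive integer ranges. A bare address is accepted as a 1-address range."""
    ranges = []
    for item in value.split():
        start, _, end = item.partition("-")
        lo = int(ipaddress.IPv4Address(start))
        hi = int(ipaddress.IPv4Address(end or start))
        if hi < lo:
            raise ValueError(f"range end before start: {item}")
        ranges.append((lo, hi))
    if len(ranges) > MAX_CLIENT_IP_RANGES:
        raise ValueError(f"at most {MAX_CLIENT_IP_RANGES} client-ip ranges per realserver")
    return ranges


@dataclass
class RealServer:
    ip: str
    client_ip: str = ""  # empty string models "no client-ip statement"

    def accepts(self, client: str) -> bool:
        ranges = parse_client_ip(self.client_ip)
        if not ranges:
            return True  # no client-ip configured: all client IPs accepted
        addr = int(ipaddress.IPv4Address(client))
        return any(lo <= addr <= hi for lo, hi in ranges)


@dataclass
class LoadBalancedVip:
    extip: str
    realservers: List[RealServer]
    _rr_index: int = 0  # state for the assumed round-robin ldb-method

    def select(self, client: str) -> Optional[RealServer]:
        """Return the realserver that handles this client, or None if no
        realserver accepts it (the VIP then has nowhere to send the traffic)."""
        candidates = [rs for rs in self.realservers if rs.accepts(client)]
        if not candidates:
            return None
        if len(candidates) == 1:
            return candidates[0]
        # Overlapping client-ip definitions: balance across the matching
        # realservers. Round-robin is an assumption; FortiOS applies the
        # ldb-method configured on the VIP.
        chosen = candidates[self._rr_index % len(candidates)]
        self._rr_index += 1
        return chosen

    def dnat(self, client: str) -> Optional[Tuple[str, str]]:
        """(VIP external IP, realserver IP) pair the session will be DNATed with."""
        rs = self.select(client)
        return None if rs is None else (self.extip, rs.ip)


def vip_from_note() -> LoadBalancedVip:
    """The VIP "VS" exactly as configured in this note."""
    return LoadBalancedVip(
        extip="172.31.211.254",
        realservers=[
            RealServer(ip="172.31.227.254", client_ip="10.183.0.1-10.183.0.100"),
            RealServer(ip="172.31.211.254", client_ip="10.183.0.101-10.183.0.254"),
        ],
    )


if __name__ == "__main__":
    vip = vip_from_note()
    for client in ("10.183.0.1", "10.183.0.150", "10.183.1.5"):
        print(client, "->", vip.dnat(client))
```

Running the script prints the DNAT pair for client W (to 172.31.227.254), client X (to 172.31.211.254, the external IP itself) and a client outside both ranges (None, i.e. no realserver would accept it). The last case is worth checking in a real design: a client that matches no range gets no service rather than falling back to the original server.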
Configuration
Configuration highlights:
- Load-balanced VIP:
- where the external IP is the same as the IP of one of the realservers
- realservers configured with different client IP ranges in the "client-ip" configuration statement
- proxy-arp disabled (required when the VIP external IP is the same as a realserver IP)
- Firewall policies for all realservers where the destination address is the load-balanced VIP
Documentation links: see the CLI Guide reference following the configuration.

config system interface
    edit "amc-dw1/2"
        set vdom "root"
        set type physical
    next
    edit "amc2.1"
        set vdom "traffic"
        set ip 10.185.1.28 255.255.254.0
        set allowaccess ping https ssh http telnet
        set interface "amc-dw1/2"
        set vlanid 185
    next
    edit "amc2.2"
        set vdom "traffic"
        set ip 172.31.209.28 255.255.254.0
        set allowaccess ping https ssh http telnet
        set interface "amc-dw1/2"
        set vlanid 208
    next
    edit "amc2.3"
        set vdom "traffic"
        set ip 172.31.225.28 255.255.254.0
        set allowaccess ping https ssh http telnet
        set interface "amc-dw1/2"
        set vlanid 224
    next
end
config router static
    edit 1
        set device "amc2.2"
        set dst 172.31.210.0 255.255.254.0
        set gateway 172.31.209.254
    next
    edit 2
        set device "amc2.3"
        set dst 172.31.226.0 255.255.254.0
        set gateway 172.31.225.254
    next
    edit 3
        set device "amc2.1"
        set dst 10.183.0.0 255.255.254.0
        set gateway 10.185.0.125
    next
end
config firewall vip
    edit "VS"
        set type server-load-balance
        set extip 172.31.211.254
        set extintf "amc2.1"
        set arp-reply disable
        set server-type ip
        config realservers
            edit 1
                set client-ip 10.183.0.1-10.183.0.100
                set ip 172.31.227.254
            next
            edit 2
                set client-ip 10.183.0.101-10.183.0.254
                set ip 172.31.211.254
            next
        end
    next
end
config firewall policy
    edit 1
        set srcintf "amc2.1"
        set dstintf "amc2.2"
        set srcaddr "all"
        set dstaddr "VS"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcintf "amc2.1"
        set dstintf "amc2.3"
        set srcaddr "all"
        set dstaddr "VS"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
The VIP section of the CLI Guide at http://docs.fortinet.com/fgt/handbook/40mr2/fortigate-cli-40-mr2.pdf provides VIP configuration information (especially related to client-ip and load-balancing).
Verification
Debug flow and sniffer trace for request from client W (10.183.0.1):
id=36870 trace_id=1 func=resolve_ip_tuple_fast line=3403 msg="vd-traffic received a packet(proto=1, 10.183.0.1:20399->172.31.211.254:8) from amc2.1."
id=36870 trace_id=1 func=resolve_ip_tuple line=3526 msg="allocate a new session-00000207"
id=36870 trace_id=1 func=fw_pre_route_handler line=127 msg="VIP-172.31.227.254:8, outdev-unkown"
id=36870 trace_id=1 func=__ip_session_run_tuple line=1853 msg=" DNAT 172.31.211.254:8->172.31.227.254:8"
id=36870 trace_id=1 func=vf_ip4_route_input line=1585 msg="find a route: gw-172.31.225.254 via amc2.3"
id=36870 trace_id=1 func=fw_forward_handler line=474 msg="Allowed by Policy-2:"

FG5A01-5140-D-7 (traffic) # diagnose sniffer packet any 'src 10.183.0.1' 4
interfaces=[any]
filters=[src 10.183.0.1]
48.271756 amc2.1 in 10.183.0.1 -> 172.31.211.254: icmp: echo request
48.280542 amc2.3 out 10.183.0.1 -> 172.31.227.254: icmp: echo request
48.280545 amc-dw1/2 out 10.183.0.1 -> 172.31.227.254: icmp: echo request

=> Traffic sent to server Z
Debug flow and sniffer trace for request from client X (10.183.0.150):
id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3403 msg="vd-traffic received a packet(proto=1, 10.183.0.150:20491->172.31.211.254:8) from amc2.1."
id=36870 trace_id=2 func=resolve_ip_tuple line=3526 msg="allocate a new session-000002ff"
id=36870 trace_id=2 func=fw_pre_route_handler line=127 msg="VIP-172.31.211.254:8, outdev-unkown"
id=36870 trace_id=2 func=__ip_session_run_tuple line=1853 msg=" DNAT 172.31.211.254:8->172.31.211.254:8"
id=36870 trace_id=2 func=vf_ip4_route_input line=1585 msg="find a route: gw-172.31.209.254 via amc2.2"
id=36870 trace_id=2 func=fw_forward_handler line=474 msg="Allowed by Policy-1:"

FG5A01-5140-D-7 (traffic) # diagnose sniffer packet any 'src 10.183.0.150' 4
interfaces=[any]
filters=[src 10.183.0.150]
15.973801 amc2.1 in 10.183.0.150 -> 172.31.211.254: icmp: echo request
15.980138 amc2.2 out 10.183.0.150 -> 172.31.211.254: icmp: echo request
15.980142 amc-dw1/2 out 10.183.0.150 -> 172.31.211.254: icmp: echo request

=> Traffic sent to original server Y
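Reading the debug flow and sniffer output by eye works for two clients; for a larger client-ip design it helps to check the capture mechanically. The script below is an added example, not FortiOS code: it parses the message formats shown in the two traces above (DNAT, route lookup, policy match, sniffer packet lines) and confirms that the session was DNATed to the expected realserver and that every packet leaving the FortiGate was addressed to it. The embedded sample is this note's own output for client W, re-wrapped one message per line; the function and variable names are the example's own.

```python
"""Check FortiGate 'diagnose debug flow' and 'diagnose sniffer' output against
the realserver a client is expected to reach.

Added example; not FortiOS code. The regular expressions match the message
formats visible in this note's traces; other FortiOS messages are ignored.
"""
import re
from typing import Dict, List

DNAT_RE = re.compile(r'msg="\s*DNAT\s+([\d.]+):\d+->([\d.]+):\d+"')
ROUTE_RE = re.compile(r'msg="find a route: gw-([\d.]+) via (\S+)"')
POLICY_RE = re.compile(r'msg="Allowed by Policy-(\d+):"')
# sniffer verbosity-4 line: "<time> <interface> in|out <src> -> <dst>: ..."
SNIFF_RE = re.compile(r'^\s*[\d.]+\s+(\S+)\s+(in|out)\s+([\d.]+) -> ([\d.]+):')


def summarize_flow(lines: List[str]) -> Dict[str, object]:
    """Extract the DNAT target, chosen route, matched policy and every egress
    packet (interface, destination) from a mixed debug-flow/sniffer capture."""
    summary: Dict[str, object] = {
        "dnat_from": None, "dnat_to": None,
        "gateway": None, "out_if": None,
        "policy": None, "egress": [],
    }
    for line in lines:
        m = DNAT_RE.search(line)
        if m:
            summary["dnat_from"], summary["dnat_to"] = m.group(1), m.group(2)
            continue
        m = ROUTE_RE.search(line)
        if m:
            summary["gateway"], summary["out_if"] = m.group(1), m.group(2)
            continue
        m = POLICY_RE.search(line)
        if m:
            summary["policy"] = int(m.group(1))
            continue
        m = SNIFF_RE.match(line)
        if m and m.group(2) == "out":
            summary["egress"].append((m.group(1), m.group(4)))
    return summary


def reached_realserver(lines: List[str], expected_ip: str) -> bool:
    """True only if the session was DNATed to expected_ip and every packet that
    left the FortiGate was addressed to it. A mismatch on either side means the
    client-ip ranges or the firewall policies are not doing what the design expects."""
    s = summarize_flow(lines)
    egress = s["egress"]
    return (s["dnat_to"] == expected_ip
            and bool(egress)
            and all(dst == expected_ip for _, dst in egress))


# Sample input: the note's debug flow and sniffer output for client W,
# one message per line (the sniffer header lines are not needed).
CLIENT_W_CAPTURE = """\
id=36870 trace_id=1 func=resolve_ip_tuple_fast line=3403 msg="vd-traffic received a packet(proto=1, 10.183.0.1:20399->172.31.211.254:8) from amc2.1."
id=36870 trace_id=1 func=resolve_ip_tuple line=3526 msg="allocate a new session-00000207"
id=36870 trace_id=1 func=fw_pre_route_handler line=127 msg="VIP-172.31.227.254:8, outdev-unkown"
id=36870 trace_id=1 func=__ip_session_run_tuple line=1853 msg=" DNAT 172.31.211.254:8->172.31.227.254:8"
id=36870 trace_id=1 func=vf_ip4_route_input line=1585 msg="find a route: gw-172.31.225.254 via amc2.3"
id=36870 trace_id=1 func=fw_forward_handler line=474 msg="Allowed by Policy-2:"
48.271756 amc2.1 in 10.183.0.1 -> 172.31.211.254: icmp: echo request
48.280542 amc2.3 out 10.183.0.1 -> 172.31.227.254: icmp: echo request
48.280545 amc-dw1/2 out 10.183.0.1 -> 172.31.227.254: icmp: echo request
""".splitlines()


if __name__ == "__main__":
    print(summarize_flow(CLIENT_W_CAPTURE))
    print("client W reached server Z:",
          reached_realserver(CLIENT_W_CAPTURE, "172.31.227.254"))
```

Feed the script the output of `diagnose debug flow` and `diagnose sniffer packet` for each client range you configured and compare the returned DNAT target, egress interface and policy number with the design: for client W above the expected values are 172.31.227.254, amc2.3 and policy 2; for client X they are 172.31.211.254, amc2.2 and policy 1.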
Troubleshooting
FG5A01-5140-D-7 (traffic) # diagnose firewall vip realserver list
alloc=3
------------------------------
vf=1 name=VS/1 type=0 172.31.211.254:(0-0), protocol=0
total=2 alive=2 power=2 ptr=2639
    ip=172.31.227.254-172.31.227.254:0 adm_status=0 holddown_interval=300 max_connections=0 weight=1 option=00
        alive=1 total=1 enable=00000001 alive=00000001 power=1
        src_sz=1 10.183.0.1-10.183.0.100
        id=0 status=up ks=0 us=0 events=0 bytes=168 rtt=0
    ip=172.31.211.254-172.31.211.254:0 adm_status=0 holddown_interval=300 max_connections=0 weight=1 option=00
        alive=1 total=1 enable=00000001 alive=00000001 power=1
        src_sz=1 10.183.0.101-10.183.0.254
        id=0 status=up ks=0 us=0 events=0 bytes=168 rtt=0