Internal LAN load balancing
i know that the fortigate permits load balancing from an external virtual IP to multiple internal real servers. i've done that successfully
my question is can this be done completely on the internal LAN? ie, have a virtual IP appear on the LAN that is redirected to multiple real IP addresses that are also on the LAN? if yes, how is it done?
btw, the manual shows that there are many "types" of load balancing in a pull-down menu, including HTTP, HTTPS, SSL, TCP, etc. however, on my unit, when i create a new virtual server, the only choices are HTTP, TCP, UDP and IP. can't find any of the other choices described. same thing for persistence. only 2 choices and the SSL one is always greyed out. anyone know why?
thanks
sjw
> my question is can this be done completely on the internal LAN? ie, have a virtual IP appear on the LAN that is redirected to multiple real IP addresses that are also on the LAN? if yes, how is it done?

Balancing involves some type of NAT, so you cannot do that in the LAN (yes with other interfaces like a DMZ, though)

> btw, the manual shows that there are many "types" of load balancing in a pull-down menu, including HTTP, HTTPS, SSL, TCP, etc. however, on my unit, when i create a new virtual server, the only choices are HTTP, TCP, UDP and IP. can't find any of the other choices described. same thing for persistence. only 2 choices and the SSL one is always greyed out. anyone know why?

LB 'types' are directly related to virtual port settings
regards
/ Abel
> Balancing involves some type of NAT, so you cannot do that in the LAN (yes with other interfaces like a DMZ, though)

the destination can be on different interfaces but it's not necessary:
10.1.1.1/24 points to 10.1.2.1/24 and 10.1.3.1/24
It also works on the same interface:
LB VIP from 10.1.1.1/24 with destination 10.1.1.2/24 and 10.1.1.3/24 on the same interface will work.
regards
Maik
> It also works on the same interface: LB VIP from 10.1.1.1/24 with destination 10.1.1.2/24 and 10.1.1.3/24 on the same interface will work.

Being able to create such VIPs doesn't enable an LB scenario at all; look at rocampo's post above about the 3-way handshake.
regards
/ Abel
it works.
I can say that, because I have such a setup in a real life environment.
regards
Maik
ORIGINAL: Maik
> it works.
> I can say that, because I have such a setup in a real life environment.
> regards
> Maik

I'd be interested in this. We are looking at load balancing our LDAP requests due to crappy software support. Most of our internal (LAN side) processes use LDAP and can load balance or fail over to another LDAP server just fine. A few (with lousy support) can only hit one LDAP server, period. For those, we would like to load balance on the internal (but it doesn't have to be) interface to multiple LDAP servers.
-TJ
I'm currently using it for SMTP, RDP and HTTP load balancing on different setups.
Good idea to try that with LDAP as well.
The VIP: Your "external" interface is the "internal" of course.

    config firewall vip
        edit "lbv_xyz"
            set type server-load-balance
            set extip 10.1.1.1
            set extintf "port10"
            set server-type tcp
            set ldb-method round-robin
            set extport 25
            config realservers
                edit 1
                    set healthcheck enable
                    set ip 10.1.1.2
                    set port 25
                next
                edit 2
                    set healthcheck enable
                    set ip 10.1.1.3
                    set port 25
                next
            end
        next
    end

Plus firewall policy
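
A matching policy for the same-interface VIP above, as an added example that is not part of the original post: the policy ID `10`, the `all` source address and the predefined `SMTP` service are assumptions. `set nat enable` is included on the assumption that clients and real servers share 10.1.1.0/24, so that replies return through the FortiGate instead of going straight from the real server to the client (the 3-way handshake problem raised earlier in the thread).

```fortios
# Added illustration; lines starting with # are reader annotations, not CLI input.
config firewall policy
    edit 10
        # Assumed policy ID. Source and destination are both the VIP's extintf.
        set srcintf "port10"
        set dstintf "port10"
        # Assumed source; narrow this to the client address object where possible.
        set srcaddr "all"
        # The load-balance VIP object from the post is the destination address.
        set dstaddr "lbv_xyz"
        set action accept
        set schedule "always"
        # Assumed predefined service matching extport 25.
        set service "SMTP"
        # Source NAT to the port10 address so real-server replies come back via the FortiGate.
        set nat enable
    next
end
```

With source NAT enabled the real servers see the FortiGate's port10 address as the client, so server-side logs and source-based access controls no longer see the original client IP.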
how do you do the firewall policy? this example is exactly what i'm trying to do, internal1 to internal1. however, if i create a virtual server on internal1, it doesn't even show up as a valid choice in the pull-down list for such a policy. if the virtual is on WAN1, it does. is it the GUI that is limiting the possibilities and CLI will permit the configuration?
it's possible from the GUI.
in your case it would be from internal1 to internal1.
external interface of the LB-VIP is internal1
please post the CLI output of your load balancing VIP
maybe i have something else wrong. types do not change for me. for example, if i change the port to 443, i don't get HTTPS, just the same 4 choices. in fact, right now, anything i try to save for a virtual server gives me an error:
"some unknown error!"
don't know what this means
