FortiGate
cgustave
Staff
Article Id 191093

Purpose

This technical note provides an example of a load-balanced VIP where the realservers are configured with the 'client-ip' configuration statement.

This allows the realserver that traffic is forwarded to to be chosen based on the client IP address.

In addition, the VIP external IP address can be the same as the IP address of one of the realservers.

This is an interesting option when a server (so far used without a VIP on the FortiGate) needs part of its traffic offloaded to another server without changing its IP addressing.

The load-balanced VIP in this example cannot be configured via the GUI (CLI only).


Scope


Diagram

(Diagram image: cgustave_33298_diagram.png)


Expectations, Requirements
Expectations:

We expect client requests to 172.31.211.254 to be handled as follows:

  • Client W, part of range 10.183.0.1-10.183.0.100, is sent to server Z 172.31.227.254 after DNAT (172.31.211.254->172.31.227.254)
  • Client X, part of range 10.183.0.101-10.183.0.254, is sent to server Y 172.31.211.254

In this way, part of the load of the original server 172.31.211.254 is offloaded to 172.31.227.254.


Important notes concerning client-ip ranges:

  • Only 4 ranges may be configured with the "client-ip" statement per realserver (separated by a space character).
  • If IPs overlap between the "client-ip" definitions of several realservers, load balancing takes place between those realservers according to the load-balancing method configured in the VIP.
  • When no 'client-ip' is defined in a realserver configuration, all client IPs are accepted.
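
The realserver selection rules above, modelled in Python as an added example (not FortiOS code and not part of the original article): it parses 'client-ip' values (at most 4 space-separated ranges per realserver), treats a missing 'client-ip' as accept-all, and falls back to a load-balancing method when several realservers match. Round-robin is assumed as that method, and an unmatched client getting no realserver is an assumption the article does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_CLIENT_IP_RANGES = 4  # per-realserver limit stated in the article


def parse_client_ip(stmt: str) -> list:
    """Parse a 'set client-ip' value: up to 4 space-separated 'a-b' ranges (or single IPs)."""
    ranges = []
    for token in stmt.split():
        if len(ranges) == MAX_CLIENT_IP_RANGES:
            raise ValueError("client-ip: more than %d ranges" % MAX_CLIENT_IP_RANGES)
        lo, _, hi = token.partition("-")
        lo_ip = ipaddress.IPv4Address(lo)
        hi_ip = ipaddress.IPv4Address(hi) if hi else lo_ip
        if hi_ip < lo_ip:
            raise ValueError("client-ip: inverted range %s" % token)
        ranges.append((lo_ip, hi_ip))
    return ranges


@dataclass
class RealServer:
    ip: str
    client_ip: str = ""  # empty = no 'set client-ip', so every client IP is accepted

    def accepts(self, client: str) -> bool:
        c = ipaddress.IPv4Address(client)
        ranges = parse_client_ip(self.client_ip)
        return not ranges or any(lo <= c <= hi for lo, hi in ranges)


@dataclass
class LoadBalancedVip:
    extip: str
    realservers: List[RealServer]
    _rr: int = 0  # round-robin pointer, only used when several realservers match

    def select(self, client: str) -> Optional[str]:
        """Return the realserver IP the client is DNATed to, or None if no range matches."""
        candidates = [r for r in self.realservers if r.accepts(client)]
        if not candidates:
            return None  # assumption: unmatched clients get no realserver (article does not say)
        # Overlapping client-ip definitions: the VIP's ldb-method decides; round-robin assumed here
        chosen = candidates[self._rr % len(candidates)]
        self._rr += 1
        return chosen.ip
```

Feeding it the two realservers of VIP "VS" from this article returns 172.31.227.254 for client W (10.183.0.1) and 172.31.211.254 for client X (10.183.0.150), matching the debug flow in the Verification section.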


Configuration
Configuration highlights:

  • Load-balanced VIP:
    • where the external IP is the same as the IP of one of the realservers
    • realservers configured with different client IP ranges in the "client-ip" config statement
    • proxy ARP disabled with "set arp-reply disable" (required when the VIP external IP is the same as one realserver IP)
  • Firewall policies for all realservers where the destination address is the load-balanced VIP

    config system interface
        edit "amc-dw1/2"
            set vdom "root"
            set type physical
        next
        edit "amc2.1"
            set vdom "traffic"
            set ip 10.185.1.28 255.255.254.0
            set allowaccess ping https ssh http telnet
            set interface "amc-dw1/2"
            set vlanid 185
        next
        edit "amc2.2"
            set vdom "traffic"
            set ip 172.31.209.28 255.255.254.0
            set allowaccess ping https ssh http telnet
            set interface "amc-dw1/2"
            set vlanid 208
        next
        edit "amc2.3"
            set vdom "traffic"
            set ip 172.31.225.28 255.255.254.0
            set allowaccess ping https ssh http telnet
            set interface "amc-dw1/2"
            set vlanid 224
        next
    end


    config router static
        edit 1
            set device "amc2.2"
            set dst 172.31.210.0 255.255.254.0
            set gateway 172.31.209.254
        next
        edit 2
            set device "amc2.3"
            set dst 172.31.226.0 255.255.254.0
            set gateway 172.31.225.254
        next
        edit 3
            set device "amc2.1"
            set dst 10.183.0.0 255.255.254.0
            set gateway 10.185.0.125
        next
    end


    config firewall vip
        edit "VS"
            set type server-load-balance
            set extip 172.31.211.254
            set extintf "amc2.1"
            set arp-reply disable
            set server-type ip
                config realservers
                    edit 1
                        set client-ip 10.183.0.1-10.183.0.100
                        set ip 172.31.227.254
                    next
                    edit 2
                        set client-ip 10.183.0.101-10.183.0.254
                        set ip 172.31.211.254
                    next
                end
        next
    end


    config firewall policy
        edit 1
            set srcintf "amc2.1"
            set dstintf "amc2.2"
            set srcaddr "all"
            set dstaddr "VS"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 2
            set srcintf "amc2.1"
            set dstintf "amc2.3"
            set srcaddr "all"
            set dstaddr "VS"
            set action accept
            set schedule "always"
            set service "ANY"
        next
    end

Documentation links:

The VIP section of the CLI Guide at http://docs.fortinet.com/fgt/handbook/40mr2/fortigate-cli-40-mr2.pdf provides VIP configuration information (especially related to client-ip and load-balancing).


Verification
Debug flow and sniffer trace for request from client W (10.183.0.1):

id=36870 trace_id=1 func=resolve_ip_tuple_fast line=3403 msg="vd-traffic received a packet(proto=1, 10.183.0.1:20399->172.31.211.254:8) from amc2.1."
id=36870 trace_id=1 func=resolve_ip_tuple line=3526 msg="allocate a new session-00000207"
id=36870 trace_id=1 func=fw_pre_route_handler line=127 msg="VIP-172.31.227.254:8, outdev-unkown"
id=36870 trace_id=1 func=__ip_session_run_tuple line=1853 msg=" DNAT 172.31.211.254:8->172.31.227.254:8"
id=36870 trace_id=1 func=vf_ip4_route_input line=1585 msg="find a route: gw-172.31.225.254 via amc2.3"
id=36870 trace_id=1 func=fw_forward_handler line=474 msg="Allowed by Policy-2:"

FG5A01-5140-D-7 (traffic) # diagnose sniffer packet any 'src 10.183.0.1' 4
interfaces=[any]
filters=[src 10.183.0.1]
48.271756 amc2.1 in 10.183.0.1 -> 172.31.211.254: icmp: echo request
48.280542 amc2.3 out 10.183.0.1 -> 172.31.227.254: icmp: echo request
48.280545 amc-dw1/2 out 10.183.0.1 -> 172.31.227.254: icmp: echo request

=> Traffic sent to server Z

Debug flow and sniffer trace for request from client X (10.183.0.150):

id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3403 msg="vd-traffic received a packet(proto=1, 10.183.0.150:20491->172.31.211.254:8) from amc2.1."
id=36870 trace_id=2 func=resolve_ip_tuple line=3526 msg="allocate a new session-000002ff"
id=36870 trace_id=2 func=fw_pre_route_handler line=127 msg="VIP-172.31.211.254:8, outdev-unkown"
id=36870 trace_id=2 func=__ip_session_run_tuple line=1853 msg=" DNAT 172.31.211.254:8->172.31.211.254:8"
id=36870 trace_id=2 func=vf_ip4_route_input line=1585 msg="find a route: gw-172.31.209.254 via amc2.2"
id=36870 trace_id=2 func=fw_forward_handler line=474 msg="Allowed by Policy-1:"


FG5A01-5140-D-7 (traffic) # diagnose sniffer packet any 'src 10.183.0.150' 4
interfaces=[any]
filters=[src 10.183.0.150]
15.973801 amc2.1 in 10.183.0.150 -> 172.31.211.254: icmp: echo request
15.980138 amc2.2 out 10.183.0.150 -> 172.31.211.254: icmp: echo request
15.980142 amc-dw1/2 out 10.183.0.150 -> 172.31.211.254: icmp: echo request

=> Traffic sent to original server Y


Troubleshooting

FG5A01-5140-D-7 (traffic) # diagnose firewall vip realserver list
alloc=3
------------------------------
vf=1 name=VS/1 type=0 172.31.211.254:(0-0), protocol=0
total=2 alive=2 power=2 ptr=2639
ip=172.31.227.254-172.31.227.254:0 adm_status=0 holddown_interval=300 max_connections=0 weight=1 option=00
   alive=1 total=1 enable=00000001 alive=00000001 power=1
   src_sz=1
      10.183.0.1-10.183.0.100
   id=0 status=up ks=0 us=0 events=0 bytes=168 rtt=0
ip=172.31.211.254-172.31.211.254:0 adm_status=0 holddown_interval=300 max_connections=0 weight=1 option=00
   alive=1 total=1 enable=00000001 alive=00000001 power=1
   src_sz=1
      10.183.0.101-10.183.0.254
   id=0 status=up ks=0 us=0 events=0 bytes=168 rtt=0