firewall sandwich load balancing (fwd)

David Lang dlang at digitalinsight.com
Fri Jul 7 17:06:02 BST 2006


On Fri, 7 Jul 2006, Joseph Mack NA3T wrote:

> On Thu, 6 Jul 2006, David Lang wrote:
>
>> I have been digging in the list archives for the last hour without finding 
>> the answer so I'm asking directly.
>> 
>> in 2001 this post 
>> http://archive.linuxvirtualserver.org/html/lvs-users/2001-01/msg00322.html
>
> I just reread this post. I don't understand why all the firewalls are where 
> they are (are they just there and you have to fit in with the pre-existing 
> system, or is this optimal for a setup whose purpose I don't understand). As 
> well the poster doesn't seem to understand the packet flow of LVS (or I don't 
> understand his posting). With this as input to the mailing list, he's 
> guaranteed an answer of "no".
>
>> I'm not finding it in the several hundred posts that I've read that google 
>> found for me in the list archives, could someone point out where to find 
>> the information? (this would be a good addition to the wiki for the 
>> examples page as well)
>
> How about a description of your system and an explanation of why the 
> firewalls aren't transparent,

the firewalls are transparent; they are just packet filters (think iptables 
firewalls). there is no NAT taking place anywhere.

the issue I don't think you are understanding is that we aren't trying to load 
balance the servers behind the firewalls, we are trying to load balance the 
firewalls themselves

so you have

         Internet
   |                    |
switch--------------switch
   |                    |
load balancer      load balancer
   |                    |
switch--------------switch
   |                    |
firewall            firewall
   |                    |
switch--------------switch
   |                    |
load balancer      load balancer
   |                    |
switch--------------switch
   | | | | | | | | | | |
           servers


the servers themselves are NOT load balanced (at least for the purposes of these 
discussions, any load balancing that they have is done by separate equipment)

the outside load balancers need to make a decision on which firewall to send the 
traffic through

the packets are sent through that firewall and then go to the load balancer on 
the inside, which routes them to the server. the server responds and the outbound 
traffic hits the inside load balancer, which needs to send the response packets 
back through the same firewall that the inbound packets came through, or the 
firewall will reject them

does this clarify things?

I had thought that the original post that I referenced described the problem 
fairly well, which is why I didn't go through everything again in my post.

David Lang

>> P.S. count this as a vote against having a subscribers-only list. I almost 
>> decided it wasn't worth it and didn't subscribe to send this message. the 
>> last thing I need is yet another mailing list filling my inbox when I just 
>> need a simple answer
>
> Subscribing to a mailing list for what you hope is a simple answer to a 
> simple question is a real pain indeed. However if you've searched several 
> hundred postings and not found an answer, you can only conclude that the 
> problem is trivial or hasn't been solved. You should be prepared for a 
> complicated answer. You say what you don't want, but you don't give us any 
> information about what would work for you. We're happy to help, but we can't 
> do anything with a statement like this.

given that the response to the later post was a simple 'yes we can do it, search 
the archives' I expected the response to be a simple 'here it is' or something 
like that.

> Joe
>
>
