firewall sandwich load balancing (fwd)
Roberto Nibali
ratz at drugphish.ch
Fri Jul 7 20:34:14 BST 2006
>> how do they do that?
>
> I was assuming that LVS would do this, I would like to have the options of
> round robin
> least connections
> failover (send it to the primary unless it's down, then send to the
> backup, it's not load balancing but it makes troubleshooting much easier)
Have VRRP running on the internet-side of your network path with a VSR
using persistent binding and RR scheduler. On the outgoing path of the
packet filters you won't exactly need a load balancer, the routing takes
care of it.
>> Here's my take on what you've got.
>>
>>       A
>>      / \
>>    FW1 FW2
>>      \ /
>>       B
>>
>> Machines A and B want to talk. They can talk through either of two
>> routes, both of which contain firewalls. The packets of interest are
>> allowed through the firewalls. As far as A and B are concerned the
>> firewalls aren't there. The rules of IP routing are such that any
>> packet between A and B can pick either route. You want packets between
>> A and B to choose a route dependent on the route chosen by previously
>> transmitted packets.
>
> right
... at least for a session. Which might put you into the suboptimal
position of the different session timing expiration regarding TCP
sessions between what the LB thinks is a session and what the PF thinks
is a session.
>> o firewalls are designed to operate in a spot where all traffic goes
>> through them. They can then do their accounting
>> etc. Firewalls are not designed (at least yet) to cooperate.
>> They need to be fast, they can't be talking to other
>> firewalls to make decisions on what to do with a packet.
>>
>> o your design is being wagged by the tail of the firewall. The
>> firewall is supposed to help you. Your firewall
>> doesn't work in the current setup. You could get one
>> that does, presumably by turning off stateful matching.
>>
>> o you could rewrite IP routing.
>
> or I can go and buy a commercial load balancing appliance (radware,
> BigIP, nortel, foundry, etc) that supports this feature. Just about all
> of them that aren't based on LVS do support this.
And they also do not work correctly, as I've seen in numerous ways. Just
right now I'm debugging an active/hotstandby firewall cluster system
implemented using 2208 NAS from Nortel. Same issue with F5 from BigIP,
although their session synchronisation is somewhat improved ... until
you go up to 1Gbit/s of filtering. I've never used radware, and I reckon
we don't have to talk about Cisco :).
Are you talking about a setup as described for example in chapter 19 of
this:
http://www116.nortelnetworks.com/docs/bvdoc/alteon/appl_switch/315394-J.00.pdf
> I am trying to find an option that doesn't have the firewall being a
> single point of failure. yes, if these were linux firewalls I could use
> heartbeat (linux-ha) to provide failover, but that can't load balance,
> and it doesn't work if I use commercial firewalls instead of linux
If you buy a commercial firewall, you will most probably have some sort
of built-in failover.
> Oh well, I was hoping that LVS would support this now (it didn't in
> 2001 when the first post happened). at least now it's in the list
If back then it didn't support it, I would go as far as to state that
it is not possible now either. I would say that all attempts to load
balance firewalls (be it based on commercial or OSS) using LVS end up
being a hackerish setup which is prone to weird failures or features.
This is just my opinion, but then again I've intensively worked on the
LVS code and also wrote a packet filter :).
> archives that LVS will not support this with a later date then the 'yes
> it does, just search the archives'. hopefully this will save someone
> else time hunting for it.
Fair enough.
Regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
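The session-timeout mismatch Roberto describes above (a director doing round robin with persistence in front of two stateful packet filters, where the director and the firewalls disagree about when a session has ended) can be reproduced with a small model. The following is an added example written for this archive page, not LVS code and not anything posted in the thread: both the director and the firewalls are simplified toys, the hosts, ports and timestamps are constructed, and the timeout values are assumptions chosen to show the failure mode rather than defaults of any product.

```python
"""Toy firewall sandwich: a director doing round robin with per-client
persistence in front of two stateful packet filters. Constructed model,
not LVS code. It shows what happens when the director's persistence
timeout is shorter than the firewalls' TCP state timeout."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    t: float   # seconds since the start of the constructed trace


class StatefulFirewall:
    # Accepts a non-SYN packet only if it still holds state for the 5-tuple.
    def __init__(self, name, state_timeout):
        self.name = name
        self.state_timeout = state_timeout
        self.state = {}       # flow key -> time last seen

    def forward(self, pkt):
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        last = self.state.get(key)
        if last is not None and pkt.t - last > self.state_timeout:
            del self.state[key]   # entry aged out
            last = None
        if last is None and not pkt.syn:
            return False          # mid-stream packet with no state: dropped
        self.state[key] = pkt.t
        return True


class PersistentRoundRobin:
    # Director: a client IP sticks to the real server chosen for its first
    # packet until its template has been idle longer than persist_timeout.
    def __init__(self, real_servers, persist_timeout):
        self.real_servers = real_servers
        self.persist_timeout = persist_timeout
        self.templates = {}   # client ip -> (server, time last seen)
        self.rr_index = 0

    def pick(self, pkt):
        tpl = self.templates.get(pkt.src)
        if tpl is not None and pkt.t - tpl[1] <= self.persist_timeout:
            server = tpl[0]
        else:
            server = self.real_servers[self.rr_index % len(self.real_servers)]
            self.rr_index += 1
        self.templates[pkt.src] = (server, pkt.t)
        return server


def run_scenario(persist_timeout, fw_state_timeout):
    """Replay one constructed TCP session through the sandwich and return
    [(t, firewall name, accepted), ...] for every packet."""
    fws = [StatefulFirewall("FW1", fw_state_timeout),
           StatefulFirewall("FW2", fw_state_timeout)]
    director = PersistentRoundRobin(fws, persist_timeout)
    trace = [
        Packet("10.0.0.5", "10.0.1.9", 40001, 443, True, 0.0),    # SYN
        Packet("10.0.0.5", "10.0.1.9", 40001, 443, False, 10.0),  # data
        Packet("10.0.0.5", "10.0.1.9", 40001, 443, False, 20.0),  # data
        # long idle gap inside one established session, then it resumes
        Packet("10.0.0.5", "10.0.1.9", 40001, 443, False, 140.0),
    ]
    result = []
    for pkt in trace:
        fw = director.pick(pkt)
        result.append((pkt.t, fw.name, fw.forward(pkt)))
    return result


if __name__ == "__main__":
    # Director forgets the client after 60 s idle; firewalls keep TCP state
    # for an hour. The resumed session is sent to FW2, which never saw the
    # SYN, and is dropped there.
    print("persist 60s / fw 3600s:", run_scenario(60, 3600))
    # Persistence at least as long as firewall state keeps the session on FW1.
    print("persist 3600s / fw 3600s:", run_scenario(3600, 3600))
```

The first run ends with the packet at t=140 landing on FW2 and being dropped, because the director's persistence template expired while FW1 still held the connection's state; the second run keeps the whole session on FW1. The model also makes the checking rule concrete: the director's persistence timeout has to be at least as long as the longest idle period the packet filters will tolerate on an established flow, otherwise the sandwich fails exactly on long-lived, mostly idle sessions, which are the ones that are hardest to notice in testing.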