D-Link DFL-260E User Manual for DFL-260E - Page 519
Chapter 10. Traffic Management

10.4.6. Setting Up SLB_SAT Rules

The key components in setting up SLB are IP rules that have SLB_SAT as the action. The steps that should be followed for setting up such rules are:

1. Define an IP address object for each server for which SLB is to be enabled.
2. Define an IP address group object which includes all these individual objects.
3. Define an SLB_SAT rule in the IP rule set which refers to this IP address group and where all other SLB parameters are defined.
4. Define a further rule that duplicates the source/destination interface/network of the SLB_SAT rule and that permits the traffic through. This could be one rule or a combination of rules using the actions:
   • Allow
   • NAT

Note: FwdFast rules should not be used with SLB

In order to function, SLB requires that the NetDefendOS state engine keeps track of connections. FwdFast IP rules should not be used with SLB since packets that are forwarded by these rules are not under state engine control.

The table below shows the rules that would be defined for a typical scenario of a set of webservers behind the NetDefend Firewall for which the load is being balanced. The Allow rule allows external clients to access the webservers.

Rule Name     Rule Type   Src Interface   Src Network   Dest Interface   Dest Network
WEB_SLB       SLB_SAT     any             all-nets      core             ip_ext
WEB_SLB_ALW   Allow       any             all-nets      core             ip_ext

If there are clients on the same network as the webservers that also need access to those webservers then a NAT rule would also be used:

Rule Name     Rule Type   Src Interface   Src Network   Dest Interface   Dest Network
WEB_SLB       SLB_SAT     any             all-nets      core             ip_ext
WEB_SLB_NAT   NAT         lan             lannet        core             ip_ext
WEB_SLB_ALW   Allow       any             all-nets      core             ip_ext

Note that the destination interface is specified as core, meaning NetDefendOS itself deals with this. The key advantage of having a separate Allow rule is that the webservers can log the exact IP address that is generating external requests. Using only a NAT rule, which is possible, means that webservers would see only the IP address of the NetDefend Firewall.

Example 10.3. Setting up SLB

In this example server load balancing is to be done between 2 HTTP webservers which are situated behind the NetDefend Firewall. The 2 webservers have the private IPv4 addresses 192.168.1.10 and 192.168.1.11 respectively. The default SLB values for monitoring, distribution method and stickiness are used.

A NAT rule is used in conjunction with the SLB_SAT rule so that clients behind the firewall can access the webservers. An Allow rule is used to allow access by external clients.
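The rule requirements of section 10.4.6 (each SLB_SAT rule needs a following Allow or NAT rule, a NAT-only setup hides client addresses from the webservers, and FwdFast rules must not be used) can be checked mechanically when reviewing a rule set. The Python below is an added example, not part of the D-Link manual or NetDefendOS; the dictionary layout, the helper names and the WEB_FF rule are hypothetical, and matching rules on destination interface/network only is a simplifying assumption.

```python
# Added example: rule dicts and field names are hypothetical, not a
# NetDefendOS export format. Rule values are constructed from the tables above.
PERMIT = {"Allow", "NAT"}

def rule(name, action, src_if, src_net, dst_if="core", dst_net="ip_ext"):
    return {"name": name, "action": action, "src_if": src_if,
            "src_net": src_net, "dst_if": dst_if, "dst_net": dst_net}

def dest(r):
    return (r["dst_if"], r["dst_net"])

def audit_slb(rules):
    """Return (slb_rule_name, finding) pairs for each SLB_SAT rule."""
    findings = []
    for i, slb in enumerate(rules):
        if slb["action"] != "SLB_SAT":
            continue
        # Step 4: a further rule, listed after the SLB_SAT rule as in the
        # tables, must permit the same destination with Allow or NAT.
        permits = [r for r in rules[i + 1:]
                   if dest(r) == dest(slb) and r["action"] in PERMIT]
        if not permits:
            findings.append((slb["name"], "no Allow/NAT rule permits the traffic"))
        elif all(r["action"] == "NAT" for r in permits):
            findings.append((slb["name"],
                             "NAT only: webservers see the firewall IP, not the client IP"))
        # FwdFast rules are outside state engine control, which SLB requires.
        for r in rules:
            if r["action"] == "FwdFast" and dest(r) == dest(slb):
                findings.append((slb["name"], f"FwdFast rule {r['name']} overlaps SLB"))
    return findings

GOOD = [rule("WEB_SLB", "SLB_SAT", "any", "all-nets"),
        rule("WEB_SLB_NAT", "NAT", "lan", "lannet"),
        rule("WEB_SLB_ALW", "Allow", "any", "all-nets")]
NAT_ONLY = [rule("WEB_SLB", "SLB_SAT", "any", "all-nets"),
            rule("WEB_SLB_NAT", "NAT", "any", "all-nets")]
BROKEN = [rule("WEB_SLB", "SLB_SAT", "any", "all-nets"),
          rule("WEB_FF", "FwdFast", "any", "all-nets")]  # hypothetical bad rule

if __name__ == "__main__":
    for label, rs in (("good", GOOD), ("nat-only", NAT_ONLY), ("broken", BROKEN)):
        print(label, audit_slb(rs) or "OK")
```

The NAT-only finding is informational: the manual states that configuration is possible, at the cost of webserver logs that record only the firewall's address.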