2.2 Advanced Network Configuration
2.2.1 Configuration Guidelines
To better assist you with configuration strategies that maximize the power of the FortiBalancer appliance, please take a moment to familiarize yourself with the network architecture for advanced network configuration.
Figure 2-5 Advanced Network Architecture
The table below lists the most important configuration items from the figure above:
Table 2-2 Advanced Network Configurations
IP Address | Description |
10.10.0.1/24 | Gateway IP Address |
10.10.0.2/24 | Management IP Address |
192.168.10.1/24 | Port2 Interface IP Address |
192.168.10.0/24 | NAT |
192.168.10.10 | Real Server #1 |
192.168.10.11 | Real Server #2 |
192.168.10.12 | Real Server #3 |
192.168.10.13 | Real Server #4 |
192.168.10.14 | Real Server #5 |
10.10.0.3 | Nameserver/NTP server |
Table 2-3 General Settings of Advanced Network Configuration
Operation | Command |
Configure VLAN | vlan {system_ifname|bond_ifname} <user_interface_name> <vlan_tag> |
Configure MNET | mnet {system_ifname|bond_ifname} <user_interface_name> |
Configure Port Forwarding | fwd tcp <local_ip> <local_port> <remote_ip> <remote_port> [timeout] |
 | fwd udp <local_ip> <local_port> <remote_ip> <remote_port> [timeout] |
Configure NAT | nat port {pool_name|vip} <source_ip> {netmask|prefix} [timeout] [gateway] [description] |
 | nat static <vip> <network_ip> [timeout] [gateway] [description] |
Configure Dynamic Routing | rip {on|off} |
 | rip network <ip_address> <netmask> |
 | ospf {on|off} |
 | ospf network <ip_address> <netmask> <area_id> |
Configure IP pool | ip pool <pool_name> <start_ip> [end_ip] |
 | slb proxyip global <pool_name> |
 | slb proxyip group <group_name> <pool_name> |
2.2.2 Configuration Example via CLI
2.2.2.1 VLAN Configuration
In our example, we are going to create two VLANs, “inside-vlan1” and “inside-vlan2”. The “inside-vlan1” has a tag of 500 and “inside-vlan2” has a tag of 3001. These tags are inserted into the Ethernet frame.
- Step 1 Define a VLAN interface by using the “vlan” command
FortiBalancer(config)#vlan port2 inside-vlan1 500
FortiBalancer(config)#vlan port2 inside-vlan2 3001
- Step 2 Assign an IP address to each VLAN interface by using the “ip address” command
FortiBalancer(config)#ip address inside-vlan1 192.168.1.1 255.255.255.0
FortiBalancer(config)#ip address inside-vlan2 192.168.2.1 255.255.255.0
An interface with a VLAN configuration must be connected to a switch or router port with tagged VLANs (trunking) enabled. See your switch vendor's documentation on how to set up tagged VLANs.
2.2.2.2 MNET Configuration
Configuring MNET on the port2 interface is very similar to VLAN configuration. For our example network, we will run two networks over the port2 interface, 192.168.1.1/24 and 192.168.2.1/24.
- Step 1 Define our mnet interfaces by using the “mnet” command
FortiBalancer(config)#mnet port2 mnet1
FortiBalancer(config)#mnet port2 mnet2
- Step 2 Assign an IP address to each MNET by using the “ip address” command
FortiBalancer(config)#ip address mnet1 192.168.1.1 255.255.255.0
FortiBalancer(config)#ip address mnet2 192.168.2.1 255.255.255.0
Again, refer to your vendor's switch/router documentation on how to set up their interface for use with MNET.
2.2.2.3 Port Forwarding Configuration
For our example configuration, we will set up TCP port forwarding as follows:
FortiBalancer(config)#fwd tcp 10.10.0.2 4000 192.168.10.10 22 300
We picked an arbitrary high port to use. You should not use a port below 1024 on the FortiBalancer appliance, since other services might be listening on those ports, e.g. 443 (for SSL) and 80 (for HTTP). We can choose a port below 1024 on the real server, since that is the service we want to connect to. To view or alter these forwarding rules, use the show, no or clear versions of the above commands.
2.2.2.4 NAT Configuration
For our configuration example, use the following command:
FortiBalancer(config)#nat port 10.10.0.2 192.168.10.0 255.255.255.0 60 10.10.0.1
This command will perform NAT on the 192.168.10.0/24 network. In our example, the VIP 10.10.0.2 and the route gateway 10.10.0.1 are within the same network segment. Therefore, the parameter “gateway” in the command “nat port” can be set either to the default value 0.0.0.0 or to the route gateway. If the VIP and the route gateway are not in the same network segment, the parameter “gateway” in the command “nat port” must be set to the route gateway.
We can change the netmask to allow only certain blocks of the inside network to access the external network. For example, the following command will only allow the IP addresses from 192.168.10.0 through 192.168.10.128 to access the external network:
FortiBalancer(config)#nat port 10.10.0.2 192.168.10.0 255.255.255.128 60 0.0.0.0
If we want to allow the remaining top half of the address range (192.168.10.129-192.168.10.254) to access the external network, we will do the following:
FortiBalancer(config)#nat port 10.10.0.2 192.168.10.129 255.255.255.128 60 0.0.0.0
If we want to allow one real IP address to access the external network, we will configure static NAT:
FortiBalancer(config)#nat static 10.10.0.2 192.168.10.12
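The VLAN, port forwarding and NAT examples above each carry a rule worth checking before a configuration is pushed: VLAN tags must fall within the 802.1Q range, the appliance-side port of an “fwd” rule should stay above 1023, and a “nat port” rule matches on the network bits of <source_ip>/<netmask>, so a source address with host bits set covers the block it falls into rather than the address as written. The following Python linter is an added example and is not part of the FortiBalancer documentation or product; the command syntax it parses is taken from Table 2-3, and the configuration it lints is a constructed sample assembled from the commands in this section (one VLAN tag and one low appliance port were deliberately added to trigger findings).

```python
"""Lint a FortiBalancer-style CLI configuration dump before it is applied.

Added example, not vendor code. Command syntax follows Table 2-3
(vlan, fwd tcp/udp, nat port, nat static); everything else is an assumption.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample built from the commands shown in this section; it is not
# output captured from a real appliance. Lines 3 and 5 were added so that the
# VLAN-tag and low-port checks have something to report.
SAMPLE_CONFIG = """\
vlan port2 inside-vlan1 500
vlan port2 inside-vlan2 3001
vlan port2 inside-vlan3 5000
fwd tcp 10.10.0.2 4000 192.168.10.10 22 300
fwd tcp 10.10.0.2 443 192.168.10.11 443 300
nat port 10.10.0.2 192.168.10.0 255.255.255.128 60 0.0.0.0
nat port 10.10.0.2 192.168.10.129 255.255.255.128 60 0.0.0.0
nat static 10.10.0.2 192.168.10.12
"""

Finding = Tuple[int, str, str]  # (config line number, severity, message)


def nat_coverage(source_ip: str, netmask: str) -> Tuple[str, str, bool]:
    """Return (first, last, aligned) for a `nat port <source_ip> <netmask>` rule.

    <netmask> may be dotted-quad or a prefix length, as in Table 2-3.
    The rule matches on network bits, so the covered block is derived by
    masking source_ip; `aligned` is False when source_ip had host bits set.
    """
    iface = ipaddress.IPv4Interface(f"{source_ip}/{netmask}")
    net = iface.network  # host bits masked off
    aligned = iface.ip == net.network_address
    return str(net.network_address), str(net.broadcast_address), aligned


def lint_config(text: str) -> List[Finding]:
    """Apply the three checks described in this section to each config line."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "vlan" and len(tokens) >= 4:
            tag = int(tokens[3])
            if not 1 <= tag <= 4094:  # valid 802.1Q VLAN ID range
                findings.append((lineno, "error", f"VLAN tag {tag} outside 1-4094"))
        elif tokens[0] == "fwd" and len(tokens) >= 6:
            local_port = int(tokens[3])  # fwd <proto> <local_ip> <local_port> ...
            if local_port < 1024:
                findings.append((lineno, "warning",
                                 f"appliance-side port {local_port} is below 1024 "
                                 "and may collide with a service on the appliance"))
        elif tokens[:2] == ["nat", "port"] and len(tokens) >= 5:
            first, last, aligned = nat_coverage(tokens[3], tokens[4])
            if not aligned:
                findings.append((lineno, "warning",
                                 f"source {tokens[3]} is not aligned to mask {tokens[4]}; "
                                 f"rule actually covers {first}-{last}"))
    return findings


def rules_covering(text: str, host: str) -> List[int]:
    """Line numbers of the nat port / nat static rules that match `host`.

    Useful for confirming that a real server is (or is not) allowed to reach
    the external network after the netmask of a rule has been narrowed.
    """
    addr = ipaddress.IPv4Address(host)
    hits: List[int] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split()
        if tokens[:2] == ["nat", "port"] and len(tokens) >= 5:
            if addr in ipaddress.IPv4Interface(f"{tokens[3]}/{tokens[4]}").network:
                hits.append(lineno)
        elif tokens[:2] == ["nat", "static"] and len(tokens) >= 4:
            if ipaddress.IPv4Address(tokens[3]) == addr:
                hits.append(lineno)
    return hits


if __name__ == "__main__":
    for line, severity, message in lint_config(SAMPLE_CONFIG):
        print(f"line {line}: {severity}: {message}")
    print("rules covering 192.168.10.12:", rules_covering(SAMPLE_CONFIG, "192.168.10.12"))
```

Run against the sample, the linter reports the out-of-range VLAN tag on line 3, the appliance-side port 443 on line 5, and the unaligned source address on line 7, while `rules_covering` shows that real server 192.168.10.12 is matched both by the lower-half `nat port` rule and by the `nat static` rule.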
2.2.2.5 Dynamic Routing Configuration
Figure 2-6 Dynamic Routing Configuration
- Step 1 RIP Configurations
FortiBalancer(config)#rip on
FortiBalancer(config)#rip version 2
FortiBalancer(config)#rip network 172.16.31.0 255.255.255.0
FortiBalancer(config)#rip network 172.16.32.0 255.255.255.0
- Step 2 OSPF Configurations
FortiBalancer(config)#ospf on
FortiBalancer(config)#ospf network 172.16.32.0 255.255.255.0 0
FortiBalancer(config)#ospf network 172.16.31.0 255.255.255.0 0
After these configurations, you can view the dynamically generated routes by using the “show ip route” command.
FortiBalancer(config)#show ip route
Destination Netmask Gateway
RIP routes:
Destination Netmask Gateway
172.16.39.0 255.255.255.0 172.16.31.67
OSPF routes:
Destination Netmask Gateway
172.16.41.0 255.255.255.0 172.16.32.2
Now that the very basics of our example network configurations are implemented, it is time to move forward to configure the FortiBalancer appliance to operate seamlessly within the network architecture.
2.2.2.6 IP Pool Configuration
Configuration Example for NAT IP Pool via CLI
In our example, we are going to configure IP pools for NAT.
- Step 1 Define IP pools by using the “ip pool” command
FortiBalancer(config)#ip pool "pool1" 124.0.0.22 124.0.0.22
FortiBalancer(config)#ip pool "pool2" 124.0.1.22 124.0.1.22
- Step 2 Define the IP pool for NAT via the “nat port” command
FortiBalancer(config)#nat port "pool1" 1.1.1.0 255.255.255.0 60 124.0.0.125
FortiBalancer(config)#nat port "pool2" 1.1.1.0 255.255.255.0 60 124.0.1.125
Configuration Example for SLB IP Pool via CLI
In our example, we are going to configure IP pools for SLB.
- Step 1 Define IP pools by using the “ip pool” command
FortiBalancer(config)#ip pool "pool1" 124.0.0.22 124.0.0.22
FortiBalancer(config)#ip pool "pool2" 124.0.1.22 124.0.1.22
- Step 2 Define the IP pool as the global proxy IP pool by using the “slb proxyip global” command
FortiBalancer(config)#slb proxyip global "pool2"
- Step 3 Assign the IP pool to the SLB group
FortiBalancer(config)#slb proxyip group "gpi" "pool1"
Note: A group IP pool takes priority over the global IP pool.