13.3 LLB Configuration
13.3.1 Outbound LLB Configuration (One FortiBalancer Appliance)
In this implementation example, one FortiBalancer appliance will be configured to load balance outbound traffic through two ISPs.
If the single FortiBalancer appliance stops working, network connectivity is interrupted. Therefore, we recommend the implementation example with two FortiBalancer appliances in section 13.3.2 Outbound LLB Configuration (Two FortiBalancer Appliances).
13.3.1.1 Configuration Guidelines
Figure 13-1 Outbound LLB (One FortiBalancer Appliance)
Table 13-2 General Settings of Outbound LLB
Operation | Command |
Configure interface IP address | ip address {system_ifname|mnet_ifname|vlan_ifname|bond_ifname} <ip_address> {netmask|prefix} |
Configure MNET | mnet {system_ifname|bond_ifname} <user_interface_name> |
Configure LLB health check | llb link route <link_name> <route_ip> [weight] [hc_srcip] [bandwidth_threshold]; llb link health {on|off}; llb link health checker icmp <link_name> <host> [hc_interval] [timeout] [hc_up] [hc_down] |
Configure outbound LLB method | llb method outbound {rr|wrr|sr|hi}; llb method outbound dd [netmask] [prefix] |
Configure Eroutes and manage link bandwidth | ip eroute <name> <priority> <srcip> {srcmask|prefix} <srcport> <dsthost> {dstmask|prefix} <dstport> <proto> <gatewayip> [weight]; llb link route <link_name> <route_ip> [weight] [hc_srcip] [bandwidth_threshold]; llb link bw_priority <priority> |
Configure NAT | nat port {pool_name|vip} <source_ip> {netmask|prefix} [timeout] [gateway] [description] |
Enable IPflow and RTS | ip ipflow {on|off}; ip rts {on|off} |
13.3.1.2 Configuration Example via the CLI
- Step 1 Configure interface IP addresses
The Port1 interface IP will have an address from ISP1’s address range. In order to assign an additional IP address on the Port1 interface, you must define and configure a multi-netted virtual interface (MNET). You will create an MNET named “outside_isp2” and assign it an IP address from ISP2’s address range.
FortiBalancer(config)#ip address port1 100.10.1.2 255.255.255.0
FortiBalancer(config)#mnet port1 outside_isp2
FortiBalancer(config)#ip address outside_isp2 200.20.1.2 255.255.255.0
Then, configure the IP address of the Port2 interface.
FortiBalancer(config)#ip address port2 192.168.1.1 255.255.255.0
- Step 2 Configure basic LLB health check
ISP link health checks are performed to ensure that the WAN link between the local router and the ISP router is up. This health check uses ICMP Ping to test connectivity.
Perform health check on an IP address on the other side of ISP1’s WAN router:
FortiBalancer(config)#llb link route ISP1 100.10.1.1 1 100.10.1.2 0Mbps
Perform health check on an IP address on the other side of ISP2’s WAN router:
FortiBalancer(config)#llb link route ISP2 200.20.1.1 2 200.20.1.2 0Mbps
Enter the following command to enable link health check:
FortiBalancer(config)#llb link health on
If a link is unstable, administrators can manually disable the link via the command “llb link disable <link_name>”. For example, if the link ISP1 is found unstable, executing the command “llb link disable ISP1” will disable the link, and no outbound traffic will go through this link anymore. To enable a link, use the command “llb link enable <link_name>”.
- Step 3 Configure additional LLB health check
Multiple health checkers can be configured for an ISP link.
FortiBalancer(config)#llb link health checker icmp ISP1 100.1.1.2 10
FortiBalancer(config)#llb link health checker icmp ISP1 100.1.1.3 10
FortiBalancer(config)#llb link health checker icmp ISP1 100.1.1.4 10
Here, 100.1.1.2, 100.1.1.3 and 100.1.1.4 are another three WAN routers of ISP1. Only when all the health checks (including basic health check) for ISP1 have failed, will the link ISP1 be deemed as down.
- Step 4 Configure outbound LLB method (optional)
The outbound LLB supports the following methods:
- Round Robin (rr)
- Weighted Round Robin (wrr)
- Shortest Response (sr)
- Dynamic Detecting (dd)
- Hash IP (hi)
The default method is “rr”.
In this example, we use the “wrr” method.
FortiBalancer(config)#llb method outbound wrr
- Step 5 Configure Eroutes and manage link bandwidth
To make different traffic go through different links, configure the Eroutes for two LLB links.
FortiBalancer(config)#ip eroute "er1" 1600 10.3.0.0 255.255.0.0 0 192.168.4.0 255.255.255.0 0 any 100.10.1.1 1
FortiBalancer(config)#ip eroute "er2" 1400 10.4.0.0 255.255.0.0 0 192.168.5.0 255.255.255.0 0 any 200.20.1.1 1
To make traffic that does not match the preceding Eroute configurations go through ISP1, configure the following Eroute:
FortiBalancer(config)#ip eroute "er3" 1001 0.0.0.0 0.0.0.0 0 0.0.0.0 0.0.0.0 0 any 100.10.1.1 1
If necessary, update the LLB link bandwidth thresholds.
FortiBalancer(config)#llb link route ISP1 100.10.1.1 1 100.10.1.2 500Mbps
FortiBalancer(config)#llb link route ISP2 200.20.1.1 2 200.20.1.2 300Mbps
You can set a priority for the link bandwidth threshold to determine whether the configured link bandwidth threshold takes effect for the relevant LLB link.
FortiBalancer(config)#llb link bw_priority 1500
Because the priority of Eroute “er1” is higher than the bandwidth priority, the gateway specified by the Eroute is not affected by the bandwidth threshold of ISP1. By comparison, the gateway specified by Eroute “er2” is affected by the bandwidth threshold of ISP2.
- Step 6 Configure NAT rules for outbound LLB
For an ISP that is selected for a session based on the configured LLB method, the NAT rules for the ISP VIP must be pre-configured. These rules are applied to the outbound traffic.
NAT for ISP1:
FortiBalancer(config)#nat port 100.10.1.10 192.168.1.0 255.255.0.0
NAT for ISP2:
FortiBalancer(config)#nat port 200.20.1.10 192.168.1.0 255.255.0.0
- Step 7 Other required configuration
Execute the following command to ensure that packets from the same connection will be directed to the same link by using the same NAT rule. By default, the IPflow function is disabled.
FortiBalancer(config)#ip ipflow on
RTS (Return to Sender) should be turned on by executing the following command to ensure that a response packet (e.g. ICMP response) will be directed to the link from which its corresponding request packet (e.g. ICMP request) is sent. By default, the RTS function is disabled.
FortiBalancer(config)#ip rts on
13.3.2 Outbound LLB Configuration (Two FortiBalancer Appliances)
In this implementation example, two FortiBalancer appliances will be configured to load balance outbound traffic through two ISPs. This is the preferred implementation approach because the secondary FortiBalancer appliance provides physical fault tolerance. If either FortiBalancer appliance should fail, network connectivity will not be interrupted.
13.3.2.1 Configuration Guidelines
Figure 13-2 Outbound LLB (Two FortiBalancer Appliances)
Table 13-3 General Settings of Outbound LLB
Operation | Command |
Configure interface IP address | ip address {system_ifname|mnet_ifname|vlan_ifname|bond_ifname} <ip_address> {netmask|prefix} |
Configure MNET | mnet {system_ifname|bond_ifname} <user_interface_name> |
Configure a cluster virtual router | cluster virtual {on|off} [cluster_id|0] [interface_name]; cluster virtual ifname <interface_name> <cluster_id>; cluster virtual vip <interface_name> <cluster_id> <vip>; cluster virtual priority <interface_name> <cluster_id> <priority> [synconfig_peer_name] |
Configure LLB health check | llb link route <link_name> <route_ip> [weight] [hc_srcip] [bandwidth_threshold]; llb link health {on|off} |
Configure cluster Virtual IPs for NATing traffic | cluster virtual {on|off} [cluster_id|0] [interface_name]; cluster virtual ifname <interface_name> <cluster_id>; cluster virtual vip <interface_name> <cluster_id> <vip>; cluster virtual priority <interface_name> <cluster_id> <priority> [synconfig_peer_name] |
Configure Eroutes and manage link bandwidth | ip eroute <name> <priority> <srcip> {srcmask|prefix} <srcport> <dsthost> {dstmask|prefix} <dstport> <proto> <gatewayip> [weight]; llb link route <link_name> <route_ip> [weight] [hc_srcip] [bandwidth_threshold]; llb link bw_priority <priority> |
Configure NAT | nat port {pool_name|vip} <source_ip> {netmask|prefix} [timeout] [gateway] [description] |
Enable IPflow and RTS | ip ipflow {on|off}; ip rts {on|off} |
13.3.2.2 Configuration Example via the CLI
Follow these steps to configure Outbound Link Load Balancing with clustered FortiBalancer appliances. Due to the additional configuration required for a secondary FortiBalancer appliance and to eliminate redundancy, this example assumes an understanding of the basic configuration that was illustrated in the previous section. Also, optional configuration settings will be left at their default values, and as a result, will not be illustrated in this example.
- Step 1 Configure interface IP addresses
You will need to define IP addresses on both FortiBalancer appliances. The same MNET names may be used on both FortiBalancer appliances.
(FortiBalancer1) Port1 and Port2 IP address configuration:
FortiBalancer1(config)#ip address port1 100.10.1.2 255.255.255.0
FortiBalancer1(config)#mnet port1 outside_isp2
FortiBalancer1(config)#ip address outside_isp2 200.20.1.2 255.255.255.0
FortiBalancer1(config)#ip address port2 192.168.1.2 255.255.255.0
(FortiBalancer2) Port1 and Port2 IP address configuration:
FortiBalancer2(config)#ip address port1 100.10.1.3 255.255.255.0
FortiBalancer2(config)#mnet port1 outside_isp2
FortiBalancer2(config)#ip address outside_isp2 200.20.1.3 255.255.255.0
FortiBalancer2(config)#ip address port2 192.168.1.3 255.255.255.0
- Step 2 Configure a cluster virtual router for outbound traffic
Outbound traffic (from behind the FortiBalancer appliances) must be forwarded to an IP address on the FortiBalancer appliances. To provide a fault tolerant gateway for inside devices, a virtual cluster VIP must be configured.
(FortiBalancer1) Configure the first FortiBalancer appliance as the master virtual router for all interfaces so it will process outbound traffic. Assign it a higher priority than the secondary FortiBalancer appliance.
FortiBalancer1(config)#cluster virtual ifname port2 1
FortiBalancer1(config)#cluster virtual vip port2 1 192.168.1.1
FortiBalancer1(config)#cluster virtual priority port2 1 200
FortiBalancer1(config)#cluster virtual on 1 port2
(FortiBalancer2) Configure the secondary FortiBalancer appliance as a backup virtual router for all interfaces so it will not process outbound traffic unless the primary FortiBalancer appliance fails. Assign it a lower priority than the primary FortiBalancer appliance.
FortiBalancer2(config)#cluster virtual ifname port2 1
FortiBalancer2(config)#cluster virtual vip port2 1 192.168.1.1
FortiBalancer2(config)#cluster virtual priority port2 1 100
FortiBalancer2(config)#cluster virtual on 1 port2
- Step 3 Configure basic LLB health check
(Both FortiBalancers) Health check an interface on the other side of both ISPs’ WAN routers and turn on default gateway health check:
FortiBalancer1(config)#llb link route ISP1 100.10.1.1 1 100.10.1.2 0Mbps
FortiBalancer1(config)#llb link route ISP2 200.20.1.1 2 200.20.1.2 0Mbps
FortiBalancer1(config)#llb link health on
FortiBalancer2(config)#llb link route ISP1 100.10.1.1 1 100.10.1.2 0Mbps
FortiBalancer2(config)#llb link route ISP2 200.20.1.1 2 200.20.1.2 0Mbps
FortiBalancer2(config)#llb link health on
- Step 4 Configure Eroutes and manage link bandwidth
To make different traffic go through different links, configure the Eroutes for two LLB links.
FortiBalancer1(config)#ip eroute "er1" 1600 10.3.0.0 255.255.0.0 0 192.168.4.0 255.255.255.0 0 any 100.10.1.1 1
FortiBalancer1(config)#ip eroute "er2" 1400 10.4.0.0 255.255.0.0 0 192.168.5.0 255.255.255.0 0 any 200.20.1.1 1
FortiBalancer2(config)#ip eroute "er1" 1600 10.3.0.0 255.255.0.0 0 192.168.4.0 255.255.255.0 0 any 100.10.1.1 1
FortiBalancer2(config)#ip eroute "er2" 1400 10.4.0.0 255.255.0.0 0 192.168.5.0 255.255.255.0 0 any 200.20.1.1 1
To make traffic that does not match the preceding Eroute configurations go through ISP1, configure the following Eroute:
FortiBalancer1(config)#ip eroute "er3" 1001 0.0.0.0 0.0.0.0 0 0.0.0.0 0.0.0.0 0 any 100.10.1.1 1
FortiBalancer2(config)#ip eroute "er3" 1001 0.0.0.0 0.0.0.0 0 0.0.0.0 0.0.0.0 0 any 100.10.1.1 1
If necessary, update the LLB link bandwidth thresholds.
FortiBalancer1(config)#llb link route ISP1 100.10.1.1 1 100.10.1.2 500Mbps
FortiBalancer1(config)#llb link route ISP2 200.20.1.1 2 200.20.1.2 300Mbps
FortiBalancer2(config)#llb link route ISP1 100.10.1.1 1 100.10.1.2 500Mbps
FortiBalancer2(config)#llb link route ISP2 200.20.1.1 2 200.20.1.2 300Mbps
You can set a priority for the link bandwidth threshold to determine whether the configured link bandwidth threshold takes effect for the relevant LLB link.
FortiBalancer1(config)#llb link bw_priority 1500
FortiBalancer2(config)#llb link bw_priority 1500
Because the priority of Eroute “er1” is higher than the bandwidth priority, the gateway specified by the Eroute is not affected by the bandwidth threshold of ISP1. By comparison, the gateway specified by Eroute “er2” is affected by the bandwidth threshold of ISP2.
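The two rules stated in Step 3 (a link is down only when every health checker has failed) and in Step 5 here and in section 13.3.1 (an Eroute whose priority exceeds the bandwidth priority ignores the link bandwidth threshold) can be checked against the example configuration with a small model. This is an added illustration, not FortiBalancer code; it assumes that the highest-priority matching Eroute wins and that an Eroute whose priority equals the bandwidth priority is treated as affected, neither of which the guide spells out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Eroute:
    name: str
    priority: int  # higher value wins (er1 at 1600 outranks er3 at 1001)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    gateway: str


def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # "0.0.0.0 0.0.0.0" in the guide means "any"; strict=False tolerates host bits
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


# The three Eroutes from Step 5; ports "0" and proto "any" are wildcards,
# so only source and destination networks are modelled here.
EROUTES = [
    Eroute("er1", 1600, net("10.3.0.0", "255.255.0.0"), net("192.168.4.0", "255.255.255.0"), "100.10.1.1"),
    Eroute("er2", 1400, net("10.4.0.0", "255.255.0.0"), net("192.168.5.0", "255.255.255.0"), "200.20.1.1"),
    Eroute("er3", 1001, net("0.0.0.0", "0.0.0.0"), net("0.0.0.0", "0.0.0.0"), "100.10.1.1"),
]
BW_PRIORITY = 1500  # llb link bw_priority 1500


def select_eroute(src_ip: str, dst_ip: str, eroutes=EROUTES):
    """Highest-priority Eroute matching the flow, or None (assumed ordering, see lead-in)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for er in sorted(eroutes, key=lambda e: e.priority, reverse=True):
        if s in er.src and d in er.dst:
            return er
    return None


def route_decision(src_ip: str, dst_ip: str, bw_priority: int = BW_PRIORITY):
    """Return (eroute name, gateway, threshold_applies) for a flow.

    The link bandwidth threshold binds only Eroutes whose priority does not
    exceed bw_priority (equality treated as "applies": an assumption).
    """
    er = select_eroute(src_ip, dst_ip)
    if er is None:
        return None
    return er.name, er.gateway, er.priority <= bw_priority


def link_is_up(checker_results) -> bool:
    """Step 3 rule: the link is down only when every checker (basic + additional) failed."""
    return any(checker_results)
```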
- Step 5 Configure cluster Virtual IPs for NATing traffic
(FortiBalancer1) Cluster VIPs for NAT on each ISP. Assign them a higher priority than the secondary FortiBalancer appliance. Note that the second VIP is bound to the MNET created in Step 1, so the interface name must match it exactly (outside_isp2):
FortiBalancer1(config)#cluster virtual ifname port1 1
FortiBalancer1(config)#cluster virtual vip port1 1 100.10.1.10
FortiBalancer1(config)#cluster virtual priority port1 1 200
FortiBalancer1(config)#cluster virtual on 1 port1
FortiBalancer1(config)#cluster virtual ifname outside_isp2 1
FortiBalancer1(config)#cluster virtual vip outside_isp2 1 200.20.1.10
FortiBalancer1(config)#cluster virtual priority outside_isp2 1 200
FortiBalancer1(config)#cluster virtual on 1 outside_isp2
(FortiBalancer2) Cluster VIPs for NAT on each ISP. Assign them a lower priority than the primary FortiBalancer appliance.
FortiBalancer2(config)#cluster virtual ifname port1 1
FortiBalancer2(config)#cluster virtual vip port1 1 100.10.1.10
FortiBalancer2(config)#cluster virtual priority port1 1 100
FortiBalancer2(config)#cluster virtual on 1 port1
FortiBalancer2(config)#cluster virtual ifname outside_isp2 1
FortiBalancer2(config)#cluster virtual vip outside_isp2 1 200.20.1.10
FortiBalancer2(config)#cluster virtual priority outside_isp2 1 100
FortiBalancer2(config)#cluster virtual on 1 outside_isp2
- Step 6 Configure NAT for outbound LLB sessions
(Both FortiBalancers) NAT rules for ISP1 and ISP2:
FortiBalancer1(config)#nat port 100.10.1.10 192.168.1.0 255.255.0.0
FortiBalancer1(config)#nat port 200.20.1.10 192.168.1.0 255.255.0.0
FortiBalancer2(config)#nat port 100.10.1.10 192.168.1.0 255.255.0.0
FortiBalancer2(config)#nat port 200.20.1.10 192.168.1.0 255.255.0.0
- Step 7 Other required configuration
Execute the following command to ensure that packets from the same connection will be directed to the same link by using the same NAT rule. By default, the IPflow function is disabled.
FortiBalancer(config)#ip ipflow on
RTS (Return to Sender) should be turned on by executing the following command to ensure that a response packet (e.g. ICMP response) will be directed to the link from which its corresponding request packet (e.g. ICMP request) is sent. By default, the RTS function is disabled.
FortiBalancer(config)#ip rts on