Tag Archives: fortinet fortibalancer

Advanced Network Configuration – FortiBalancer

Chapter 2 Advanced Network Configuration

2.1 Overview

This section focuses on introducing the advanced network configurations, including VLAN, MNET, Port Forwarding, NAT, Dynamic Routing and IP Pool functionalities and configurations on the FortiBalancer appliance.

2.1.1 VLAN

VLAN (Virtual Local Area Network) is used to logically segment a network into smaller networks by application, or function, without regard to the physical location of the users. Each VLAN is considered a separate logical network. There are two types of VLAN specifications for Ethernet network.

  • Port-based VLAN

Define VLAN based on port number of the switch. Port-based VLAN is easy to configure but often limited to one single switch.

  • Tag-based VLAN

Tag-based VLAN allows a group of devices on different physical LAN segments to communicate with each other as if they were all on the same physical LAN segment. In tag-based VLAN, an identifying number, called a “VLAN ID” or a “tag”, is written into the Ethernet frame itself, so that switches and routers can use this information to make switching decisions. A tagged frame is four bytes longer than an untagged frame and contains two bytes of Tag Protocol Identifier (TPID) and two bytes of Tag Control Information (TCI).

The FortiBalancer appliance supports Tag-based VLAN on all interfaces. Tag-based VLAN (also known as Trunking by some vendors) is where a tag is inserted into the Ethernet frame so that switches and routers can use this information to make switching decisions.

The FortiBalancer appliance’s VLAN can work in both the IPv4 and IPv6 network environments. Administrator can view all the IPv4 and IPv6-based VLAN configurations by executing the command “show interface”.

For example:

IPv4-based VLAN:

FortiBalancer(config)#show interface

……

V1(vlan1): flags=8843<UP,BROADCAST,RUNNING,SIMPLEX> mtu 1500         inet 10.8.66.96 netmask 0xffffff00 broadcast 10.8.66.255         ether 00:25:90:39:97:f3          media: autoselect         status: no carrier

vlan : 3 parent interface: port1         webwall status: OFF         packet drop (not permit): 0

tcp 0          udp 0          icmp 0          ah 0          esp 0         packet drop (deny): 0

tcp 0          udp 0          icmp 0          ah 0          esp 0

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

IPv6-based VLAN:

FortiBalancer(config)#show interface

……

V2(vlan2): flags=8843<UP,BROADCAST,RUNNING,SIMPLEX> mtu 1500         inet6 fe80::230:48ff:fe93:a73e prefixlen 64 scopeid 0xc          ether 00:30:48:93:a7:41          media: autoselect         status: no carrier

vlan : 20 parent interface: port2         webwall status: OFF         packet drop (not permit): 0

tcp 0          udp 0          icmp 0          ah 0          esp 0         packet drop (deny): 0

tcp 0          udp 0          icmp 0          ah 0          esp 0

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

2.1.2 MNET

MNET (Multi-Netting) is used to assign more than one IP address on a physical interface. Here is an example for MNET:

A new Internet site is under development for a small corporation. The network administrator knows that the site will grow in the future but today there is no need for a complex network. A server is installed that will be used as Web server, FTP server, mail server, and the corporation’s DNS server. Later, when the use of the network services grows, new servers will be used for each of the functions.

When the time comes to address the current server, the administrator has a choice. A single IP address can be used on the server. Later when the new servers are needed, new IP addresses can be assigned to them.

Another way of assigning addresses can be used. The administrator can assign four IP addresses to the server. Each IP address will match the IP address to be used in the future on the new servers. The administrator now knows what addresses will be used and can create DNS entries for the new devices with the correct addresses. This process of providing more than one IP address on an interface is often called multi-netting.

The FortiBalancer appliance’s MNET can work in both the IPv4 and IPv6 network environments.

2.1.3 Port Forwarding

Port forwarding allows you to forward any traffic that is destined to an IP/port pair on the FortiBalancer appliance, to an IP/port pair on the inside network. External clients can directly access the internal servers via an address on the outside subnet.

Note: Port Forwarding feature cannot support FTP, users are recommended to use SLB feature instead.

For example, say that you are running SSH on a real server on the port2 interface subnet, and you want to connect to the server from a client in the outside. To get this information from the outside world to the desired inside IP/port pair, we will have to add a port forward on the FortiBalancer appliance.

 

Figure 2-1 Port Forwarding

2.1.4 NAT

NAT (Network Address Translation) is the translation of an IP address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. NAT is used when you want your real servers on the inside network to access the outside network. Using NAT, all packets will appear as though they came from the FortiBalancer appliance.

2.1.4.1 How NAT Works

When a client on the inside network contacts a machine on the outside network, it sends out IP packets destined for that machine. These packets contain all the addressing information necessary to get them to their destination.

When the packets pass through the NAT gateway, they will be modified so that they appear to be coming from the NAT gateway itself. The NAT gateway will record the changes it makes in its state table so that it can reverse the changes on return packets and ensure that return packets are passed through the firewall without being blocked.

NAT Traversal of PPTP

The FortiBalancer appliance supports NAT traversal of PPTP (Point-to-Point Tunneling Protocol). PPTP is a tunneling mechanism to transfer PPP (Point-to-Point Protocol) frames across intermediate networks. PPTP uses GRE (Generic Routing Encapsulation) encapsulation for PPP payload. However, typically GRE tunnels cannot traverse the NAT device (i.e. the FortiBalancer appliance). To resolve this problem, a PPTP NAT editor is used on the FortiBalancer appliance. This editor is an additional software component on the NAT device to perform translation for IP addresses, TCP ports, and call ID.

2.1.4.2 Supported NAT Types

The FortiBalancer appliance supports four types of NAT:

  • Static NAT

Mapping an IP address on one-to-one basis. By configuring static NAT, the FortiBalancer appliance maps an inside real IP address to a VIP address on the outside. For inbound traffic directed from an outside VIP, the traffic will be forwarded to a corresponding inside real IP without any change in the port number or protocol value. Thus, hosts on the inside network will be directly accessible via the VIP on the port1 interface. The outbound traffic coming from an inside host will use the corresponding outside VIP as the source IP for the outgoing traffic. The port number and protocol remain unchanged. TCP, UDP and ICMP are supported for static NAT.

In static NAT, the computer with the IP address (192.168.10.13) will be always translated into 10.10.0.3:

 

Figure 2-2 Static NAT

  • Port-level NAT

Mapping multiple inside real IP addresses to a single VIP address with a different port number assignment on the port1 interface. By configuring port-level NAT, the group of hosts on the inside network will be directly accessible via the VIP on the port1 interface.

In port-level NAT, the computers with the IP address in the range from 192.168.10.11 to 192.168.10.13 will be translated into 10.0.0.3 with a different port on the outside network:

 

 

Figure 2-3 Port-level NAT

If a port-level NAT is configured for an inside real IP address, static NAT should take precedence over the regular NAT policy. VIPs used by static NAT should not be used by regular NAT. Also, one static NAT VIP should not map to multiple real IP addresses.

  • IP pool-based dynamic NAT

Mapping one or multiple inside real IP addresses to an IP pool which contains multiple IP addresses. By configuring IP pool-based dynamic NAT, a group of hosts on the inside network will be translated into via the multiple IP addresses in IP pool.

As shown below, in IP pool-based dynamic NAT, the client IP addresses in the range from 192.168.10.11 to 192.168.10.13 will be translated into 10.0.0.1 to 10.0.0.3 and get connected to the Internet.

 

Figure 2-4 IP Pool-based Dynamic NAT

  • Destination IP based NAT

FortiBalancer supports NAT based on destination IP address. The destination IP based NAT can be performed only when the destination IP address is in the specified network segment and in the same network segment as the route gateway. If the gateway is set to the default value 0.0.0.0, the destination IP/IP pool for NAT and the route gateway should be within the same network segment.

Note: For IPv6 address, only TCP and UDP packets can be NATTed and no gateway can be configured.

Configuration Example via CLI

  • Step 1 Configure IP pool

FortiBalancer(config)#ip pool “pool1” 172.16.72.45 172.16.72.55

FortiBalancer(config)#ip pool “pool3” 3ffd::45 3ffd::46

  • Step 2 Configure destination NAT

FortiBalancer(config)#nat portdst “pool1” 172.16.72.0 255.255.255.0 500 172.16.72.101

FortiBalancer(config)#nat portdst “pool3” 3ff1:: 65 50

Check NAT configurations and statistics

The following two commands can be used to check the NAT configurations and statistics. Ø             Check NAT table

FortiBalancer(config)#show nat table

From 172.16.73.108(5208) through 172.16.72.53(50776) to 172.16.72.77(80)

From 172.16.73.108(5200) through 172.16.72.53(50768) to 172.16.72.77(80)

From 172.16.73.108(5880) through 172.16.72.53(51448) to 172.16.72.77(80)

From 172.16.73.108(6008) through 172.16.72.53(51576) to 172.16.72.77(80)

From 3ffd::108(42720) through 3ffd (45672) to 3ff1::77(80)

From 3ffd::108(42728) through 3ffd (45680) to 3ff1::77(80)

From 3ffd::108(43336) through 3ffd (46288) to 3ff1::77(80)

From 3ffd::108(43376) through 3ffd (46328) to 3ff1::77(80)

From 3ffd::108(43464) through 3ffd (46416) to 3ff1::77(80)

From 3ffd::108(43408) through 3ffd (46360) to 3ff1::77(80)

From 3ffd::108(43840) through 3ffd (46792) to 3ff1::77(80)

From 3ffd::108(43896) through 3ffd (46848) to 3ff1::77(80)

Ø    Check NAT statistics

FortiBalancer(config)#show statistics nat

nat portdst “pool1” 172.16.72.0 255.255.255.0 500 172.16.72.101         protol(total/current):icmp(1/1) udp(0/0) tcp(23724/251)  nat portdst “pool3” 3ff1:: 65 50

protol(total/current):icmp(0/0) udp(0/0) tcp(23716/246)

2.1.5 Dynamic Routing

Dynamic Routing is a process in which routers automatically adjust to changes in network topology or traffic. It is more robust than static routing. Now, there are several protocols used to support dynamic routing including RIPv1 (Routing Information Protocol version 1), RIPv2 (Routing Information Protocol version 2) and OSPFv2 (Open Shortest Path First version 2) and OSPFv3 (Open Shortest Path First version 3).

Dynamic Routing is especially suitable for today’s large, constantly changed networks. It improves performance by allowing network routers to adjust to changes in the network topology. And it distributes routing information between routers and chooses the best path for the network, saving money and improving performance.

2.1.6 IP Pool

An IP pool contains multiple IP addresses from one IP segment. Administrators can use the pre-defined IP pools for NAT and SLB configurations.

For the NAT module, IP pool can be defined on the outside interface to realize translation of multiple outgoing IP addresses. This helps increase the concurrent capacity and fully utilize the IP resources. For the SLB module, IP pool can be defined for real server groups. Under the SLB reverse mode, when different real server groups are selected, FortiBalancer can select different IP addresses in IP pools to connect to real servers. This not only increases the concurrent connection capacity, but also provides a more flexible configuration method for administrators.

FortiBalancer appliance supports multiple IP pools, and at most 256 IP addresses can be added in one IP pool. The maximum number of IP pools allowed on the FortiBalancer appliance varies with different system memories. Please see the table below for details.

Table 2-1 Maximum IP Pool Entry

System Memory Maximum IP Pool Number
4GB 32
8GB 64
16GB 128
32GB 256

Both IPv4 and IPv6 addresses can be configured in the IP pool.

When configuring the IP pool, please note:

  • Each IP pool should be assigned with a unique name in the system.
  • The IP addresses in one IP pool must belong to the same subnet.
  • The subnet can be the same between two or more pools.
  • One IP address can belong to multiple IP pools.
  • IP segment is composed of continuous IPs, and an IP pool can be composed of multiple IP segments.
  • IP addresses in IP pool must be legal.
    • IP addresses which are not covered by any interface subnet are illegal.
    • Broadcast IP address is illegal. Ÿ IP with hostID 0 is illegal.