LSLB | Farms | Update | L4xNAT Profile

POSTED BY Zevenet | 25 October, 2021

Global Settings for L4xNAT Farm Profile

The L4xNAT farm profile allows the creation of LSLB farms that work at layer 4, with very high performance and more concurrent connections than the layer 7 load balancer cores. The trade-off for this layer 4 performance gain is the advanced content handling that only the layer 7 farm profile can provide.

The L4xNAT farm profile supports multiple ports, port ranges and lists of ports, whereas layer 7 farm profiles support only one port.

This section provides an in-depth explanation of the necessary commands for configuring an L4xNAT farm profile. Our recommendation is to use Farmguardian with this profile to check the status of each backend configured on the farm as this profile doesn’t implement any native health check.

In the upper right corner there is a status indicator and an actions section. The actions enable you to restart, start or stop the farm.

These are the Status color indicators and their meanings:

  • Green: Means UP. The farm is running and all backends are UP or the redirect is configured.
  • Red: Means DOWN. The farm has stopped.
  • Black: Means CRITICAL. The farm is UP but there is no backend available, or all backends are in maintenance mode.
  • Blue: Means PROBLEM. The farm is running but at least one backend is down.
  • Orange: Means MAINTENANCE. The farm is running but at least one backend is in maintenance mode.

These color codes are the same all over the graphical user interface. Find an in-depth explanation about these color codes in the LSLB Farms Section.

Basic configuration

These are the parameters for the L4xNAT profile.

Name. A label that easily identifies a farm service. To change this value, you must stop the farm first. Ensure that the new farm name isn’t already in use or else an error message will appear.

Virtual IP and Port. The virtual IP address and virtual port on which the farm will be bound to listen inside the load balancer system. To change these fields, ensure that the new virtual IP and virtual ports are not already in use. After saving the changes, the farm service restarts automatically.

To select a single port or a range of virtual ports in the L4xNAT farm profile, a Protocol type is mandatory. If the protocol is set to ALL, the farm listens on all ports of the virtual IP; the virtual port is not editable and is set to an asterisk (*).
Once TCP, UDP or any other protocol is selected, the virtual port field can be used to specify a single port, several ports or port ranges.

Advanced configuration

Protocol Type. This field specifies the protocol layer to be balanced. By default, the farm uses the TCP protocol.

  • ALL. The farm will listen for incoming connections to the current virtual IP and port(s) over all protocols. If this option is selected, the virtual port changes to the default “*” and cannot be edited, so the farm listens on all ports.
  • TCP. Enabling this option allows the farm to listen for incoming TCP connections to the current virtual IP and port(s).
  • UDP. Enabling this option allows the farm to listen for incoming UDP connections to the current virtual IP and port(s).
  • SCTP. Enabling this option allows the farm to listen for incoming SCTP connections to the current virtual IP.
  • SIP. Enabling this option allows the farm to listen for incoming UDP packets to the virtual IP and the default port, 5060. The farm will then parse the SIP headers of each packet to be correctly distributed to the backends.
  • FTP. Enabling this option allows the farm to listen for incoming TCP connections to the current virtual IP and the default port, 21. The farm will then parse the FTP headers of each packet to be correctly distributed to the backends. Both active and passive mode are supported.
  • TFTP. Enabling this option allows the farm to listen for incoming UDP packets to the current virtual IP and the default port, 69. The farm will then parse the TFTP headers of each packet to be correctly distributed to the backends.
  • PPTP. Enabling this option allows the farm to listen for incoming TCP connections to the current virtual IP and port. The farm will then parse the PPTP headers of each packet to be correctly distributed to the backends.
  • SNMP. Enabling this option allows the farm to listen for incoming UDP packets to the current virtual IP and port. The farm will then parse the SNMP headers of each packet to be correctly distributed to the backends.

NAT Type. The NAT type controls how the layer 4 topologies operate. Selecting the option that fits your service and infrastructure will depend on the network architecture defined. By default, the farm operates in NAT mode.

  • NAT. The NAT mode, or SNAT (source NAT), uses the load balancer IP as the source IP address of the backend connection. Therefore, the backend doesn’t know the client IP address at TCP, UDP or any other layer 4 protocol. The backend sends its response to the load balancer, which relays it back to the client. This topology permits the deployment of a one-armed load balancer (load balancing with 1 network interface).

    (Figure: layer 4 source NAT load balancer topology)

  • DNAT. The DNAT (Destination NAT) mode keeps the client IP address as the source IP address of the backend connection. Therefore, the backend will respond directly to the client IP. In this case, the load balancer IP needs to be configured as the backend default gateway, which isolates the backend network from the client service network. This topology provides transparency between clients and backends.

    (Figure: layer 4 destination NAT load balancer topology)

  • DSR. In DSR (Direct Server Return) mode, the client connects to the VIP, and the load balancer rewrites the destination MAC address to that of the backend (the server must be on the same link media as the load balancer) and forwards the packet without changing its IP addresses. The backend answers the request directly, without passing through the load balancer.

    Requirements for DSR:

    • VIP and backends need to be in the same network
    • The Virtual Port and the Backend Port must be the same
    • Backends need to configure a loopback interface with the same IP as the VIP configured in the load balancer, with ARP disabled on this interface:
      # ifconfig lo:0 192.168.0.99 netmask 255.255.255.255 -arp up

      ARP replies for the VIP must also be disabled on the backend:

      # echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
      # echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
  • Stateless DNAT. In Stateless DNAT, the load balancer switches the destination address to the backend address and forwards the packet to the backend, but it doesn’t keep any connection information. This reduces the load on the system because the rewrite is performed early in the data path, making it the most suitable NAT mode for high-load layer 4 protocols that are neither connection-oriented nor stream-oriented, such as RTP or syslog over UDP.
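The following is an added illustration (not Zevenet code) of how each NAT type above rewrites a client packet on the forward path and which way the reply has to travel, plus a check for the DSR backend prerequisites listed under the DSR bullet. The addresses, MACs, the Packet/Backend layouts and the conntrack dictionary are constructed for the example.

```python
"""Model of how each L4xNAT NAT type rewrites a client's packet on the forward
path and where the reply must travel.  Added illustration, not Zevenet code:
addresses, MACs, the Packet/Backend layouts and the conntrack dict are
constructed for the example."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    dst_mac: str


@dataclass(frozen=True)
class Backend:
    ip: str
    port: int          # 0 stands for the '*' setting: keep the received port
    mac: str


LB_IP = "192.168.0.10"           # constructed: load balancer's own address
VIP = "192.168.0.99"             # constructed: farm virtual IP
VIP_MAC = "02:00:00:00:00:99"    # constructed: MAC that answers ARP for the VIP
LINK = ipaddress.ip_network("192.168.0.0/24")   # constructed: the LB's link


def forward(pkt, backend, nat_type, conntrack):
    """Rewrite `pkt` for the chosen NAT type.

    Returns (packet as the backend receives it, reply path).  `conntrack`
    receives an entry keyed by the client tuple for the stateful modes."""
    bport = backend.port or pkt.dst_port
    client_key = (pkt.src_ip, pkt.src_port)
    if nat_type == "nat":
        # SNAT: the LB address becomes the source, so the backend never sees
        # the client IP and naturally sends its reply back to the LB.
        conntrack[client_key] = backend
        out = replace(pkt, src_ip=LB_IP, dst_ip=backend.ip,
                      dst_port=bport, dst_mac=backend.mac)
        return out, "backend -> LB -> client"
    if nat_type == "dnat":
        # Client source is kept; the reply only comes back through the LB
        # when the LB is the backend's default gateway.
        conntrack[client_key] = backend
        out = replace(pkt, dst_ip=backend.ip, dst_port=bport, dst_mac=backend.mac)
        return out, "backend -> LB (default gateway) -> client"
    if nat_type == "stateless_dnat":
        # Same rewrite as DNAT, but no connection state is recorded.
        out = replace(pkt, dst_ip=backend.ip, dst_port=bport, dst_mac=backend.mac)
        return out, "backend -> LB (default gateway) -> client, no state kept"
    if nat_type == "dsr":
        # Only the destination MAC changes; the IP header is untouched, so the
        # documented requirements must hold or the packet is undeliverable.
        if ipaddress.ip_address(backend.ip) not in LINK:
            raise ValueError("DSR: VIP and backend must be on the same network")
        if bport != pkt.dst_port:
            raise ValueError("DSR: virtual port and backend port must match")
        return replace(pkt, dst_mac=backend.mac), "backend -> client directly"
    raise ValueError(f"unknown NAT type {nat_type!r}")


def dsr_backend_ready(arp_ignore, arp_announce, loopback_ips):
    """Backend-side DSR prerequisites from the text above: the VIP on a
    loopback alias and arp_ignore=1 / arp_announce=2.  Returns the list of
    unmet prerequisites (empty when the backend is ready)."""
    problems = []
    if VIP not in loopback_ips:
        problems.append("VIP is not configured on a loopback interface")
    if arp_ignore != 1:
        problems.append("net.ipv4.conf.all.arp_ignore should be 1")
    if arp_announce != 2:
        problems.append("net.ipv4.conf.all.arp_announce should be 2")
    return problems


if __name__ == "__main__":
    client = Packet("203.0.113.5", VIP, 40000, 80, VIP_MAC)   # constructed flow
    web = Backend("192.168.0.21", 80, "02:00:00:00:00:21")    # constructed backend
    for mode in ("nat", "dnat", "stateless_dnat", "dsr"):
        ct = {}
        delivered, path = forward(client, web, mode, ct)
        print(f"{mode:15} backend sees src={delivered.src_ip} "
              f"dst={delivered.dst_ip}:{delivered.dst_port} "
              f"state={len(ct)}  reply: {path}")
    print(dsr_backend_ready(0, 0, ["127.0.0.1"]))
```

Running the script prints, for each mode, the source and destination the backend sees and whether the load balancer kept connection state; the last line lists every unmet DSR prerequisite for a backend that still has default ARP settings and no VIP on its loopback.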

Logs. To record the connections received on the farm, enable the Log option. This is only recommended for debugging or monitoring purposes because it reduces the amount of traffic the load balancer can handle.

Service settings

The service created in the L4 layer provides the following configuration options for managing the data paths and connection behaviors.

Load balancing scheduler. This field specifies the load balancing algorithm used to choose the backend server. The weight algorithm is selected by default.

  • Weight: connection linear dispatching by weight. Balances the connections depending on the weight value that has been assigned to each backend. The requests are delivered using a probabilistic algorithm using the defined weight.
  • Source Hash: Hash per Source IP and Source Port. Balances the packets that match the same source IP and port to the same backend using a hash scheduler.
  • Simple Source Hash: Hash per Source IP only. Balances the packets that match the same source IP to the same backend using a hash scheduler.
  • Symmetric Hash: Round trip hash per IP and Port. Balances the packets that match the same source IP and port and destination IP and port, so a connection hashes to the same backend in both directions (inbound and outbound).
  • Round Robin: Sequential backend selection. It balances each incoming connection to a backend, sequentially switching between backends.
  • Least Connections: connection always to the least connection server. Selects the backend with the least number of active connections to ensure that the traffic load of the active requests is balanced with the traffic load of the most connected available real server.
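The block below is an added example (not Zevenet code) with reference implementations of the six scheduler policies just listed, run over constructed flows. The flow dictionary layout, the SHA-256 bucket function and the backend table are assumptions made for illustration; the real scheduler is implemented in the kernel data path.

```python
"""Reference implementations of the six L4xNAT scheduler policies, run over
constructed flows.  Added example, not Zevenet code; the flow dict layout, the
SHA-256 bucket function and the backend table are assumptions."""
import hashlib
import random
from collections import Counter


def make_backends():
    """Constructed backend table: bk1 carries three times the weight of bk2/bk3."""
    return [{"name": "bk1", "weight": 3, "conns": 0},
            {"name": "bk2", "weight": 1, "conns": 0},
            {"name": "bk3", "weight": 1, "conns": 0}]


def _bucket(fields, n):
    """Stable hash of the given fields into a backend index."""
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big") % n


def weight(backends, flow, rng):
    """Probabilistic pick proportional to each backend's weight."""
    return rng.choices(backends, weights=[b["weight"] for b in backends])[0]


def source_hash(backends, flow):
    """Same source IP and source port -> same backend."""
    return backends[_bucket((flow["src_ip"], flow["src_port"]), len(backends))]


def simple_source_hash(backends, flow):
    """Same source IP -> same backend, whatever the source port."""
    return backends[_bucket((flow["src_ip"],), len(backends))]


def symmetric_hash(backends, flow):
    """Hash both endpoints in a fixed order so a flow and its reverse
    (the reply direction) land on the same backend."""
    ends = sorted([(flow["src_ip"], flow["src_port"]),
                   (flow["dst_ip"], flow["dst_port"])])
    return backends[_bucket(ends[0] + ends[1], len(backends))]


class RoundRobin:
    """Sequential selection; the cursor is the only state."""

    def __init__(self):
        self.cursor = 0

    def __call__(self, backends, flow):
        chosen = backends[self.cursor % len(backends)]
        self.cursor += 1
        return chosen


def least_connections(backends, flow):
    """Backend with the fewest active connections (first one on a tie)."""
    return min(backends, key=lambda b: b["conns"])


def flow(src_ip, src_port, dst_ip="192.168.0.99", dst_port=80):
    """Constructed flow record (the VIP is the default destination)."""
    return {"src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port}


def weight_share(n=1000, seed=0):
    """Fraction of `n` weighted picks that land on bk1 (expected 3/5)."""
    rng = random.Random(seed)
    backends = make_backends()
    hits = Counter(weight(backends, None, rng)["name"] for _ in range(n))
    return hits["bk1"] / n


if __name__ == "__main__":
    backends = make_backends()
    f = flow("203.0.113.5", 40000)
    print("weight share of bk1:", weight_share())
    print("source hash:", source_hash(backends, f)["name"],
          source_hash(backends, flow("203.0.113.5", 40001))["name"])
    print("simple source hash:", simple_source_hash(backends, f)["name"],
          simple_source_hash(backends, flow("203.0.113.5", 40001))["name"])
    rr = RoundRobin()
    print("round robin:", [rr(backends, f)["name"] for _ in range(4)])
    backends[0]["conns"], backends[2]["conns"] = 2, 1
    print("least connections:", least_connections(backends, f)["name"])
```

The symmetric policy sorts the two endpoints before hashing, which is what makes a packet and its reply map to the same bucket; the other hash policies would send the two directions to different backends.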

Persistence

Select persistence. This field determines if any persistence is used in the configured farm. By default, no persistence is used.

  • No persistence. The farm will not use any persistence between the client and the backend.
  • IP: Source IP. With this option, the farm will assign the same backend for each incoming connection depending on the source IP address only.
  • Port: Source Port. With this option, the farm will assign the same backend for each incoming connection depending on the source port only.
  • MAC: Source MAC. With this option, the farm will assign the same backend for each incoming connection depending on the link-layer MAC address of the packet.
  • Source IP and Source Port. With this option, the farm will assign the same backend for each incoming connection depending on both the source IP and the source port.
  • Source IP and Destination Port. With this option, the farm will assign the same backend for each incoming connection depending on both the source IP and the destination port.
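As an added example (not Zevenet code), the block below layers a persistence table keyed exactly as the options above describe on top of a plain round-robin pick. The flow fields, the table layout, its entry timeout and the fallback to a fresh selection when the remembered backend is down are assumptions for illustration.

```python
"""Persistence (client stickiness) keyed as the L4xNAT options describe,
layered on a simple round-robin pick.  Added example, not Zevenet code; the
flow fields, the sticky-table layout, the entry timeout and the fallback when
the remembered backend is down are assumptions."""

# Key extractors: which fields of a flow identify "the same client".
PERSISTENCE_KEYS = {
    "none": lambda f: None,
    "ip": lambda f: (f["src_ip"],),
    "port": lambda f: (f["src_port"],),
    "mac": lambda f: (f["src_mac"],),
    "ip_port": lambda f: (f["src_ip"], f["src_port"]),
    "ip_dstport": lambda f: (f["src_ip"], f["dst_port"]),
}


class StickyFarm:
    """Round-robin farm with an optional persistence table."""

    def __init__(self, backends, mode="none", timeout=300):
        self.backends = list(backends)        # names of configured backends
        self.down = set()                     # backends currently unavailable
        self.keyfn = PERSISTENCE_KEYS[mode]
        self.timeout = timeout                # assumed entry lifetime, seconds
        self.table = {}                       # key -> (backend, expiry time)
        self.cursor = 0

    def _fresh_pick(self):
        alive = [b for b in self.backends if b not in self.down]
        if not alive:
            return None
        chosen = alive[self.cursor % len(alive)]
        self.cursor += 1
        return chosen

    def select(self, flow, now):
        """Return the backend for `flow`, honouring a live sticky entry."""
        key = self.keyfn(flow)
        if key is not None:
            entry = self.table.get(key)
            if entry and entry[1] > now and entry[0] not in self.down:
                self.table[key] = (entry[0], now + self.timeout)   # refresh
                return entry[0]
        chosen = self._fresh_pick()
        if key is not None and chosen is not None:
            self.table[key] = (chosen, now + self.timeout)
        return chosen


def flow(src_ip, src_port, src_mac="02:aa:bb:cc:dd:01", dst_port=80):
    """Constructed flow record."""
    return {"src_ip": src_ip, "src_port": src_port,
            "src_mac": src_mac, "dst_port": dst_port}


def demo(mode):
    """Backends chosen for two flows from one client (different source ports),
    then for a third flow after bk1 has gone down."""
    farm = StickyFarm(["bk1", "bk2", "bk3"], mode)
    first = farm.select(flow("203.0.113.5", 40000), now=0)
    second = farm.select(flow("203.0.113.5", 40001), now=1)
    farm.down.add("bk1")
    third = farm.select(flow("203.0.113.5", 40002), now=2)
    return first, second, third


if __name__ == "__main__":
    for mode in ("none", "ip", "ip_port"):
        print(f"{mode:8}", demo(mode))
```

With source-IP persistence the second connection from the same client sticks to the first backend even though its source port differs; with IP+port persistence it is treated as a new client. In both cases a sticky entry pointing at a failed backend is ignored and replaced by a fresh selection.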

Farmguardian

L4xNAT farms don’t provide any native health checks for backends. So, the Farmguardian configuration is required in this virtual service.

Built-in or customized advanced health checks can be assigned to this service from any existing farmguardian check.

For further information about Farmguardian, go to the Monitoring >> Farmguardian section.

Notice that after selecting the farmguardian, it will be automatically applied to the farm.

Backends

In this section, you will be able to modify the configurations of backends or add new ones to a given farm.

Create backend. This button will show the Add backend form when clicked. The configurations are meant to add a new backend to a given farm.

  • Alias. This field shows the drop-down list with all the available backend aliases.
  • IP. The Network-Layer IP Address to be used when forwarding traffic to the backend.
  • Port. The Port to be used when forwarding traffic to the backend.
  • Priority. The priority value for the current real server. Lower values have higher priority. The default service priority value is 1. When a backend fails, the service priority will be increased by 1. When the backend goes live again, the service priority value will be decreased by 1. Active backends contain priority values less than or equal to the service priority.
  • Max. Conns. The maximum number of concurrent connections allowed to the backend. Once the limit is reached, new connections are discarded.
  • Weight. The backend weight for traffic balancing when the weight algorithm is set. This weight determines how preferable the backend is against other backends. This field allows integer values higher than or equal to 1 (lowest value).

Bulk actions. On the right of ADD BACKEND, you will see the following actions which could be performed for one or more backends at the same time.

(Figure: bulk actions dropdown)
Actions: These are the actions for configuring the backends.

  • Enable Maintenance. This action is available if the backend is up. It puts a real backend server in maintenance mode. Therefore, no new connections will be redirected to it. There are two methods for enabling the maintenance mode:
    • Drain Mode. Keeps the established connections and persistence if enabled, but will not admit new connections.
    • Cut Mode. Directly drops all active connections against the backend, closing any connection between the backend and clients.
  • Edit. Opens the edit form, the same as the add form, to change any backend value.
  • Disable Maintenance. This action is only available if the backend is in maintenance mode. It will enable new connections to be forwarded to the backend server again.
  • Delete. Removes the backend server from the virtual service. If the backend has an alias, the alias won’t be deleted.

Backends. This table shows all the backends already configured on the farm.

  • Alias. A backend Alias if one alias has been previously defined for the backend.
  • IP. The IP address of the backend where the connections will be forwarded.
  • Port. The port where the connections will be redirected to at the backend. If a blank space or an asterisk ‘*’ is set, connections will be redirected to the same port on which they were received.
  • Priority. The priority value for the backend server. The accepted value is an integer higher than or equal to 1. A lower value indicates a higher priority for the current real server. By default, a priority value of 1 will be set.
  • Weight. The weight value for the current real server. A higher value indicates more connections delivered to the current backend. By default, a weight value of 1 will be set.
  • Max. Conns. This value will be the maximum number of flows or established connections to a certain backend. If the limit of clients connected to a given backend is reached, the backend will not accept more traffic. The client will reconnect to another suitable backend. The default value is 0, which means unlimited.
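The block below is an added simulation (not Zevenet code) of the Priority rule and the Max. Conns limit described in the backend form and table above. The service-priority bookkeeping follows the text (the service priority starts at 1, increases by 1 when a backend fails and decreases by 1 when it recovers; a backend is active while its priority is less than or equal to the service priority); the Backend and Service classes and the fewest-connections tie-break are constructed for illustration.

```python
"""Simulation of the L4xNAT backend Priority rule and the Max. Conns limit.
Added example, not Zevenet code: the service-priority bookkeeping follows the
documentation text; the classes and the fewest-connections tie-break are
constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    priority: int = 1      # lower value = higher priority
    max_conns: int = 0     # 0 = unlimited
    up: bool = True
    conns: int = 0


class Service:
    def __init__(self, backends):
        self.backends = {b.name: b for b in backends}
        self.priority = 1          # service priority starts at 1

    def mark_down(self, name):
        b = self.backends[name]
        if b.up:
            b.up = False
            self.priority += 1     # one more priority level becomes active

    def mark_up(self, name):
        b = self.backends[name]
        if not b.up:
            b.up = True
            self.priority -= 1

    def active(self):
        """Backends that may receive traffic: up, within the service priority
        and below their own connection limit (0 means no limit)."""
        return [b for b in self.backends.values()
                if b.up and b.priority <= self.priority
                and (b.max_conns == 0 or b.conns < b.max_conns)]

    def active_names(self):
        return [b.name for b in self.active()]

    def accept(self):
        """Admit one new connection; returns the backend name, or None when
        the connection has to be discarded because no backend can take it."""
        pool = self.active()
        if not pool:
            return None
        chosen = min(pool, key=lambda b: b.conns)
        chosen.conns += 1
        return chosen.name


def failover_demo():
    """Two priority-1 backends and a priority-2 standby: the standby only
    joins the pool while one of the primaries is down."""
    svc = Service([Backend("bk1"), Backend("bk2"), Backend("standby", priority=2)])
    before = svc.active_names()
    svc.mark_down("bk1")
    during = svc.active_names()
    svc.mark_up("bk1")
    after = svc.active_names()
    return before, during, after


def maxconns_demo():
    """Two backends limited to one connection each: the third connection is
    discarded rather than queued."""
    svc = Service([Backend("bk1", max_conns=1), Backend("bk2", max_conns=1)])
    return [svc.accept() for _ in range(3)]


if __name__ == "__main__":
    print("active pool before/during/after failure:", failover_demo())
    print("admitted connections with Max. Conns = 1:", maxconns_demo())
```

A standby backend with a higher priority value therefore receives traffic only while the service priority has been raised by a failure, and a Max. Conns limit turns into discarded connections once every eligible backend is full, which is worth alarming on.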

IPDS Rules for L4xNAT farms

This section lets you enable IPDS rules. The list shows the different types of protection and a select box to enable them. For further information, please go to the IPDS >> Blacklists rules, IPDS >> DoS rules, IPDS >> RBL rules or IPDS >> WAF rules documentation.

(Figure: zevenet IPDS view)

For each of the four types of IPDS rules (Blacklist, DoS, WAF and RBL) there are two tables, Available and Enabled, joined by a chain icon. The Available table lists all the rules of that kind that can be applied to the farm; the Enabled table lists the rules of that kind already applied to the selected farm. Each rule also has a status symbol showing whether it is stopped (red) or running (green).

Each rule can be accessed by clicking on the edit icon, which allows you to change the rule parameters or even start/stop the rule. New rules cannot be created from this farm view; create them in the IPDS section.

Add a rule by clicking on the desired rule and then on the right single arrow. To add several, hold the Shift key while selecting the rules you want, then click the right single arrow. You can also add all the available rules by clicking on the right double arrow.

To delete one or more rules, select them and click on the left arrow or click on the double arrow to remove all.

Documentation under the terms of the GNU Free Documentation License.
