Link Load Balancing – FortiBalancer

13.3 LLB Configuration

13.3.1 Outbound LLB Configuration (One FortiBalancer Appliance)

In this implementation example, a single FortiBalancer appliance is configured to load balance outbound traffic through two ISPs.

If that single appliance stops working, network connectivity is interrupted. We therefore recommend the implementation with two FortiBalancer appliances in section 13.3.2 Outbound LLB Configuration (Two FortiBalancer Appliances).

13.3.1.1 Configuration Guidelines

 

Figure 13-1 Outbound LLB (One FortiBalancer Appliance)

Table 13-2 General Settings of Outbound LLB

Operation                                    Command
Configure interface IP address               ip address {system_ifname|mnet_ifname|vlan_ifname|bond_ifname} <ip_address> {netmask|prefix}
Configure MNET                               mnet {system_ifname|bond_ifname} <user_interface_name>
Configure LLB health check                   llb link route <link_name> <route_ip> [weight] [hc_srcip] [bandwidth_threshold]
                                             llb link health {on|off}
                                             llb link health checker icmp <link_name> <host> [hc_interval] [timeout] [hc_up] [hc_down]
Configure outbound LLB method                llb method outbound {rr|wrr|sr|hi}
                                             llb method outbound dd [netmask] [prefix]
Configure Eroutes and manage link bandwidth  ip eroute <name> <priority> <srcip> {srcmask|prefix} <srcport> <dsthost> {dstmask|prefix} <dstport> <proto> <gatewayip> [weight]
                                             llb link route <link_name> <route_ip> [weight] [hc_srcip] [bandwidth_threshold]
                                             llb link bw_priority <priority>
Configure NAT                                nat port {pool_name|vip} <source_ip> {netmask|prefix} [timeout] [gateway] [description]
Enable IPflow and RTS                        ip ipflow {on|off}
                                             ip rts {on|off}

13.3.1.2 Configuration Example via the CLI

  • Step 1 Configure interface IP addresses

The Port1 interface gets an address from ISP1's address range. To put a second address, from ISP2's range, on the same physical interface, you define a multi-netted virtual interface (MNET): create an MNET named "outside_isp2" on port1 and assign it an address from ISP2's address range.

FortiBalancer(config)#ip address port1 100.10.1.2 255.255.255.0

FortiBalancer(config)#mnet port1 outside_isp2

FortiBalancer(config)#ip address outside_isp2 200.20.1.2 255.255.255.0

Then, configure the IP address of the Port2 interface.

FortiBalancer(config)#ip address port2 192.168.1.1 255.255.255.0

  • Step 2 Configure basic LLB health check

ISP link health checks verify that the WAN link between the site and each ISP's router is up. The basic check sends ICMP Ping to the route IP of the link.

Health check an address on the other side of ISP1's WAN router:

FortiBalancer(config)#llb link route ISP1 100.10.1.1 1 100.10.1.2 0Mbps

Health check an address on the other side of ISP2's WAN router:

FortiBalancer(config)#llb link route ISP2 200.20.1.1 2 200.20.1.2 0Mbps

In these commands, 100.10.1.1 and 200.20.1.1 are the ISP routers (route IPs), 1 and 2 are the link weights (with the wrr method chosen in Step 4, ISP2 is offered roughly twice as many new sessions as ISP1), the interface addresses are the source IPs of the health-check probes (hc_srcip), and 0Mbps is a placeholder for the bandwidth threshold that Step 5 sets to real values.

Enter the following command to enable link health check:

FortiBalancer(config)#llb link health on

If a link is unstable, you can take it out of service manually with the command "llb link disable <link_name>". For example, "llb link disable ISP1" disables the link ISP1, and no outbound traffic is sent through it until you re-enable it with "llb link enable <link_name>".

  • Step 3 Configure additional LLB health check

Multiple health checkers can be configured for an ISP link.

FortiBalancer(config)#llb link health checker icmp ISP1 100.1.1.2 10

FortiBalancer(config)#llb link health checker icmp ISP1 100.1.1.3 10

FortiBalancer(config)#llb link health checker icmp ISP1 100.1.1.4 10

Here, 100.1.1.2, 100.1.1.3 and 100.1.1.4 are three further WAN routers of ISP1, and 10 is the hc_interval argument. The link ISP1 is deemed down only when every health check configured for it, including the basic check from Step 2, has failed. A single target that still answers keeps the link up, so choose targets that are reachable only through ISP1 and that would not all keep answering during the failures you want to detect.
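The health-state logic of Steps 2 and 3 (per-checker hysteresis, and a link that is down only when every checker has failed), as an added Python model that is not FortiBalancer code. It assumes the checker semantics the command syntax suggests: hc_up consecutive replies mark a checker up and hc_down consecutive misses mark it down. The defaults of 3 used below are assumptions, not documented FortiBalancer defaults, and the probe sequences are constructed.

```python
from dataclasses import dataclass, field

# Targets the page configures for ISP1: the basic route check plus three
# additional ICMP checkers.
ISP1_TARGETS = ("100.10.1.1", "100.1.1.2", "100.1.1.3", "100.1.1.4")


@dataclass
class Checker:
    """One ICMP health checker (`llb link health checker icmp ...`).

    hc_up / hc_down are consecutive-result counts; the defaults of 3 are an
    assumption for this model, not documented FortiBalancer defaults.
    """
    host: str
    hc_up: int = 3
    hc_down: int = 3
    up: bool = True          # a freshly configured link starts as up
    ok_streak: int = 0
    fail_streak: int = 0

    def observe(self, reply_received: bool) -> bool:
        """Record one probe result and return the checker's state afterwards."""
        if reply_received:
            self.ok_streak += 1
            self.fail_streak = 0
            if self.ok_streak >= self.hc_up:
                self.up = True
        else:
            self.fail_streak += 1
            self.ok_streak = 0
            if self.fail_streak >= self.hc_down:
                self.up = False
        return self.up


@dataclass
class Link:
    """One LLB link with its checkers and the admin state set by
    `llb link enable|disable`."""
    name: str
    gateway: str
    checkers: list = field(default_factory=list)
    admin_enabled: bool = True

    def is_up(self) -> bool:
        """Usable when admin-enabled and at least one checker still gets replies."""
        return self.admin_enabled and any(c.up for c in self.checkers)


def build_isp1() -> Link:
    """ISP1 as configured on the page (the trailing 10 in the page's checker
    commands is hc_interval, which this time-free model does not need)."""
    return Link("ISP1", "100.10.1.1", [Checker(h) for h in ISP1_TARGETS])


def simulate(link: Link, probes: dict) -> list:
    """Replay constructed probe results (host -> list of True/False per round)
    and return the link state after every round."""
    rounds = max(len(r) for r in probes.values())
    history = []
    for i in range(rounds):
        for c in link.checkers:
            results = probes.get(c.host, [])
            if i < len(results):
                c.observe(results[i])
        history.append(link.is_up())
    return history


def scenario_full_outage() -> list:
    """Every target stops answering: link goes down after 3 consecutive misses."""
    return simulate(build_isp1(), {h: [False] * 5 for h in ISP1_TARGETS})


def scenario_partial_outage() -> list:
    """Only 100.1.1.2 still answers: one live checker keeps the link up."""
    probes = {h: [False] * 5 for h in ISP1_TARGETS}
    probes["100.1.1.2"] = [True] * 5
    return simulate(build_isp1(), probes)


def scenario_flap() -> list:
    """Two misses then a reply, repeated: hysteresis never declares the link down."""
    pattern = [False, False, True, False, False, True]
    return simulate(build_isp1(), {h: list(pattern) for h in ISP1_TARGETS})


def scenario_recovery() -> list:
    """Outage followed by three clean rounds: link returns to up."""
    pattern = [False] * 3 + [True] * 3
    return simulate(build_isp1(), {h: list(pattern) for h in ISP1_TARGETS})


def scenario_admin_disable() -> bool:
    """`llb link disable ISP1` takes the link out of service even when healthy."""
    link = build_isp1()
    link.admin_enabled = False
    return link.is_up()
```

The partial-outage scenario is the one to keep in mind when choosing checker targets: as long as any one target answers, the link stays in rotation, so three targets that all sit behind the same ISP device add little beyond what the basic check already gives.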

  • Step 4 Configure outbound LLB method (optional)

The outbound LLB supports the following methods:

  • Round Robin (rr)
  • Weighted Round Robin (wrr)
  • Shortest Response (sr)
  • Dynamic Detecting (dd)
  • Hash IP (hi)

The default method is “rr”.

In this example, we use the “wrr” method.

FortiBalancer(config)#llb method outbound wrr

  • Step 5 Configure Eroutes and manage link bandwidth

To steer different traffic over different links, configure an Eroute for each LLB link. An Eroute matches a packet on source address, source port, destination address, destination port and protocol (a port of 0 and a protocol of any are wildcards) and names the gateway to use. Eroutes are consulted from the highest priority value down, and the first match wins.

FortiBalancer(config)#ip eroute "er1" 1600 10.3.0.0 255.255.0.0 0 192.168.4.0 255.255.255.0 0 any 100.10.1.1 1

FortiBalancer(config)#ip eroute "er2" 1400 10.4.0.0 255.255.0.0 0 192.168.5.0 255.255.255.0 0 any 200.20.1.1 1

To make traffic that does not match the preceding Eroute configurations go through ISP1, configure the following Eroute:

FortiBalancer(config)#ip eroute "er3" 1001 0.0.0.0 0.0.0.0 0 0.0.0.0 0.0.0.0 0 any 100.10.1.1 1

If necessary, update the LLB link bandwidth thresholds.

FortiBalancer(config)#llb link route ISP1 100.10.1.1 1 100.10.1.2 500Mbps

FortiBalancer(config)#llb link route ISP2 200.20.1.1 2 200.20.1.2 300Mbps

The bandwidth threshold takes effect only for traffic selected by Eroutes whose priority is lower than the bandwidth priority set with llb link bw_priority:

FortiBalancer(config)#llb link bw_priority 1500

Because the priority of Eroute "er1" (1600) is higher than the bandwidth priority (1500), the gateway specified by that Eroute is used regardless of the bandwidth threshold of ISP1. By comparison, Eroute "er2" (1400) is subject to the bandwidth threshold of ISP2, and the catch-all Eroute "er3" (1001) is subject to the bandwidth threshold of ISP1.
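Steps 2, 4 and 5 together decide which gateway an outbound session gets. The following Python model is an added example, not FortiBalancer code: it parses the page's own llb link route and ip eroute commands and applies the rules the text describes. Its assumptions, which the page does not spell out, are that Eroutes are tried in descending priority and the first match wins, that a 0Mbps threshold means no threshold, that an Eroute whose priority is strictly higher than bw_priority pins traffic to its gateway regardless of link load, and that a matched Eroute whose link is down or over threshold (and not pinned) falls back to the wrr method over the links that are up and under threshold, as do flows that match no Eroute. The link load figures and the flows are constructed.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

Flow = namedtuple("Flow", "src sport dst dport proto")
# One `ip eroute` entry; port 0 and proto "any" are wildcards.
Eroute = namedtuple("Eroute", "name priority src sport dst dport proto gateway")

@dataclass
class Link:
    """One `llb link route` entry plus constructed runtime state."""
    name: str
    gateway: str
    weight: int
    threshold_mbps: int      # 0 = no threshold (assumption)
    up: bool = True          # outcome of the Step 2/3 health checks
    load_mbps: int = 0       # constructed current utilisation

    def over_threshold(self) -> bool:
        return self.threshold_mbps > 0 and self.load_mbps >= self.threshold_mbps

def matches(er: Eroute, f: Flow) -> bool:
    return (ipaddress.ip_address(f.src) in er.src and ipaddress.ip_address(f.dst) in er.dst
            and er.sport in (0, f.sport) and er.dport in (0, f.dport)
            and er.proto in ("any", f.proto))

def parse_eroute(line: str) -> Eroute:
    """Parse an `ip eroute` command exactly as printed on the page (prompt optional)."""
    t = line.split("#", 1)[-1].split()
    assert t[:2] == ["ip", "eroute"], line
    net = lambda a, m: ipaddress.ip_network(f"{a}/{m}", strict=False)
    return Eroute(t[2].strip('"'), int(t[3]), net(t[4], t[5]), int(t[6]),
                  net(t[7], t[8]), int(t[9]), t[10], t[11])

def parse_link(line: str) -> Link:
    """Parse `llb link route <name> <route_ip> [weight] [hc_srcip] [bandwidth]`."""
    t = line.split("#", 1)[-1].split()
    assert t[:3] == ["llb", "link", "route"], line
    weight = int(t[5]) if len(t) > 5 else 1
    threshold = int(t[7].rstrip("Mbps")) if len(t) > 7 else 0
    return Link(t[3], t[4], weight, threshold)

class OutboundLLB:
    """Gateway selection: Eroutes in descending priority, then the wrr method."""

    def __init__(self, links, eroutes, bw_priority):
        self.links = {l.gateway: l for l in links}
        self.eroutes = sorted(eroutes, key=lambda e: e.priority, reverse=True)
        self.bw_priority = bw_priority
        self._rr = 0

    def _wrr(self, candidates):
        slots = [l for l in candidates for _ in range(l.weight)]
        self._rr += 1
        return slots[(self._rr - 1) % len(slots)]

    def select(self, f: Flow):
        """Return (decision, gateway); gateway is None when no link is usable."""
        for er in self.eroutes:
            if not matches(er, f):
                continue
            link = self.links[er.gateway]
            pinned = er.priority > self.bw_priority   # "higher than" bw_priority: immune
            if link.up and (pinned or not link.over_threshold()):
                return er.name, link.gateway
            break   # matched Eroute unusable (assumption): fall back to the LLB method
        usable = [l for l in self.links.values() if l.up and not l.over_threshold()]
        if not usable:
            return "no-usable-link", None
        return "wrr", self._wrr(usable).gateway

def build_from_page() -> OutboundLLB:
    """The page's Step 5 state: two links, three Eroutes, bw_priority 1500."""
    links = [parse_link(c) for c in (
        "FortiBalancer(config)#llb link route ISP1 100.10.1.1 1 100.10.1.2 500Mbps",
        "FortiBalancer(config)#llb link route ISP2 200.20.1.1 2 200.20.1.2 300Mbps")]
    eroutes = [parse_eroute(c) for c in (
        'ip eroute "er1" 1600 10.3.0.0 255.255.0.0 0 192.168.4.0 255.255.255.0 0 any 100.10.1.1 1',
        'ip eroute "er2" 1400 10.4.0.0 255.255.0.0 0 192.168.5.0 255.255.255.0 0 any 200.20.1.1 1',
        'ip eroute "er3" 1001 0.0.0.0 0.0.0.0 0 0.0.0.0 0.0.0.0 0 any 100.10.1.1 1')]
    return OutboundLLB(links, eroutes, bw_priority=1500)

def decide(src, dst, isp1_load=0, isp2_load=0, isp1_up=True, isp2_up=True):
    """One decision for a constructed TCP/443 flow under the given link state."""
    llb = build_from_page()
    llb.links["100.10.1.1"].load_mbps, llb.links["100.10.1.1"].up = isp1_load, isp1_up
    llb.links["200.20.1.1"].load_mbps, llb.links["200.20.1.1"].up = isp2_load, isp2_up
    return llb.select(Flow(src, 40000, dst, 443, "tcp"))

def wrr_sequence(n: int) -> list:
    """Gateways chosen for n flows when no Eroute matches (weights 1:2)."""
    llb = build_from_page()
    llb.eroutes = []   # constructed: without Eroutes the LLB method decides
    return [llb.select(Flow("10.9.0.1", 40000, "8.8.8.8", 443, "tcp"))[1] for _ in range(n)]
```

Running decide("10.3.1.5", "192.168.4.7", isp1_load=600) still returns the ISP1 gateway because er1 outranks bw_priority, whereas decide("10.4.1.5", "192.168.5.7", isp2_load=350) leaves er2's gateway and lands on ISP1 through wrr; that is the behaviour the two sentences above describe, with the catch-all er3 moving to ISP2 once ISP1 reaches its 500Mbps threshold.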

  • Step 6 Configure NAT rules for outbound LLB

Whichever ISP the LLB method selects for a session, a NAT rule for that ISP's VIP must already exist. The rule translates the source address of the outbound traffic to an address in the selected ISP's range, so that return traffic comes back over the same ISP.

NAT for ISP1:

FortiBalancer(config)#nat port 100.10.1.10 192.168.1.0 255.255.0.0

NAT for ISP2:

FortiBalancer(config)#nat port 200.20.1.10 192.168.1.0 255.255.0.0

Two points to check here. The source mask 255.255.0.0 translates every 192.168.x.x source, not only the 192.168.1.0/24 subnet configured on Port2; use 255.255.255.0 if only that subnet should reach the Internet through the appliance. And the NAT addresses 100.10.1.10 and 200.20.1.10 must be addresses for which the appliance answers on the respective ISP segment (in the clustered example in section 13.3.2 they are defined as cluster VIPs); otherwise the ISP router cannot deliver the return traffic.

  • Step 7 Other required configuration

Enable IPflow so that all packets of one connection are sent over the same link and translated by the same NAT rule. By default, IPflow is disabled.

FortiBalancer(config)#ip ipflow on

Turn on RTS (Return to Sender) so that a reply (for example an ICMP echo reply) leaves through the link on which the corresponding request (the ICMP echo request) arrived, rather than through whichever gateway the routing or LLB decision would otherwise pick. By default, RTS is disabled.

FortiBalancer(config)#ip rts on

13.3.2 Outbound LLB Configuration (Two FortiBalancer Appliances)

In this implementation example, two FortiBalancer appliances will be configured to load balance outbound traffic through two ISPs. This is the preferred implementation approach because the secondary FortiBalancer appliance provides physical fault tolerance. If either FortiBalancer appliance should fail, network connectivity will not be interrupted.

13.3.2.1 Configuration Guidelines

 

Figure 13-2 Outbound LLB (Two FortiBalancer Appliances)

Table 13-3 General Settings of Outbound LLB

Operation                                          Command
Configure interface IP address                     ip address {system_ifname|mnet_ifname|vlan_ifname|bond_ifname} <ip_address> {netmask|prefix}
Configure MNET                                     mnet {system_ifname|bond_ifname} <user_interface_name>
Configure a cluster virtual router                 cluster virtual {on|off} [cluster_id|0] [interface_name]
                                                   cluster virtual ifname <interface_name> <cluster_id>
                                                   cluster virtual vip <interface_name> <cluster_id> <vip>
                                                   cluster virtual priority <interface_name> <cluster_id> <priority> [synconfig_peer_name]
Configure LLB health check                         llb link route <link_name> <route_ip> [weight] [hc_srcip] [bandwidth_threshold]
                                                   llb link health {on|off}
Configure cluster virtual IPs for NATing traffic   cluster virtual {on|off} [cluster_id|0] [interface_name]
                                                   cluster virtual ifname <interface_name> <cluster_id>
                                                   cluster virtual vip <interface_name> <cluster_id> <vip>
                                                   cluster virtual priority <interface_name> <cluster_id> <priority> [synconfig_peer_name]
Configure Eroutes and manage link bandwidth        ip eroute <name> <priority> <srcip> {srcmask|prefix} <srcport> <dsthost> {dstmask|prefix} <dstport> <proto> <gatewayip> [weight]
                                                   llb link route <link_name> <route_ip> [weight] [hc_srcip] [bandwidth_threshold]
                                                   llb link bw_priority <priority>
Configure NAT                                      nat port {pool_name|vip} <source_ip> {netmask|prefix} [timeout] [gateway] [description]
Enable IPflow and RTS                              ip ipflow {on|off}
                                                   ip rts {on|off}

13.3.2.2 Configuration Example via the CLI

Follow these steps to configure outbound link load balancing with clustered FortiBalancer appliances. Because the secondary appliance needs additional configuration, and to avoid repeating material, this example assumes familiarity with the basic configuration illustrated in the previous section. Optional settings are left at their default values and are not shown.

  • Step 1 Configure interface IP addresses

You will need to define IP addresses on both FortiBalancer appliances. The same MNET names may be used on both FortiBalancer appliances.

(FortiBalancer1) Port1 and Port2 IP address configuration:

FortiBalancer1(config)#ip address port1 100.10.1.2 255.255.255.0

FortiBalancer1(config)#mnet port1 outside_isp2

FortiBalancer1(config)#ip address outside_isp2 200.20.1.2 255.255.255.0

FortiBalancer1(config)#ip address port2 192.168.1.2 255.255.255.0

(FortiBalancer2) Port1 and Port2 IP address configuration:

FortiBalancer2(config)#ip address port1 100.10.1.3 255.255.255.0

FortiBalancer2(config)#mnet port1 outside_isp2

FortiBalancer2(config)#ip address outside_isp2 200.20.1.3 255.255.255.0

FortiBalancer2(config)#ip address port2 192.168.1.3 255.255.255.0

  • Step 2 Configure a cluster virtual router for outbound traffic

Outbound traffic (from behind the FortiBalancer appliances) must be forwarded to an IP address on the FortiBalancer appliances. To provide a fault tolerant gateway for inside devices, a virtual cluster VIP must be configured.

(FortiBalancer1) Configure the first FortiBalancer appliance as the master virtual router for all interfaces so it will process outbound traffic. Assign it a higher priority than the secondary FortiBalancer appliance.

FortiBalancer1(config)#cluster virtual ifname port2 1

FortiBalancer1(config)#cluster virtual vip port2 1 192.168.1.1

FortiBalancer1(config)#cluster virtual priority port2 1 200

FortiBalancer1(config)#cluster virtual on 1 port2

(FortiBalancer2) Configure the secondary FortiBalancer appliance as a backup virtual router for all interfaces so it will not process outbound traffic unless the primary FortiBalancer appliance fails. Assign it a lower priority than the primary FortiBalancer appliance.

FortiBalancer2(config)#cluster virtual ifname port2 1

FortiBalancer2(config)#cluster virtual vip port2 1 192.168.1.1

FortiBalancer2(config)#cluster virtual priority port2 1 100

FortiBalancer2(config)#cluster virtual on 1 port2

  • Step 3 Configure basic LLB health check

(Both FortiBalancers) Health check an address on the other side of each ISP's WAN router and turn on link health checking. Each appliance uses its own Port1 and outside_isp2 addresses as the health-check source IP (hc_srcip), so that probe replies return to the appliance that sent them:

FortiBalancer1(config)#llb link route ISP1 100.10.1.1 1 100.10.1.2 0Mbps

FortiBalancer1(config)#llb link route ISP2 200.20.1.1 2 200.20.1.2 0Mbps

FortiBalancer1(config)#llb link health on

FortiBalancer2(config)#llb link route ISP1 100.10.1.1 1 100.10.1.3 0Mbps

FortiBalancer2(config)#llb link route ISP2 200.20.1.1 2 200.20.1.3 0Mbps

FortiBalancer2(config)#llb link health on

  • Step 4 Configure Eroutes and manage link bandwidth

To make different traffic go through different links, configure the Eroutes for two LLB links.

FortiBalancer1(config)#ip eroute "er1" 1600 10.3.0.0 255.255.0.0 0 192.168.4.0 255.255.255.0 0 any 100.10.1.1 1

FortiBalancer1(config)#ip eroute "er2" 1400 10.4.0.0 255.255.0.0 0 192.168.5.0 255.255.255.0 0 any 200.20.1.1 1

FortiBalancer2(config)#ip eroute "er1" 1600 10.3.0.0 255.255.0.0 0 192.168.4.0 255.255.255.0 0 any 100.10.1.1 1

FortiBalancer2(config)#ip eroute "er2" 1400 10.4.0.0 255.255.0.0 0 192.168.5.0 255.255.255.0 0 any 200.20.1.1 1

To make traffic that does not match the preceding Eroute configurations go through ISP1, configure the following Eroute:

FortiBalancer1(config)#ip eroute "er3" 1001 0.0.0.0 0.0.0.0 0 0.0.0.0 0.0.0.0 0 any 100.10.1.1 1

FortiBalancer2(config)#ip eroute "er3" 1001 0.0.0.0 0.0.0.0 0 0.0.0.0 0.0.0.0 0 any 100.10.1.1 1

If necessary, update the LLB link bandwidth thresholds, again with each appliance's own interface address as hc_srcip.

FortiBalancer1(config)#llb link route ISP1 100.10.1.1 1 100.10.1.2 500Mbps

FortiBalancer1(config)#llb link route ISP2 200.20.1.1 2 200.20.1.2 300Mbps

FortiBalancer2(config)#llb link route ISP1 100.10.1.1 1 100.10.1.3 500Mbps

FortiBalancer2(config)#llb link route ISP2 200.20.1.1 2 200.20.1.3 300Mbps

The bandwidth threshold takes effect only for traffic selected by Eroutes whose priority is lower than the bandwidth priority set with llb link bw_priority:

FortiBalancer1(config)#llb link bw_priority 1500

FortiBalancer2(config)#llb link bw_priority 1500

Because the priority of Eroute "er1" (1600) is higher than the bandwidth priority (1500), the gateway specified by that Eroute is used regardless of the bandwidth threshold of ISP1. By comparison, Eroute "er2" (1400) is subject to the bandwidth threshold of ISP2, and the catch-all Eroute "er3" (1001) is subject to the bandwidth threshold of ISP1.

  • Step 5 Configure cluster Virtual IPs for NATing traffic

(FortiBalancer1) Cluster VIPs for NAT on each ISP. Assign a higher priority than the secondary FortiBalancer appliance. The second VIP lives on the MNET created in Step 1, so the interface name must be exactly outside_isp2.

FortiBalancer1(config)#cluster virtual ifname port1 1

FortiBalancer1(config)#cluster virtual vip port1 1 100.10.1.10

FortiBalancer1(config)#cluster virtual priority port1 1 200

FortiBalancer1(config)#cluster virtual on 1 port1

FortiBalancer1(config)#cluster virtual ifname outside_isp2 1

FortiBalancer1(config)#cluster virtual vip outside_isp2 1 200.20.1.10

FortiBalancer1(config)#cluster virtual priority outside_isp2 1 200

FortiBalancer1(config)#cluster virtual on 1 outside_isp2

(FortiBalancer2) Cluster VIPs for NAT on each ISP. Assign them a lower priority than the primary FortiBalancer appliance.

FortiBalancer2(config)#cluster virtual ifname port1 1

FortiBalancer2(config)#cluster virtual vip port1 1 100.10.1.10

FortiBalancer2(config)#cluster virtual priority port1 1 100

FortiBalancer2(config)#cluster virtual on 1 port1

FortiBalancer2(config)#cluster virtual ifname outside_isp2 1

FortiBalancer2(config)#cluster virtual vip outside_isp2 1 200.20.1.10

FortiBalancer2(config)#cluster virtual priority outside_isp2 1 100

FortiBalancer2(config)#cluster virtual on 1 outside_isp2

  • Step 6 Configure NAT for outbound LLB sessions

(Both FortiBalancers) NAT rules for ISP1 and ISP2, using the cluster VIPs from Step 5 as the NAT addresses. The source mask 255.255.0.0 translates all of 192.168.0.0/16; use 255.255.255.0 if only the 192.168.1.0/24 subnet on Port2 should be translated.

FortiBalancer1(config)#nat port 100.10.1.10 192.168.1.0 255.255.0.0

FortiBalancer1(config)#nat port 200.20.1.10 192.168.1.0 255.255.0.0

FortiBalancer2(config)#nat port 100.10.1.10 192.168.1.0 255.255.0.0

FortiBalancer2(config)#nat port 200.20.1.10 192.168.1.0 255.255.0.0

  • Step 7 Other required configuration

(Both FortiBalancers) Enable IPflow so that all packets of one connection are sent over the same link and translated by the same NAT rule. By default, IPflow is disabled.

FortiBalancer1(config)#ip ipflow on

FortiBalancer2(config)#ip ipflow on

Turn on RTS (Return to Sender) so that a reply (for example an ICMP echo reply) leaves through the link on which the corresponding request (the ICMP echo request) arrived. By default, RTS is disabled.

FortiBalancer1(config)#ip rts on

FortiBalancer2(config)#ip rts on

