Advanced Network Configuration – FortiBalancer

2.2 Advanced Network Configuration

2.2.1 Configuration Guidelines

To better assist you with configuration strategies that maximize the power of the FortiBalancer appliance, please take a moment to familiarize yourself with the network architecture for advanced network configuration.


Figure 2-5 Advanced Network Architecture

The table below lists the most important configuration elements from the figure above:

Table 2-2 Advanced Network Configurations

IP Address Description
10.10.0.1/24 Gateway IP Address
10.10.0.2/24 Management IP Address
192.168.10.1/24 Port2 Interface IP Address
192.168.10.0/24 NAT
192.168.10.10 Real Server #1
192.168.10.11 Real Server #2
192.168.10.12 Real Server #3
192.168.10.13 Real Server #4
192.168.10.14 Real Server #5
10.10.0.3 Nameserver/NTP server

Table 2-3 General Settings of Advanced Network Configuration

Operation                  Command
Configure VLAN             vlan {system_ifname|bond_ifname} <user_interface_name> <vlan_tag>
Configure MNET             mnet {system_ifname|bond_ifname} <user_interface_name>
Configure Port Forwarding  fwd tcp <local_ip> <local_port> <remote_ip> <remote_port> [timeout]
                           fwd udp <local_ip> <local_port> <remote_ip> <remote_port> [timeout]
Configure NAT              nat port {pool_name|vip} <source_ip> {netmask|prefix} [timeout] [gateway] [description]
                           nat static <vip> <network_ip> [timeout] [gateway] [description]
Configure Dynamic Routing  rip {on|off}
                           rip network <ip_address> <netmask>
                           ospf {on|off}
                           ospf network <ip_address> <netmask> <area_id>
Configure IP pool          ip pool <pool_name> <start_ip> [end_ip]
                           slb proxyip global <pool_name>
                           slb proxyip group <group_name> <pool_name>

2.2.2 Configuration Example via CLI

2.2.2.1 VLAN Configuration

In our example, we are going to create two VLANs, “inside-vlan1” and “inside-vlan2”. The “inside-vlan1” has a tag of 500 and “inside-vlan2” has a tag of 3001. These tags are inserted into the Ethernet frame.

  • Step 1 Define a VLAN interface by using the “vlan” command

FortiBalancer(config)#vlan port2 inside-vlan1 500

FortiBalancer(config)#vlan port2 inside-vlan2 3001

  • Step 2 Assign an IP address to each VLAN interface by using the “ip address” command

FortiBalancer(config)#ip address inside-vlan1 192.168.1.1 255.255.255.0

FortiBalancer(config)#ip address inside-vlan2 192.168.2.1 255.255.255.0

An interface with VLAN configuration must be connected to a switch or router port with tagged VLANs (trunking) enabled. See your switch vendor’s documentation on how to set up tagged VLANs.

2.2.2.2 MNET Configuration

Configuring MNET on the port2 interface is very similar to VLAN configuration. For our example network, we will run two networks over the port2 interface, 192.168.1.1/24 and 192.168.2.1/24.

  • Step 1 Define our mnet interfaces by using the “mnet” command

FortiBalancer(config)#mnet port2 mnet1

FortiBalancer(config)#mnet port2 mnet2

  • Step 2 Assign an IP address to each MNET by using the “ip address” command

FortiBalancer(config)#ip address mnet1 192.168.1.1 255.255.255.0

FortiBalancer(config)#ip address mnet2 192.168.2.1 255.255.255.0

Again, refer to your vendor’s switch/router documentation on how to set up their interface for use with MNET.

2.2.2.3 Port Forwarding Configuration

For our example configuration, we configure TCP port forwarding as follows:

FortiBalancer(config)#fwd tcp 10.10.0.2 4000 192.168.10.10 22 300

We picked an arbitrary high port to use. You should not use a port below 1024 on the FortiBalancer appliance, since other services might be listening on those ports, e.g. 443 (for SSL) and 80 (for HTTP). We can choose a port below 1024 on the real server, since that is the service we want to connect to. To view or alter these forwarding rules, use the “show”, “no” or “clear” versions of the above commands.

2.2.2.4 NAT Configuration

For our configuration example, use the following command:

FortiBalancer(config)#nat port 10.10.0.2 192.168.10.0 255.255.255.0 60 10.10.0.1

This command will perform NAT on the 192.168.10.0/24 network. In our example, the VIP 10.10.0.2 and the route gateway 10.10.0.1 are within the same network segment. Therefore the parameter “gateway” in the command “nat port” can be set to the default value 0.0.0.0 or the route gateway. If the VIP and the route gateway are not in the same network segment, the parameter “gateway” in the command “nat port” must be set to the route gateway.

We can change the netmask to allow only certain blocks of the inside network to access the external network. For example, the following command will only allow the IP addresses ranging from 192.168.10.0 through 192.168.10.128 to access the external network:

FortiBalancer(config)#nat port 10.10.0.2 192.168.10.0 255.255.255.128 60 0.0.0.0

If we want to allow the remaining top half of the IP address range (192.168.10.129-192.168.10.254) to access the external network, we do the following:

FortiBalancer(config)#nat port 10.10.0.2 192.168.10.129 255.255.255.128 60 0.0.0.0

If we want to allow one real IP address to access the external network, we will configure static NAT:

FortiBalancer(config)#nat static 10.10.0.2 192.168.10.12
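The following added example is not FortiBalancer code; it is a small config lint for the “fwd” and “nat port” lines in the port forwarding and NAT sections above. It flags a local forwarding port below 1024 (the caveat given above), computes the exact address span a source network/netmask pair actually covers (which matters when the source address is not the network address, as with 192.168.10.129/255.255.255.128), and flags a “nat port” rule that leaves the gateway at 0.0.0.0 while the VIP is outside the route gateway’s segment. It assumes the route gateway 10.10.0.1/24 from Table 2-2; the sample lines are constructed from this page’s examples plus two deliberately bad ones.

```python
# Added example, not FortiBalancer code: lint "fwd" / "nat port" lines against the page's
# guidelines. Sample lines are constructed; the gateway segment 10.10.0.1/24 is an assumption.
import ipaddress

ROUTE_GATEWAY_NET = ipaddress.ip_network("10.10.0.1/24", strict=False)  # 10.10.0.0/24
UNSET_GATEWAY = ipaddress.ip_address("0.0.0.0")

SAMPLE_CONFIG = """
fwd tcp 10.10.0.2 4000 192.168.10.10 22 300
fwd tcp 10.10.0.2 443 192.168.10.11 443 300
nat port 10.10.0.2 192.168.10.0 255.255.255.128 60 0.0.0.0
nat port 10.10.0.2 192.168.10.129 255.255.255.128 60 0.0.0.0
nat port 172.16.5.2 192.168.10.0 255.255.255.0 60 0.0.0.0
nat static 10.10.0.2 192.168.10.12
"""

def nat_range(network_ip, netmask):
    """Exact first/last address a 'nat port <source_ip> <netmask>' pair covers."""
    net = ipaddress.ip_network(f"{network_ip}/{netmask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)

def lint_line(line):
    """Return the findings for one fwd/nat CLI line; an empty list means clean."""
    parts = line.split()
    findings = []
    if parts[:1] == ["fwd"] and len(parts) >= 6:
        local_port = int(parts[3])
        # Ports below 1024 on the appliance may already be used by its own services (80, 443, ...).
        if local_port < 1024:
            findings.append(f"fwd: local port {local_port} is below 1024 and may collide with appliance services")
    elif parts[:2] == ["nat", "port"] and len(parts) >= 5:
        vip = ipaddress.ip_address(parts[2])
        first, last = nat_range(parts[3], parts[4])
        # A source_ip that is not the network address (e.g. .129 with a /25 mask) widens to .128-.255.
        if first != parts[3]:
            findings.append(f"nat port: {parts[3]}/{parts[4]} actually covers {first}-{last}")
        gateway = ipaddress.ip_address(parts[6]) if len(parts) > 6 else UNSET_GATEWAY
        # The gateway may stay 0.0.0.0 only when the VIP sits in the route gateway's segment.
        if gateway == UNSET_GATEWAY and vip not in ROUTE_GATEWAY_NET:
            findings.append(f"nat port: VIP {vip} is outside {ROUTE_GATEWAY_NET}; set the gateway explicitly")
    return findings

def lint_config(text):
    """Map each non-clean config line to its findings."""
    report = {}
    for line in text.strip().splitlines():
        findings = lint_line(line)
        if findings:
            report[line] = findings
    return report
```

Running lint_config(SAMPLE_CONFIG) reports three of the six constructed lines: the port-443 forward, the .129/25 NAT rule, and the NAT rule whose VIP is outside 10.10.0.0/24.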

2.2.2.5 Dynamic Routing Configuration


Figure 2-6 Dynamic Routing Configuration

  • Step 1 RIP Configurations

FortiBalancer(config)#rip on

FortiBalancer(config)#rip version 2

FortiBalancer(config)#rip network 172.16.31.0 255.255.255.0

FortiBalancer(config)#rip network 172.16.32.0 255.255.255.0

  • Step 2 OSPF Configurations

FortiBalancer(config)#ospf on

FortiBalancer(config)#ospf network 172.16.32.0 255.255.255.0 0

FortiBalancer(config)#ospf network 172.16.31.0 255.255.255.0 0

After these configurations, you can view the dynamically generated routes by using the “show ip route” command.

FortiBalancer(config)#show ip route

RIP routes:

Destination     Netmask         Gateway

172.16.39.0     255.255.255.0   172.16.31.67

OSPF routes:

Destination     Netmask         Gateway

172.16.41.0     255.255.255.0   172.16.32.2

Now that the very basics of our example network configurations are implemented, it is time to move forward to configure the FortiBalancer appliance to operate seamlessly within the network architecture.

2.2.2.6 IP Pool Configuration

Configuration Example for NAT IP Pool via CLI

In our example, we are going to configure IP pools for NAT.

  • Step 1 Define IP pools by using the “ip pool” command

FortiBalancer(config)#ip pool “pool1” 124.0.0.22 124.0.0.22

FortiBalancer(config)#ip pool “pool2” 124.0.1.22 124.0.1.22

  • Step 2 Define the IP pool for NAT via the “nat port” command

FortiBalancer(config)#nat port “pool1” 1.1.1.0 255.255.255.0 60 124.0.0.125

FortiBalancer(config)#nat port “pool2” 1.1.1.0 255.255.255.0 60 124.0.1.125

Configuration Example for SLB IP Pool via CLI

In our example, we are going to configure IP pools for SLB.

  • Step 1 Define IP pools by using the “ip pool” command

FortiBalancer(config)#ip pool “pool1” 124.0.0.22 124.0.0.22

FortiBalancer(config)#ip pool “pool2” 124.0.1.22 124.0.1.22

  • Step 2 Define the IP pool as the global proxy IP pool by using the “slb proxyip global” command

FortiBalancer(config)#slb proxyip global “pool2”

  • Step 3 Assign the IP pools for SLB group

FortiBalancer(config)#slb proxyip group “gpi” “pool1”

Note: Group IP pools take priority over global IP pools.

