NAT Load Balancing Overview

Topics:

•

NAT LB Mechanisms

•

Determining the NAT LB Method to Use

•

Caveats

•

Details of Load Balancing Algorithms

Network Address Translation (NAT) and Load Balancing (LB) provides the ability to balance incoming traffic across multiple, similar network resources. Do not confuse this with the WAN ISP and LB feature on the firewall. While both features can be used in conjunction, WAN ISP and LB is used to balance outgoing traffic across two ISP connections, and NAT LB is primarily used to balance incoming traffic.

Load Balancing distributes traffic among similar network resources so that no single server becomes overwhelmed, allowing for reliability and redundancy. If one server becomes unavailable, traffic is routed to available resources, providing maximum uptime.

This section details how to configure the necessary NAT, load balancing, health check, logging, and firewall rules to allow systems from the public Internet to access a Virtual IP (VIP) that maps to one or more internal systems, such as Web servers, FTP servers, or SonicWALL SRA appliances. This Virtual IP may be independent of the firewall or it may be shared, assuming the firewall itself is not using the port(s) in question.


	NOTE: The load balancing capability in SonicOS, while fairly basic, satisfies the requirements for many customer network deployments. Customers with environments needing more granular load balancing, persistence and health-check mechanisms are advised to use a dedicated third-party load-balancing appliance.

NAT LB Mechanisms

NAT load balancing is configured on the Advanced tab of the Add/Edit NAT Policy dialog:


	NOTE: Except for the Disable Source Port Remap option, the options on this tab can only be activated when a group is specified in one of the drop-down menus on the General tab. Otherwise, the NAT policy defaults to Sticky IP as the NAT method.

SonicOS offers the following advanced configuration options:

•

NAT Methods

•

High Availability

Sticky IP – Source IP always connects to the same Destination IP (assuming it is alive). This method is best for publicly hosted sites requiring connection persistence, such as Web applications, Web forms, or shopping cart applications. This is the default mechanism, and is recommended for most deployments.

•

Round Robin – Source IP cycles through each live load-balanced resource for each connection. This method is best for equal load distribution when persistence is not required.

•

Block Remap/Symmetrical Remap – These two methods are useful when you know the source IP addresses/networks (for example, when you want to precisely control how traffic from one subnet is translated to another).

•

Random Distribution – Source IP connects to Destination IP randomly. This method is useful when you wish to randomly spread traffic across internal resources.

Optionally, force the appliance to only do IP address translation and no port translation for the NAT policy, select the Disable Source Port Remap checkbox. SonicOS preserves the source port of the connection while executing other NAT mapping. This option is available when adding or editing a NAT policy if the source IP address is being translated. This option is not selected by default.


	NOTE: This option is unavailable and dimmed if the Translated Source (on the General tab) is set to Original.

You can select this option to temporarily take the interface offline for maintenance or other reasons. If connected, the link goes down. Clear the checkbox to activate the interface and allow the link to come back up.

High Availability

Optionally, select Enable Probing. When checked, the firewall uses one of two methods to probe the addresses in the load-balancing group, using either a simple ICMP ping query to determine if the resource is alive, or a TCP socket open query to determine if the resource is alive. Per the configurable intervals, the firewall can direct traffic away from a non-responding resource, and return traffic to the resource after it has begun to respond again.

When Enable Probing is selected, the following options become available:

•

Probe hosts every n seconds – Specify the interval between host probes. The default is 5 seconds.

•

Probe type — Select the probe type, such as TCP, from the drop-down menu. The default is TCP.

•

Port – Specify the port. The default is 80.

•

Reply time out – Specify the maximum length of time before a time out. The default is 3 seconds.

•

Deactivate host after n missed intervals – Specify the maximum number of intervals that a host can miss before being deactivated. The default is 3.

•

Reactivate host after n successful intervals – Specify the minimum number of successful intervals before a host can be reactivated. The default is 3.

•

Enable Port Probing – Select to enable port probing for TCP. Selecting this option enhances NAT to also consider the port while load balancing. This option is disabled by default.

•

RST Response Counts as Miss – Select to count RST responses as misses. The option is selected by default if Enable Port Probing is selected.

Determining the NAT LB Method to Use

Table 34. Deciding which NAT LB method to use
Requirement	Deployment Example	NAT LB Method
Distribute load on server equally without need for persistence	External/ Internal servers (such as, Web or FTP)	Round Robin
Indiscriminate load balancing without need for persistence	External/ Internal servers (such as, Web or FTP)	Random Distribution
Requires persistence of client connection	E-commerce site, Email Security, SonicWALL SRA appliance (Any publicly accessible servers requiring persistence)	Sticky IP
Precise control of remap of source network to a destination range	LAN to DMZ Servers Email Security, SonicWALL SRA appliance	Block Remap
Precise control of remap of source network and destination network	Internal Servers (such as, Intranets or Extranets)	Symmetrical Remap