NAT Load Balancing Overview

Network Address Translation (NAT) & Load Balancing (LB) provides the ability to balance incoming traffic across multiple, similar network resources. Do not confuse this with the WAN ISP & LB feature on the firewall. While both features can be used in conjunction, WAN ISP & LB is used to balance outgoing traffic across two ISP connections, and NAT LB is primarily used to balance incoming traffic.

Load Balancing distributes traffic among similar network resources so that no single server becomes overwhelmed, allowing for reliability and redundancy. If one server becomes unavailable, traffic is routed to available resources, providing maximum uptime.

This section details how to configure the necessary NAT, load balancing, health check, logging, and firewall rules to allow systems from the public Internet to access a Virtual IP (VIP) that maps to one or more internal systems, such as Web servers, FTP servers, or SonicWALL SRA appliances. This Virtual IP may be independent of the firewall or it may be shared, assuming the firewall itself is not using the port(s) in question.

NAT LB Mechanisms

NAT load balancing is configured on the Advanced tab of the Add/Edit NAT Policy dialog:

NOTE: This tab can only be activated when a group is specified in one of the drop-down fields on the General tab of a NAT Policy. Otherwise, the NAT policy defaults to Sticky IP as the NAT method.

SonicOS offers the following advanced configuration options:

NAT Methods

Sticky IP – Source IP always connects to the same Destination IP (assuming it is alive). This method is best for publicly hosted sites requiring connection persistence, such as Web applications, Web forms, or shopping cart applications. This is the default mechanism and is recommended for most deployments.
Round Robin – Source IP cycles through each live load-balanced resource for each connection. This method is best for equal load distribution when persistence is not required.
Block Remap/Symmetrical Remap – These two methods are useful when you know the source IP addresses/networks (e.g. when you want to precisely control how traffic from one subnet is translated to another).
Random Distribution – Source IP connects to Destination IP randomly. This method is useful when you wish to randomly spread traffic across internal resources.

High Availability

Optionally, select Enable Probing. When checked, the firewall probes the addresses in the load-balancing group with one of two methods to determine whether each resource is alive: a simple ICMP ping query, or a TCP socket open query. Per the configurable intervals, the firewall can direct traffic away from a non-responding resource and return traffic to the resource after it has begun to respond again.

When Enable Probing is selected, the following options become available:

Probe hosts every n seconds – Specify the interval between host probes. The default is 5 seconds.
Probe type – Select the probe type, such as TCP, from the drop-down menu. The default is TCP.
Port – Specify the port. The default is 80.
Reply timeout – Specify the maximum length of time to wait for a reply before the probe times out. The default is 3 seconds.
Deactivate host after n missed intervals – Specify the maximum number of consecutive intervals that a host can miss before being deactivated. The default is 3.
Reactivate host after n successful intervals – Specify the minimum number of consecutive successful intervals before a deactivated host is reactivated. The default is 3.
Enable Port Probing – Select to enable port probing.
RST Response Counts as Miss – Select to count a TCP RST response as a missed probe rather than as a live reply. The option is selected by default.
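The probing options above amount to a small state machine per host: consecutive misses take a host out of the pool, consecutive successes bring it back, and an RST may count either way. The following is an added example, not SonicOS code, modelling that logic with the documented defaults (3 missed intervals to deactivate, 3 successful intervals to reactivate, RST counts as a miss); the class and result labels are assumed names.

```python
from dataclasses import dataclass

# Constructed model (not SonicOS code) of the Enable Probing options with their
# documented defaults. Probe results are labelled 'ok', 'timeout' or 'rst'.


@dataclass
class ProbeTracker:
    """Track one load-balanced host across probe intervals."""
    host: str
    deactivate_after: int = 3   # "Deactivate host after n missed intervals"
    reactivate_after: int = 3   # "Reactivate host after n successful intervals"
    rst_is_miss: bool = True    # "RST Response Counts as Miss" (default on)
    active: bool = True
    misses: int = 0             # consecutive misses while active
    successes: int = 0          # consecutive successes while deactivated

    def record(self, result: str) -> bool:
        """Feed one probe result; return whether the host is active afterwards."""
        hit = result == "ok" or (result == "rst" and not self.rst_is_miss)
        if hit:
            self.misses = 0                      # any reply breaks a miss streak
            if not self.active:
                self.successes += 1
                if self.successes >= self.reactivate_after:
                    self.active, self.successes = True, 0
        else:
            self.successes = 0                   # a miss breaks a recovery streak
            if self.active:
                self.misses += 1
                if self.misses >= self.deactivate_after:
                    self.active, self.misses = False, 0
        return self.active


def live_hosts(trackers) -> list:
    """Hosts the firewall may currently direct traffic to."""
    return [t.host for t in trackers if t.active]


def replay(host: str, results: list, **opts) -> list:
    """Replay a constructed probe history and return the active state after each interval."""
    tracker = ProbeTracker(host, **opts)
    return [tracker.record(r) for r in results]
```

Replaying a history such as `["timeout", "rst", "timeout", "ok", "ok", "ok"]` shows the host dropping out on the third miss and returning only after three clean intervals.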

Determining the NAT LB Method to Use

Table 36. Deciding which NAT LB method to use

Requirement                                                          | Deployment Example                                                                                        | NAT LB Method
-------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -------------------
Distribute load on servers equally without need for persistence      | External/Internal servers (such as Web or FTP)                                                            | Round Robin
Indiscriminate load balancing without need for persistence           | External/Internal servers (such as Web or FTP)                                                            | Random Distribution
Requires persistence of client connection                            | E-commerce site, Email Security, SonicWALL SRA appliance (any publicly accessible servers requiring persistence) | Sticky IP
Precise control of remap of source network to a destination range    | LAN to DMZ servers; Email Security, SonicWALL SRA appliance                                               | Block Remap
Precise control of remap of source network and destination network   | Internal servers (such as Intranets or Extranets)                                                         | Symmetrical Remap

Caveats

The following are not available at present:

While there is no limit to the number of internal resources that the Dell SonicWALL network security appliance can load-balance to, and no limit to the number of hosts it can monitor, abnormally large load-balancing groups (25+ resources) may impact performance.

Details of Load Balancing Algorithms

The following describes how the firewall applies the load balancing algorithms:

Round Robin - Source IP connects to Destination IP alternately
Random Distribution - Source IP connects to Destination IP randomly
Sticky IP - Source IP connects to the same Destination IP
Block Remap - Source network is divided by the size of the Destination pool to create logical segments
Symmetrical Remap - Source IP maps to Destination IP one-to-one (for example, 10.1.1.10 -> 192.168.60.10)

Sticky IP Algorithm

The Source IP is taken modulo the size of the server cluster to determine the server to remap it to. The following two examples show how the Sticky IP algorithm works.

Example one - Mapping to a network:

Original Source = 192.168.0.2 to 192.168.0.4
Translated Destination = 10.50.165.0/30 (Network; 2 usable host addresses)

Packet Source IP = 192.168.0.2
192.168.0.2 = C0A80002 = 3232235522 = 11000000101010000000000000000010
(IP -> Hex -> Dec -> Binary)

Sticky IP Formula = Packet Src IP [modulo] TransDest Size, with TransDest Size = 2
= 3232235522 [modulo] 2
= 0
(2 divides into the numerator evenly. There is no remainder, thus 0.)

The Sticky IP Formula yields an offset of 0.
Destination remapping to 10.50.165.1.

Example two - Mapping to an IP address range:

Original Source = 192.168.0.2 to 192.168.0.4
Translated Destination = 10.50.165.1 - 10.50.165.3 (Range; 3 addresses)

Packet Src IP = 192.168.0.2
192.168.0.2 = C0A80002 = 3232235522 = 11000000101010000000000000000010
(IP -> Hex -> Dec -> Binary)

Sticky IP Formula = Packet Src IP [modulo] TransDest Size, with TransDest Size = 3
= 3232235522 [modulo] 3
= 1077411840.6666667 - 1077411840
= 0.6666667 * 3
= 2

The Sticky IP Formula yields an offset of 2.
Destination remapping to 10.50.165.3.
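The two worked examples above can be reproduced for any source address and pool, which makes it easy to check which internal server a given client will stick to. The following is an added example, not SonicOS code: it expands a translated-destination object into its ordered host list (usable hosts for a network, every address for a range, matching the sizes used in the examples) and applies the modulo rule; the function names are assumptions.

```python
import ipaddress

# Added example (not SonicOS code) of the Sticky IP computation: the source IP
# as a 32-bit integer, modulo the translated-destination pool size, selects the
# offset into the pool. Pool sizes follow the document's examples: a network
# object counts usable host addresses (a /30 has 2), a range counts every
# address in it (10.50.165.1-10.50.165.3 has 3).


def pool_hosts(translated_dest: str) -> list:
    """Expand a translated-destination object into its ordered list of hosts."""
    if "-" in translated_dest:                      # range, e.g. "10.50.165.1-10.50.165.3"
        first, last = (ipaddress.ip_address(p.strip()) for p in translated_dest.split("-"))
        if int(last) < int(first):
            raise ValueError("range end precedes range start")
        return [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
    net = ipaddress.ip_network(translated_dest, strict=False)   # network, e.g. "10.50.165.0/30"
    return list(net.hosts())                        # excludes network and broadcast addresses


def sticky_ip(src_ip: str, translated_dest: str) -> tuple:
    """Return (offset, destination) that Sticky IP selects for a packet source address."""
    hosts = pool_hosts(translated_dest)
    if not hosts:
        raise ValueError("translated destination contains no hosts")
    src = int(ipaddress.ip_address(src_ip))         # 192.168.0.2 -> 0xC0A80002 -> 3232235522
    offset = src % len(hosts)                       # e.g. 3232235522 % 2 = 0, % 3 = 2
    return offset, str(hosts[offset])


def stickiness_table(src_ips: list, translated_dest: str) -> dict:
    """Map each client source address to the server it will always be sent to."""
    return {ip: sticky_ip(ip, translated_dest)[1] for ip in src_ips}
```

Running `stickiness_table(["192.168.0.2", "192.168.0.3", "192.168.0.4"], "10.50.165.0/30")` shows adjacent client addresses alternating between the two pool hosts while each individual client always lands on the same one.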