OK, so you want six different listeners all to be served by the same
machine. As a kicker, you'd like incoming connections to be load balanced,
if possible. Is that right?

I'm going to assume that connections are coming from outside your firewall.
I'm calling the machine that is offering the service the server.

Firstly, you say you're going to use virtual IP addresses (I guess that
means multihoming) on the server. Can you also multiplex by port - in other
words, have daemon1 on port 1111, daemon2 on 2222, etc.? This gives you more
flexibility.

So, you can either:

Simple solution: Create six NAT mappings on the outside of the firewall (so,
different IP addresses), all listening on the "standard" daemon port. You
then have ONE IP address on the server, with six daemons running on
different ports. Each of these mappings forwards to a different port on the
server. This is okay if you know that all the people that will connect will
only connect to their "normal" host to get the service.

Load balancing solution one: Have six NAT mappings on the firewall, with one
external DNS entry like "daemon-out.mysite.com". Have ONE IP address on the
server, with all the daemons on different ports. All incoming connections
get aimed at daemon-out.mysite.com, and you perform DNS round-robin on your
DNS server. This means that clients will get answers to their DNS queries in
a different order each time. This will affect which NAT mapping they try and
connect to, and therefore which port on the server they end up talking to.

Load balancing solution two: If the firewall can handle it, some
implementations of NAT let you do a similar round robin thing. Cisco routers
will do this for example. If you do it _this_ way, you go back to your
multi-homed server, and have a round-robin NAT mapping using a SINGLE IP
address for daemon-out on the firewall. Each connection to this mapping will
send you through to a different IP address on the server, and therefore a
different daemon. Uh...in theory. You may not get a new daemon for each
extra IP address - you may need to check that. 8)

None of these are "smart" solutions - they're just spreading incoming
connections evenly. You may have to get tricky and probably write some
software if you want intelligent load balancing for a custom app. You could
check out things like Cisco LocalDirector, but I have a feeling that they're
geared for webservers.

Oh, and I hammered this out pretty fast, so I reserve the right to be Wrong
as Hell. ;)

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
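The static-NAT-plus-DNS-round-robin arrangement described above ("load balancing solution one"), as an added model that is not part of the original post: six external addresses on the standard port are translated to ports 1111, 2222, ... on one server, and a rotating DNS answer decides which mapping each client hits. Addresses and the hostname are constructed sample values; it also shows the weak spot a practitioner should expect, namely a client that caches its first DNS answer and so keeps landing on the same daemon.

```python
"""Model of static NAT mappings (one external address per "standard" port,
each forwarded to a different port on a single server) combined with DNS
round-robin to spread clients across those mappings.
All addresses below are constructed sample values from documentation ranges."""
from collections import Counter

SERVICE_PORT = 1111                                      # the daemons' "standard" port
EXTERNAL_IPS = [f"203.0.113.{i}" for i in range(1, 7)]  # six addresses outside the firewall
SERVER_IP = "192.0.2.10"                                 # the ONE address on the server


def build_nat_table(external_ips, server_ip, service_port):
    """Static NAT: (ext_ip, 1111) -> (server, 1111), (server, 2222), ... (server, 6666)."""
    return {(ext, service_port): (server_ip, service_port * (n + 1))
            for n, ext in enumerate(external_ips)}


class RoundRobinDNS:
    """Answers each query for the name with the A records rotated by one position."""
    def __init__(self, name, addresses):
        self.name, self._addrs, self._calls = name, list(addresses), 0

    def resolve(self, name):
        assert name == self.name
        k = self._calls % len(self._addrs)
        self._calls += 1
        return self._addrs[k:] + self._addrs[:k]


def simulate(connections, cache_dns=False):
    """Return a Counter of how many connections each server port received.
    With cache_dns=True the client reuses its first DNS answer, so every
    connection goes through the same NAT mapping: the weakness of pure
    DNS round-robin, since nothing here is 'smart' about load."""
    nat = build_nat_table(EXTERNAL_IPS, SERVER_IP, SERVICE_PORT)
    dns = RoundRobinDNS("daemon-out.mysite.com", EXTERNAL_IPS)
    hits = Counter()
    chosen = None
    for _ in range(connections):
        if chosen is None or not cache_dns:
            chosen = dns.resolve("daemon-out.mysite.com")[0]  # client takes the first answer
        _server, port = nat[(chosen, SERVICE_PORT)]            # firewall translates the flow
        hits[port] += 1
    return hits


if __name__ == "__main__":
    print("fresh lookups:", sorted(simulate(60).items()))
    print("cached lookup:", sorted(simulate(60, cache_dns=True).items()))
```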

> -----Original Message-----
> From: Igor Gashinsky [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 3 November 1999 12:37 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Port Redirection with Cisco Pix and Axent Raptor
> 
> We are merging 6 servers into 1 MUCH more powerful server, all of which ran
> the same daemon on the same port. This daemon is not multi-threaded, but is
> select() blocking I/O, and when we are going to merge the machines, this
> daemon won't be able to handle all the requests. Since we are mapping all of
> the IPs to the same machine (Virtual IPs), I was wondering if I could use
> a firewall to "load balance the ports", where I could say that all the
> traffic destined for A.A.A.1 port 1111 goes to B.B.B.B port 1111, but all
> the traffic destined for A.A.A.2 port 1111 goes to B.B.B.B port 2222, etc...
> 
> I am just wondering what FW software is capable of doing something like this
> (FW-1, Raptor, PIX..)?
> 
> This is, also, probably the best way to justify implementing a $200K+ 
> security budget <G>
> 
> -Igor Gashinsky