relayd clients on same network with servers


relayd clients on same network with servers

Kapetanakis Giannis
Hi,

I'm designing a new setup with relayd and multiple pools. I'm using redirects with forward.

The problem I have is that all the real servers are in the same VLAN.
In addition, the servers in one pool need to access the servers in another pool through the load balancer, so there is a problem with replies not passing through the LB (i.e. an IMAP server accessing the LDAP servers).

I've thought of different solutions for this and I've come up with the following. I need a second opinion:

1) Use different VLAN per pool of servers
2) 1 VLAN, with 1 bridge and multiple subnets on vether devices
3) Source NAT to hide client IP
4) Use a relay as a proxy (instead of redirect on the $int_if)
5) Use DSR (route-to) with sloppy states

Solution 1 seems the best to me, but it has the overhead of adding/managing the VLANs everywhere.
Solution 2 seems to work, but I'm not quite sure about it.
3 and 4 hide the client IP, so I want to avoid them.
5 I also want to avoid; it has problems with failover, and I don't like the half states.

So 2 seems ok, I have basic separation of pools and I guess since I control all the servers the jumping from one subnet to another is not a serious security problem.

I'd appreciate any opinions on this.

Giannis
ps. whole setup with carp-pfsync


Re: relayd clients on same network with servers

Mischa
Hi Giannis,

From my experience dealing with a lot of load balancers in my time, and also working for different vendors, the easiest is to use source-nat.
This is just configuration on the relayd itself, without making "major" changes in the rest of the network or servers, which you would need to do when choosing different VLANs or DSR.

Your concern about source-nat and hiding the client IP is valid, but easily fixed with a Client-IP header in http, if http is the protocol; otherwise you will lose the client IP. ;)
One more thing to remember with source-nat is the maximum number of concurrent connections you can handle on a single IP: if that is below 64k you are fine, otherwise you will have to create a pool of IPs to source-nat from.

In my opinion DSR is only relevant for services like FTP and NNTP, where you have a lot more traffic going out than coming in, so you don't have to put that burden through the single load balancer interface.

If you have the ability to change the VLANs, that is of course the cleanest of all the options, and source-nat the dirtiest, but it's also the simplest. :)

Good luck!

Mischa


> On 19 Mar 2018, at 11:20, Kapetanakis Giannis <[hidden email]> wrote:
>
> Hi,
>
> I'm designing a new setup with relayd and multiple pools. I'm using redirects with forward.
>
> The problem I have is that all the real servers are in the same VLAN.
> In addition, the servers in one pool need to access the servers in another pool through the load balancer, so there is a problem with replies not passing through the LB (i.e. an IMAP server accessing the LDAP servers).
>
> I've thought of different solutions for this and I've come up with the following. I need a second opinion:
>
> 1) Use different VLAN per pool of servers
> 2) 1 VLAN, with 1 bridge and multiple subnets on vether devices
> 3) Source NAT to hide client IP
> 4) Use a relay as a proxy (instead of redirect on the $int_if)
> 5) Use DSR (route-to) with sloppy states
>
> Solution 1 seems the best to me, but it has the overhead of adding/managing the VLANs everywhere.
> Solution 2 seems to work, but I'm not quite sure about it.
> 3 and 4 hide the client IP, so I want to avoid them.
> 5 I also want to avoid; it has problems with failover, and I don't like the half states.
>
> So 2 seems ok, I have basic separation of pools and I guess since I control all the servers the jumping from one subnet to another is not a serious security problem.
>
> I'd appreciate any opinions on this.
>
> Giannis
> ps. whole setup with carp-pfsync
>
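A concrete version of the source-nat option recommended above, added here as an illustration; it is not taken from the thread or from relayd's documentation, and the interface name, addresses and pool membership are assumed:

```conf
# Added example (not from the thread): option 3, source NAT on the LB itself.
# Assumed: inside interface em1, all real servers on one VLAN in 10.10.0.0/24,
# clients (and other real servers) connect to the CARP address 192.0.2.10.

# --- /etc/relayd.conf ---
lb_addr="192.0.2.10"
table <imap_pool> { 10.10.0.11 10.10.0.12 }
table <ldap_pool> { 10.10.0.21 10.10.0.22 }

redirect imap {
        listen on $lb_addr port 993
        forward to <imap_pool> port 993 check tcp
}
redirect ldap {
        listen on $lb_addr port 636
        forward to <ldap_pool> port 636 check tcp
}

# --- /etc/pf.conf (relevant part) ---
int_if="em1"
table <real_servers> { 10.10.0.0/24 }

# relayd installs its rdr-to rules here
anchor "relayd/*"

# Rewrite the source of every connection the LB forwards to a real server
# to the LB's own inside address. A reply from a real server then always
# goes back to the LB, even when the client is another real server on the
# same VLAN (the IMAP -> LDAP case). Cost: the real server logs and filters
# on the LB address, not the real client, so per-client firewalling on the
# servers is lost; the 64k-port limit per source address applies too.
match out on $int_if inet proto tcp to <real_servers> nat-to ($int_if)
```

The relayd health checks (`check tcp`) originate from the LB anyway, so the nat-to rule does not change how the pools are monitored.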


Re: relayd clients on same network with servers

Kapetanakis Giannis
On 19/03/18 13:51, Mischa wrote:

> Hi Giannis,
>
> From my experience dealing with a lot of load balancers in my time, and also working for different vendors, the easiest is to use source-nat.
> This is just configuration on the relayd itself, without making "major" changes in the rest of the network or servers, which you would need to do when choosing different VLANs or DSR.
>
> Your concern about source-nat and hiding the client IP is valid, but easily fixed with a Client-IP header in http, if http is the protocol; otherwise you will lose the client IP. ;)
> One more thing to remember with source-nat is the maximum number of concurrent connections you can handle on a single IP: if that is below 64k you are fine, otherwise you will have to create a pool of IPs to source-nat from.
>
> In my opinion DSR is only relevant for services like FTP and NNTP, where you have a lot more traffic going out than coming in, so you don't have to put that burden through the single load balancer interface.
>
> If you have the ability to change the VLANs, that is of course the cleanest of all the options, and source-nat the dirtiest, but it's also the simplest. :)
>
> Good luck!
>
> Mischa


Thanks for the reply Mischa,

Well, since most of the traffic is not http based, I cannot use the headers for the client IP :-/
This will also be a problem with firewalling on the real servers.
So that probably leaves out SNAT and the relay proxy. I also agree that DSR is not needed.

Yes, multiple VLANs is the cleanest solution.

My concern is mainly with 1 VLAN and multiple subnets, which does the trick of returning the traffic through the LB while keeping the setup simple.

Another solution would be some kind of private VLANs with openvswitch.

thanks,

Giannis