Web traffic routing

qbakies11
Level 1

I have a single internet T1 purchased for use by a single website that we run so its traffic is never impeded. That website is running on our main web server with about seven other websites. Each website on the server has its own IP address assigned to it. There is an external IP static mapped through the firewall directly to that website's assigned IP.

I have a second 3Mb internet pipe that is used for all the other website traffic and the general office surfing. When I look at the traffic on those pipes the single T1 is only getting about 2% usage and the 3Mb pipe is around 80% usage. What is surprising is that the single T1 is getting so little usage because it is a highly used customer site that they push a lot of traffic across. Then I got to thinking that there may be a deeper problem and that's where I need help.

The web server has a single NIC with a static IP (192.168.1.5) and then there are additional IPs assigned to it for use by different websites (192.168.1.100-120). On the firewall a static mapping is created that ties a website IP to an external IP. That's fine for incoming traffic, but doesn't all outbound traffic use the IP of the server NIC? I think that's where my problem lies.

Inbound traffic is coming in on the single T1 pipe because the isolated website's IP (192.168.1.105) is static mapped to an external in the range assigned to that single T1, but when the outbound traffic for that site is exiting the network it is using the server IP (instead of the website IP) and therefore the outbound traffic is going out over the 3Mb pipe. Does that sound right? I know it's a bit confusing and I'll clarify if needed.

3 Replies

Jon Marshall
Hall of Fame

It sounds logical but to be sure you need to either

1) run tcpdump/snoop/network monitor on the web server to see what the source IP address is when packets are sent back out

OR

2) Use ACLs on the WAN interface of the T1

access-list 101 permit tcp any any eq 80

access-list 101 permit ip any any

access-list 102 permit tcp any eq 80 any

access-list 102 permit ip any any

Note you may not need the "permit ip any any" if you are absolutely sure all you get is http traffic on the link but it can't hurt.

Apply acl 101 inbound

apply acl 102 outbound

If you want replace the any with the IP address assigned to this webserver.

You should see hits both ways. If your suspicions are correct you should only see hits on acl 101.

Jon

Giuseppe Larosa
Hall of Fame

Hello Quinton,

how could the users' TCP sessions be set up if the outbound traffic was using an IP address different from the destination IP address in the other direction?

TCP sets up a socket:

user_ip TCP port xxxx ---> public_ip_T1 TCP 80

to be able to surf the website:

outbound traffic must come from the same IP address. No other possibilities, or the three-way TCP handshake ack - syn ack - ack cannot complete.

The question is that outbound traffic is routed based on destination, not source.

You need a PBR rule that sends back the T1 traffic that has a specific source or better a NAT configuration that uses route-maps and makes this choice

Hope to help

Giuseppe
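The following is an added example, not configuration posted by anyone in this thread, showing what Giuseppe's PBR suggestion looks like on a Cisco IOS router, together with the static mapping the original poster describes so the two pieces can be read side by side. The interface names, the router's LAN address, the T1 next hop (203.0.113.1) and the public address 203.0.113.10 are assumptions; only 192.168.1.105 comes from the thread. It assumes the firewall doing the static mapping is an IOS router; on another platform the same idea applies (route on source address, not just destination) but the syntax differs.

```cisco
! Added example (not from the thread): policy-based routing that sends traffic
! sourced from the isolated site (192.168.1.105) out the T1, regardless of
! destination. Assumed names and addresses:
!   GigabitEthernet0/0 = LAN interface facing the web server (192.168.1.1)
!   GigabitEthernet0/1 = T1 WAN interface (203.0.113.2/30)
!   203.0.113.1        = T1 provider's next hop
!   203.0.113.10       = public address in the T1 block mapped to the site
!
! Match only packets the isolated site itself sends. The policy is applied on
! the LAN interface, and in IOS policy routing runs before inside-to-outside
! NAT, so the source seen here is the pre-NAT private address.
ip access-list extended T1-SITE-OUT
 permit ip host 192.168.1.105 any
!
! Matching packets get the T1 next hop; everything else falls through to the
! normal routing table (the default route over the 3Mb pipe is untouched).
route-map PBR-T1 permit 10
 match ip address T1-SITE-OUT
 set ip next-hop 203.0.113.1
!
interface GigabitEthernet0/0
 description LAN towards web server
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-T1
!
interface GigabitEthernet0/1
 description T1 WAN
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! One-to-one static mapping for the site, as the original poster describes it.
! It handles the inbound direction; the route-map above handles the return path.
ip nat inside source static 192.168.1.105 203.0.113.10
```

To confirm the policy is taking effect, `show route-map PBR-T1` reports a "Policy routing matches" counter that should climb while the site is busy, and `show ip policy` lists the interface the route-map is bound to. If the counter stays at zero while Jon's ACL 101 keeps counting inbound hits, the replies are not being sourced from 192.168.1.105 after all and the server side, rather than the router, needs looking at.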

Giuseppe

"Hello Quinton,

how could the users' TCP sessions be set up if the outbound traffic was using an IP address different from the destination IP address in the other direction?"

Very good point - missed that one. Deserves a rating :)

Jon
