Port Forwarding in Load sharing.

newborn1281 · ‎09-15-2006

I have a 1811 series router now its set with dual internet connections two different ISP's I have 2 default routes basically It should load balance between two now my concern IS I need a port forwarding as we use privite space addressing. I am including current config addresses have been changed to examples.

ip sla 1

icmp-echo 24.168.1.6

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-echo 72.15.49.4

ip sla schedule 2 life forever start-time now

!

track 123 rtr 1 reachability

!

track 456 rtr 2 reachability

!

interface FastEthernet0

description $ES_WAN$$FW_OUTSIDE$

ip address 24.168.1.5 255.255.255.240

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

no ip virtual-reassembly

no ip route-cache cef

no ip route-cache

duplex auto

speed auto

!

interface FastEthernet1

ip address 72.15.49.3 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$

ip address 192.168.1.195 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip route-cache flow

ip tcp adjust-mss 1452

!

ip local policy route-map MY_LOCAL_POLICY-2

ip route 0.0.0.0 0.0.0.0 71.249.216.1 track 123

ip route 0.0.0.0 0.0.0.0 64.8.212.209 track 456

ip route 64.8.212.209 255.255.255.255 FastEthernet0 permanent

!

ip nat inside source static tcp 192.168.1.3 20 interface FastEthernet2 20

ip nat inside source route-map FAST-0 interface FastEthernet0 overload

ip nat inside source route-map FAST-1 interface FastEthernet1 overload

ip nat inside source static tcp 192.168.1.1 21 24.168.1.5 21 extendable

ip nat inside source static tcp 192.168.1.1 25 24.168.1.5 25 extendable

ip nat inside source static tcp 192.168.1.1 80 24.168.1.5 80 extendable

ip nat inside source static tcp 192.168.1.68 1528 24.168.1.5 1528 extendable

ip nat inside source static tcp 192.168.1.50 1529 24.168.1.5 1529 extendable

ip nat inside source static tcp 192.168.1.48 3388 24.168.1.5 3388 extendable

ip nat inside source static tcp 192.168.1.1 21 72.15.49.3 21 extendable

ip nat inside source static tcp 192.168.1.1 25 72.15.49.3 25 extendable

ip nat inside source static tcp 192.168.1.1 80 72.15.49.3 80 extendable

ip nat inside source static tcp 192.168.1.68 1528 72.15.49.3 1528 extendable

ip nat inside source static tcp 192.168.1.50 1529 72.15.49.3 1529 extendable

ip nat inside source static tcp 192.168.1.48 3388 72.15.49.3 3388 extendable

logging trap debugging

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark SDM_ACL Category=2

access-list 150 permit ip 192.168.1.0 0.0.0.255 any

access-list 189 permit icmp any host 72.15.49.4 echo

access-list 199 permit icmp any host 24.168.1.6 echo

!

route-map FAST-1 permit 10

match ip address 1

match interface FastEthernet1

!

route-map FAST-0 permit 10

match ip address 1

match interface FastEthernet0

!

route-map MY_LOCAL_POLICY-2 permit 10

match ip address 189

set interface FastEthernet1

What do you think guys will this config support load sharing?

tdrais · ‎09-16-2006

Looks goods in general but you have the same problem that I have not found a good solution to. Your configuration has a additional problem inbound.

The outbound problem is releated to relationships between multiple outbound tcp sessions. It is direcly related to applications assuming that your IP address does not change.

If for example you open a session with server a via ISP1. It authenticates you and tells you to go talk to server 2. It then in the background passes your ip address to server 2 and tells it to wait for your seesion. When your machine connects to server 2 and uses ISP2 thereby getting a different ip address server2 does not know about this ip and will not work.

The only solution I have found for this is to force say even address out one ISP and odd addresses out the the other. Sorta load balance by source address but with the additional issue of using the track option on the policy routing.

Now your inbound issue is that when traffic attempts to return to the outside user it does not know which path it came in on

If for example a users at 1.2.3.4 talks to server 72.15.49.3 it will of course translate the address to 192.168.1.1 The return traffic from 192.168.1.1 will arrive at the router and the router will load balance the traffic. Since inside to outside translation of nat happens after the routing desision you really have no way to assure that the traffic will return the way it came in. Even then I'm not sure which nat entry it will pick. If we assume it selected the outbound path with a source address of 24.168.1.5 if it uses that address to nat the session will not work. If it is smart enought to use 72.15.49.3 but sends it to the isp that expect 24.168.1.5 the isp will more than likely drop the session.

This second one I do not see a easy solution for. Maybe the new nat options where you don't specify the inside and outside interfaces will allow policy routing after the nat selection is made. You could then send the traffic out the interface it came in on. I have not had time to play with the new nat feaures much.

pliszka1949 · ‎04-07-2007

Hello Tim,

I have the same problem: I installed a 1811, having 2 different ISP's and a LAN with local addresses. I need to balance the traffic to the 2 WAN, and routing the all traffic to one of the WAN when the other is not reachable.

Do you have any new idea?

Many thanks,

Pavel

pliszka1949 · ‎04-07-2007

Hello Dimitri,

I have the same problem: I installed a 1811, having 2 different ISP's and a LAN with local addresses. I need to balance the traffic to the 2 WAN, and routing the all traffic to one of the WAN when the other is not reachable.

Do you have any new idea?

Many thanks,

Pavel