Escolar Documentos
Profissional Documentos
Cultura Documentos
Application
Description
Firewall in front of LAN
Different Servers located
behind Firewall
Firewall to be accessible
from Internet
Load Balancer to be
installed in a TRANSPARENT
MODE between Firewall and
Internet routers
Traffic to the Firewall to
be received thru both
Internet routers
Internet
DSL ROUTER : 200.1.1.254
T1 ROUTER : 100.1.1.254
WAN 2 IP : 200.1.1.1/24
WAN 1 IP : 100.1.1.1/24
Gateway IP : 100.1.1.254
WAN1
WAN2
Peer IP : 209.73.186.238
LAN
LAN IP : 100.1.1.2/24
WAN IP :
100.1.1.10
100.1.1.20
100.1.1.30
100.1.1.40
Gateway IP : 200.1.1.254
Peer IP : 209.73.186.238
Firewall
10.0.0.254
Web Server
Email Server
Citrix Server
FTP Server
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
1 / 13
Network
Diagram
Internet
T1 ROUTER : 100.1.1.254
WAN 1 IP : 100.1.1.1/24
WAN 2 IP : 200.1.1.1/24
Gateway IP : 100.1.1.254
Peer IP : 209.73.186.238
Gateway IP : 200.1.1.254
WAN2
WAN1
Peer IP : 209.73.186.238
LAN
LAN IP : 100.1.1.2/24
Firewall
10.0.0.254
Web Server
Email Server
Citrix Server
FTP Server
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
Peer IP = Public IP entered to do constant pings to and determine that live is alive beyond the Internet router
2 / 13
IP
Table
Web Server
Email Server
Citrix Server
FTP Server
Private
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
WAN 1
100.1.1.10
100.1.1.20
100.1.1.30
100.1.1.40
WAN 2
200.1.1.10
200.1.1.20
200.1.1.30
200.1.1.40
3 / 13
Mapping Table
Citrix Server
Internet
Internet
100.1.1.1
WAN1
WAN2
200.1.1.1
Secondary IP : 200.1.1.30
Transparent
LAN
100.1.1.2
Citrix: 100.1.1.30
Firewall
DNAT
NAT
Web Server
Email Server
Citrix Server
FTP Server
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
4 / 13
5 / 13
We enable Proxy-ARP to keep for Transparent Mode (need to be done both in WAN and LAN)
We enter and define the parameters for the WAN interface. IP Address is the load balancer IP
address with its network mask (/24 = 255.255.255.0). The Gateway IP is the IP of the router in front
of the load balancer. The Peer IP is a PUBLIC IP that the load balancer uses to do pings to so that we
can determine the line is alive.
7 / 13
8 / 13
Under Configuration Interface LAN: we would enter the LAN IP address in the same segment as the WAN IPs and
we need to enable the Proxy ARP as well.
9 / 13
Under Configuration Router We will enter the hosts/IP addresses that are present in the LAN or WAN. The hosts
(IP addresses resident in the firewall) need to be entered with a network mask /32.
10 / 13
Finally we need to include Destination NAT Rules under Configuration NAT. These rules will redirect the traffic
that arrives to the secondary IP addresses on the WAN ports to the IPs terminating in the Firewall. In the slide we
can see that ALL TRAFFIC ARRIVING TO THE WAN INTERFACE WITH DESTINATION IP 200.1.1.10 (web server
traffic) NEEDS TO BE DELIVERED TO 100.1.1.10 (IP in the firewall to further route to the web server).
11 / 13
The different NAT / DNAT rules entered to route traffic from the secondary WAN 2 Ips to the public Firewall
public Ips
12 / 13
Information
& Support
Contact:
www.alvaco.com
Toll Free: 1-877-641-2109
Phone: 1-407-574-2017
Fax:1-407-574-2016
support@alvaco.com
info@alvaco.com
13 / 13