Layer 4 (LVS)

Load balance FTP (active mode) using the LB Layer4 tab

On this page

In active mode FTP, the FTP server responds to client requests by initiating a connection back to the client.

Important

Active FTP is not recommended because it fails when the FTP client is protected by a NAT router or firewall, which prevents the FTP server from establishing the connection with the client. To ensure that FTP service can be provided for clients in such networks, use passive FTP instead. The passive FTP solution also provides superior logging than the one described on this page.

To load balance active FTP services, use a Linux Virtual Server (LVS) load balancer in NAT mode to perform the load balancing at layer 4. In this scenario, responses from servers flow through HAProxy ALOHA (that is, not Direct Server Return).

This configuration supports high availability.

Example network architecture Jump to heading

The procedures in this section are based on an example network architecture where clients access the FTP services at the load balancer IP address 192.168.0.100. The load balancer then directs traffic to FTP servers at 192.168.1.10 and 192.168.1.11.

Active FTP Architecture diagram

Configure source NAT Jump to heading

Create a NAT rule to translate the client’s source IP to the HAProxy ALOHA appliance’s IP.

  1. In the NAT tab, click Insert to add a new NAT rule.

  2. The values you enter in the New Rule area depend on the number of network interfaces attached to HAProxy ALOHA.

    • One network interface

      text
         --------+-------- 192.168.1.0/24, VIPs, backend servers
                 |
                 | eth0
            +---------+
            |         |
            |  ALOHA  |
            |         |
            +---------+
      text
         --------+-------- 192.168.1.0/24, VIPs, backend servers
                 |
                 | eth0
            +---------+
            |         |
            |  ALOHA  |
            |         |
            +---------+

      In a deployment with one network interface, select the following values in the New Rule area.

      Field Description
      IN Inbound network interface
      OUT Outbound network interface, the same as the inbound interface
      Protocol TCP

    • Two network interfaces

      text
         --------+-------- 192.168.1.0/24, VIPs
                 |
                 | eth0
            +---------+
            |         |
            |  ALOHA  |
            |         |
            +---------+
                 | eth1
                 |
         --------+-------- 192.168.2.0/24, backend servers
      text
         --------+-------- 192.168.1.0/24, VIPs
                 |
                 | eth0
            +---------+
            |         |
            |  ALOHA  |
            |         |
            +---------+
                 | eth1
                 |
         --------+-------- 192.168.2.0/24, backend servers

      Info

      In configurations having two network interfaces, if you have failover configured on one VIP, configure a VIP with failover on the other interface as well.

      In a deployment with two network interfaces, select the following values in the New Rule area.

      Field Description
      IN Inbound network interface
      OUT Outbound network interface, different from the inbound interface
      Protocol TCP

  3. Enter the following values in the Before area.

    Field Value Example
    Source Blank
    Source port Blank
    Destination VIP address 192.168.0.100
    Destination port FTP port or range 20-21

  4. Enter the following values in the After area.

    Field Value Example
    Source VIP address (Note: If you enter a local IP address, it cannot be shared between the members of a cluster.) 192.168.0.100
    Source port Blank
    Destination Blank
    Destination port Blank

  5. Check your configuration.

    Example:

    Rule for one network interface.

    Active FTP NAT Configuration for Single Network

  6. Click Add and Apply.

  7. To make the changes persistent after a reboot, go to the Setup tab and click Save within the Configuration section.

Configure LVS load balancer and destination NAT Jump to heading

Define the LVS director d_ftp, which load balances the FTP traffic between the real FTP servers. LVS performs destination NAT.

  1. Click the LB Layer4 tab.

  2. Add this configuration:

    haproxy
    director d_ftp
     mode nat
     balance source
     option icmpcheck interval 10
     server ftp1 <FTP real server 1 IP> weight 10 check
     server ftp2 <FTP real server 2 IP> weight 10 check
    haproxy
    director d_ftp
     mode nat
     balance source
     option icmpcheck interval 10
     server ftp1 <FTP real server 1 IP> weight 10 check
     server ftp2 <FTP real server 2 IP> weight 10 check

    Example:

    In the example, the FTP real servers are located at 192.168.1.10 and 192.168.1.11.

    haproxy
    director d_ftp
      mode nat
      balance source
      option icmpcheck interval 10
      server ftp1 192.168.1.10 weight 10 check
      server ftp2 192.168.1.11 weight 10 check
    haproxy
    director d_ftp
      mode nat
      balance source
      option icmpcheck interval 10
      server ftp1 192.168.1.10 weight 10 check
      server ftp2 192.168.1.11 weight 10 check

  3. Click OK and then Apply.

  4. To make the changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

Configure a flow Jump to heading

Configure a flow that captures traffic sent to the VIP and sends it to the LVS director d_ftp:

  1. Click the Flows tab.

  2. Add this flow definition:

    haproxy
    flow f_ftp director d_ftp
      match proto tcp dst <VIP> dstport 20:21
    haproxy
    flow f_ftp director d_ftp
      match proto tcp dst <VIP> dstport 20:21

    Example:

    The example IP address for FTP access is 192.168.0.100.

    haproxy
    flow f_ftp director d_ftp
      match proto tcp dst 192.168.0.100 dstport 20:21
    haproxy
    flow f_ftp director d_ftp
      match proto tcp dst 192.168.0.100 dstport 20:21

    Info

    Make sure these ports are open on the FTP servers.

  3. Click OK and then Apply.

  4. To make the changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

Configure the flow manager service Jump to heading

Configure the flow manager service for automatic startup:

  1. On the Services tab, locate the flowmgr service and click Setup.

  2. If the configuration contains the line no autostart, delete the line.

  3. Click OK and then Close.

  4. Locate the flowmgr service and click Restart.

  5. To make the changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

Configure the LVS service Jump to heading

Configure the LVS service for automatic startup and connection tracking. NAT relies on the connection tracking information so that it can translate all of the packets in a session in the same way.

  1. On the Services tab, locate the lvs service and click Setup.

  2. If the configuration contains the line no autostart, delete the line.

  3. Enable connection tracking by adding the conntrack keyword.

    text
    service lvs
      ############ Linux Virtual Server, layer 3/4 load balancing
      conntrack
    text
    service lvs
      ############ Linux Virtual Server, layer 3/4 load balancing
      conntrack

  4. Click OK and then Close.

  5. Locate the lvs service and click Restart.

  6. To make the changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

Do you have any suggestions on how we can improve the content of this page?

Previous page Health checks Next page Load balance UDP
© 2024 HAProxy Technologies, LLC. All Rights Reserved
Manage Cookie Preferences