Load balancing

Network Address Translation (NAT)

On this page

With Network Address Translation (NAT) enabled, the HAProxy ALOHA appliance can replace the source and destination IP addresses of incoming packets.

  • Source NAT: The source IP of the incoming packet is replaced with the IP address of the HAProxy ALOHA appliance. Source NAT can be configured using the NAT tab, which translates the NAT rules into iptables rules.
  • Destination NAT: The destination IP address is replaced with the private IP address of the backend server. Destination NAT can be configured using the NAT tab or, in applications using the LVS (Layer 4) load balancer, by specifying nat mode in the LVS director configuration.

After the HAProxy ALOHA appliance translates the packet addresses, the changed packet is then sent to the backend server. When the HAProxy ALOHA appliance receives the server response, the original IP addresses are restored and the packet is sent back to the client.

Destination NAT allows a simpler configuration on the backend servers, which receive traffic on their private addresses, and simply return traffic to the source IP, which is that of the HAProxy ALOHA appliance.

NAT mode is supported by both Linux and Windows backend servers. Backend servers can keep the network’s external gateway as their default gateway. Disadvantages include that it reduces the number of connections that HAProxy ALOHA can support, due to needing to use more ports.

Optionally, instead of configuring source NAT (HAProxy ALOHA NAT tab), you can set HAProxy ALOHA to be the default gateway on the backend server. That accomplishes the same thing and would use fewer ports on HAProxy ALOHA, at the cost of a slightly more complex setup on the backend server (i.e. needing to change the default gateway).

NAT traffic flow Jump to heading

NAT load balancing

  1. The client connects to your application at the configured public IP address (VIP). HAProxy ALOHA listens at that address and receives the packets.

  2. The packet’s destination IP address is translated from the HAProxy ALOHA public IP to the private IP of one of the backend servers. Simultaneously, the packet’s source IP addresses are translated from the client’s IP to the HAProxy ALOHA IP address.

  3. The backend server accepts the request to its IP.

  4. The backend server sends its response to HAProxy ALOHA because its address is set as the source IP in the packet.

  5. HAProxy ALOHA performs the reverse NAT before relaying the response to the client.

Important

NAT load balancing introduces:

  • a limit on the number of simultaneous connections to a backend server. Only 65534 source ports are available for HAProxy ALOHA addresses.

  • a heavy load on HAProxy ALOHA (connection tracking must be enabled).

NAT use case Jump to heading

NAT represents traditional Layer 4 load balancing, but it isn’t the only way to load balance Layer 4 protocols. From the LB Layer7 tab, you can load balance services over TCP via a reverse proxy configuration. This is the approach we recommend for TCP because it provides more detailed logging and is simpler to set up and troubleshoot. However, NAT enables you to load balance UDP services and to load balance services that utilize dynamic TCP ports, such as FTP.

For pure TCP service, use the LB Layer7 load balancer in tcp mode instead.

Configuring NAT Jump to heading

Configuring NAT involves these tasks:

  • Enable destination NAT in the LVS director configuration.
  • Enable source NAT using a NAT rule.
  • Enable connection tracking in the LVS service.

Enable Destination NAT Jump to heading

Configure LVS so that it translates the destination IP from the public IP on which HAProxy ALOHA listens to the backend server’s private IP.

  1. In the web UI’s LB Layer4 tab, add the mode nat directive to your existing configuration.

    In the example below, we load balance the UDP protocol.

    haproxy
    director web 10.0.0.3:8000 UDP
      balance leastconn
      mode nat
      server web1 10.0.0.20:8000 weight 10 check
    haproxy
    director web 10.0.0.3:8000 UDP
      balance leastconn
      mode nat
      server web1 10.0.0.20:8000 weight 10 check

  2. Click OK and Apply.

  3. To make the changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

Enable Source NAT Jump to heading

Create iptables NAT rules to translate the client’s source IP to the HAProxy ALOHA appliance’s IP.

  1. In the NAT tab, click Insert to add a new NAT rule.

    Add NAT Rule

  2. Select the following values in the New Rule area, depending on how many network interfaces are attached to HAProxy ALOHA.

    • One network interface

      text
      --------+-------- 192.168.1.0/24, VIPs, backend servers
              |
              | eth0
         +---------+
         |         |
         |  ALOHA  |
         |         |
         +---------+
      text
      --------+-------- 192.168.1.0/24, VIPs, backend servers
              |
              | eth0
         +---------+
         |         |
         |  ALOHA  |
         |         |
         +---------+
      Field Description
      IN Inbound network interface.
      OUT Outbound network interface, the same as the inbound interface.
      Protocol UDP

      Example:

      Source NAT for One Interface

    • Two network interfaces

      text
      --------+-------- 192.168.1.0/24, VIPs
              |
              | eth0
         +---------+
         |         |
         |  ALOHA  |
         |         |
         +---------+
              | eth1
              |
      --------+-------- 192.168.2.0/24, backend servers
      text
      --------+-------- 192.168.1.0/24, VIPs
              |
              | eth0
         +---------+
         |         |
         |  ALOHA  |
         |         |
         +---------+
              | eth1
              |
      --------+-------- 192.168.2.0/24, backend servers

      Info

      In configurations having two network interfaces, if you have failover configured on one VIP, configure a VIP with failover on the other interface as well.

      Field Description
      IN Inbound network interface.
      OUT Outbound network interface, different from the inbound interface.
      Protocol UDP.

      Example:

      Source NAT for Two Interfaces

  3. Enter the following values in the Before area.

    Field Value Example
    Source Blank
    Source port Blank
    Destination VIP address 10.0.0.3
    Destination port UDP port or range 8000, or 50000-51000

    Example:

    Source NAT Before Fields

  4. Enter the following values in the After area.

    Field Value Example
    Source VIP address (Note: If you enter a local IP address, it can not be shared between the members of a cluster.) 10.0.0.3
    Source port Blank
    Destination Blank
    Destination port Blank

    Example:

    Source NAT Before Fields

  5. Check your configuration.

    Example:

    One network interface.

    Source NAT for UDP One Interface

    Example:

    Two network interfaces.

    Source NAT for UDP Two Interfaces

  6. Click Add and Apply.

  7. To make the changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

Enable LVS connection tracking Jump to heading

NAT relies on the connection tracking information so that it can translate all of the packets in a session in the same way.

  1. Click the Services tab.

  2. Locate the lvs service and click Setup.

  3. Enable connection tracking through the conntrack keyword.

    text
    service lvs
      ############ Linux Virtual Server, layer 3/4 load balancing
      conntrack
    text
    service lvs
      ############ Linux Virtual Server, layer 3/4 load balancing
      conntrack

  4. Click OK and then Close.

  5. Locate the lvs service and click Restart.

  6. To make the changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

Display NAT rules results Jump to heading

NAT rules are stored in the /etc/natrules/natrules.cfg file.

In the natrules.cfg entry below, TCP packets targeted for 172.30.100.0:3389 have their source IP address changed to 10.11.100.20 and are sent to device eth1.

natrules.cfg
text
# <in> <out> <proto> <src> <sport> <dst> <dport> <msrc> <msport> <mdst> <mdport> <related>
any eth1 tcp any any 172.30.100.0/24 3389 10.11.100.20 same same same -
natrules.cfg
text
# <in> <out> <proto> <src> <sport> <dst> <dport> <msrc> <msport> <mdst> <mdport> <related>
any eth1 tcp any any 172.30.100.0/24 3389 10.11.100.20 same same same -

To display the results of NAT rules, use this command:

nix
iptables -t nat -L -v
nix
iptables -t nat -L -v

Example output from preceding example natrules.cfg entry:

output
text
Chain PREROUTING (policy ACCEPT 220 packets, 11424 bytes)
 pkts bytes target     prot opt in     out     source               destination
  220 11424 pre_appli  all  --  any    any     anywhere             anywhere
Chain INPUT (policy ACCEPT 220 packets, 11424 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 63371 packets, 3811K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 63371 packets, 3811K bytes)
 pkts bytes target     prot opt in     out     source               destination
63371 3811K post_appli  all  --  any    any     anywhere             anywhere
Chain post_appli (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  any    eth1    anywhere             anywhere             ctorigdst 172.30.100.0/24 tcp dpt:3389 to:10.11.100.20
Chain pre_appli (1 references)
 pkts bytes target     prot opt in     out     source               destination
output
text
Chain PREROUTING (policy ACCEPT 220 packets, 11424 bytes)
 pkts bytes target     prot opt in     out     source               destination
  220 11424 pre_appli  all  --  any    any     anywhere             anywhere
Chain INPUT (policy ACCEPT 220 packets, 11424 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 63371 packets, 3811K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 63371 packets, 3811K bytes)
 pkts bytes target     prot opt in     out     source               destination
63371 3811K post_appli  all  --  any    any     anywhere             anywhere
Chain post_appli (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  any    eth1    anywhere             anywhere             ctorigdst 172.30.100.0/24 tcp dpt:3389 to:10.11.100.20
Chain pre_appli (1 references)
 pkts bytes target     prot opt in     out     source               destination

Do you have any suggestions on how we can improve the content of this page?

Previous page IP ACLs Next page Single sign-on
© 2024 HAProxy Technologies, LLC. All Rights Reserved
Manage Cookie Preferences