Network Address Translation – Load Balancing

If load balancing is the soul of centralized processing of large data volumes on today's networks, then Network Address Translation (NAT) is the heart of load balancing. NAT is a widely used technique, but when it is applied to load balancing we see a variety of situations and methods.

NAT changes a network address in a packet in order to influence the direction the packet takes, for a particular purpose. The address meant here is the IP (Internet Protocol) address at layer 3, but NAT can also change the port number at layer 4 of the OSI model. We also distinguish the source address and the destination address. Depending on the purpose, NAT changes some or all of the addresses in the same packet.

We will review how these NAT techniques are used in load balancing.

Destination NAT

This is the most common type of NAT; it is also called "forward NAT" or "inbound NAT". It is designed to change the destination IP address of packets without touching the other fields. This is the type used by default in load balancing, as follows:

- When the client sends request packet R to the load balancer, R has DEST IP = the load balancer's VIP (141.149.65.3) and source IP = the client's IP (188.1.1.10). Because the load balancer represents all the servers behind it, its IP address is also their representative address; the client contacts the load balancer without knowing the actual addresses of the servers. The load balancer's IP address is also known as the virtual IP (VIP).

- The load balancer decides to send R to server 2 for processing, so it changes the DEST IP of R to the IP of server 2 (10.10.10.20); the source IP stays the same (188.1.1.10). This is called Destination NAT.

- Because the DEST IP is now the IP of server 2, R is routed to server 2 for processing.

- When server 2 answers, the reply packet goes back through the load balancer. Here the packet is un-NATed: the IP address of server 2 (now the source IP) is replaced with the load balancer's VIP.

Reverse NAT

In a load balancing setup the servers usually have only private IP addresses (for many reasons, including the limited number of public IPs and security), which means they cannot reach the Internet directly. The load balancer usually faces the public Internet to receive requests on behalf of the servers, so it has a public IP address for client connections from outside; this is the VIP. When a client wants to use a service of a server, the load balancer converts the DEST IP address from public to the server's private address, which is the NAT type considered above. In the opposite case, when a server wants to open a connection to the outside Internet, the load balancer must change the source IP address of the outgoing packet from private to public so that it can travel on the Internet. The NAT type that does this is called Source NAT, "reverse NAT" or "outbound NAT".

Port-Address Translation (PAT)

The two cases above change the IP address; the third type, called "port NAT", changes the TCP/UDP port in a packet (here we consider TCP and UDP, but other protocols that use ports can apply as well). PAT is actually a part of load balancing. How it works is very simple: when you bind port 80 of the VIP on the load balancer to port 1000 on the real server, the load balancer performs the conversion and forwards every request for port 80 (the DEST port) to port 1000 on the server.

The benefits of implementing PAT:

- Security is the first benefit. By not opening the default ports on the server, you make malicious attacks harder. For example, you can run a web server on port 4000 and bind port 80 of the VIP on the load balancer to port 4000 of the real server. Attacks cannot then be aimed directly at port 80 of the real server, because it is not open.
- Scalability: PAT lets you run the same application on multiple ports. Depending on how the application is designed, running several copies of it can increase serving performance. For example, you can run the IIS web server on ports 80, 81 and 82 of each real server, then bind port 80 of the VIP to each of the ports on which the real servers run IIS. The load balancer will distribute traffic not only across servers but also across the ports on each server.
- Manageability: for example, when hosting multiple websites on a set of real servers, you can use a single VIP to represent all the domains of the websites. The load balancer accepts all requests to port 80 on that VIP. The web server can run each domain on a different port, such as www.abc.com on port 81 and www.xyz.com on port 82, and the load balancer sends the traffic to the appropriate port based on the domain in the URL of each HTTP request.
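The Destination NAT, Reverse NAT and PAT sections above describe three header rewrites and the connection table that makes the reply path work. The following Python model is an added example, not code from the original article or any product: it keeps a session entry per client socket so replies can be un-NATed, binds VIP port 80 to port 4000 on the real servers (the article's PAT example), and allocates public ports on the VIP for server-initiated connections (Reverse NAT). The VIP, client IP and server 2 address come from the article; the second server 10.10.10.10, the port numbers 40000 and up, and the outside address 203.0.113.7 are constructed for the example.

```python
from dataclasses import dataclass, replace
from itertools import cycle

VIP = "141.149.65.3"        # from the article
CLIENT_IP = "188.1.1.10"    # from the article


@dataclass(frozen=True)
class Packet:
    """The four header fields NAT rewrites: layer 3 addresses, layer 4 ports."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


class DnatLoadBalancer:
    """Destination NAT + PAT for client traffic and Reverse (source) NAT for
    server-initiated traffic. Hypothetical model, not a real product."""

    def __init__(self, vip, bindings, snat_port_base=40000):
        # bindings: {vip_port: [(server_ip, server_port), ...]}
        # PAT is simply the case where server_port != vip_port.
        self.vip = vip
        self.pools = {p: cycle(targets) for p, targets in bindings.items()}
        # client socket -> (server_ip, server_port, vip_port); needed to un-NAT replies
        self.sessions = {}
        # Reverse NAT state: private server socket <-> public port on the VIP
        self.snat = {}
        self.snat_rev = {}
        self.next_snat_port = snat_port_base   # assumed ephemeral range for Reverse NAT

    def from_internet(self, pkt):
        """Packet arriving on the VIP from the Internet."""
        if pkt.dst_ip != self.vip:
            raise ValueError("load balancer only accepts packets for the VIP")
        if pkt.dst_port in self.pools:
            return self._destination_nat(pkt)
        if pkt.dst_port in self.snat_rev:
            return self._reverse_nat_return(pkt)
        # e.g. a client trying port 4000 on the VIP directly: nothing is bound there
        raise ValueError(f"no service bound on VIP port {pkt.dst_port}")

    def from_server(self, pkt):
        """Packet arriving from a real server on the private side."""
        if (pkt.dst_ip, pkt.dst_port) in self.sessions:
            return self._un_nat(pkt)
        return self._reverse_nat(pkt)

    def _destination_nat(self, pkt):
        server_ip, server_port = next(self.pools[pkt.dst_port])   # round robin
        self.sessions[(pkt.src_ip, pkt.src_port)] = (server_ip, server_port, pkt.dst_port)
        # Only the destination is rewritten; the source stays the client's.
        return replace(pkt, dst_ip=server_ip, dst_port=server_port)

    def _un_nat(self, pkt):
        server_ip, server_port, vip_port = self.sessions[(pkt.dst_ip, pkt.dst_port)]
        if (pkt.src_ip, pkt.src_port) != (server_ip, server_port):
            raise ValueError("reply did not come from the server chosen for this session")
        # The server's private address is replaced by the VIP, so the client never sees it.
        return replace(pkt, src_ip=self.vip, src_port=vip_port)

    def _reverse_nat(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.snat:
            port = self.next_snat_port
            self.next_snat_port += 1
            self.snat[key] = port
            self.snat_rev[port] = key
        return replace(pkt, src_ip=self.vip, src_port=self.snat[key])

    def _reverse_nat_return(self, pkt):
        server_ip, server_port = self.snat_rev[pkt.dst_port]
        return replace(pkt, dst_ip=server_ip, dst_port=server_port)


def demo():
    """Walk one client request through DNAT/PAT and its reply through un-NAT."""
    lb = DnatLoadBalancer(VIP, {80: [("10.10.10.20", 4000), ("10.10.10.10", 4000)]})
    forwarded = lb.from_internet(Packet(CLIENT_IP, VIP, 51000, 80))
    reply = lb.from_server(Packet(forwarded.dst_ip, CLIENT_IP, forwarded.dst_port, 51000))
    return forwarded, reply


if __name__ == "__main__":
    print(demo())
```

The round-robin over `(server_ip, server_port)` pairs is what makes the IIS example work: binding VIP port 80 to ports 80, 81 and 82 of one server is just a pool of three pairs with the same IP. The session table is also where a real load balancer has to age out entries; this model never expires them.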

Full NAT

So far we have considered NAT techniques that change the destination address, the source address, and the port in load balancing. Each change is a NAT type applied in its own individual case. Combining these changes gives a different, more complex NAT type: Full NAT. It is called that because it includes the following changes to the request packet:
- Source IP address (source IP)
- Destination IP address (DEST IP)
- Source port (source port)

Note that the source port is the port of the client, and the DEST port is the port requested on the server, such as port 80 in the example above.

In this load balancing model, unlike the previous NAT model, a reply packet from the server could bypass the load balancer and go to the client directly over the Internet. The problem is that the server's IP address is a private IP, so a reply packet carrying that private source address will never reach the client.

So how do we force the server to answer through the load balancer, which NATs the IP address toward the Internet? The simplest way is to make the load balancer the default gateway of the server. But this requires the load balancer to be in the same subnet as the server (the same Layer 2 broadcast domain). What if you cannot satisfy the same-subnet requirement? This is what Full NAT is used for.

When configured to perform Full NAT, the load balancer replaces the source IP of every request packet with an address on the load balancer itself, then changes the DEST IP (currently the VIP) to the server IP (10.10.10.20) before sending it to server 2. The source IP can be the VIP or another address, depending on the load balancer product. Much like a proxy, the server then sees the load balancer as the client making the request and does not care about the real client. So the server replies to the load balancer, and the load balancer restores the DEST IP to the real client IP (188.1.1.100) before sending the reply on.

So when is the source port changed? Each mapping of a client source IP to the load balancer's source IP is called a session, and the load balancer stores the client's session information keyed by the source port it places in the packet (replacing the client's original source port).

At this point the source port is nothing more or less than a session ID. When the server replies to the load balancer, that source port comes back as the port in the reply packet. Based on this port, the load balancer looks up the client's session in its table, where it saved the client's original source IP and source port.

The advantage of this NAT type is that it lets you perform the address changes through the load balancer regardless of the network topology. The disadvantage is that the server no longer receives the IP and port information of the client. Applications, such as web applications, that use the client's source IP should not use this model. Some load balancing products also provide functions to log and report the source IP of requests.
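The Full NAT passage above describes three rewrites on the request (source IP, source port, DEST IP) and a session table keyed by the source port the load balancer allocates. The following Python model is an added example, not code from the original article or any product: the allocated source port is the session ID, the table stores the client's original socket and the chosen server, replies are matched by that port, and the model also shows the edge case the article implies, a full table when no free source port is left, with `close()` returning a port to the pool. The VIP, client IP and server 2 address come from the article; the load balancer's private-side address 10.10.10.1, the second server 10.10.10.10 and the tiny port range 40000-40003 are constructed for the example.

```python
from dataclasses import dataclass, replace
from itertools import cycle

VIP = "141.149.65.3"                        # from the article
LB_SNAT_IP = "10.10.10.1"                   # assumed: load balancer address on the server side
SERVERS = ["10.10.10.20", "10.10.10.10"]    # server 2 from the article; 10.10.10.10 assumed
CLIENT_IP = "188.1.1.10"                    # from the article


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


class FullNatLoadBalancer:
    """Full NAT: rewrite source IP, source port and DEST IP on requests; the
    allocated source port is the session ID. Hypothetical model."""

    def __init__(self, vip, snat_ip, servers, first_port=40000, last_port=40003):
        self.vip, self.snat_ip = vip, snat_ip
        self.servers = cycle(servers)
        self.free_ports = list(range(first_port, last_port + 1))   # tiny range on purpose
        # session id -> (client_ip, client_port, vip_port, server_ip)
        self.sessions = {}
        # (client_ip, client_port, vip_port) -> session id, so repeat packets reuse a session
        self.by_client = {}

    def from_client(self, pkt):
        if pkt.dst_ip != self.vip:
            raise ValueError("not addressed to the VIP")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.by_client:
            session_id = self.by_client[key]
            server_ip = self.sessions[session_id][3]
        else:
            if not self.free_ports:
                raise RuntimeError("session table full: no free source port")
            session_id = self.free_ports.pop(0)
            server_ip = next(self.servers)
            self.sessions[session_id] = (pkt.src_ip, pkt.src_port, pkt.dst_port, server_ip)
            self.by_client[key] = session_id
        # Three fields rewritten; the server sees only the load balancer as its client.
        return replace(pkt, src_ip=self.snat_ip, src_port=session_id, dst_ip=server_ip)

    def from_server(self, pkt):
        # The server answers the load balancer; the DEST port of the reply is our session id.
        if pkt.dst_ip != self.snat_ip or pkt.dst_port not in self.sessions:
            raise ValueError("no session for this reply")
        client_ip, client_port, vip_port, server_ip = self.sessions[pkt.dst_port]
        if pkt.src_ip != server_ip:
            raise ValueError("reply from a server not assigned to this session")
        # Restore the client's socket as destination and present the VIP as source.
        return replace(pkt, src_ip=self.vip, src_port=vip_port,
                       dst_ip=client_ip, dst_port=client_port)

    def close(self, session_id):
        """Release the session so its source port can be allocated again."""
        client_ip, client_port, vip_port, _ = self.sessions.pop(session_id)
        del self.by_client[(client_ip, client_port, vip_port)]
        self.free_ports.append(session_id)


if __name__ == "__main__":
    lb = FullNatLoadBalancer(VIP, LB_SNAT_IP, SERVERS)
    fwd = lb.from_client(Packet(CLIENT_IP, VIP, 51000, 80))
    print(fwd)                                                   # server sees 10.10.10.1:40000
    print(lb.from_server(Packet(fwd.dst_ip, LB_SNAT_IP, 80, fwd.src_port)))
```

Because the source port space is the session space, the number of concurrent sessions a Full NAT device can hold per source address is bounded by the ports available, which is why real products use several source addresses and aggressive idle timeouts.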

Enhanced NAT

The NAT techniques described so far revolve around changing the IP address and port in the packet header. However, some special protocols carry address or port information embedded in the packet payload, and that information must be changed along with the packet header.

This requires the load balancer to understand each specific protocol. Enhanced NAT is the term for this more complex NAT type, which the load balancer performs using protocol-specific knowledge of the protocol it is load balancing.

Among these special protocols, the most commonly used are the streaming media protocols (e.g. RTSP, the Real Time Streaming Protocol). These protocols are where load balancing is most popular, because they are very resource- and computation-intensive when serving hundreds to thousands of users simultaneously.

A streaming protocol generally involves two connections: a control connection based on TCP and a data connection based on UDP. To start, the client opens the control channel to a well-known port on the server. Client and server then negotiate the terms over the control channel. The negotiation includes the server's IP and the server port to which the client will send data on the data connection.

If the server has a private IP address, the load balancer performs Destination NAT on the control connection. But at the same time the load balancer must also inspect the negotiated information and change any IP address or port that client and server exchange, so that the client sends data to the public VIP and not to the private IP of the server (this information sits in the packet's payload).

Moreover, the DEST port chosen in the negotiation is not known in advance, so the load balancer must handle the request even though that port has not been bound to any server yet.

However, many businesses have firewall security policies under which the UDP-based data connection cannot succeed. So many streaming media systems enable HTTP-based streaming, meaning the whole data stream is sent over the connection established by HTTP. This makes NAT much simpler.

Direct Server Return (DSR)

Let us return to the second model. With this model we have two approaches, each with its own advantages and disadvantages: make the load balancer the default gateway, or use Full NAT to force the server's reply to go through the load balancer.

But what if we want the server to answer the client directly, without passing through the load balancer? This is not a ridiculous question: when the load balancer's processing capacity is limited, separating the reply traffic so that it does not pass through the load balancer lets the load balancer concentrate on handling request traffic more effectively, avoiding congestion and improving performance.

But with a private IP address, how can the server respond directly to the client over the Internet? With only a small trick around the IP address the problem is solved: when configured for DSR, the load balancer does not change the DEST IP to the server IP but keeps the VIP (the public IP). The load balancer only changes the DEST MAC to the server's MAC so that the packet can reach the server. The limitation of DSR is therefore that the load balancer and the server must be on the same subnet.

The remaining issue is how the server can accept the request packet forwarded by the load balancer rather than rejecting it, since the DEST IP is not the server's IP but the VIP! Simply configure the VIP address on the loopback interface of each server. Load balancing makes use of the following interesting properties of the loopback interface:

- Any IP address can be assigned to it; it does not have to start with 127.

- The loopback interface is not a real device; it has no MAC address, and the system will not respond to ARP requests for it. Therefore no other system learns the IP address on the loopback interface. However, the system still receives requests addressed to the loopback IP and responds to them as it would on any other interface.

You can set up a public IP address on the loopback interface on Linux as follows:

ifconfig lo 141.149.65.3 netmask 255.255.255.0 up

So, with a small address trick, a server that does not really have a public IP address can still receive requests and answer the client directly.
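The DSR passage above describes a forwarding step that leaves the layer 3 header alone and rewrites only the destination MAC, plus a server that accepts packets for the VIP because the VIP sits on its loopback interface while never claiming the VIP in ARP. The following Python model is an added example, not code from the original article or any product; it simulates both sides and the two failure modes a practitioner meets when deploying DSR (a server that was not given the VIP on loopback drops the packet, and a server answers ARP only for its real NIC address). The VIP, client IP and server 2 address come from the article; the MAC addresses, the second server 10.10.10.10 and the gateway are constructed for the example.

```python
from dataclasses import dataclass, replace
from itertools import cycle

VIP = "141.149.65.3"                   # from the article
CLIENT_IP = "188.1.1.10"               # from the article
# Constructed MAC addresses (locally administered range) for the example.
LB_MAC = "02:00:00:00:00:01"
GATEWAY_MAC = "02:00:00:00:00:fe"      # assumed router toward the Internet on the same segment


@dataclass(frozen=True)
class Frame:
    """Ethernet + IP addressing; ports are omitted because DSR does not touch them."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


class RealServer:
    def __init__(self, mac, eth_ip, vip_on_loopback=None):
        self.mac = mac
        self.addresses = {"eth0": eth_ip}
        if vip_on_loopback:
            self.addresses["lo"] = vip_on_loopback   # the article's "ifconfig lo <VIP>" step

    def arp_reply(self, target_ip):
        """Only the real NIC answers ARP; lo has no MAC, so the VIP is never claimed on the LAN."""
        return self.mac if target_ip == self.addresses["eth0"] else None

    def receive(self, frame):
        if frame.dst_mac != self.mac:
            return None                  # frame was not addressed to this NIC
        if frame.dst_ip not in self.addresses.values():
            return None                  # kernel drops it: DEST IP is not a local address
        # Reply goes straight to the client via the gateway. The VIP is the source IP, so the
        # client sees the address it sent to, and the load balancer is not in the return path.
        return Frame(src_mac=self.mac, dst_mac=GATEWAY_MAC,
                     src_ip=frame.dst_ip, dst_ip=frame.src_ip)


class DsrLoadBalancer:
    def __init__(self, vip, mac, servers):
        self.vip, self.mac = vip, mac
        self.servers = cycle(servers)    # servers must share the L2 segment with the balancer

    def forward(self, frame):
        if frame.dst_ip != self.vip:
            raise ValueError("not addressed to the VIP")
        server = next(self.servers)
        # DSR: layer 3 addresses untouched; only the destination MAC is rewritten.
        return replace(frame, src_mac=self.mac, dst_mac=server.mac)


if __name__ == "__main__":
    s2 = RealServer("02:00:00:00:00:02", "10.10.10.20", vip_on_loopback=VIP)
    lb = DsrLoadBalancer(VIP, LB_MAC, [s2])
    fwd = lb.forward(Frame(GATEWAY_MAC, LB_MAC, CLIENT_IP, VIP))
    print(fwd)                 # DEST IP still the VIP, DEST MAC now the server's
    print(s2.receive(fwd))     # reply sourced from the VIP, addressed to the client
```

The model reproduces the behaviour the article describes. On a real Linux host the kernel will, by default, answer ARP for any locally configured address on any interface, so DSR deployments also set the `arp_ignore` and `arp_announce` sysctls on the servers and usually add the VIP to `lo` with a /32 mask so that the server does not treat the VIP's subnet as directly connected.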

DSR is useful for bandwidth-heavy applications such as FTP and streaming media, where the reply packets are large compared with the request packets. The technique is also applied to protocols that would require a complex NAT implementation, or that the load balancer does not support.

For example, for streaming media protocols such as those mentioned under Enhanced NAT, you can use DSR instead of NAT. We also need to consider DSR when load balancing on a network layout like the second model, where reply traffic from the server is not guaranteed to pass through the load balancer.
