Balance two transparent web filters


#1

Hi, I’m currently looking at implementing a new web filtering solution and looking to go in a transparent deployment to remove the need to set proxy details on each client. I have found a possible vendor but their biggest box won’t support all my users. I’m therefore looking at purchasing two of them and trying to split the load over them. I’m thinking of placing a Peplink load balancer in front of the two devices, then having the two web filters plug into two LAN ports on my firewall.

Client > core switch > Peplink link balancer > two transparent (inline) web filters > single firewall

Would the above configuration work or have I misinterpreted the product?

Any advice would be greatly appreciated.

Thanks

Scott


#2

Anyone able to offer any advice?


#3

Hi Scott,

I am having a hard time visualizing what you are trying to deploy. Can you send us a network diagram?

Thanks,
Tim


#4

Hi Scott,

In order to perform transparent deployment to remove the need to set proxy details on each client, you might want to:

  1. Utilize your core switch to perform PBR (Policy Based Routing) to redirect traffic with destination TCP port 80 to the WAN interface of Peplink. In your PBR, you might want to include only source IP addresses from your clients, excluding Peplink’s IP address.

  2. In Peplink, you can then configure it in a way that, when there is HTTP traffic hitting the connected WAN interface of Peplink, Peplink will perform incoming NAT to bring the traffic in to your two Web Filtering units. Your Web Filtering units should be connected to the LAN side of Peplink.

Just to take note that, currently, there is no monitoring functionality in Peplink to monitor the health status of your Web Filtering units. However, there is no issue to perform load balancing between your Web Filtering units.

Peplink is doing a fantastic job in ISP WAN Links Load Balancing, VPN Bonding, and Auto-Failover to provide better speed and higher reliability in WAN links utilization.

Thanks and Regards,
Fortesys


#5

You would be better off with a load balancer rather than a link balancer.
You can use LVS (http://www.linuxvirtualserver.org/) in one arm direct routing mode with some IP rules to capture all of the traffic transparently.
You can even use Destination Hash based persistence so that the web filter cache is used efficiently… For health checking you can use Ldirectord or Keepalived.
Blatant plug for our product but… we have a guide here on load balancing transparent web filters. We make use of LVS for this, so it's easy to implement your own version for free with open source software.
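
An added example, not part of the thread and not any vendor's code: a simplified Python model of the destination-hash scheduling mentioned in #5, showing what happens to traffic when one of two filters fails with and without the health checking that #4 says is missing. The filter addresses, the destination range and the use of SHA-256 are assumptions; IPVS uses its own hash function.

```python
import hashlib
import ipaddress

# Constructed values: two filter addresses and a /24 of destination servers.
FILTERS = ["192.0.2.11", "192.0.2.12"]
DESTS = [str(ip) for ip in ipaddress.ip_network("198.51.100.0/24").hosts()]

def pick_filter(dest_ip, pool):
    """Hash the destination IP onto one filter in the pool.
    SHA-256 is a stand-in here; IPVS has its own hash function."""
    if not pool:
        return None
    digest = hashlib.sha256(ipaddress.ip_address(dest_ip).packed).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]

def route(dests, filters, alive, health_checked):
    """Return {destination: filter}, or None where the connection is lost.
    With health checks, dead filters are removed from the pool first."""
    pool = [f for f in filters if f in alive] if health_checked else list(filters)
    table = {}
    for dest in dests:
        target = pick_filter(dest, pool)
        table[dest] = target if target in alive else None
    return table

def lost(table):
    """Destinations whose traffic was sent to a dead filter."""
    return sorted(d for d, f in table.items() if f is None)

if __name__ == "__main__":
    healthy = route(DESTS, FILTERS, set(FILTERS), health_checked=True)
    for f in FILTERS:
        print(f, "serves", sum(1 for v in healthy.values() if v == f), "destinations")
    survivor = {FILTERS[1]}  # the first filter has failed
    blind = route(DESTS, FILTERS, survivor, health_checked=False)
    checked = route(DESTS, FILTERS, survivor, health_checked=True)
    print("lost without health checks:", len(lost(blind)))
    print("lost with health checks:   ", len(lost(checked)))
```

Because the hash depends only on the destination address, every client asking for the same site reaches the same filter, which is why the cache is used efficiently.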