Firewall behind Peplink, How Load Balance Works?

Hi Guys,

I have a doubt and wanted to get help from you.

If I place a firewall behind a Peplink Balance router, placing all office users behind the firewall with NAT enabled,
how does the WAN link load balancing work?

LAN ---------- Firewall ---------- Peplink ---------- Internet (3 ISPs)

LAN : 10.100.100.0 /24
Firewall WAN IP : 10.50.50.5 /24
Peplink LAN : 10.50.50.0 /24
Peplink WAN IP : Static Public IP

How does the load balancing work, as all user traffic will get NATed to the firewall's WAN IP (Peplink LAN)?

Hi @sianand,

Welcome to the forum!

Technically your scheme can work for most applications, but it may be quite complex to manage. All the difficulty depends on your inbound/outbound balancing requirements.

If I were you, I would consider those topology alternatives:

  1. Use the firewall of the Peplink router without an additional security appliance.

  2. If an intermediate firewall is necessary, check the options of:
    A. Firewall in L3 NAT mode + Peplink router with the advanced feature Drop-in mode
    B. Firewall in L2 bridge mode, if possible.

Best Regards

1 Like

So what will trip you up in this configuration is that the only IP the Balance sees is the WAN IP of the firewall. The default HTTPS persistence rule is set to ‘by source’ to keep all HTTPS traffic from the same LAN IP destined for the same internet service on the same WAN.

Instead, if you have to be in Layer 3 load balancing mode like this, you want to use ‘by destination’.

However, it is still a considerable limitation, depending on the number of devices behind the firewall. And if you need to open ports for inbound services, you have to open them on both the Balance and the firewall.

Drop-in mode doesn’t really help with load balancing in this scenario, since you are still on the WAN side of the firewall. It does make it easier to manage firewall rules and port forwarding, though, since you would continue to do that on the original firewall.

The best load balancing experience would likely be, as @Ricardas suggested, if you could change the topology to have the firewall as a transparent bridge or just get rid of it completely (depending on the customer requirement).

4 Likes

Hi @Ricardas and @MartinLangmaid, Thanks for your reply.

I guess the latter’s suggestion seems more relevant to me than Drop-in mode as I had thought the same.

Now, will this work flawlessly in the scenario below?

Just disabling NAT on the firewall will do. Make sure the firewall has a default route to the Balance LAN IP and the Balance has a static route for the LAN 10.100.100.0/24 via the firewall WAN IP. This is the common design whereby you have a core switch/firewall running behind a Balance device.

6 Likes
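The accepted design above (NAT off on the firewall, static route on the Balance for the LAN via the firewall WAN IP) together with @MartinLangmaid's point about ‘by source’ persistence, as an added model that is not part of this thread or of Peplink's own code. It assumes a simple modulo hash stands in for the Balance's persistence table and uses constructed sample addresses.

```python
import ipaddress
from collections import Counter

# Topology from the thread: LAN -- Firewall -- Peplink Balance -- 3 ISPs
LAN = ipaddress.ip_network("10.100.100.0/24")
FW_WAN_IP = "10.50.50.5"           # firewall WAN side, i.e. Balance LAN side
WANS = ("WAN1", "WAN2", "WAN3")    # the three ISP links

def firewall_forward(src_ip, nat_enabled):
    """Source address the Balance sees once the firewall has forwarded the packet."""
    return FW_WAN_IP if nat_enabled else src_ip

def balance_pick_wan(src_ip, dst_ip, persistence="source"):
    """Stand-in for the Balance outbound rule: 'source' (the default HTTPS rule)
    or 'destination' persistence. A modulo hash models the persistence table
    (assumption: the real firmware keys on the same field, not on this hash)."""
    key = ipaddress.ip_address(src_ip if persistence == "source" else dst_ip)
    return WANS[int(key) % len(WANS)]

def spread(flows, nat_enabled, persistence):
    """How many flows land on each WAN for one design choice."""
    counts = Counter()
    for src, dst in flows:
        counts[balance_pick_wan(firewall_forward(src, nat_enabled), dst, persistence)] += 1
    return dict(counts)

def balance_next_hop(dst_ip, routes):
    """Longest-prefix lookup in the Balance routing table; None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(net, nh) for net, nh in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

# Constructed sample: 30 LAN hosts talking HTTPS to four internet destinations
FLOWS = [(f"10.100.100.{h}", f"203.0.113.{h % 4 + 1}") for h in range(10, 40)]
DEFAULT = (ipaddress.ip_network("0.0.0.0/0"), "internet-WAN")
ROUTES_OK = [DEFAULT, (LAN, FW_WAN_IP)]    # static route from the accepted answer
ROUTES_MISSING = [DEFAULT]                 # static route forgotten

if __name__ == "__main__":
    print("NAT on,  by source     :", spread(FLOWS, True, "source"))
    print("NAT on,  by destination:", spread(FLOWS, True, "destination"))
    print("NAT off, by source     :", spread(FLOWS, False, "source"))
    print("reply to 10.100.100.25 with route   :", balance_next_hop("10.100.100.25", ROUTES_OK))
    print("reply to 10.100.100.25 without route:", balance_next_hop("10.100.100.25", ROUTES_MISSING))
```

With NAT on, every flow collapses onto one WAN under ‘by source’; with NAT off the Balance sees each LAN host and spreads them, and the missing static route shows why replies to the LAN would otherwise follow the default route out to the internet.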

Hi @sitloongs,

Thanks for your suggestion; this sounds great.
I’ll come back with results.

Thanks friends.

:heart_eyes::two_hearts:

Hi Guys,

I’ve configured things as suggested by @sitloongs and it worked. :ok_hand::clap::+1:

Thank you, everyone.
:two_hearts::heart_eyes:
Sakthi

4 Likes