Bridge mode Protected Application Server load balancing

Hi Guys,


Is it possible to configure protected application server load balancing in bridge mode?

I couldn't figure out how to make it work on Sophos XG.

Connecting from a host in the WAN VLAN to a host in the LAN VLAN failed.


I configured it as below.

Sophos XG (Bridge Mode)
br0 IP address: 192.168.1.21/255.255.255.0
Port1 - LAN VLAN102
Port2 - WAN VLAN7

Lan Host
IP address: 192.168.1.88/24
D.G.: 192.168.1.21
Connected to VLAN102

WAN Host
IP address: 192.168.1.71/24
Connected to VLAN7

Source
Host: Any
Hosted Server
Source Zone: Any
Hosted Address: VIP1 (192.168.1.66)
Protected Application Server
Protected Zone: LAN
Protected Application Server: VIPList1 (192.168.1.77, 192.168.1.88)
Load Balancing: Round Robin
Health Check: Off
Forward all ports: On
Routing
Rewrite source address: Off

  • Hi Steve, 

    Could you please help me with a network diagram? I am also quite unclear as to what your goal is.

    I see that the BridgeIP is 192.168.1.21 and you are forcing the firewall to listen to 192.168.1.66 and forward to .77 and .88. Is that correct?

    I tried to make up the diagram from what you have said, please correct and help me further so that I can relate and help you on this.

    Regards,

  • Hi varunparikh,

    The objective is to set up load balancing for servers in bridge mode.

    The 192.168.1.66 is the virtual IP. It is mapped to LAN IP addresses 192.168.1.77 and 192.168.1.88 with load balancing (round robin).

    So, traffic from 192.168.1.71 (WAN) to 192.168.1.66 (VIP) should be passing to 192.168.1.77 or 192.168.1.88.

    Thanks!

  • Hi Steve,

    Thanks for sharing the info. The firewall IP is .21 and you are trying to listen on .66 on the firewall, which I think could be the problem here.

    From a routing perspective, the firewall thinks that .66 is located somewhere other than the firewall itself, as its own IP is .21.

    Could you please try forwarding .21 to .77 and .88?

    Alternatively, if you still want to use .66, you can use a Port other than the bridge pair and give it the IP 192.168.1.66/32 (255.255.255.255).

    You should then be able to load balance traffic to .77 and .88.

    Hope that helps.