I'm trying to understand how the Load Balancing section works in UTM. As an example I'm trying to create a RADIUS load balancing group and use that for authentication purposes. Right now I have a host Availability Group with both RADIUS servers and I'm using that as an Authentication Server and this works. But this doesn't handle weight distribution, for example, so I wanted to try to use Load Balancing.
For my Load Balancing test I've picked the RADIUS service and then added the two RADIUS servers as Real Servers and finally I picked the UTMs internal address as the Virtual Server. Unfortunately attempting to then use this setup in the Authentication Servers section didn't work (I've added the UTMs IP as the target), so clearly something else missing. I think my assumption that just specifying the Virtual Server as the UTMs internal address and then hoping everything will work was too naïve of me but I don't know what else is required to make this work. What am I missing?
If I understand it correctly, the Weight Distribution acts similar to a dual link WAN, like setting up a failover. So, you assign how much 'weight' you want each server to have for balance and it's from 0-100 (100 being 100% of the load, 50 being 50%, etc.).
Once you create your Load Balance Rule, edit it and click the Scheduler button, then edit your Weight values.
UTM - 9.713-19 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz 16GB Memory | 500GB SATA HDD | GB Ethernet x5
This much I figured out. However I fear I'm missing some key understanding of how Load Balancing works when it comes to routing and request handling. As stated, I tried to set LB for our two RADIUS servers and then use said LB as a Sophos' authentication server but that just didn't work (no reply).
Does UTM automatically create NAT rules when a LB entry is placed? Does it auto-route requests from the virtual IP? Can it handle stuff on the same network like a high availability host?
Please insert pictures of the Edits of the related configs. Also, copy here relevant lines from the FIrewall log - I think that's where load balancing is logged. Then again, it might y to check the other logs:
grep 'loadbalancing' /var/log/*.log
Cheers - BobPS Amodin, that sounds like you're talking about Uplink Balancing instead of Load Balancing.
Here are some basic network settings we're using.
We're using the 10.150.0.0/16 (pretty wide subnet, I know), with Sophos having an extra IP: 10.150.1.50 The two NPS / RADIUS servers are 10.150.1.52 and 10.150.1.53.
I've tried using one of those NPS servers explicitly under the authentication servers and it works perfectly there (enter shared secret -> test -> "Server test passed").
Here are the LB settings I was trying to use:
I didn't bother with automatic firewall rules because its all on the same subnet and other rules should already permit connectivity (I later tried it with the setting and I had the same results...)
And here are the authentication settings I've tried to use with the previously set Load Balancing which fails the connection test (note that the Radius NB is just a host entry for 10.150.1.50 because I can't input an interface IP in here):
However bear in mind I'm primarily trying to understand how LB in UTM works because it seems it's not working the way I'd expect it to work (this is fully on me, not trying to blame UTM... at least not yet :p ). The two RADIUS servers are currently in a Host Availability group which is also a form of load balancing (minus weights) and I'm using that as an authentication server.
I've also got two SSTP servers, currently exposed via DNAT + Host Availability group... and this too feels like a perfect fit for a Load Balancing entry, except as stated I've no idea if I need to add NAT entries after that or how exactly it works under the hood.
PS. I've also taken a look at the firewall log as well as the grep you suggested and there's nothing interesting in there. Or at least nothing that would suggest what I'm doing wrong / what I don't understand.
Are there any hints in the logs, Mateusz? I suspect that load balancing doesn't play well with authentication - hopefully, one of the Sophos guys can tell us if that's the case.
Cheers - Bob
Not really. The `grep 'loadbalancing'` log only contained fairly generic things like the LB mechanism checking if the LB targets are available (they are as the green indicators show). I checked the firewall logs, filtering by target IP (10.150.1.50) and there was nothing there when I attempted the test.
If this is something with the test itself - then I'm still drawing a blank on how / when the LB mechanism should be used. I mean, if it's only for HTTP/S then Web Protection has built-in load balancing, doesn't it? And if the mechanism cannot handle complex cases (current example RADIUS or the SSTP example I mentioned) then... well, what is it for?
Emmosophos responded to me via PM saying:
Load balancing is for forwarding, not system-generated traffic. So the customer is using it in a way that wasn’t designed. The Connection should be: Client >> UTM >> Real Server IP NOT System traffic >> UTM >> Server IP's