HAProxy ALOHA Documentation 12.5

NAT mode

With Network Address Translation (NAT) enabled, the HAProxy ALOHA appliance can replace the source and destination IP addresses of incoming packets.

  • Source NAT: The source IP of the incoming packet is replaced with the IP address of the HAProxy ALOHA appliance. Source NAT can be configured using the NAT tab, which translates the NAT rules into iptables rules.

  • Destination NAT: The destination IP address is replaced with the private IP address of the backend server. Destination NAT can be configured using the NAT tab or, in applications using the LVS (Layer 4) load balancer, by specifying nat mode in the LVS director configuration.

After the HAProxy ALOHA appliance translates the packet addresses, the changed packet is then sent to the backend server. When the HAProxy ALOHA appliance receives the server response, the original IP addresses are restored and the packet is sent back to the client.

Destination NAT allows a simpler configuration on the backend servers, which receive traffic on their private addresses, and simply return traffic to the source IP, which is that of the HAProxy ALOHA appliance.

NAT mode is supported by both Linux and Windows backend servers. Backend servers can keep the network's external gateway as their default gateway. Disadvantages include that it reduces the number of connections that HAProxy ALOHA can support, due to needing to use more ports.

Optionally, instead of configuring source NAT (HAProxy ALOHA NAT tab), you can set HAProxy ALOHA to be the default gateway on the backend server. That accomplishes the same thing and would use fewer ports on HAProxy ALOHA, at the cost of a slightly more complex setup on the backend server (i.e. needing to change the default gateway).

NAT traffic flow

NAT load balancing

  1. The client connects to your application at the configured public IP address (VIP). HAProxy ALOHA listens at that address and receives the packets.

  2. The packet's destination IP address is translated from HAProxy ALOHA's public IP to the private IP of one of the backend servers. Simultaneously, the packet's source IP addresses are translated from the client's IP to HAProxy ALOHA's IP address.

  3. The backend server accepts the request to its IP.

  4. The backend server sends its response to HAProxy ALOHA because its address is set as the source IP in the packet.

  5. HAProxy ALOHA performs the reverse NAT before relaying the response to the client.

NAT use case

NAT represents traditional Layer 4 load balancing, but it isn't the only way to load balance Layer 4 protocols. From the LB Layer7 tab, you can load balance services over TCP via a reverse proxy configuration. This is the approach we recommend for TCP because it provides more detailed logging and is simpler to set up and troubleshoot. However, NAT enables you to load balance UDP services and to load balance services that utilize dynamic TCP ports, such as FTP.

For pure TCP service, use the LB Layer7 load balancer in tcp mode instead.

Configuring NAT

Configuring NAT involves these tasks:

  • Enable destination NAT in the LVS director configuration.

  • Enable source NAT using a NAT rule.

  • Enable connection tracking in the LVS service.

Enable Destination NAT

Configure LVS so that it translates the destination IP from the public IP on which HAProxy ALOHA listens to the backend server's private IP.

  1. In the web UI's LB Layer4 tab, add the mode nat directive to your existing configuration.

    Load balance the UDP protocol.

    director web 10.0.0.3:8000 UDP
  balance leastconn
  mode nat
  server web1 10.0.0.20:8000 weight 10 check

  2. Click OK and Apply.

  3. Click on the Setup tab. In the Configuration section, click Save.

Enable Source NAT

Create iptables NAT rules to translate the client's source IP to the HAProxy ALOHA appliance's IP.

  1. In the NAT tab, click Insert insert_icon to add a new NAT rule.

    https://cdn.haproxy.com/documentation/aloha/12-5/assets/0_form_source_nat-f0c10cbefa387fee9e618da25b9ab092e120f115731ab2f8b2433f1f886b6e3f.png

  2. Select the following values in the New Rule area, depending on how many network interfaces are attached to HAProxy ALOHA.

    • One network interface

      --------+-------- 192.168.1.0/24, VIPs, backend servers
        |
        | eth0
   +---------+
   |         |
   |  ALOHA  |
   |         |
   +---------+

      Field

      Description

      IN

      Inbound network interface

      OUT

      Outbound network interface, the same as the inbound interface

      Protocol

      UDP
      https://cdn.haproxy.com/documentation/aloha/12-5/assets/one_nic_source_nat-d1d81efafb5eec6cbb2b481f2eb3cb9fb91b64c772681fad26b4b120302b3ffe.png

    • Two network interfaces

      --------+-------- 192.168.1.0/24, VIPs
        |
        | eth0
   +---------+
   |         |
   |  ALOHA  |
   |         |
   +---------+
        | eth1
        |
--------+-------- 192.168.2.0/24, backend servers

      Field

      Description

      IN

      Inbound network interface

      OUT

      Outbound network interface, different from the inbound interface

      Protocol

      UDP
      https://cdn.haproxy.com/documentation/aloha/12-5/assets/two_nic_source_nat-f8b2d0843a49575290ea7255d9246a67ae5a671f209414466ecd4b51765b8afa.png

  3. Enter the following values in the Before area.

    Field

    Value

    Example

    Source

    Blank

    Source port

    Blank

    Destination

    VIP address

    10.0.0.3

    Destination port

    UDP port or range

    8000, or 50000-51000
    https://cdn.haproxy.com/documentation/aloha/12-5/assets/before_area_nat-7a802e4b785ea4a80bcfd54ae0a11b72c374e1e812c7cd57a70fe8de8be54f46.png

  4. Enter the following values in the After area.

    Field

    Value

    Example

    Source

    VIP address

    10.0.0.3

    Source port

    Blank

    Destination

    Blank

    Destination port

    Blank
    https://cdn.haproxy.com/documentation/aloha/12-5/assets/after_area_nat-037972d212e7077d670969be199036e1e462309662e94bcd753dad3aa295a30c.png

  5. Check your configuration.

    Rules for one network interface.

    https://cdn.haproxy.com/documentation/aloha/12-5/assets/form_source_nat-d88874360f3bc9b5e679953159f2d9ab771bc04043c81819fa54aad22e6273a5.png

    Rules for two network interfaces.

    https://cdn.haproxy.com/documentation/aloha/12-5/assets/form_source_nat-2-af2ca8b55d28bd8585ac8a90816ca7697ecf18e22e8f0019874f4372cbd7dfc9.png

  6. Click Add apply_icon and Apply.

  7. Click on the Setup tab. In the Configuration section, click Save.

Enable LVS connection tracking

NAT relies on the connection tracking information so that it can translate all of the packets in a session in the same way.

  1. Click the Services tab.

  2. Locate the lvs service and click Setup setup_icon.

  3. Enable connection tracking through the conntrack keyword.

    service lvs
  ############ Linux Virtual Server, layer 3/4 load balancing
  conntrack

  4. Click OK and then Close.

  5. Locate the lvs service and click Restart restart_icon.

  6. Click on the Setup tab. In the Configuration section, click Save.

Display NAT rules results

NAT rules are stored in the /etc/natrules/natrules.cfg file.

In the natrules.cfg entry below, TCP packets targeted for 172.30.100.0:3389 have their source IP address changed to 10.11.100.20 and are sent to device eth1.

# <in> <out> <proto> <src> <sport> <dst> <dport> <msrc> <msport> <mdst> <mdport> <related>
any eth1 tcp any any 172.30.100.0/24 3389 10.11.100.20 same same same -

To display the results of NAT rules, use this command:

iptables -t nat -L -v

Example output from preceding example natrules.cfg entry.

Chain PREROUTING (policy ACCEPT 220 packets, 11424 bytes)
 pkts bytes target     prot opt in     out     source               destination
  220 11424 pre_appli  all  --  any    any     anywhere             anywhere

Chain INPUT (policy ACCEPT 220 packets, 11424 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 63371 packets, 3811K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 63371 packets, 3811K bytes)
 pkts bytes target     prot opt in     out     source               destination
63371 3811K post_appli  all  --  any    any     anywhere             anywhere

Chain post_appli (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  any    eth1    anywhere             anywhere             ctorigdst 172.30.100.0/24 tcp dpt:3389 to:10.11.100.20

Chain pre_appli (1 references)
 pkts bytes target     prot opt in     out     source               destination

Next up

Observability