HAProxy ALOHA Documentation 11.5

UDP

Use LVS in NAT mode to load balance UDP services at layer 4. In this scenario, responses from servers flow through HAProxy ALOHA (i.e. not Direct Server Return).

With Network Address Translation (NAT), HAProxy ALOHA changes the destination IP address and the client's source IP address in the packets before relaying them to the backend server. The destination IP is converted from the public IP on which HAProxy ALOHA listens to the backend server's private IP. The client's source IP is converted to be the HAProxy ALOHA appliance's IP. This leads to the least amount of configuration on the backend servers, which receive traffic on their private addresses, and simply return traffic to the source IP, which is that of the HAProxy ALOHA appliance. HAProxy ALOHA reverses these addresses on the return trip to the client.

This method is supported by both Linux and Windows backend servers. Backend servers can keep the network's external gateway as their default gateway. The main disadvantage is that it reduces the number of connections that HAProxy ALOHA can support, because translating the source address consumes ports on the appliance.

Optionally, you can enable NAT for the destination IP only and then set HAProxy ALOHA to be the default gateway on the backend server. That accomplishes the same thing and would use fewer ports on HAProxy ALOHA, at the cost of a slightly more complex setup on the backend server (i.e. needing to change the default gateway).

Traffic flow

UDP load balancing
  1. The client connects to your application at the configured public IP address. HAProxy ALOHA listens at that address and receives the packets.

  2. The packet's destination IP address is translated from HAProxy ALOHA's public IP to the private IP of one of the backend servers. Simultaneously, the packet's source IP address is translated from the client's IP to HAProxy ALOHA's IP address.

  3. The backend server accepts the request, which is now addressed to its own private IP.

  4. The backend server sends its response to HAProxy ALOHA, because HAProxy ALOHA's address is the source IP in the packet it received.

  5. HAProxy ALOHA performs the reverse NAT before relaying the response to the client.

Enable Destination NAT

We will configure LVS so that it translates the destination IP from the public IP on which HAProxy ALOHA listens to the backend server's private IP.

  1. In the web UI's LB Layer 4 tab, add the mode nat directive to your existing configuration, and apply your changes.

    director web 10.0.0.3:8000 UDP
      balance leastconn
      mode nat
      server web1 10.0.0.20:8000 weight 10 check

Enable Source NAT

We will create iptables NAT rules to translate the client's source IP to the HAProxy ALOHA appliance's IP.

  1. In the NAT tab, click + to add a new NAT rule.

  2. Select the following values in the New Rule area, depending on how many network interfaces are attached to HAProxy ALOHA.

    • One network interface

      --------+-------- 10.0.0.0/24, VIPs, backend servers
              |
              | eth0
         +---------+
         |         |
         |  ALOHA  |
         |         |
         +---------+

      Field      Description
      --------   ---------------------------------------------------------------
      IN         Inbound network interface
      OUT        Outbound network interface, the same as the inbound interface
      Protocol   UDP

    • Two network interfaces

      --------+-------- 10.0.0.0/24, VIPs
              |
              | eth0
         +---------+
         |         |
         |  ALOHA  |
         |         |
         +---------+
              | eth1
              |
      --------+-------- 10.0.3.0/24, backend servers

      Field      Description
      --------   ---------------------------------------------------------------
      IN         Inbound network interface
      OUT        Outbound network interface, different from the inbound interface
      Protocol   UDP

  3. Enter the following values in the Before area.

    Field              Value               Example
    ----------------   -----------------   --------------------
    Source             Blank
    Source port        Blank
    Destination        VIP address         10.0.0.3
    Destination port   UDP port or range   8000, or 50000-51000

  4. Enter the following values in the After area.

    Field              Value         Example
    ----------------   -----------   --------
    Source             VIP address   10.0.0.3
    Source port        Blank
    Destination        Blank
    Destination port   Blank

  5. Check your configuration, then apply it.


Enable LVS's connection tracking

Source NAT relies on connection tracking state so that every packet in a session, in both directions, is translated consistently.

  1. In the Services tab, click LVS setup.

  2. Enable connection tracking through the conntrack keyword.

    service lvs
      ############ Linux Virtual Server, layer 3/4 load balancing
      conntrack
  3. Apply and reload the LVS service.
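The following Python is an added illustration, not code from the HAProxy ALOHA documentation or product: it models the traffic flow, the Before/After rule matching (a single port or a port range at the VIP) and the conntrack lookup described in this section, and shows why a reply cannot be reversed without tracking state. The VIP and backend addresses are the page's examples; the client addresses, the round-robin backend choice and the source-port allocation are constructed simplifications.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def port_matches(spec: str, port: int) -> bool:
    """Before-area 'Destination port': one port ('8000'), a range ('50000-51000'),
    or blank, which the rule form treats as 'any'."""
    if not spec:
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

class NatBox:
    """Constructed model of the appliance path on this page: LVS DNAT to a backend,
    iptables SNAT of the client address to the VIP, conntrack to reverse both."""

    def __init__(self, vip: str, backends: list, rule_dport: str):
        self.vip, self.backends, self.rule_dport = vip, backends, rule_dport
        self.conntrack = {}   # (backend, bport, vip, nat_sport) -> (client, client_sport)
        self.next_backend = 0

    def outbound(self, pkt: Packet):
        # Steps 1-2: the packet must hit the VIP and match the Before area.
        if pkt.dst != self.vip or not port_matches(self.rule_dport, pkt.dport):
            return None
        backend = self.backends[self.next_backend % len(self.backends)]
        self.next_backend += 1
        # SNAT keeps the client's source port unless another client already owns
        # that 4-tuple; a fresh port is then allocated (why NAT mode uses more ports).
        nat_sport, owner = pkt.sport, (pkt.src, pkt.sport)
        while self.conntrack.get((backend, pkt.dport, self.vip, nat_sport), owner) != owner:
            nat_sport = 1024 if nat_sport >= 65535 else nat_sport + 1
        self.conntrack[(backend, pkt.dport, self.vip, nat_sport)] = owner
        return Packet(self.vip, nat_sport, backend, pkt.dport)

    def inbound(self, reply: Packet, conntrack_enabled: bool = True):
        # Steps 4-5: the backend answers the VIP; the reverse NAT needs the entry.
        key = (reply.src, reply.sport, reply.dst, reply.dport)
        if not conntrack_enabled or key not in self.conntrack:
            return None   # no state, so the reply cannot be mapped back to a client
        client, client_sport = self.conntrack[key]
        return Packet(self.vip, reply.sport, client, client_sport)
```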
