Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

How to allow a client or server to route via the LoadMaster from an isolated network

 

Information

 

Summary:

Allowing devices to route via the LoadMaster with the Packet Routing Filter feature enabled or disabled.

Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: Any

Question/Problem Description:

How to allow a client located in an isolated network to route via the LoadMaster?

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause:

The Packet Routing Filter feature is available for all license subscription models and it is enabled by default. For Enterprise Plus subscriptions customers which have the Global Balancing "GEO" feature enabled, the Packet Routing Filter is mandatory and cannot be disabled. 

When this feature is enabled the LoadMaster avoids unknown devices to route traffic via its interfaces. However, sometimes administrators need to use the LoadMaster as a default gateway for some specific client(s) or server(s) in order to route traffic outside of the network.

Resolution:

Although the LoadMaster is not a router, if necessary, it is possible to forward traffic through.

For Standard and Enterprise subscriptions customers, the Packet Routing Filter can be easily disabled under System Configuration -> Network Setup -> Packet Routing Filter. For Enterprise Plus customers disabling the Packet Routing Filter is only possible if the Global Balancing "GEO" is disabled first.

Disabling this feature will allow any device from any configured LoadMaster interface to route traffic via the LoadMaster. Nevertheless, as the LoadMaster can potentially be used as a gateway between two subnets or more, disabling this feature can be considered in many network environments as a security vulnerability.

Workaround:

Even though disabling the Packet Routing Filter would be the quickest and simplest resolution for this type of request. It is possible to allow a device(s) to route traffic via the LoadMaster without the need to completely disable the Packet Routing Filter feature. 

By design, any known device to the LoadMaster is allowed to route traffic via the LoadMaster, which means, real servers assigned to the virtual service(s) are allowed to route traffic via the LoadMaster even when the Packet Routing Filter is enabled.

Therefore, if the administrator needs to allow a client to route traffic via the LoadMaster without disabling the Packet Routing Filter. Then as a workaround, a "dummy" virtual service must be created, and the client(s) that the administrator needs to allow routing via the LoadMaster must be assigned as a real server. Note that the reason the virtual service is called "dummy" is that the virtual service can be created with any IP from any configured network interface, using any port and can be actually deactivated.

Notes:

https://support.kemptechnologies.com/hc/en-us/articles/115003512103-How-to-Disable-IP-Forwarding

https://support.kemptechnologies.com/hc/en-us/articles/200541289-Securing-the-LoadMaster-Access 


Comments