Gateway Mode - Arpspoof

About

In load balancer technology, Gateway Mode is a mode where the TR7 Load Balancer acts as a gateway that forwards both incoming and outgoing traffic. In this mode, all client requests pass through the TR7 before being forwarded to the Backend Services, and the responses are sent back to the client through the TR7. This ensures that the Client IP address is preserved and forwarded to the Backend Service, even in TCP-level applications where the X-Forwarded-For header information cannot be used.

However, Gateway Mode only works if the default gateway address of each Backend Service is manually changed. To avoid this manual configuration, Arpspoof is activated on the TR7, which removes the need for those changes, speeds up the process, and makes management easier.

Example Topology

In the example Gateway Mode Arpspoof topology, the 10G network interface used by the TR7 appears in the VLAN 102 route table. The VIP address, 172.16.102.113, is defined as the vService IP address on the 10G network interface. The default gateway address of the Backend Service is not modified manually; it is managed through Arpspoof instead. This makes Gateway Mode Arpspoof active for the service and ensures that the Client IP address is preserved.

Interface

Step > 1

By navigating to "Network > Route Tables," a new route table was added.

Step > 2

By following the "Network > Interfaces" steps, the 10G network interface was included in the added Route Table, and IP addresses were added. The 172.16.102.111 and 172.16.102.112 IP addresses were defined as "Interface IP," and the 172.16.102.113 IP address was defined as the "VIP" address.

Step > 3

By following the "Traffic Manager > Backend Services" steps, VLAN 102 was selected as the relevant server's Route Table. After Details was activated, "Use Client IP" was selected via SNAT. Then, Spoofing was activated, and the relevant configurations were made.

Warning

At this point, if the Backend Service requires an update or needs to access a different network, it will not be able to do so because its gateway address is the TR7. To enable communication with different networks, follow the "Network > Firewall" steps and create a Forwarding rule on VLAN 102 to allow communication with other networks.

Step > 4

Finally, a vService was created with the 172.16.102.113 VIP address on the vServices screen, and the relevant Backend Service was selected as the default.
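
A check that can be run on a Linux backend to confirm the redirection, as an added example that is not part of the TR7 documentation: it parses `ip neigh show` and `ip route show default` output and reports whether the gateway IP resolves to the same MAC as a TR7 interface IP. The gateway address 172.16.102.1, the MAC addresses, and the assumption that the TR7 answers with its own interface MAC are constructed for illustration.

```python
import re

# Constructed sample data: output a backend might show with Spoofing active.
ROUTE = "default via 172.16.102.1 dev eth0\n"
LB_IPS = {"172.16.102.111", "172.16.102.112"}   # TR7 Interface IPs from the page
NEIGH_SPOOFED = """\
172.16.102.1 dev eth0 lladdr 02:00:00:AA:BB:01 REACHABLE
172.16.102.111 dev eth0 lladdr 02:00:00:aa:bb:01 STALE
172.16.102.20 dev eth0 lladdr 02:00:00:cc:dd:20 STALE
172.16.102.50 dev eth0 FAILED
"""

# Entries without a resolved link-layer address (FAILED/INCOMPLETE) do not match.
NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})\b", re.I)

def parse_neigh(text):
    """Return {ip: mac} for resolved entries of `ip neigh show` output."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def default_gateway(route_text):
    """Extract the next hop from `ip route show default` output."""
    m = re.search(r"^default via (\S+)", route_text, re.M)
    return m.group(1) if m else None

def classify_gateway(neigh_text, route_text, lb_ips):
    """Report who answers ARP for the default gateway, with the MAC seen."""
    table = parse_neigh(neigh_text)
    gw = default_gateway(route_text)
    if gw is None or gw not in table:
        return "unknown", None
    gw_mac = table[gw]
    # Other IPs that resolve to the same MAC as the gateway IP.
    sharers = {ip for ip, mac in table.items() if mac == gw_mac and ip != gw}
    if not sharers:
        # No duplicate in this cache; does not prove redirection is absent.
        return "unique", gw_mac
    if sharers <= set(lb_ips):
        return "load-balancer", gw_mac   # expected with Spoofing enabled
    return "unexpected", gw_mac          # another host claims the gateway IP

if __name__ == "__main__":
    print(classify_gateway(NEIGH_SPOOFED, ROUTE, LB_IPS))
```

Network monitoring that alerts on duplicate MAC-to-IP mappings will flag the "load-balancer" case too, so the TR7 interface addresses need to be known to whoever triages those alerts.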