Using NAT forwarding to forward traffic

Dispatcher's Network Address Translation (NAT) forwarding removes the requirement that the backend servers be on a locally attached network. With the NAT forwarding method, Dispatcher rewrites the incoming request and load balances it to a server. The server returns the response to Dispatcher, and the Dispatcher machine then returns the response to the client.

Before you begin

The following limitations apply to NAT forwarding:
  • Dispatcher's implementation of NAT is a simple one: it inspects and rewrites only the TCP/IP packet headers and does not analyze the data portion of the packets. NAT in Dispatcher therefore does not work with application protocols, such as FTP, that embed addresses or port numbers in the data portion of their messages. This is a known limitation of header-only NAT.
  • Dispatcher's NAT does not work with the affinity selection algorithm. It works only with the connection and connection + affinity selection algorithms.
  • Dispatcher does not support Network Address Port Translation (NAPT) as part of its NAT implementation. The mapport parameter is therefore obsolete for Dispatcher; use the NAPT facilities of the operating system directly on the backend servers instead.

About this task

You need three IP addresses on the Dispatcher machine: the nonforwarding address (NFA), the cluster address, and the return address. The return address is a unique address or host name that you configure on the Dispatcher machine. Dispatcher uses the return address as the source address when it forwards the client's request to the server. Using the return address ensures that the server sends its response back to the Dispatcher machine rather than directly to the client; Dispatcher then forwards the IP packet to the client.

You must specify the return address value when you add the server. You cannot modify the return address unless you remove the server and then add it again. The return address cannot be the same as the cluster, server, or NFA address. When you use the NAT forwarding method, you must define a return address for communication between Load Balancer and the backend servers. The number of connections that Load Balancer can keep active with a backend server is bounded by the return address and server combination, because every such connection uses the same source address and the same destination address and port and can differ only in its source port.

In addition, you must configure a client gateway, which is the router through which Dispatcher sends responses back to the client. When you add the server, you also specify the router address that Dispatcher uses to reach the backend server. If the backend server is in the same subnet as the Dispatcher machine, specify the backend server's own IP address as the router address.

Important: All addresses must belong to the same IP family.
Figure: A NAT configuration

Procedure

  1. Set the client gateway parameter with the dscontrol executor set command on the Load Balancer server.
    The client gateway is the IP address of the router through which Load Balancer forwards traffic in the return direction to clients. This value must be set to a non-zero IP address before you can use NAT. For example: dscontrol executor set clientgateway 1.2.3.5
  2. Add a NAT-enabled server on the Load Balancer server.
    Use the dscontrol server command: dscontrol server add cluster_ip@cluster_port@server_name address server_ip_address nat yes returnaddress return_ip_address router router_ip_address. For example:
    dscontrol server add 1.2.3.44@22@lboptr1 address 192.10.10.10 nat yes returnaddress 10.10.10.99 router 10.10.10.6
    Attention: No configuration is required on the backend server unless port translation is needed.
    Attention: With Dispatcher alone, NAPT is needed when the backend application must receive the data on a port that differs from the port to which the client sent it. The mapport parameter is available only with the cbrcontrol command, not with dscontrol. As an alternative to mapport, use the port translation facilities of the operating system on which the application is deployed, for example iptables on Linux®, netsh interface portproxy on Windows, and ipfilter on AIX®.
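The procedure above as one runnable script. This is an added example, not part of this documentation or of the Load Balancer product: a POSIX shell script that enforces the rules stated on this page (return address distinct from the cluster, server and NFA addresses; a non-zero client gateway; all addresses in one IP family) before emitting the dscontrol commands for one NAT-forwarded server, and that prints the Linux iptables rule for the backend-side port translation that replaces mapport. The dscontrol cluster add and dscontrol port add commands and the cluster@port form of the port argument, the NFA value 1.2.3.4, the application port 2222 and all function names are assumptions of this example, not values taken from the page.

```shell
#!/bin/sh
# Added example, not part of the Load Balancer documentation or product.
# Builds and sanity-checks the dscontrol commands for one NAT-forwarded
# backend server, applying the rules stated on this page. Assumed (not from
# the page): "dscontrol cluster add" and "dscontrol port add cluster@port"
# exist in this form, and an iptables REDIRECT rule is the backend-side NAPT.
# Set DRYRUN=1 to print the commands instead of running dscontrol.

DSCONTROL="${DSCONTROL:-dscontrol}"

# ip_family ADDR: prints 4 or 6; fails for anything that is not an address.
ip_family() {
    case "$1" in
        *:*) echo 6 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) echo 4 ;;
        *) return 1 ;;
    esac
}

# validate_nat_server NFA CLUSTER SERVER RETURNADDR ROUTER CLIENTGATEWAY
# Rules from the page: the return address must differ from the cluster,
# server and NFA addresses; the client gateway must be a non-zero address;
# every address must be in the same IP family as the NFA.
validate_nat_server() {
    nfa=$1; cluster=$2; server=$3; ret=$4; router=$5; cgw=$6
    rc=0
    for a in "$cluster" "$server" "$nfa"; do
        if [ "$ret" = "$a" ]; then
            echo "error: return address $ret is also the cluster, server or NFA" >&2
            rc=1
        fi
    done
    case "$cgw" in
        ""|0.0.0.0|::) echo "error: clientgateway must be a non-zero IP address" >&2; rc=1 ;;
    esac
    fam=$(ip_family "$nfa") || { echo "error: NFA '$nfa' is not an IP address" >&2; return 1; }
    for a in "$cluster" "$server" "$ret" "$router" "$cgw"; do
        f=$(ip_family "$a") || { echo "error: '$a' is not an IP address" >&2; rc=1; continue; }
        if [ "$f" != "$fam" ]; then
            echo "error: $a is IPv$f but the NFA $nfa is IPv$fam" >&2
            rc=1
        fi
    done
    return $rc
}

# nat_server_cmds NFA CLUSTER PORT NAME SERVER RETURNADDR ROUTER CLIENTGATEWAY
# Prints the dscontrol commands in the order the procedure above uses.
nat_server_cmds() {
    nfa=$1; cluster=$2; port=$3; name=$4; server=$5; ret=$6; router=$7; cgw=$8
    validate_nat_server "$nfa" "$cluster" "$server" "$ret" "$router" "$cgw" || return 1
    cat <<EOF
$DSCONTROL executor set clientgateway $cgw
$DSCONTROL cluster add $cluster
$DSCONTROL port add $cluster@$port
$DSCONTROL server add $cluster@$port@$name address $server nat yes returnaddress $ret router $router
EOF
}

# backend_napt_rule CLUSTERPORT APPPORT
# Prints the Linux iptables rule to run on the backend server when the
# application listens on APPPORT rather than on the cluster port, which
# Dispatcher's header-only NAT leaves unchanged (the mapport replacement).
backend_napt_rule() {
    echo "iptables -t nat -A PREROUTING -p tcp --dport $1 -j REDIRECT --to-ports $2"
}

# apply_nat_server ARGS...: run (or, with DRYRUN=1, print) the commands.
apply_nat_server() {
    cmds=$(nat_server_cmds "$@") || return 1
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        if [ -n "${DRYRUN:-}" ]; then
            echo "$cmd"
        else
            $cmd || { echo "error: '$cmd' failed" >&2; exit 1; }
        fi
    done
}

# Demo with the page's example values; the NFA 1.2.3.4 and application
# port 2222 are assumed. Run as: sh nat-config.sh --demo
if [ "${1:-}" = "--demo" ]; then
    DRYRUN=1
    apply_nat_server 1.2.3.4 1.2.3.44 22 lboptr1 192.10.10.10 10.10.10.99 10.10.10.6 1.2.3.5
    echo "# on the backend server 192.10.10.10:"
    backend_napt_rule 22 2222
fi
```

Run it with --demo to see the four dscontrol commands and the iptables rule without touching the executor; without DRYRUN set, apply_nat_server executes each dscontrol command in order and stops at the first failure, which is the behaviour a practitioner wants because a server added with a wrong return address can only be corrected by removing and re-adding it.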