
CLI: Example of Configuring DNS Transparent Proxy and Global Route Selection Policy for Internet Traffic Load Balancing

This section provides an example for configuring DNS transparent proxy and global route selection policy for internet traffic load balancing.

Networking Requirements

As shown in Figure 1, an enterprise rents links from both ISP1 and ISP2. The bandwidth of the ISP1 link is 100M, and that of the ISP2 link is 50M. The DNS server addresses of ISP1 are 8.8.8.8 and 8.8.8.9, and the DNS server addresses of ISP2 are 9.9.9.8 and 9.9.9.9. In normal cases, the clients of intranet users are all configured with the same DNS server address. This example assumes that this DNS server address is 10.2.0.70.

  • The enterprise requires that the Internet access traffic of intranet users on network segment 10.3.0.0/24 be distributed across the ISP1 and ISP2 links in the ratio of 2:1, so that both links are fully used without becoming congested and users' Internet access experience improves.

  • When intranet users access the domain name www.example.com, the FW does not perform DNS transparent proxying, but the Web server address of the domain name must be resolved by the specified DNS server (8.8.8.10).

  • When one link is overloaded (the threshold is 90%), subsequent traffic is forwarded over the other link.

Figure 1 Intranet users accessing DNS servers

Configuration Roadmap

Configure the transparent proxy function on the FW to distribute DNS query messages from intranet users in the ratio of 2:1 to the DNS servers on ISP1 and ISP2 networks. When processing DNS query messages, the DNS transparent proxy function replaces the destination addresses of the messages with the DNS server address bound to the outbound interface. The selection of the outbound interface depends on the intelligent uplink selection function. Because the enterprise requires that the Internet access traffic can be distributed in the ratio of 2:1 to both links, you need to set the intelligent uplink selection mode to load balancing by link bandwidth. In the example, global route selection policies are configured. To ensure that the Internet access traffic is directly forwarded to the Web server on the ISP network of the destination address without taking a detour on other ISP networks, you need to configure ISP address database link selection.

  1. Optional: Configure the health check function. Configure a health check for ISP1 and another for ISP2.

  2. Set the interface IP address, security zone, gateway, bandwidth, and overload protection threshold, and apply the corresponding health check to each interface.

  3. Configure the ISP link selection function. Create two ISP address files, isp1.csv and isp2.csv, and upload them to the FW.

  4. Configure DNS transparent proxy. Bind the DNS server addresses to the outbound interfaces, specify the DNS server addresses that require DNS transparent proxy, and specify the domain names to be excluded.

  5. Configure a global route selection policy. Set the intelligent uplink selection mode to load balancing by link bandwidth and configure the outbound interfaces of the FW connecting to ISP1 and ISP2 as intelligent uplink selection member interfaces.

  6. Configure a basic security policy to allow intranet users to access the Internet.

This example focuses on the configuration related to intelligent uplink selection. Configure other data such as NAT based on the actual networking.

In this scenario, whether the traffic can be switched over due to overload depends on the DNS resolution result of the DNS transparent proxy.

Procedure

  1. Optional: Enable the health check function and create a health check for the ISP1 link and another for the ISP2 link.

    <FW> system-view
    [FW] healthcheck enable
    [FW] healthcheck name isp1_health
    [FW-healthcheck-isp1_health] destination 8.8.8.8 interface GigabitEthernet 0/0/1 protocol dns
    [FW-healthcheck-isp1_health] destination 8.8.8.9 interface GigabitEthernet 0/0/1 protocol dns
    [FW-healthcheck-isp1_health] quit
    [FW] healthcheck name isp2_health
    [FW-healthcheck-isp2_health] destination 9.9.9.8 interface GigabitEthernet 0/0/5 protocol dns
    [FW-healthcheck-isp2_health] destination 9.9.9.9 interface GigabitEthernet 0/0/5 protocol dns
    [FW-healthcheck-isp2_health] quit

    When the DNS transparent proxy function and the intelligent uplink selection function are used together, and both the health check of the DNS transparent proxy and the health check on the intelligent uplink selection interface are enabled, set the destination address of the health check on the intelligent uplink selection interface to the DNS server address bound to that interface and set the detection protocol to DNS. This keeps the two health check results consistent, so that whenever the interface link is up it can also serve DNS proxy traffic, preventing service access failures caused by failed DNS requests.

    If the state remains down after the health check configuration is complete, check the health check configuration.

  2. Configure the IP address, gateway address, bandwidth, and overload protection threshold for each interface, and apply the health checks to the interfaces.

    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 255.255.255.0
    [FW-GigabitEthernet0/0/1] gateway 1.1.1.254
    [FW-GigabitEthernet0/0/1] bandwidth ingress 100000 threshold 90
    [FW-GigabitEthernet0/0/1] bandwidth egress 100000 threshold 90
    [FW-GigabitEthernet0/0/1] healthcheck isp1_health
    [FW-GigabitEthernet0/0/1] quit
    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 255.255.255.0
    [FW-GigabitEthernet0/0/3] quit
    [FW] interface GigabitEthernet 0/0/5
    [FW-GigabitEthernet0/0/5] ip address 2.2.2.2 255.255.255.0
    [FW-GigabitEthernet0/0/5] gateway 2.2.2.254
    [FW-GigabitEthernet0/0/5] bandwidth ingress 50000 threshold 90
    [FW-GigabitEthernet0/0/5] bandwidth egress 50000 threshold 90
    [FW-GigabitEthernet0/0/5] healthcheck isp2_health
    [FW-GigabitEthernet0/0/5] quit

  3. Upload the ISP address files to the FW using SFTP. The imported ISP address files are stored in the isp folder in the root directory. Details are omitted.

  4. Create ISP name isp1_ifgrp for ISP1 and ISP name isp2_ifgrp for ISP2 and associate them with the corresponding ISP address files.

    [FW] isp name isp1_ifgrp set filename isp1.csv
    [FW] isp name isp2_ifgrp set filename isp2.csv

  5. Create an ISP interface group for ISP1 and another for ISP2, and add the interfaces to the corresponding ISP interface groups. ISP routes are then delivered by default.

    [FW] interface-group 1 isp isp1_ifgrp
    [FW-interface-isp-group-1] add interface GigabitEthernet 0/0/1
    [FW-interface-isp-group-1] quit
    [FW] interface-group 2 isp isp2_ifgrp
    [FW-interface-isp-group-2] add interface GigabitEthernet 0/0/5
    [FW-interface-isp-group-2] quit

  6. Configure DNS transparent proxy. Bind the DNS server address to the outbound interface and enable health check, implement DNS transparent proxy for traffic whose source address belongs to network segment 10.3.0.0/24, and configure excluded domain names.

    [FW] dns-transparent-policy
    [FW-policy-dns] dns transparent-proxy enable
    [FW-policy-dns] dns server bind interface GigabitEthernet 0/0/1 preferred 8.8.8.8 alternate 8.8.8.9 health-check enable
    [FW-policy-dns] dns server bind interface GigabitEthernet 0/0/5 preferred 9.9.9.8 alternate 9.9.9.9 health-check enable
    [FW-policy-dns] dns transparent-proxy exclude domain www.example.com server preferred 8.8.8.10
    [FW-policy-dns] rule name abc
    [FW-policy-dns-rule-abc] action tpdns
    [FW-policy-dns-rule-abc] source-address 10.3.0.0 24
    [FW-policy-dns-rule-abc] quit
    [FW-policy-dns] quit

  7. Configure a global route selection policy to load balance traffic by link bandwidth.

    [FW] multi-interface
    [FW-multi-inter] add interface GigabitEthernet 0/0/1
    [FW-multi-inter] add interface GigabitEthernet 0/0/5
    [FW-multi-inter] mode proportion-of-bandwidth
    [FW-multi-inter] quit

  8. Assign the interfaces to security zones.

    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-zone-trust] quit
    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 0/0/1
    [FW-zone-untrust] add interface GigabitEthernet 0/0/5
    [FW-zone-untrust] quit

  9. Configure a Trust-to-Untrust interzone security policy to allow enterprise network users to access Internet resources. Assume that enterprise network users reside on 10.3.0.0/24.

    [FW] security-policy
    [FW-policy-security] rule name policy_sec_trust_untrust
    [FW-policy-security-rule-policy_sec_trust_untrust] source-zone trust
    [FW-policy-security-rule-policy_sec_trust_untrust] destination-zone untrust
    [FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.3.0.0 24
    [FW-policy-security-rule-policy_sec_trust_untrust] action permit
    [FW-policy-security-rule-policy_sec_trust_untrust] quit
    [FW-policy-security] quit
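The following Python model is an added illustration, not Huawei code and not part of this page: it reproduces the decision described in the roadmap and in steps 6 and 7 (rule abc matches 10.3.0.0/24, www.example.com is excluded and pinned to 8.8.8.10, a link is skipped when its health check is down or it crosses the 90% threshold, and the remaining queries are split by bandwidth). The Uplink class, the function names, and the weighting arithmetic in select_uplink are assumptions; the FW's internal algorithm is not documented here.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Uplink:
    name: str             # outbound interface
    bandwidth_kbps: int   # 'bandwidth egress' value
    threshold_pct: int    # overload protection 'threshold'
    dns_servers: tuple    # (preferred, alternate) from 'dns server bind'
    healthy: bool = True  # isp1_health / isp2_health result
    load_kbps: int = 0    # current egress load (constructed for the demo)
    sent: int = 0         # queries this model steered to the link

    def overloaded(self) -> bool:
        return self.load_kbps * 100 >= self.bandwidth_kbps * self.threshold_pct

def make_uplinks():
    # Constructed to mirror the interface configuration on this page.
    return [Uplink("GigabitEthernet 0/0/1", 100000, 90, ("8.8.8.8", "8.8.8.9")),
            Uplink("GigabitEthernet 0/0/5", 50000, 90, ("9.9.9.8", "9.9.9.9"))]

PROXY_SOURCE = ipaddress.ip_network("10.3.0.0/24")  # rule abc, action tpdns
EXCLUDED = {"www.example.com": "8.8.8.10"}          # transparent-proxy exclude domain

def select_uplink(uplinks):
    # Assumed weighting: usable link whose query share lags its bandwidth share most.
    usable = [u for u in uplinks if u.healthy and not u.overloaded()]
    if not usable:
        return None
    total_bw = sum(u.bandwidth_kbps for u in usable)
    total_sent = sum(u.sent for u in usable) + 1
    return max(usable, key=lambda u: u.bandwidth_kbps / total_bw - u.sent / total_sent)

def proxy_dns_query(src_ip, qname, uplinks):
    # Returns (interface, dns_server) or None when the policy does not apply.
    if ipaddress.ip_address(src_ip) not in PROXY_SOURCE:
        return None                                    # rule abc does not match
    if qname in EXCLUDED:
        return ("normal-forwarding", EXCLUDED[qname])  # no proxy, pinned server
    link = select_uplink(uplinks)
    if link is None:
        return None                                    # both links unusable
    link.sent += 1
    return (link.name, link.dns_servers[0])

def distribute(n, uplinks):
    # Steer n queries for distinct names and count how many each link took.
    counts = {u.name: 0 for u in uplinks}
    for i in range(n):
        counts[proxy_dns_query("10.3.0.20", f"h{i}.example.net", uplinks)[0]] += 1
    return counts
```

With both links up, 30 queries split 20:10 between GigabitEthernet 0/0/1 and 0/0/5; marking one link overloaded or unhealthy moves all further queries to the other, which is the failover behaviour the requirements describe.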

Configuration Scripts

#
 isp name isp1_ifgrp set filename isp1.csv
 isp name isp2_ifgrp set filename isp2.csv
#
healthcheck enable
healthcheck name isp1_health
 destination 8.8.8.8 interface GigabitEthernet 0/0/1 protocol dns
 destination 8.8.8.9 interface GigabitEthernet 0/0/1 protocol dns
healthcheck name isp2_health
 destination 9.9.9.8 interface GigabitEthernet 0/0/5 protocol dns
 destination 9.9.9.9 interface GigabitEthernet 0/0/5 protocol dns
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0
 healthcheck isp1_health
 gateway 1.1.1.254
 bandwidth ingress 100000 threshold 90
 bandwidth egress 100000 threshold 90
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet 0/0/5
 ip address 2.2.2.2 255.255.255.0
 healthcheck isp2_health
 gateway 2.2.2.254
 bandwidth ingress 50000 threshold 90
 bandwidth egress 50000 threshold 90
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
 add interface GigabitEthernet 0/0/5
#
interface-group 1 isp isp1_ifgrp
 add interface GigabitEthernet 0/0/1
#
interface-group 2 isp isp2_ifgrp
 add interface GigabitEthernet 0/0/5
#
multi-interface
 mode proportion-of-bandwidth
 add interface GigabitEthernet 0/0/1
 add interface GigabitEthernet 0/0/5
#
security-policy
 rule name policy_sec_trust_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action permit
#
dns-transparent-policy
 rule name abc
  source-address 10.3.0.0 mask 255.255.255.0
  action tpdns
 dns transparent-proxy enable
 dns server bind interface GigabitEthernet 0/0/1 preferred 8.8.8.8 alternate 8.8.8.9 health-check enable
 dns server bind interface GigabitEthernet 0/0/5 preferred 9.9.9.8 alternate 9.9.9.9 health-check enable
 dns transparent-proxy exclude domain www.example.com server preferred 8.8.8.10
 mode based-on-multi-interface
#
return
Copyright © Huawei Technologies Co., Ltd.