The Barracuda Link Balancer can operate in two different modes:
- Deployment replacing your firewall.
- Deployment in front of your firewall, with the Barracuda Link Balancer between your firewall and the Internet.
The Barracuda Link Balancer firewall provides full firewall functionality. You need to decide whether you want to keep or replace your existing firewall. If you decide to keep your existing firewall, you can disable the Barracuda Link Balancer firewall while still making use of the Barracuda Link Balancer link balancing, failover, and bandwidth management capabilities.
The following table describes considerations when choosing a deployment method.
Criterion | Barracuda Link Balancer In Front of Your Firewall | Barracuda Link Balancer Replacing Your Firewall |
---|---|---|
Network Location | The Barracuda Link Balancer is deployed between your existing firewall and the Internet. | The Barracuda Link Balancer acts as your firewall. |
Barracuda Link Balancer LAN IP Address | Used only for management. Can be any internal or public address that can be reached through your existing firewall from the LAN. | The default gateway for your network. |
Firewall Rules | No changes to your existing firewall. | You will need to recreate any existing firewall rules on the Barracuda Link Balancer. |
WAN Link | If you are enabling inbound access to resources behind the Barracuda Link Balancer, such as a web server, at least one WAN link must have a static IP address. | The Barracuda Link Balancer may use the same IP address that had been used by your firewall. |
Site to Site VPN | If you already have a site-to-site VPN, it should be terminated on your existing firewall. VPN traffic has one source IP address so it goes out on only one WAN link. It is recognized as VPN traffic so it will not be NAT’d by the Barracuda Link Balancer. No failover or failback is available. Alternatively, make the Barracuda Link Balancer a VPN endpoint to achieve failover and failback to and from a secondary link. | Failover and failback to and from a secondary link. |
Deployment In Front of Your Firewall
Figure 1: Example network that has both client and server traffic.
The next figure shows the same network with a Barracuda Link Balancer installed with no changes to the configuration of the existing firewall. A new WAN link has been added.
In this network:
- The Barracuda Link Balancer has a static IP address on WAN1 that is on the same network as the firewall and the externally visible servers.
- The clients are on a different subnet from all WAN links.
- The external IP address and gateway of the firewall remain the same.
- The gateway IP addresses of the Barracuda Link Balancer and the firewall are provided by the ISPs. The firewall provides the gateway for the LAN devices.
- The Barracuda Link Balancer LAN IP address can be any internal or public address that can be reached through your existing firewall from the LAN. You may allocate an external IP address for it, or choose a non-routable IP address. If the latter, it should be on a different subnet than the LAN devices already on the network. Remember that if the firewall does not recognize an address as local, it will pass it to the Barracuda Link Balancer.
Figure 2: Barracuda Link Balancer installed with no changes to the configuration of the existing firewall.
For detailed instructions on how to set up your Barracuda Link Balancer in front of your firewall, see: Installation in Front of Your Firewall.
Deployment Replacing Your Firewall
Figure 3: Another example of a network that has both client and server traffic.
The next figure shows a sample network with a Barracuda Link Balancer installed and replacing the customer firewall. A new WAN link has been added.
In this network:
- The Barracuda Link Balancer uses the same IP address for WAN1 that the firewall had used.
- The LAN devices and the LAN interface of the Barracuda Link Balancer must be on a different subnet than all WAN links.
- The Barracuda Link Balancer gateway IP addresses are provided by the ISPs.
- The gateway of the LAN devices is the LAN IP address of the Barracuda Link Balancer.
- Traffic to the servers is passed using port forwarding rules on the Barracuda Link Balancer.
If your servers are externally accessible, reconfigure those servers with private IP addresses. Then create 1:1 NAT rules to map the external IP addresses to the respective private IP addresses of the servers.
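The constraints listed above can be checked against a planned addressing scheme before the cutover. The following is an added example, not Barracuda code: the plan dictionary and its keys are hypothetical, the addresses are constructed from documentation ranges, and it assumes that "private" means RFC 1918 space and that each external NAT address lies on one of the WAN subnets.

```python
import ipaddress as ip

RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_replacement_plan(plan):
    """Return the problems found in an addressing plan (empty list means OK)."""
    problems = []
    wans = {name: ip.ip_network(cidr) for name, cidr in plan["wan_subnets"].items()}
    lan = ip.ip_network(plan["lan_subnet"])
    lb_lan_ip = ip.ip_address(plan["lb_lan_ip"])

    # The LAN devices and the LAN interface must not share a subnet with any WAN link.
    for name, net in wans.items():
        if lan.overlaps(net):
            problems.append(f"LAN subnet {lan} overlaps {name} ({net})")
    if lb_lan_ip not in lan:
        problems.append(f"Link Balancer LAN IP {lb_lan_ip} is outside {lan}")

    # The gateway of the LAN devices is the LAN IP address of the Link Balancer.
    if ip.ip_address(plan["lan_default_gateway"]) != lb_lan_ip:
        problems.append("LAN default gateway is not the Link Balancer LAN IP")

    # 1:1 NAT: each external address maps to one distinct private server address.
    seen = set()
    for ext, priv in plan["one_to_one_nat"].items():
        ext_ip, priv_ip = ip.ip_address(ext), ip.ip_address(priv)
        if not any(ext_ip in net for net in wans.values()):
            problems.append(f"NAT external address {ext_ip} is on no WAN subnet")
        if not any(priv_ip in net for net in RFC1918):
            problems.append(f"server {priv_ip} still has a non-private address")
        if priv_ip in seen:
            problems.append(f"server {priv_ip} is the target of two NAT rules")
        seen.add(priv_ip)
    return problems

# Constructed sample plan (documentation address ranges, not from the page).
GOOD_PLAN = {
    "wan_subnets": {"WAN1": "203.0.113.0/28", "WAN2": "198.51.100.0/29"},
    "lan_subnet": "192.168.10.0/24",
    "lb_lan_ip": "192.168.10.1",
    "lan_default_gateway": "192.168.10.1",
    "one_to_one_nat": {"203.0.113.5": "192.168.10.20", "203.0.113.6": "192.168.10.21"},
}
# Same plan with two leftovers from the old firewall setup.
BAD_PLAN = dict(GOOD_PLAN, lan_default_gateway="192.168.10.254",
                one_to_one_nat={"203.0.113.5": "203.0.113.5"})

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_replacement_plan(plan) or "OK")
```

The second plan is flagged because the LAN clients still point at the old gateway and one server kept its external address instead of being re-addressed behind a 1:1 NAT rule.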
Figure 4: Example network with a Barracuda Link Balancer installed and acting as a firewall, replacing the existing firewall.
For detailed instructions on how to set up your Barracuda Link Balancer to replace your firewall, see: Installation Replacing Your Firewall.
Overview of the Installation Steps
The following table provides an overview of the steps required to deploy the Barracuda Link Balancer in your network.
In Front of Your Firewall | Replacing Your Firewall |
---|---|
Prepare to install, including getting a WAN link with a static IP address. | Prepare to install. |
Activate the Barracuda Link Balancer with Temporary Network Settings. | Activate the Barracuda Link Balancer with Temporary Network Settings. |
Get Latest Firmware Version. | Get Latest Firmware Version. |
Disable the Barracuda Link Balancer Firewall. | Configure Permanent WAN Settings. |
Configure WAN and LAN Permanent Settings. | Configure the Barracuda Link Balancer Firewall. |
Permanently Install the Barracuda Link Balancer. | Configure Permanent LAN IP Address. |
Test Connectivity. | Permanently Install the Barracuda Link Balancer. |
Continue with: Installation in Front of Your Firewall. | Continue with: Installation Replacing Your Firewall. |