It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Link Balancer

Attention

As of 1st March 2019, all new sales for the Barracuda Link Balancer product will cease. Only renewals of software and hardware subscriptions for a maximum of one year is available for a limited time. 1st March 2020: All Barracuda Link Balancer sales will cease; neither new sales nor any renewals will be available. If you currently hold a maintenance and support contract, you will continue to receive our award-winning support and services until your contract expires.

Deployment Options

  • Last updated on

The Barracuda Link Balancer can operate in two different modes:

  • Deployment replacing your firewall.
  • Deployment in front of your firewall, with the Barracuda Link Balancer between your firewall and the Internet

The Barracuda Link Balancer firewall provides full firewall functionality. You need to decide whether you want to keep or replace your existing firewall. If you decide to keep your existing firewall, you can disable the Barracuda Link Balancer firewall while still making use of the Barracuda Link Balancer link balancing, failover, and bandwidth management capabilities.

The following table describes considerations when choosing a deployment method.

CriterionBarracuda Link Balancer In Front of Your FirewallBarracuda Link Balancer Replacing Your Firewall
Network LocationThe Barracuda Link Balancer is deployed between your existing firewall and the Internet.The Barracuda Link Balancer acts as your firewall.
Barracuda Link Balancer LAN IP Address

Used only for management. Can be any internal or public address that can be reached through your existing firewall from the LAN.

The default gateway for your network.
Firewall RulesNo changes to your existing firewall.

You will need to recreate any existing firewall rules on the Barracuda Link Balancer.

WAN Link

If you are enabling inbound access to resources behind the Barracuda Link Balancer, such as a web server, at least one WAN link must have a static IP address.

The Barracuda Link Balancer may use the same IP address that had been used by your firewall.

Site to Site VPN

If you already have a site-to-site VPN, it should be terminated on your existing firewall. VPN traffic has one source IP address so it goes out on only one WAN link. It is recognized as VPN traffic so it will not be NAT’d by the Barracuda Link Balancer. No failover or failback is available. Alternatively, make the Barracuda Link Balancer a VPN endpoint to achieve failover and failback to and from a secondary link.

Failover and failback to and from a secondary link.

Deployment In Front of Your Firewall

Figure 1: Example network that has both client and server traffic.

deploy-before-another.png

The next figure shows the same network with a Barracuda Link Balancer installed with no changes to the configuration of the existing firewall. A new WAN link has been added.

In this network:

  • The Barracuda Link Balancer has a static IP address on WAN1 that is on the same network as the firewall and the externally visible servers.
  • The clients are on a different subnet from all WAN links.
  • The external IP address and gateway of the firewall remain the same.
  • The gateway IP addresses of the Barracuda Link Balancer and the firewall are provided by the ISPs. The firewall provides the gateway for the LAN devices.
  • The Barracuda Link Balancer LAN IP address can be any internal or public address that can be reached through your existing firewall from the LAN. You may allocate an external IP address for it, or  choose a non-routable IP address. If the latter, it should be on a different subnet than the LAN devices already on the network. Remember that if the firewall does not recognize an address as local, it will pass it to the Barracuda Link Balancer.

Figure 2: Barracuda Link Balancer installed with no changes to the configuration of the existing firewall.

deploy-in-front-of-fw.png

For detailed instructions on how to setup your Barracuda Link Balancer in front of your firewall, see: Installation in Front of Your Firewall.

Deployment Replacing Your Firewall

Figure 3: Another example of a network that has both client and server traffic.

deploy-before-another.png

The next figure shows a sample network with a Barracuda Link Balancer installed and replacing the customer firewall. A new WAN link has been added.

In this network:

  • The Barracuda Link Balancer uses the same IP address for WAN1 that the firewall had used.
  • The LAN devices and the LAN interface of the Barracuda Link Balancer must be on a different subnet than all WAN links.
  • The Barracuda Link Balancer gateway IP addresses are provided by the ISPs.
  • The gateway of the LAN devices is the LAN IP address of the Barracuda Link Balancer.
  • Traffic to the servers is passed using port forwarding rules on the Barracuda Link Balancer.

If your servers are externally accessible, reconfigure those servers with private IP addresses. Then create 1:1 NAT rules to map the external IP addresses to the respective private IP addresses of the servers.

Figure 4: Example network with a Barracuda Link Balancer installed and acting as a firewall, replacing the existing firewall.

lb-replacing-firewall.png

For detailed instructions on how to setup your Barracuda Link Balancer to replace your firewall, see: Installation Replacing Your Firewall.

Overview of the Installation Steps

The following table provides an overview of the steps required to deploy the Barracuda Link Balancer in your network.

In Front of Your FirewallReplacing Your Firewall

Prepare to install, including getting a WAN link with a static IP address.

Prepare to install.

Activate the Barracuda Link Balancer with Temporary Network Settings.

Activate the Barracuda Link Balancer with Temporary Network Settings.

Get Latest Firmware Version.Get Latest Firmware Version.
Disable the Barracuda Link Balancer Firewall.Configure Permanent WAN Settings.
Configure WAN and LAN Permanent Settings.Configure the Barracuda Link Balancer Firewall.
Permanently Install the Barracuda Link Balancer.Configure Permanent LAN IP Address.
Test Connectivity.Permanently Install the Barracuda Link Balancer.
Continue with: Installation in Front of Your Firewall.Continue with Installation Replacing Your Firewall

In transparent mode (Firewall disabled mode, "In Front of your Firewall"), the IP addresses of LAN (Ethernet) and WAN1 ports must NOT reside within the same subnet in order to allow transparent mode to work as intended.