From owner-freebsd-pf@FreeBSD.ORG Mon Jan 23 07:13:19 2006
From: "Conrad Burger"
To: freebsd-pf@freebsd.org
Date: Mon, 23 Jan 2006 09:13:11 +0200
Subject: Nat load balancing with weights?

Hi

I am currently using the pf nat round robin functionality to load balance tcp connections to 3 servers.

This works great! Currently load balancing about 32000 connections concurrently.

The 3 systems have different hardware specs and currently 2 of the systems are running at 100%.
We will be adding more servers, but doing symmetrical load balancing to non-symmetrical CPU hardware platforms is becoming a major problem.

Is it possible to configure pf to do non-symmetrical load balancing where a per system connection ratio can be defined?

Are there any other technologies running on FreeBSD that will perform this task?

Regards
Conrad Burger

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 23 11:02:48 2006
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 23 Jan 2006 11:02:34 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271  pf     [pf] cbq scheduler cause bad latency
f [2005/07/31] kern/84370  pf     [modules] Unload pf.ko cause page fault
f [2005/09/13] kern/86072  pf     [pf] Packet Filter rule not working prope

3 problems total.

Non-critical problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042  pf     [pf] [patch] /etc/pf.os doesn't match Fre
o [2005/12/09] kern/90148  pf     [pf] pf_enable="YES" -> Fatal trap 12: pa

2 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 23 13:30:36 2006
From: "Conrad Burger"
To: "Lawrence Farr"
Cc: freebsd-pf@freebsd.org
Date: Mon, 23 Jan 2006 13:57:10 +0200
Subject: RE: Nat load balancing with weights?

Cool it works! Now I just have to work out the multiples to get the correct ratios.

Thanks dude

-----Original Message-----
From: Lawrence Farr [mailto:freebsd-isp@epcdirect.co.uk]
Sent: 23 January 2006 12:27 PM
To: Conrad Burger
Subject: RE: Nat load balancing with weights?

Could you add the same address twice into the list for round robin? ie

1.2.3.4
1.2.3.4
5.6.7.8

So it sends 2 to machine A and one to B?

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Conrad Burger
> Sent: 23 January 2006 07:13
> To: freebsd-pf@freebsd.org
> Subject: Nat load balancing with weights?
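Lawrence Farr's trick above (list a backend address more than once in the round-robin pool to give it a larger share) still leaves the "multiples" to work out. The following added example, not code from the thread, reduces relative server capacities to the smallest integer multiples, builds the pool, renders the rdr rule (the `$ext_if` and `$ext_addr` macros and the 10.0.0.x backend addresses are assumed) and models pf's round-robin selection over new connections to confirm the resulting ratio.

```python
"""Weighted round-robin planner for a pf rdr pool (added example).

Lawrence Farr's suggestion: list a backend more than once in the
round-robin pool and it receives proportionally more new connections.
This works out the multiples from relative server capacity, builds the
pool, renders the rdr rule and models pf's selection to check the ratio.
Assumed: pf's round-robin walks the pool list in order, one entry per
new connection; $ext_if/$ext_addr are macros from an assumed pf.conf.
"""
from collections import Counter
from functools import reduce
from math import gcd


def pool_multiples(capacities):
    """Reduce relative capacities (any unit, e.g. CPU cores) to the
    smallest integer multiples, i.e. how many times each address is
    listed in the pool: {'a': 4, 'b': 2, 'c': 2} -> {'a': 2, 'b': 1, 'c': 1}."""
    g = reduce(gcd, capacities.values())
    return {host: cap // g for host, cap in capacities.items()}


def build_pool(multiples):
    """Expand the multiples into the address list for the rdr pool.
    Entries are interleaved (a b c a rather than a a b c) so the share
    is even over short windows as well as in the long run."""
    remaining = dict(multiples)
    pool = []
    while any(remaining.values()):
        for host in multiples:
            if remaining[host] > 0:
                pool.append(host)
                remaining[host] -= 1
    return pool


def rdr_rule(pool, port=80, ext_if="$ext_if", ext_addr="$ext_addr"):
    """Render the pf rdr rule that hands new connections to the pool."""
    return (f"rdr on {ext_if} proto tcp from any to {ext_addr} port {port} "
            f"-> {{ {' '.join(pool)} }} round-robin")


def simulate(pool, connections):
    """Model round-robin pool selection for `connections` new states:
    the i-th new connection goes to pool[i % len(pool)]."""
    return Counter(pool[i % len(pool)] for i in range(connections))


def share(counts):
    """Fraction of connections each backend received."""
    total = sum(counts.values())
    return {host: n / total for host, n in counts.items()}


if __name__ == "__main__":
    # Constructed capacities: three backends with 4, 2 and 2 units of CPU.
    capacities = {"10.0.0.1": 4, "10.0.0.2": 2, "10.0.0.3": 2}
    pool = build_pool(pool_multiples(capacities))
    print(rdr_rule(pool))
    counts = simulate(pool, 32000)  # the thread's ~32000 concurrent connections
    for host, frac in share(counts).items():
        print(f"{host}: {counts[host]} connections ({frac:.0%})")
```

The model holds for plain round-robin; with sticky-address the pool entry is chosen once per source address, so the ratio is only approached in aggregate rather than per connection.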
From owner-freebsd-pf@FreeBSD.ORG Mon Jan 23 17:24:04 2006
From: "neon" (Dyma Popovich)
To: Gobbledegeek, freebsd-pf@freebsd.org
Date: Mon, 23 Jan 2006 19:01:33 +0200
Subject: RE: Multiple DSL lines, load sharing / shaping (neon)

Thanks man!
I've already read everything about PF.
But the problem is still there; the question is how to fragment a big file that is being downloaded (for example) and copy it through 2 real IP's simultaneously (I mean this way one can improve the downloading speed, bind both DSL bandwidths together).
Is there any software that does this under *nix?
PF does this only per connection, which means that if I have 2 64kbit DSL lines I can copy a file only at 64kbits (the request is forwarded only through 1 real IP, as usual) but I want to have 64kbits x 2 = 128kbits using 2 real IP's simultaneously.

Best regards,
Dyma Popovich

-----Original Message-----
From: Gobbledegeek [mailto:gobbledegeek@gmail.com]
Sent: Monday, January 23, 2006 10:16 AM
To: neon
Subject: Re: Multiple DSL lines, load sharing / shaping (neon)

Hi
Search here please..
http://www.benzedrine.cx/pf.htmls

Rgrds

On 1/22/06, neon wrote:
> Hey!
> I've looked it up, but found nothing.
> Maybe you know any details on BPF that can help me find the right solution?
>
> Sincerely,
> Dyma Popovich
>
> -----Original Message-----
> From: Gobbledegeek [mailto:gobbledegeek@gmail.com]
> Sent: Friday, January 20, 2006 3:05 PM
> To: freebsd-pf@freebsd.org
> Subject: Re: Multiple DSL lines, load sharing / shaping (neon)
>
> BPF should help you share multiple dsl lines from multiple isp's without bgp.
> Check out the bpf docs on the net...
>
> Rgrds
>
> > ----------------------------------------------------------------------
> >
> > Hey Josh!
> >
> > Your question is a really good one.
> >
> > I am trying to find an answer to the same question (the limitation that comes over a single DSL line).
> >
> > I've read that you need to fire up the BGP protocol on both sides. Maybe zebra under freeBSD. but that's too complicated, and not every ISP will provide you the BGP protocol..
> >
> > You know what, though I'm still in a great need for that, if you find anything interesting on the matter how to solve this, just drop a few lines in the conference.
> >
> > Thanks a lot!
> >
> > Best regards, Dyma Popovich
> >
> > End of freebsd-pf Digest, Vol 70, Issue 4
>
> --
> Nonchalantly yours
> GobbledeGeek
> [Everything but Gobbledegook.. !!]

--
Nonchalantly yours
GobbledeGeek
[Everything but Gobbledegook.. !!]

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 24 07:04:53 2006
From: Gobbledegeek
To: neon
Cc: freebsd-pf@freebsd.org
Date: Tue, 24 Jan 2006 12:34:51 +0530
Subject: Re: Multiple DSL lines, load sharing / shaping (neon)

Only linux will do it with EQL per packet load balancer. No BSD's will do it. Commercial product includes Alteon load balancer.

Don't bother trying this with multiple isp' btw for reasons already well documented on the internet... it impacts tcp performance negatively.

Rgrds

On 1/23/06, neon wrote:
> PF is making this only per connection, that means that if I have 2 64kbit
> DSL lines I can copy a file only with 64kbits (the request is forwarded only
> through 1 real IP, as usually) but I want to have 64kbits x 2 = 128kbits
> using 2 real IP's simultaneously.

--
Nonchalantly yours
GobbledeGeek
[Everything but Gobbledegook.. !!]

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 24 10:55:54 2006
From: nejko@skoberne.net
To: freebsd-pf@freebsd.org
Date: Tue, 24 Jan 2006 11:55:44 +0100
Subject: Updating pf on FreeBSD

Hi,

I am running FreeBSD 5.3 and pf, and I have a problem because there's a Windows FTP server machine running behind NAT, on the local network. Of course, I want it to be accessible from the outside too. I have discovered pftpx, which is a proxy which does exactly what I want and is also ported to FreeBSD. Unfortunately, it doesn't work for me and I have learned that that's because it uses the recursive (nested) anchors feature of the newer pf versions (from FreeBSD 5.4 on I think).

So, I would need to upgrade the pf on my FreeBSD 5.3 to at least 5.4's version. What would be the easiest and the most secure way to accomplish this? I guess I have to update pf's kernel part source and userland programs (pfctl)? How?

Thank you in advance,
Nejc Skoberne
From owner-freebsd-pf@FreeBSD.ORG Tue Jan 24 11:09:20 2006
From: Odhiambo Washington
To: freebsd-pf@freebsd.org
Date: Tue, 24 Jan 2006 14:08:59 +0300
Subject: Re: Updating pf on FreeBSD

* On 24/01/06 11:55 +0100, nejko@skoberne.net wrote:
> So, I would need to upgrade the pf on my FreeBSD 5.3 to at least 5.4's
> version. What would be the easiest and the most secure way to accomplish this?
> I guess I have to update pf's kernel part source and userland programs (pfctl)?
> How?

Update the box to FreeBSD 6.0 using /usr/src/UPDATING as a guide. Of course you'll have to do more, like rebuilding all the installed ports if there are any. It's the surest way though.

-Wash
http://www.netmeister.org/news/learn2quote.html
From owner-freebsd-pf@FreeBSD.ORG Tue Jan 24 19:42:10 2006
From: "Olli Hauer"
To: freebsd-pf@freebsd.org
Date: Tue, 24 Jan 2006 20:42:07 +0100 (MET)
Subject: pf spamd and table size

hi,

i have recorded a problem with pf and spamd without getting an error message in any logfiles.

  grep whitelist /var/log/spamd.log | cut -d\: -f 4 | sort | uniq -c | sort | tail -n 8
     1 whitelisting 87.243.2.xxx in /var/db/spamd
     2 whitelisting 194.208.66.xxx in /var/db/spamd
     2 whitelisting 217.160.75.xxx in /var/db/spamd
    11 whitelisting 62.65.128.xxx in /var/db/spamd
    13 whitelisting 62.225.153.xxx in /var/db/spamd
    15 whitelisting 194.183.128.xxx in /var/db/spamd
    17 whitelisting 194.183.128.xxx in /var/db/spamd
    82 whitelisting 208.28.114.xxx in /var/db/spamd

  spamdb | grep 208.28.114
  WHITE|208.28.114.xxx|||1138122431|1138123332|1141233755|2|0

  pfctl -tspamd-white -Ts | grep 208.28.114
     208.28.114.xxx

so the IP is whitelisted by spamd but pf did not handle this; after a

  pfctl -tspamd -Tf

the server can pass spamd.

spamd in greylist mode

  sysctl -a kern.maxusers
  kern.maxusers: 128

  pfctl -tspamd-pass -Ts | wc -l
  250
  pfctl -tspamd-white -Ts | wc -l
  1625
  wc -l blacklist
  50422

I tried to load a table with 60000 IP's into the spamd table without problems, then a

  pfctl -tspamd -Ts | wc -l  => 60000
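In the report above, an address that spamd had whitelisted kept being handed to spamd until the <spamd> table was flushed. The following added example, not code from the message, cross-checks `spamdb` output against the `pfctl -t spamd-white -Ts` and `pfctl -t spamd -Ts` listings and reports whitelisted addresses that are missing from <spamd-white> or still covered by an entry (host or network) in <spamd>, which with the usual rule order (the <spamd> rdr rule listed first) keeps winning. The three command outputs are constructed samples; in use, the real listings would be fed in.

```python
"""Cross-check spamd's whitelist against the pf tables it drives (added example).

A whitelisted sender still lands in spamd when its address is missing from
<spamd-white> or still matches an entry (possibly a whole network) in the
<spamd> blacklist table, whose rdr rule normally comes first.  The three
inputs below are constructed samples of `spamdb`, `pfctl -t spamd-white -Ts`
and `pfctl -t spamd -Ts` output; feed the script the real output in use.
"""
import ipaddress
import sys

# Constructed `spamdb` output: TYPE|ip|from|to|first|pass|expire|count|...
SPAMDB = """\
WHITE|192.0.2.10|||1138122431|1138123332|1141233755|2|0
WHITE|192.0.2.20|||1138122431|1138123332|1141233755|5|0
WHITE|192.0.2.30|||1138122431|1138123332|1141233755|1|0
GREY|198.51.100.7|<sender@example.org>|<rcpt@example.net>|1138122431|1138136831|0|1
"""

# Constructed `pfctl -t spamd-white -Ts` listing: 192.0.2.30 never made it in.
SPAMD_WHITE = """\
   192.0.2.10
   192.0.2.20
"""

# Constructed `pfctl -t spamd -Ts` listing: a stale host entry and a network
# that happens to cover 192.0.2.10.
SPAMD_BLACK = """\
   192.0.2.20
   192.0.2.0/28
   203.0.113.0/24
"""


def spamdb_white(text):
    """Addresses spamdb currently lists as WHITE."""
    ips = set()
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) > 1 and fields[0] == "WHITE":
            ips.add(fields[1])
    return ips


def table_entries(text):
    """Parse a `pfctl -t <table> -Ts` listing into address/network objects
    (a bare host address becomes a /32)."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]


def check(spamdb_text, white_text, black_text):
    """Return (missing, shadowed): whitelisted IPs absent from <spamd-white>,
    and whitelisted IPs still matched by an entry in <spamd>."""
    white_db = spamdb_white(spamdb_text)
    white_pf = {str(net.network_address) for net in table_entries(white_text)
                if net.prefixlen == net.max_prefixlen}
    black_pf = table_entries(black_text)
    missing = sorted((ip for ip in white_db if ip not in white_pf),
                     key=ipaddress.ip_address)
    shadowed = sorted((ip for ip in white_db
                       if any(ipaddress.ip_address(ip) in net for net in black_pf)),
                      key=ipaddress.ip_address)
    return missing, shadowed


if __name__ == "__main__":
    missing, shadowed = check(SPAMDB, SPAMD_WHITE, SPAMD_BLACK)
    for ip in missing:
        print(f"{ip}: WHITE in spamdb but not in <spamd-white>")
    for ip in shadowed:
        print(f"{ip}: WHITE in spamdb but still matched by <spamd>; "
              "the <spamd> rdr rule wins until that entry is removed")
    sys.exit(1 if missing or shadowed else 0)
```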
From owner-freebsd-pf@FreeBSD.ORG Fri Jan 27 13:54:42 2006
From: husnu demir
To: freebsd-pf@freebsd.org
Date: Fri, 27 Jan 2006 15:54:34 +0200
Subject: pf and VLAN support.

Hi,

Last week I tried to use the PF+ALTQ+VLAN combination and found out that ALTQ does not support VLAN. Then after some searching I found out that giving ALTQ support on the root device and queueing to the VLAN device is sufficient. But I could not find any reference for that info, in either pf.conf or the ALTQ manual. man altq says that

  " The tun(4) and ng_iface(4) pseudo drivers also do support ALTQ"

but does not mention the vlan. Is this solution correct? If it is, why did nobody reference that INFO?

Thanks.

  ....
  altq on bge0 cbq bandwidth 0.05Mb queue { icmp }   # BGE0 is the main interface for VLAN1.
  queue icmp_internal cbq(default)
  ....

  pass in quick on vlan1 inet proto icmp from xxxxxxxx to any \
      icmp-type $icmp_tips keep state (max 1000) queue icmp_internal   # queue is used for the VLAN1 interface.
  ....

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 27 14:31:44 2006
From: Claudiu Dragalina-Paraipan
To: husnu demir
Cc: freebsd-pf@freebsd.org
Date: Fri, 27 Jan 2006 16:31:42 +0200
charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <20060127135434.GA1073182@metu.edu.tr> Cc: freebsd-pf@freebsd.org Subject: Re: pf and VLAN support. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Jan 2006 14:31:44 -0000 Hi, I use the same method, and I have about 15 VLANs. I have ALTQ active on fxp1 interface (where all VLANs are sitting), and I assign traffic to altq depending on which vlan interface it arrives/goes. This way the bandwidth can be shared between VLANs easily. Regards, On 1/27/06, husnu demir wrote: > Hi, > > Last week I tried to use PF+ALTQ+VLAN combination and found out that ALTQ= doesnot support VLAN. Then after some searching found out that giving ALTQ= support on the root device and queue'ing to the VLAN device is sufficient = to use. But I could not find any reference for that info, either pf.conf or= ALTQ manual. man altq says that > > " The tun(4) and ng_iface(4) pseudo drivers also do support ALTQ" > > but does not mention about the vlan. Is this solution correct? If it is, = whay anybody did not reference to that INFO. > > > Thanks. > > > .... > altq on bge0 cbq bandwidth 0.05Mb queue { icmp } # BGE0 is the mai= n interface for VLAN1. > queue icmp_internal cbq(default) > .... > > pass in quick on vlan1 inet proto icmp from xxxxxxxx to any \ > icmp-type $icmp_tips keep state (max 1000) queue icmp_internal #= queue is used for the VLAN1 interface. > .... 
--
Claudiu Dragalina-Paraipan

From owner-freebsd-pf@FreeBSD.ORG Fri Jan 27 22:34:17 2006
From: Steven Schoch
To: freebsd-pf@freebsd.org
Date: Fri, 27 Jan 2006 14:34:15 -0800
Message-ID: <6650332b0601271434o665f8c15sa99e1e4217607f0f@mail.gmail.com>
Subject: Multiple WAN links - our setup

I finally got our FreeBSD 5.4 system configured to route everything the way I want, so I thought I'd share my setup with this group. This may not match exactly your setup, but it still may help.

Our background:

We have a T-1 link to our main ISP through a Cisco router and a class C address. We've had this for a long time. Call the class C net X.Y.Z.0/24.

We have a FreeBSD 5.4 system with three Ethernet cards, fxp0, fxp1, and fxp2. Last year, this became our NAT gateway (we had been using a NetGear box), as well as a web server for a sub-domain, an email (SMTP) gateway, a DHCP server, and a DNS server. To support all these services, the system is a rack-mount, in the closet, with a UPS and gmirrored SCSI drives. In hindsight, it would have probably been better to split the HTTP and SMTP services to a separate machine, but it works, so I'm not going to change it now.

Recently, we desired to increase our download speed, so we got a SBC Yahoo!(r) DSL Expert Plus Package, which gives us 6Mb/s download speed, for a pretty low price ($49.95 for the first six months, then it goes to something like $65/month).

Now we have two WAN connections and we needed to find the best way to integrate them. We have these factors:

- The upload speed for the T-1 line is 1.54Mb/s, compared to the DSL, which is 0.6Mb/s. Therefore SSH and FTP connections should go over the T-1 line, because we use that for uploading.
- Many ISP mail servers are suspicious of email (SMTP) originating from a SBC Yahoo DSL dynamic IP address (from which much spam originates), so outgoing SMTP should be over the T-1 line.
- The FreeBSD system also does NTP, DNS, and other services, so the default route for packets from the box itself should be through the T-1 line.
- We have a few systems to which we connect that authenticate based on our IP address (X.Y.Z.*), so HTTP connections to these should be routed through the T-1 line.
- All other HTTP, HTTPS, IMAP, IMAPS should be routed through the new DSL line.
- I don't trust the new DSL line as well, so I want the route to automatically switch to the T-1 line when the DSL line goes down.

To get this all working, I start with this /etc/pf.conf file:

--------
# Macros: define common values, so they can be referenced and changed easily.

# We have two external interfaces: fxp0 connects to the T1 router;
# and tun0 connects to PPPoE, which connects to the DSL router.
t1_if="fxp0"
# We know the address of the T1 interface, but the PPPoE gets a dynamic
t1_addr="X.Y.Z.5"
t1_gw="X.Y.Z.2"

# These are my external NAT addresses, used for a variety of servers.
# These are aliases on the fxp0 net
nat1="X.Y.Z.21"
nat2="X.Y.Z.22"
nat3="X.Y.Z.23"
nat4="X.Y.Z.24"

int_if="fxp1"
internal_net="192.168.1.0/24"

table { $nat1, $nat2, $nat3, $nat4 }

# The table is all the addresses local to this machine. This must
# be labeled 'persist' because it is not used when the DSL line goes down, and
# the kernel will drop it otherwise. You may wonder what 192.168.0.0/24 is doing
# there. That's the address of fxp2, which is used to communicate with the
# internals of the DSL modem.
table persist { 192.168.0.0/24, 192.168.1.0/24, X.Y.Z.0/24 }

# The ppp.linkup script will load the rules from /etc/pf.dsl.conf, so don't do it here.
# load anchor DSL:a from "/etc/pf.dsl.conf"

# Translation: specify how addresses are to be mapped or redirected.

# NAT direct to DSL modem. This is only used to bring up the DSL modem page,
# to see what our current speed is.
nat on fxp2 inet from $internal_net to 192.168.0.1 -> (fxp2)

nat-anchor DSL

# If the DSL is down, then this rule will apply. It will also apply to protocols other than
# HTTP, HTTPS, IMAP, IMAPS, as specified in the pf.dsl.conf file.
nat on $t1_if inet from $internal_net to any -> ($t1_if)

rdr-anchor DSL

# SSH to an inside machine
rdr on $t1_if proto tcp from any to $nat1/32 port 22 -> 192.168.1.101
# RDP to another inside machine
rdr on $t1_if proto tcp from any to $nat2/32 port 3389 -> 192.168.1.109
# TAPI to yet another inside machine
rdr on $t1_if proto tcp from any to $nat1/32 port 5000 -> 192.168.1.7
# X11 forwarding on all NAT interfaces
rdr on $t1_if proto tcp from any to ($t1_if) port 6104 -> 192.168.1.104
rdr on $t1_if proto tcp from any to ($t1_if) port 6105 -> 192.168.1.105
rdr on $t1_if proto tcp from any to ($t1_if) port 6106 -> 192.168.1.106

# rdr outgoing FTP requests to the ftp-proxy
# I haven't tested this fully. It may still have bugs.
rdr on $int_if proto tcp from $internal_net to any port 21 -> 127.0.0.1 port 8021

# Filtering: the implicit first two rules are
#pass in all
#pass out all

anchor DSL

# ftp proxy
pass in on $t1_if inet proto tcp from any port 20 to ($t1_if) user proxy flags S/SA keep state
--------

When the system comes up, this will route all NAT traffic through the T-1 interface.

I should mention the stuff I have in /etc/rc.conf. Here are the pertinent lines:

--------
# This is the reliable Cisco box that connects to the reliable T-1 line.
defaultrouter="X.Y.Z.2"
gateway_enable="YES"
ifconfig_fxp0="inet X.Y.Z.5 netmask 255.255.255.0"
ifconfig_fxp1="inet 192.168.1.5 netmask 255.255.255.0"
ifconfig_fxp2="inet 192.168.0.5 netmask 255.255.255.0"
ifconfig_fxp0_alias0="X.Y.Z.20 netmask 0xffffffff"
ifconfig_fxp0_alias1="X.Y.Z.21 netmask 0xffffffff"
ifconfig_fxp0_alias2="X.Y.Z.22 netmask 0xffffffff"
ifconfig_fxp0_alias3="X.Y.Z.23 netmask 0xffffffff"
ifconfig_fxp0_alias4="X.Y.Z.24 netmask 0xffffffff"
ifconfig_fxp1_alias0="192.168.1.20 netmask 0xffffffff"
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="SBCYahooDSL"
ppp_nat="NO"
--------

Now here's the DSL stuff:

In /etc/ppp/ppp.conf:

--------
SBCYahooDSL:
 set device PPPoE:fxp2
 set authname xxx@sbcglobal.net
 set authkey xxx
 set dial
 set login
 enable lqr
 enable echo
# routing NAT is set in the ppp.linkup file
# add! default HISADDR
# the "enable lqr" and/or the "enable echo" lines are important, because that's how
# we know when the link goes down. Note that we remove the "add!" route line.
--------

Here's /etc/ppp/ppp.linkup:

--------
SBCYahooDSL:
 shell /sbin/pfctl -a DSL:a -f /etc/pf.dsl.conf
--------

And here's /etc/ppp/ppp.linkdown:

--------
SBCYahooDSL:
 shell /sbin/pfctl -a DSL -F all
--------

Note that the DSL anchor rule is loaded when the link goes up, and cleared when the link goes down. This works amazingly well!

Here's the /etc/pf.dsl.conf file:

--------
# This file contains rules for the DSL modem.
# These rules will be unloaded if the modem goes down.
# These rules are labeled with the anchor "DSL".
t1_if="fxp0"
dsl_if="tun0"
# We know the address of the T1 interface, but the PPPoE gets a dynamic
t1_addr="X.Y.Z.5"
t1_gw="X.Y.Z.2"
# Get the DSL gateway. It's the peer address of the PPP link.
# By the time this file is loaded, the system will know this.
dsl_gw=tun0:peer
int_if="fxp1"
internal_net="192.168.1.0/24"
special_host="A.B.C"

nat on $dsl_if inet from $internal_net to any -> ($dsl_if)

# X11 forwarding on all NAT interfaces
rdr on $dsl_if proto tcp from any to ($dsl_if) port 6104 -> 192.168.1.104
rdr on $dsl_if proto tcp from any to ($dsl_if) port 6105 -> 192.168.1.105
rdr on $dsl_if proto tcp from any to ($dsl_if) port 6106 -> 192.168.1.106

# Filtering: the implicit first two rules are
#pass in all
#pass out all

# If the source address is from our outside net, then route it through
# the T1 gateway (which we know).
pass out on $dsl_if route-to ($t1_if $t1_gw) from ($t1_if) to any

# Pass HTTP traffic coming from inside to the DSL line, because it's faster.
# But not if it's for us!
pass in on $int_if route-to ($dsl_if $dsl_gw) proto tcp from $internal_net to ! port {http,https,imaps}

# Don't pass HTTPS traffic to special_host through the DSL link, because
# we authorize based on IP address
pass in on $int_if proto tcp from $internal_net to $special_host port https

# FTP proxy stuff
block in on $dsl_if proto tcp from any to any port 8021
pass in on $dsl_if inet proto tcp from any port 20 to ($dsl_if) user proxy flags S/SA keep state
--------

That's all! Our current testing shows that the route will switch rapidly when the link goes up or down. Now I may just be a bit biased and the DSL line may really be almost as reliable as our T-1 line, but it's natural to be a bit suspicious of new technology.

Comments welcome.

--
Steve
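The setup above relies on pf's implicit "pass in all / pass out all" and only adds NAT, rdr and route-to rules, so the gateway forwards anything that is not explicitly redirected. The configuration below is an added example, not Steve's own files, showing the same two-WAN, anchor-based failover with a default-deny filter policy. The interface names, the X.Y.Z.0/24 placeholder net, the <localnets> table name and the service lists are assumptions chosen to match the post; anything site-specific would need to be adjusted.

```pf
# Added example (not from the post): two-WAN gateway with default deny.
# Interface names, X.Y.Z.0/24, <localnets> and the service lists are assumed.

# ---- /etc/pf.conf (always loaded) ----
t1_if="fxp0"            # T-1 side: static address, known gateway
dsl_if="tun0"           # PPPoE to the DSL modem: dynamic address
modem_if="fxp2"         # Ethernet to the DSL modem's own management address
int_if="fxp1"
internal_net="192.168.1.0/24"

# Everything that is "us": never push traffic for these nets out the DSL route.
table <localnets> persist { 192.168.0.0/24, 192.168.1.0/24, X.Y.Z.0/24 }

# Services the Internet may reach on the gateway itself (assumed list).
gw_tcp_services="{ ssh, smtp, domain, http }"
gw_udp_services="{ domain, ntp }"

set block-policy drop
scrub in all

nat on $t1_if inet from $internal_net to any -> ($t1_if)
nat on $modem_if inet from $internal_net to 192.168.0.1 -> ($modem_if)
nat-anchor DSL
rdr-anchor DSL

# Default deny in both directions; log so a misrouted flow shows up on
# pflog0 instead of silently leaving via the wrong link.
block in log all
block out log all
pass quick on lo0 all

# Drop packets on the LAN side whose source address cannot belong there.
antispoof quick for $int_if inet

# Outbound on the T-1. ($t1_if) expands to the interface's addresses and
# aliases, so this covers both the gateway's own traffic and post-NAT LAN
# traffic (the filter sees the translated source on the way out).
pass out on $t1_if inet proto { tcp, udp, icmp } from ($t1_if) to any keep state

# Management access to the modem's web page only.
pass out on $modem_if inet proto tcp from ($modem_if) to 192.168.0.1 port http keep state

# Inbound to published services only; echo requests are allowed but the
# number of states they may hold is capped.
pass in on $t1_if inet proto tcp from any to ($t1_if) port $gw_tcp_services flags S/SA keep state
pass in on $t1_if inet proto udp from any to ($t1_if) port $gw_udp_services keep state
pass in on $t1_if inet proto icmp from any to ($t1_if) icmp-type echoreq keep state (max 100)

# LAN hosts may initiate outbound connections and talk to the DHCP server;
# nothing inbound reaches them except through explicit rdr rules.
pass in on $int_if inet proto { tcp, udp, icmp } from $internal_net to any keep state
pass in on $int_if inet proto udp from any port bootpc to any port bootps keep state

# Evaluated last: the DSL rules override the default path only while
# ppp.linkup has loaded them, and vanish when ppp.linkdown flushes the anchor.
anchor DSL

# ---- /etc/pf.dsl.conf (loaded into anchor DSL by ppp.linkup) ----
# Under default deny the anchor must also pass the NATed traffic out tun0;
# the posted version did not need this because the base policy passed all.
t1_if="fxp0"
t1_gw="X.Y.Z.2"
dsl_if="tun0"
dsl_gw=tun0:peer
int_if="fxp1"
internal_net="192.168.1.0/24"

nat on $dsl_if inet from $internal_net to any -> ($dsl_if)

pass out on $dsl_if inet proto { tcp, udp, icmp } from ($dsl_if) to any keep state

# Packets sourced from our T-1 addresses never leave via the DSL link.
pass out on $dsl_if route-to ($t1_if $t1_gw) from ($t1_if) to any keep state

# Bulk web/IMAP traffic from the LAN takes the faster DSL link, except when
# the destination is one of our own nets.
pass in on $int_if route-to ($dsl_if $dsl_gw) inet proto tcp from $internal_net \
    to ! <localnets> port { http, https, imaps } flags S/SA keep state
```

Two consequences of switching to default deny are worth checking before loading this: every rdr in the posted pf.conf now needs a matching "pass in on $t1_if" rule to the post-translation address and port (rdr only rewrites the destination, it does not pass the packet), and the anchor file must carry its own "pass out on $dsl_if" because the base ruleset no longer passes traffic on tun0. Both files can be syntax-checked without touching the running ruleset with pfctl -nf /etc/pf.conf and pfctl -a DSL:a -nf /etc/pf.dsl.conf, and the block rules' log keyword means any flow that the policy does not expect becomes visible with tcpdump -n -e -ttt -i pflog0.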