Date: Tue, 1 Jan 2008 21:32:01 +0000
From: Michael Zimmer <drakyri@hotmail.com>
To: <freebsd-pf@freebsd.org>
Subject: load-balancing, DNS
Message-ID: <BLU109-W44C29F03969549674188CBB1510@phx.gbl>
Hi everyone,

I just installed pf on FreeBSD 6.2 for a firewall/NAT/load-balancer ... but I'm having some trouble. I'm pretty sure that it isn't actually splitting the outgoing traffic (trying to load-balance over two uplinks), and the users are experiencing intermittent trouble resolving DNS entries (and being silly users, instead of reloading the page, they yell 'the Internet isn't working!' and then use that as a reason for reeeeaaally long lunches).

The workstations behind the FreeBSD box are mostly running some flavor of Windows; static private IPs, gateway set to the BSD box, primary DNS set to the DNS server of the ISP on uplink #1, secondary to the ISP on uplink #2. I can force it to use either connection successfully, but not both.

Thanks in advance for any help. Happy New Year!

-mike

Here's my setup:

dc1 is uplink #1; dc0 is uplink #2 (via a DSL modem on IP pass-through); bfe0 links to the internal network.

resolv.conf:

domain x.com
nameserver 66.z.z.z # DNS provided by ISP #1

-------------
rc.conf:

defaultrouter="66.x.x.x" #this is the upstream gateway on dc0
gateway_enable="YES"
hostname="x.x.com"
ifconfig_dc0="inet 68.y.y.y netmask 255.255.255.0"
ifconfig_dc1="inet 66.y.y.y netmask 255.255.255.224"
ifconfig_bfe0="inet 192.168.1.1 netmask 255.255.255.0"

inetd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"

ntpdate_enable="YES"
ntpdate_hosts="0.us.pool.ntp.org"

nfs_reserved_port_only="NO"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

---------------
pf.conf:

ext_if1="dc0"
ext_if2="dc1"
int_if="bfe0"
ext_gw1="68.x.x.x"
ext_gw2="66.x.x.x"
internal_net="192.168.1.1/24"
tcp_services="( 22 )"
icmp_types="( 8 )"

#tables
table <blocktable> persist file "/etc/blocktable"

set block-policy drop
set limit { states 20000, frags 5000 }

set skip on lo0

scrub in all

nat on $ext_if1 from $internal_net to any -> ($ext_if1)
nat on $ext_if2 from $internal_net to any -> ($ext_if2)

block in from any to any
block out from any to any

pass out on $int_if from any to $internal_net keep state
pass in quick on $ext_if1 proto tcp from any to 68.y.y.y port 22 flags S/SA keep state #ext_if1

#allows ICMP outbound
pass in quick on $int_if proto icmp all keep state

#allows incoming from client's server
pass in quick on {$ext_if1, $ext_if2} proto tcp from a.b.c.d/32
pass in quick on {$ext_if1, $ext_if2} proto tcp from a.b.c.d/30

#blocks to inside-to-outside here
#spoofs
block in quick on $int_if from any to 172.16.0.0/12
block in quick on $int_if from any to 10.0.0.0/8
block in quick on $int_if from any to 169.254.0.0/16
block in quick on $int_if from any to 192.168.0.0/16
block in quick on $int_if from any to 204.152.64.0/23
block in quick on $int_if from any to 224.0.0.0/3

# traffic from inside goes straight out
pass in quick on $int_if from 192.168.1.0/24 to $int_if
pass out on $ext_if1 from [address of $ext_if1] to any flags S/SA keep state
pass out on $ext_if2 from [address of $ext_if2] to any flags S/SA keep state

#load balancing ...?
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { tcp icmp udp } from 192.168.1.1/24 to any flags S/SA modulate state
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { tcp icmp udp } from any to any flags S/SA modulate state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
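The multi-WAN round-robin pattern from the post, as an added example ruleset that is not the poster's pf.conf: it pins each ISP's resolver to that ISP's own uplink ahead of the round-robin rule, which is the usual fix when a resolver only answers queries arriving from its own address space and a NATed query leaving the other link gets no reply. Macros are named by the ISP's address block because the post's ext_if1 macro is dc0 while its text calls dc1 uplink #1; the resolver of the ISP on dc0 is a placeholder the post does not give.

```pf
# Added example, not the poster's ruleset. Addresses follow the post;
# the dc0-side resolver is a placeholder the post does not supply.
isp66_if="dc1"          # 66.y.y.y, the ISP whose resolver is 66.z.z.z
isp66_gw="66.x.x.x"
isp66_dns="66.z.z.z"
isp68_if="dc0"          # 68.y.y.y, DSL pass-through
isp68_gw="68.x.x.x"
isp68_dns="<ISP-on-dc0-resolver>"   # placeholder
int_if="bfe0"
lan_net="192.168.1.0/24"

# Translate each link's outbound traffic to that link's own address.
nat on $isp66_if from $lan_net to any -> ($isp66_if)
nat on $isp68_if from $lan_net to any -> ($isp68_if)

block in all
block out all

# LAN traffic aimed at the firewall itself must match before any
# route-to rule, otherwise it is forwarded out an uplink.
pass in quick on $int_if from $lan_net to $int_if

# Pin DNS to the link the resolver belongs to. Both rules are "quick",
# so they must precede the round-robin rule to take effect.
pass in quick on $int_if route-to ($isp66_if $isp66_gw) \
    proto { tcp udp } from $lan_net to $isp66_dns port 53 keep state
pass in quick on $int_if route-to ($isp68_if $isp68_gw) \
    proto { tcp udp } from $lan_net to $isp68_dns port 53 keep state

# Everything else from the LAN alternates between the two uplinks,
# one connection (state) at a time.
pass in quick on $int_if route-to { ($isp66_if $isp66_gw), ($isp68_if $isp68_gw) } \
    round-robin proto { tcp udp icmp } from $lan_net to any keep state

# Let the translated packets leave each uplink.
pass out on $isp66_if from ($isp66_if) to any keep state
pass out on $isp68_if from ($isp68_if) to any keep state

# Packets the kernel routing table sent to the wrong uplink (only one
# default route exists) are re-routed to the link whose address they carry.
pass out on $isp66_if route-to ($isp68_if $isp68_gw) from ($isp68_if) to any
pass out on $isp68_if route-to ($isp66_if $isp66_gw) from ($isp66_if) to any
```

Check the parse with `pfctl -nf /etc/pf.conf` before loading, and watch `pfctl -ss` to confirm that states for port 53 only ever list the uplink matching the resolver's address.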