Date: Tue, 1 Jan 2008 21:56:34 -0800 (PST)
From: Tommy Pham <tommyhp2@yahoo.com>
To: freebsd-pf@freebsd.org
Subject: Re: load-balancing, DNS
Message-ID: <756423.79774.qm@web38204.mail.mud.yahoo.com>
In-Reply-To: <DE830065-3345-41C7-84D0-9BB3EE1F4D42@adhost.com>
Hi Michael,

Another method that you can try is:

pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
    from any to { $ns1a, $ns1b } keep state
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
    from any to { $ns2a, $ns2b } keep state

The number corresponds to the provider's info. I also have load balancing from 2 different providers. The above rules work great for me.

~Tommy

--- Michael Smith <mksmith@adhost.com> wrote:

> Hello Michael:
>
> I think you want to use "reply-to" instead of "route-to" on load
> balance rules since you need it to go out the same interface it came
> in on. This will work in conjunction with any connection that has
> state, so make sure your DNS pass rule has keep-state.
>
> Try
>
> pass in quick on $int_if reply-to { ($ext_if1 $ext_gw1), ($ext_if2
> $ext_gw2) } round-robin proto { tcp icmp udp } from 192.168.1.1/24 to
> any flags S/SA keep-state
>
> pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2
> $ext_gw2) } round-robin sticky-address proto { tcp icmp udp } from any
> to any flags S/SA keep-state
>
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
>
> Regards,
>
> Mike
>
> On Jan 1, 2008, at 1:32 PM, Michael Zimmer wrote:
>
> > Hi everyone,
> >
> > I just installed pf on FreeBSD 6.2 for a firewall/NAT/load-balancer
> > ... but I'm having some trouble. I'm pretty sure that it isn't
> > actually splitting the outgoing traffic (trying to load-balance over
> > two uplinks), and the users are experiencing intermittent trouble
> > resolving DNS entries (and being silly users, instead of reloading
> > the page, they yell 'the Internet isn't working!' and then use that
> > as a reason for reeeeaaally long lunches).
> >
> > The workstations behind the FreeBSD box are mostly running some
> > flavor of Windows; static private IPs, gateway set to the BSD box,
> > primary DNS set to the DNS server of the ISP on uplink #1, secondary
> > to the ISP on uplink #2. I can force it to use either connection
> > successfully, but not both.
> >
> > Thanks in advance for any help. Happy New Year!
> >
> > -mike
> >
> > Here's my setup:
> >
> > dc1 is uplink #1; dc0 is uplink #2 (via a DSL modem on IP
> > pass-through); bfe0 links to the internal network.
> >
> > resolv.conf:
> >
> > domain x.com
> > nameserver 66.z.z.z # DNS provided by ISP #1
> >
> > -------------
> > rc.conf:
> >
> > defaultrouter="66.x.x.x" #this is the upstream gateway on dc0
> > gateway_enable="YES"
> > hostname="x.x.com"
> > ifconfig_dc0="inet 68.y.y.y netmask 255.255.255.0"
> > ifconfig_dc1="inet 66.y.y.y netmask 255.255.255.224"
> > ifconfig_bfe0="inet 192.168.1.1 netmask 255.255.255.0"
> >
> > inetd_enable="YES"
> > linux_enable="YES"
> > sshd_enable="YES"
> > usbd_enable="YES"
> >
> > ntpdate_enable="YES"
> > ntpdate_hosts="0.us.pool.ntp.org"
> >
> > nfs_reserved_port_only="NO"
> > pf_enable="YES"
> > pf_rules="/etc/pf.conf"
> > pf_flags=""
> > pflog_enable="YES"
> > pflog_logfile="/var/log/pflog"
> > pflog_flags=""
> > ---------------
> > pf.conf:
> >
> > ext_if1="dc0"
> > ext_if2="dc1"
> > int_if="bfe0"
> > ext_gw1="68.x.x.x"
> > ext_gw2="66.x.x.x"
> > internal_net="192.168.1.1/24"
> > tcp_services="( 22 )"
> > icmp_types="( 8 )"
> > #tables
> > table <blocktable> persist file "/etc/blocktable"
> >
> > set block-policy drop
> > set limit { states 20000, frags 5000 }
> >
> > set skip on lo0
> >
> > scrub in all
> >
> > nat on $ext_if1 from $internal_net to any -> ($ext_if1)
> > nat on $ext_if2 from $internal_net to any -> ($ext_if2)
> > block in from any to any
> > block out from any to any
> > pass out on $int_if from any to $internal_net keep state
> > pass in quick on $ext_if1 proto tcp from any to 68.y.y.y port 22 flags S/SA keep state #ext_if1
> >
> > #allows ICMP outbound
> > pass in quick on $int_if proto icmp all keep state
> > #allows incoming from client's server
> > pass in quick on {$ext_if1, $ext_if2} proto tcp from a.b.c.d/32
> > pass in quick on {$ext_if1, $ext_if2} proto tcp from a.b.c.d/30
> >
> > #blocks to inside-to-outside here
> > #spoofs
> > block in quick on $int_if from any to 172.16.0.0/12
> > block in quick on $int_if from any to 10.0.0.0/8
> > block in quick on $int_if from any to 169.254.0.0/16
> > block in quick on $int_if from any to 192.168.0.0/16
> > block in quick on $int_if from any to 204.152.64.0/23
> > block in quick on $int_if from any to 224.0.0.0/3
> >
> > # traffic from inside goes straight out
> > pass in quick on $int_if from 192.168.1.0/24 to $int_if
> > pass out on $ext_if1 from [address of $ext_if1] to any flags S/SA keep state
> > pass out on $ext_if2 from [address of $ext_if2] to any flags S/SA keep state
> >
> > #load balancing ...?
> > pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2
> > $ext_gw2) } round-robin proto { tcp icmp udp } from 192.168.1.1/24
> > to any flags S/SA modulate state
> > pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2
> > $ext_gw2) } round-robin proto { tcp icmp udp } from any to any
> > flags S/SA modulate state
> > pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> > pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
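Putting the thread's two suggestions together, as an added example that is not code from any of the posters: a pf.conf that pins each ISP's resolvers to that ISP's uplink (Tommy's rules, placed with "quick" ahead of the balancing rule) and then round-robins the rest with sticky-address, with reply-to used on connections that arrive on an external interface. Interface names follow Mike's setup; the gateway and resolver addresses are assumed RFC 5737 documentation placeholders, not real ones.

```pf
# Macros: interfaces as in the thread; all addresses are documentation placeholders
ext_if1="dc0"
ext_if2="dc1"
int_if="bfe0"
ext_gw1="192.0.2.1"                       # ISP #1 gateway on dc0 (placeholder)
ext_gw2="198.51.100.1"                    # ISP #2 gateway on dc1 (placeholder)
ns1="{ 192.0.2.53, 192.0.2.54 }"          # ISP #1 resolvers (placeholder)
ns2="{ 198.51.100.53, 198.51.100.54 }"    # ISP #2 resolvers (placeholder)
lan_net="192.168.1.0/24"                  # network prefix, not the host form 192.168.1.1/24

set skip on lo0
scrub in all

# Source-NAT LAN traffic to the address of whichever uplink it actually leaves on
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

block in all
block out all
pass out on $int_if from any to $lan_net keep state
pass in quick on $int_if from $lan_net to $int_if keep state

# Pin each provider's resolvers to that provider's uplink. With "quick" and placement
# before the balancing rule, a query to ISP #1's resolver is never round-robined out
# through ISP #2, whose resolver would drop it as coming from an off-net source.
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
    proto { tcp udp } from $lan_net to $ns1 port 53 keep state
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
    proto { tcp udp } from $lan_net to $ns2 port 53 keep state

# Balance everything else; sticky-address keeps one client on one uplink while it
# has states, so a site that opens several connections sees one source address.
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin sticky-address proto { tcp udp icmp } from $lan_net to any keep state

# Let the routed packets leave, and if the kernel's default route put a packet
# sourced from one uplink's address on the other interface, hand it back.
pass out on $ext_if1 proto { tcp udp icmp } from any to any keep state
pass out on $ext_if2 proto { tcp udp icmp } from any to any keep state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any

# Inbound services: reply-to sends the answers back out the interface the request
# arrived on instead of following the default route, so both uplinks work for ssh.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to ($ext_if1) port 22 flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to ($ext_if2) port 22 flags S/SA keep state
```

Check the syntax without loading it with pfctl -nf /etc/pf.conf, then confirm which uplink a client's DNS state landed on with pfctl -ss.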
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?756423.79774.qm>