Date:      Wed, 2 Jan 2008 09:45:38 +0000
From:      Michael Zimmer <drakyri@hotmail.com>
To:        Tommy Pham <tommyhp2@yahoo.com>, <freebsd-pf@freebsd.org>, <mksmith@adhost.com>
Subject:   RE: load-balancing, DNS
Message-ID:  <BLU109-W5108BE38C7044E67CE0206B1520@phx.gbl>
In-Reply-To: <756423.79774.qm@web38204.mail.mud.yahoo.com>
References:  <DE830065-3345-41C7-84D0-9BB3EE1F4D42@adhost.com> <756423.79774.qm@web38204.mail.mud.yahoo.com>


Thanks to both of you ... it looks okay remotely - I'll test it on-site tomorrow.

-mike

> Date: Tue, 1 Jan 2008 21:56:34 -0800
> From: tommyhp2@yahoo.com
> To: freebsd-pf@freebsd.org
> Subject: Re: load-balancing, DNS
>
> Hi Michael,
>
> Another method that you can try is:
>
> pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
>      from any to { $ns1a, $ns1b } keep state
> pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
>      from any to { $ns2a, $ns2b } keep state
>
> the number corresponds to the provider's info
>
> I also have load balancing from 2 different providers. The above rules
> work great for me.
>
> ~Tommy
>
>
> --- Michael Smith <mksmith@adhost.com> wrote:
>
> > Hello Michael:
> >
> > I think you want to use "reply-to" instead of "route-to" on load
> > balance rules since you need it to go out the same interface it came
> > in on. This will work in conjunction with any connection that has
> > state, so make sure your DNS pass rule has keep-state.
> >
> > Try
> >
> > pass in quick on $int_if reply-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> >     round-robin proto { tcp icmp udp } from 192.168.1.1/24 to any \
> >     flags S/SA keep state
> >
> > pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> >     round-robin sticky-address proto { tcp icmp udp } from any to any \
> >     flags S/SA keep state
> >
> > pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> > pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
> >
> > Regards,
> >
> > Mike
> >
> > On Jan 1, 2008, at 1:32 PM, Michael Zimmer wrote:
> >
> > > Hi everyone,
> > >
> > > I just installed pf on FreeBSD 6.2 for a firewall/NAT/load-balancer
> > > ... but I'm having some trouble. I'm pretty sure that it isn't
> > > actually splitting the outgoing traffic (trying to load-balance over
> > > two uplinks), and the users are experiencing intermittent trouble
> > > resolving DNS entries (and being silly users, instead of reloading
> > > the page, they yell 'the Internet isn't working!' and then use that
> > > as a reason for reeeeaaally long lunches).
> > >
> > > The workstations behind the FreeBSD box are mostly running some
> > > flavor of Windows; static private IPs, gateway set to the BSD box,
> > > primary DNS set to the DNS server of the ISP on uplink #1, secondary
> > > to the ISP on uplink #2. I can force it to use either connection
> > > successfully, but not both.
> > >
> > > Thanks in advance for any help. Happy New Year!
> > >
> > > -mike
> > >
> > > Here's my setup:
> > >
> > > dc1 is uplink #1; dc0 is uplink #2 (via a DSL modem on IP
> > > pass-through); bfe0 links to the internal network.
> > >
> > > resolv.conf:
> > >
> > > domain x.com
> > > nameserver 66.z.z.z # DNS provided by ISP #1
> > >
> > > -------------
> > > rc.conf:
> > >
> > > defaultrouter="66.x.x.x" #this is the upstream gateway on dc0
> > > gateway_enable="YES"
> > > hostname="x.x.com"
> > > ifconfig_dc0="inet 68.y.y.y netmask 255.255.255.0"
> > > ifconfig_dc1="inet 66.y.y.y netmask 255.255.255.224"
> > > ifconfig_bfe0="inet 192.168.1.1 netmask 255.255.255.0"
> > >
> > > inetd_enable="YES"
> > > linux_enable="YES"
> > > sshd_enable="YES"
> > > usbd_enable="YES"
> > >
> > > ntpdate_enable="YES"
> > > ntpdate_hosts="0.us.pool.ntp.org"
> > >
> > > nfs_reserved_port_only="NO"
> > > pf_enable="YES"
> > > pf_rules="/etc/pf.conf"
> > > pf_flags=""
> > > pflog_enable="YES"
> > > pflog_logfile="/var/log/pflog"
> > > pflog_flags=""
> > > ---------------
> > > pf.conf:
> > >
> > > ext_if1="dc0"
> > > ext_if2="dc1"
> > > int_if="bfe0"
> > > ext_gw1="68.x.x.x"
> > > ext_gw2="66.x.x.x"
> > > internal_net="192.168.1.1/24"
> > > tcp_services="( 22 )"
> > > icmp_types="( 8 )"
> > > #tables
> > > table <blocktable> persist file "/etc/blocktable"
> > >
> > > set block-policy drop
> > > set limit { states 20000, frags 5000 }
> > >
> > > set skip on lo0
> > >
> > > scrub in all
> > >
> > > nat on $ext_if1 from $internal_net to any -> ($ext_if1)
> > > nat on $ext_if2 from $internal_net to any -> ($ext_if2)
> > > block in from any to any
> > > block out from any to any
> > > pass out on $int_if from any to $internal_net keep state
> > > pass in quick on $ext_if1 proto tcp from any to 68.y.y.y port 22 \
> > >     flags S/SA keep state #ext_if1
> > >
> > > #allows ICMP outbound
> > > pass in quick on $int_if proto icmp all keep state
> > > #allows incoming from client's server
> > > pass in quick on {$ext_if1, $ext_if2} proto tcp from a.b.c.d/32
> > > pass in quick on {$ext_if1, $ext_if2} proto tcp from a.b.c.d/30
> > >
> > > #blocks to inside-to-outside here
> > > #spoofs
> > > block in quick on $int_if from any to 172.16.0.0/12
> > > block in quick on $int_if from any to 10.0.0.0/8
> > > block in quick on $int_if from any to 169.254.0.0/16
> > > block in quick on $int_if from any to 192.168.0.0/16
> > > block in quick on $int_if from any to 204.152.64.0/23
> > > block in quick on $int_if from any to 224.0.0.0/3
> > >
> > > # traffic from inside goes straight out
> > > pass in quick on $int_if from 192.168.1.0/24 to $int_if
> > > pass out on $ext_if1 from [address of $ext_if1] to any flags S/SA keep state
> > > pass out on $ext_if2 from [address of $ext_if2] to any flags S/SA keep state
> > >
> > > #load balancing ...?
> > > pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> > >     round-robin proto { tcp icmp udp } from 192.168.1.1/24 to any \
> > >     flags S/SA modulate state
> > > pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> > >     round-robin proto { tcp icmp udp } from any to any \
> > >     flags S/SA modulate state
> > > pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> > > pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
> > >
> > > _______________________________________________
> > > freebsd-pf@freebsd.org mailing list
> > > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
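The rules the thread converges on, collected into one added pf.conf fragment. This is editor-supplied example text, not the original poster's config, not Tommy's or Mike's exact rules, and not pf documentation; it is written against the pf.conf(5) syntax of FreeBSD 6.x, where flags S/SA and keep state are still explicit. Interface, gateway and internal-net macros reuse the names from the posted config; the resolver addresses in $ns1 and $ns2 are placeholders and have to be replaced with each ISP's real nameservers. The first two rules carry Tommy's point: a query to ISP #1's resolver has to leave on ISP #1's uplink, because after NAT it would otherwise arrive from ISP #2's address, and a resolver that only answers its own customers silently drops it, which is one common cause of the intermittent resolution failures described. reply-to belongs on rules that match connections arriving on an external interface: it sends that connection's replies back through that interface's gateway instead of the default route. flags only applies to TCP, so the TCP and UDP/ICMP round-robin rules are kept separate, as the pf FAQ's multi-WAN example also does.

```pf
# Added example: two-uplink load balancing with each ISP's resolvers
# pinned to that ISP's uplink.  FreeBSD 6.x pf.conf(5) syntax.  The
# interface/gateway macros are the thread's; the resolver addresses are
# placeholders, not real ISP servers.
ext_if1 = "dc0"
ext_if2 = "dc1"
int_if  = "bfe0"
ext_gw1 = "68.x.x.x"
ext_gw2 = "66.x.x.x"
internal_net = "192.168.1.0/24"
# Placeholders: ns1 = ISP #1's resolvers (reached via ext_if1),
# ns2 = ISP #2's resolvers (reached via ext_if2).
ns1 = "{ 68.z.z.1, 68.z.z.2 }"
ns2 = "{ 66.z.z.1, 66.z.z.2 }"

set block-policy drop
set skip on lo0
scrub in all

# Source NAT on whichever uplink the packet actually leaves by.
nat on $ext_if1 from $internal_net to any -> ($ext_if1)
nat on $ext_if2 from $internal_net to any -> ($ext_if2)

block all
pass out on $int_if from any to $internal_net keep state

# 1. DNS to ISP #1's resolvers always leaves on ISP #1's link (and
#    likewise for ISP #2), so the query arrives from that ISP's own
#    address space.  These rules are "quick" and must come before the
#    round-robin rule below; otherwise half the queries would be NATed
#    to the other ISP's address and a customer-only resolver drops them.
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) proto { tcp, udp } \
    from $internal_net to $ns1 port domain keep state
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) proto { tcp, udp } \
    from $internal_net to $ns2 port domain keep state

# 2. Everything else from the LAN is spread over both uplinks.
#    sticky-address keeps one client on one uplink for its later
#    connections, so sites that bind a session to the source IP keep
#    working.  "flags" only applies to TCP, hence two rules.
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin sticky-address proto tcp \
    from $internal_net to any flags S/SA modulate state
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin sticky-address proto { udp, icmp } \
    from $internal_net to any keep state

# 3. Connections that arrive on an uplink (here: ssh to the firewall)
#    must answer through that uplink's gateway, not the default route.
#    That is what reply-to is for; route-to on these rules would be wrong.
pass in quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to ($ext_if1) port ssh flags S/SA keep state
pass in quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to ($ext_if2) port ssh flags S/SA keep state

# 4. Locally generated traffic bound to one uplink's address that the
#    kernel's default route would push out the other interface is moved
#    back to the right one.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if1 from $ext_if1 to any keep state
pass out on $ext_if2 from $ext_if2 to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, then `pfctl -f /etc/pf.conf`; `pfctl -ss` afterwards shows which interface each DNS state was created on, which is the quickest way to confirm the pinning rules are matching before the round-robin rule.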



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BLU109-W5108BE38C7044E67CE0206B1520>