From owner-freebsd-pf@FreeBSD.ORG Fri Apr 25 07:05:54 2008
From: "Morten Grunnet Buhl" <mortengb@gmail.com>
To: freebsd-pf@freebsd.org
Date: Fri, 25 Apr 2008 08:38:28 +0200
Message-ID: <402f78990804242338v5c2d6e95yaf73382878f8c26@mail.gmail.com>
Subject: pf (+ relayd?) as lvs replacement
List-Id: "Technical discussion and general questions about packet filter (pf)"

Our setup:

                      +--------------------+
                      |       Client       |
                      +----------+---------+
                                 |
                                 |
                                 |
    +---------------------------------------------------------+
    |                 The World Wide Web (TM)                 |
    +-----------+----------------+----------------+-----------+
                |                |                |
                |                | Ext            |
                |         +------+------+         |
                |         | Gentoo/LVS  |         |
                |         +------+------+         |
            Ext |                |            Ext |
                |                |                |
                |      +---------+---------+      |
                |      | Int           Int |      |
             +--+------+-+              +-+------+--+
             |   FBSD1   |              |   FBSD2   |
             +-----------+              +-----------+

    GentExtif       XXX.XXX.XXX.10
    GentIntif       10.0.0.10
    FBSD1Extif      XXX.XXX.XXX.11
    FBSD1lo0alias   XXX.XXX.XXX.10
    FBSD1Intif      10.0.0.11
    FBSD2Extif      XXX.XXX.XXX.12
    FBSD2lo0alias   XXX.XXX.XXX.10
    FBSD2Intif      10.0.0.12

Gentoo/LVS manipulates the packet from a client and sends it to FBSD(1|2).
FBSD(1|2) then returns data directly to the client.

As you can see, all of our machines have external IPs. This diagram is a
scaled-down version of our setup. The Gentoo/LVS machine handles more
'clusters' of (more than two) machines. These machines are sending a lot
more traffic than they are receiving. It's therefore not feasible to route
the traffic out through one single machine, as it would quickly become the
bottleneck. This setup is transparent to our users and is working quite well.

Motivation:

All our 'back-end' machines are now running *BSD. The company's only Linux
guy/defender/admin has left us. We would therefore like to completely lose
Linux in our setup. We have seen that IPVS has been ported to FreeBSD but
have not had any luck finding people that use it on a larger scale.
Furthermore we would like to make this solution cleaner (if possible)
using pf.

Question:

Is this possible with pf (maybe with relayd)?

Thanks in advance for any information (positive or negative) that might
help us on our way.

/mgb
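Added here as an illustration of the direct-return pattern the mail describes, expressed with pf alone; it is not from the mail, from a list reply, or from the FreeBSD/pf project. The interface names em0/em1, the service port 80 and the masked XXX.XXX.XXX.* addresses are assumptions taken from the diagram. The point is that pf's route-to sends the client's packet to a back end as a next hop without rewriting the destination address, so the back end (which already holds the service address as an lo0 alias, as in the mail) accepts it locally and answers straight to the client; the director never sees the reply.

```pf
# --- Director /etc/pf.conf (added example; replaces the Gentoo/LVS role) ---
# Assumptions: em0 carries XXX.XXX.XXX.10, em1 carries 10.0.0.10; service is TCP/80.
ext_if = "em0"
int_if = "em1"
vip    = "XXX.XXX.XXX.10"

set skip on lo0

# Client traffic for the service address is handed to one back end as a
# next hop on the internal segment.  The destination IP stays XXX.XXX.XXX.10,
# which is what lets the back end's lo0 alias accept it.
# source-hash picks the back end deterministically from the client's source
# address, so every packet of one client (and every re-created state) goes
# to the same machine.  No "flags S/SA": replies bypass this box, so its
# states never see the server side and expire early; a mid-stream packet
# must be allowed to re-create state, and source-hash makes that harmless.
pass in quick on $ext_if route-to { ($int_if 10.0.0.11), ($int_if 10.0.0.12) } source-hash \
    inet proto tcp from any to $vip port 80 keep state

# The routed packet is re-evaluated as outbound traffic on $int_if.
pass out quick on $int_if inet proto tcp from any to $vip port 80 keep state

# --- Back end /etc/pf.conf (FBSD1 shown; FBSD2 is identical) ---
# The mail already has the service address on lo0; on FreeBSD that is
#   ifconfig lo0 XXX.XXX.XXX.10 netmask 255.255.255.255 alias
# Accept the service traffic arriving from the director on the internal
# interface.  The reply leaves via the default route on the external
# interface and matches this (floating) state on its way out.
# int_if = "em1"
# pass in quick on $int_if inet proto tcp from any to XXX.XXX.XXX.10 port 80 keep state
```

Two things this sketch does not give you, and which are exactly what relayd would have to add for the question in the mail: there is no health check (a dead back end stays in the route-to pool until someone edits pf.conf and reloads), and pool membership cannot change without a rule reload. On the back ends, the address on lo0 must not be advertised on the external segment; the director is the only machine that owns XXX.XXX.XXX.10 on that wire, which is the same condition the existing LVS setup already relies on.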