From: Rémy Sanchez
To: freebsd-net@freebsd.org
Date: Mon, 31 Oct 2011 03:01:53 +0100
Subject: Re: multiple ISP
List-Id: Networking and TCP/IP with FreeBSD

On Friday 28 October 2011 16:22:25 nyoman.bogi@gmail.com wrote:
> dear all,
>
> I need to set up a router (using FreeBSD) that connects to the Internet
> to accommodate multiple ISPs, so users can be load balanced through
> those several ISP lines.
>
> how can I do that?
>
> thanks in advance

Well, let's suppose that your ISP interfaces have respectively $ispN_ip and
$ispN_router as interface IP and ISP router IP. And that $natN is the divert
port corresponding to the NAT for the given ISP. Then you get something like

    # This treats incoming traffic
    ipfw add 1310 divert $nat1 ip from any to any in via $if1
    ipfw add 1320 divert $nat2 ip from any to any in via $if2
    ...
    ipfw add 13N0 divert $natN ip from any to any in via $ifN

    # Check states
    ipfw add 3000 check-state

    # Load balance outgoing traffic
    # Note: change 1/N, 1/(N-1), etc. by actual values for your N
    ipfw add 10100 prob 1/N skipto 20100 ip from $internal to any keep-state
    ipfw add 10200 prob 1/(N-1) skipto 20200 ip from $internal to any keep-state
    ...
    ipfw add 10N00 skipto 20N00 ip from $internal to any keep-state

    # Do outgoing NAT (the divert reinjects the packet at the next rule,
    # now sourced from the ISP address, so the fwd rule matches on that)
    ipfw add 20100 divert $nat1 ip from $internal to any out
    ipfw add 20110 fwd $isp1_router ip from $isp1_ip to any
    ipfw add 20200 divert $nat2 ip from $internal to any out
    ipfw add 20210 fwd $isp2_router ip from $isp2_ip to any
    ...
    ipfw add 20N00 divert $natN ip from $internal to any out
    ipfw add 20N10 fwd $ispN_router ip from $ispN_ip to any

And here is what the natd.conf would look like

    ### ISP 1 ### (first block is the implicit default instance)
    port 8868
    dynamic yes
    interface re1

    ### ISP 2 ###
    instance dsl2
    port 8869
    dynamic yes
    interface re2

    ### ISP N ###
    instance dsl3
    port 8870
    dynamic yes
    interface reN

You'll notice that the load balancing rules are skipto to NAT rules instead of
directly being NAT rules. This is because this way you can factorize your NAT
rules with several sets of load-balancing rules (like having different
patterns for TCP and UDP, or depending on the users, etc.).

Also note that those lines are inspired by my actual configuration file, that
is much more complex than this, and I didn't test anything, so it might not
work out-of-the-box; however this gives you a good preview of what it should
be.

One last important thing: this kind of load-balancing can be relatively
complex to get correctly working if you do have different bitrates from your
ISPs. You might also want to try protocols like MLPPP (with mpd for example),
but this is more complex to set up and you need a server on "the other side" to
get it working.

Well, have fun :)

-- 
Rémy Sanchez
http://hyperthese.net/
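The script below is an added example, not Rémy's configuration or anything posted in the thread. It assumes the ipfw/natd layout described in the reply and a constructed three-uplink table (interfaces re1 to re3, RFC 5737 documentation addresses, divert ports 8868 to 8870 as in the natd.conf above). It generates the rule set and natd.conf for any N, computing the prob values 1/N, 1/(N-1), ... instead of hand-editing them, and checks the share each uplink ends up with:

```shell
#!/bin/sh
# Added example (not from the mailing-list post): generate the ipfw ruleset
# and natd.conf skeleton for N uplinks. ISP_TABLE is a constructed sample,
# one line per uplink: iface ip router divert_port.
ISP_TABLE='re1 203.0.113.10 203.0.113.1 8868
re2 198.51.100.20 198.51.100.1 8869
re3 192.0.2.30 192.0.2.1 8870'

# prob for the K-th of N balancing rules is 1/(N-K+1); printed with four
# decimals using integer arithmetic only (no awk/bc needed).
ipfw_prob() {
    d=$(( $1 - $2 + 1 ))
    if [ "$d" -eq 1 ]; then
        echo "1.0000"
    else
        printf '0.%04d\n' $(( 10000 / d ))
    fi
}

# Share (basis points of 10000) that uplink K receives after the earlier
# rules took their cut: prob_K * prod_{j<K}(1 - prob_j). This is why the
# chain needs 1/N, 1/(N-1), ... and not a flat 1/N on every rule.
effective_share_bp() {
    n=$1; k=$2; remaining=10000; share=0; j=1
    while [ "$j" -le "$k" ]; do
        p=$(( 10000 / (n - j + 1) ))
        share=$(( remaining * p / 10000 ))
        remaining=$(( remaining - share ))
        j=$(( j + 1 ))
    done
    echo "$share"
}

# Balancing rules 10100, 10200, ...: every rule but the last carries a prob;
# the last is an unconditional skipto so no flow falls through unbalanced.
gen_lb_rules() {
    n=$1; internal=$2; k=1
    while [ "$k" -le "$n" ]; do
        base=$(( 10000 + k * 100 )); target=$(( 20000 + k * 100 ))
        if [ "$k" -lt "$n" ]; then
            echo "ipfw add $base prob $(ipfw_prob "$n" "$k") skipto $target ip from $internal to any keep-state"
        else
            echo "ipfw add $base skipto $target ip from $internal to any keep-state"
        fi
        k=$(( k + 1 ))
    done
}

# Inbound divert rules 1310, 1320, ... (one per uplink interface).
gen_in_rules() {
    k=0
    while read -r iface ip router natport; do
        [ -n "$iface" ] || continue
        k=$(( k + 1 ))
        echo "ipfw add $(( 1300 + k * 10 )) divert $natport ip from any to any in via $iface"
    done <<EOF
$1
EOF
}

# Outbound NAT + fwd pairs 20100/20110, 20200/20210, ...; after the divert
# the source is the uplink address, so the fwd rule matches on that.
gen_out_rules() {
    internal=$1; k=0
    while read -r iface ip router natport; do
        [ -n "$iface" ] || continue
        k=$(( k + 1 ))
        base=$(( 20000 + k * 100 ))
        echo "ipfw add $base divert $natport ip from $internal to any out"
        echo "ipfw add $(( base + 10 )) fwd $router ip from $ip to any"
    done <<EOF
$2
EOF
}

count_isps() { printf '%s\n' "$1" | grep -c .; }

# Full ruleset in the order of the post: inbound, check-state, balance, NAT.
gen_ruleset() {
    gen_in_rules "$2"
    echo "ipfw add 3000 check-state"
    gen_lb_rules "$(count_isps "$2")" "$1"
    gen_out_rules "$1" "$2"
}

# natd.conf: the first block is the implicit default instance, later ones named.
gen_natd_conf() {
    k=0
    while read -r iface ip router natport; do
        [ -n "$iface" ] || continue
        k=$(( k + 1 ))
        if [ "$k" -gt 1 ]; then echo "instance isp$k"; fi
        echo "port $natport"; echo "dynamic yes"; echo "interface $iface"; echo
    done <<EOF
$1
EOF
}

# Stand-alone run: print everything for review; nothing touches a live firewall.
gen_ruleset 10.0.0.0/24 "$ISP_TABLE"
echo "--- natd.conf ---"
gen_natd_conf "$ISP_TABLE"
```

Running it prints the ruleset for the sample table, with prob 0.3333 and 0.5000 on the first two balancing rules; effective_share_bp shows the resulting split is 3333/3333/3334 basis points, whereas a flat 1/N on every rule would leave most new flows to the last uplink. Review the output before loading it; the divert ports and interface names must match the natd instances actually started with that natd.conf.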