From owner-freebsd-net@FreeBSD.ORG Mon Oct 25 05:35:45 2004
Date: Sun, 24 Oct 2004 22:35:45 -0700
From: Bill Fumerola
To: Julian Elischer
cc: Stephane Raimbault, net@freebsd.org
Subject: Re: using natd to load balance port 80 to multiple servers
Message-ID: <20041025053545.GJ67216@elvis.mu.org>
In-Reply-To: <417C85FA.5050708@elischer.org>
List-Id: Networking and TCP/IP with FreeBSD

On Sun, Oct 24, 2004 at 09:50:02PM -0700, Julian Elischer wrote:
> Stephane Raimbault wrote:
> >I'm currently using a freebsd box running natd to forward port 80 to
> >several (5) web servers on private IPs.
> >
> >I have discovered that natd doesn't handle many requests/second all that
> >well (seems to choke at about 200 req/second (educated guess))
>
> use the "ipfw fwd" option to directly send the packets to the appropriate
> machine.
> Should be able to forward at wire speed.

doesn't work for any configuration involving more than one backend machine.

through what magic does ipfw determine "the appropriate machine"? it has
to be consistent throughout each tcp connection..

the only way to do this entirely in ipfw (that i can think of) would be
to do something horrible like this:

  # VIRTUAL is the public address clients connect to; the frontend owns it
  # on its wire interface and each backend also binds it on loopback so it
  # will accept the forwarded packets ("alias" adds the address; "-alias"
  # would remove it)
  frontend# ifconfig fxp0 VIRTUAL netmask 255.255.255.255 alias
  backends# ifconfig lo0 VIRTUAL netmask 255.255.255.255 alias

  # split the 32-bit source address space into four /2 chunks, one per backend
  frontend# ipfw add 100 fwd backend1 tcp from 0.0.0.0/2 to VIRTUAL 80
  frontend# ipfw add 200 fwd backend2 tcp from 64.0.0.0/2 to VIRTUAL 80
  frontend# ipfw add 300 fwd backend3 tcp from 128.0.0.0/2 to VIRTUAL 80
  frontend# ipfw add 400 fwd backend4 tcp from 192.0.0.0/2 to VIRTUAL 80

which is essentially one of the world's worst load balancing algorithms.
i suppose basing it on src ports would be even worse. you could use
non-contiguous masks too for "better" distribution than cutting the space
into 1/N chunks.

anyways, it needs to be something that per-packet always maps a tcp
connection to the same backend server.

we could do something neat and marry ipfw dynamic rules with 'ipfw fwd' by
adding a nexthop field to the ipfw_dyn_rule, rule op codes to feed and
lookup from the table, add a least conns selection method, add a round
robin method, add the ability to point to a table of machines (possibly
allow marking a machine as 'no new connections') for picking nexthops.

that would bring us up to the basic hardware vendor implementations
available circa 1999.

--
- bill fumerola / billf@FreeBSD.org
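As an added illustration (not part of the mail above, nor of ipfw itself), the following Python generalises the "cut the source space into 1/N chunks" rule set to any power-of-two number of backends, simulates which backend a client lands on, and contrasts it with a source-address hash that keeps the same per-connection consistency without handing each backend a fixed quarter of the address space. Backend and client addresses are constructed sample values.

```python
import ipaddress
import zlib
from typing import Callable, Dict, List

# Constructed sample values: a placeholder virtual IP and four backends.
VIRTUAL = "203.0.113.10"
BACKENDS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
# Constructed clients: a campus in 10.0.0.0/8 plus a few scattered sources.
CLIENTS = [f"10.1.{i}.{j}" for i in range(2) for j in range(1, 6)] + [
    "100.64.1.1", "150.10.20.30", "200.1.1.1"]


def chunk_fwd_rules(virtual: str, backends: List[str], port: int = 80) -> List[str]:
    """ipfw 'fwd' rules splitting the IPv4 source space into len(backends)
    equal contiguous prefixes (the /2 scheme from the mail, for any 2**k)."""
    n = len(backends)
    if n < 1 or n & (n - 1):
        raise ValueError("number of backends must be a power of two")
    bits = n.bit_length() - 1  # 4 backends -> /2, 8 -> /3, ...
    rules = []
    for i, backend in enumerate(backends):
        base = ipaddress.ip_address(i << (32 - bits))
        net = ipaddress.ip_network(f"{base}/{bits}")
        rules.append(f"ipfw add {100 * (i + 1)} fwd {backend} tcp from {net} to {virtual} {port}")
    return rules


def chunk_select(src: str, backends: List[str]) -> str:
    """Backend a client reaches under the contiguous-chunk rules: the top
    k bits of its source address index the backend list."""
    bits = len(backends).bit_length() - 1
    return backends[int(ipaddress.ip_address(src)) >> (32 - bits)]


def hash_select(src: str, backends: List[str]) -> str:
    """Alternative: CRC32 of the source address, mod N. A given source still
    always maps to the same backend (so a TCP connection stays put), but
    neighbouring clients are spread instead of clustered on one backend."""
    return backends[zlib.crc32(ipaddress.ip_address(src).packed) % len(backends)]


def distribution(select: Callable[[str, List[str]], str],
                 sources: List[str], backends: List[str]) -> Dict[str, int]:
    """Count how many of the sample sources each backend receives."""
    counts = {b: 0 for b in backends}
    for s in sources:
        counts[select(s, backends)] += 1
    return counts


if __name__ == "__main__":
    print("\n".join(chunk_fwd_rules(VIRTUAL, BACKENDS)))
    print("chunk:", distribution(chunk_select, CLIENTS, BACKENDS))
    print("hash: ", distribution(hash_select, CLIENTS, BACKENDS))
```

With the constructed clients the chunk scheme sends all ten 10.1.x.y sources to the first backend, which is exactly the skew the mail complains about.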