From owner-freebsd-net@FreeBSD.ORG Mon Oct 25 05:43:30 2004
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 300FB16A4CE; Mon, 25 Oct 2004 05:43:30 +0000 (GMT)
Received: from pimout1-ext.prodigy.net (pimout1-ext.prodigy.net [207.115.63.77]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9CD3C43D1F; Mon, 25 Oct 2004 05:43:29 +0000 (GMT) (envelope-from julian@elischer.org)
Received: from [192.168.1.102] (adsl-68-123-122-146.dsl.snfc21.pacbell.net [68.123.122.146]) i9P5hQWC320160; Mon, 25 Oct 2004 01:43:27 -0400
Message-ID: <417C927B.8050304@elischer.org>
Date: Sun, 24 Oct 2004 22:43:23 -0700
From: Julian Elischer
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.8a3) Gecko/20041017
To: Bill Fumerola
References: <417C85FA.5050708@elischer.org> <20041025053545.GJ67216@elvis.mu.org>
In-Reply-To: <20041025053545.GJ67216@elvis.mu.org>
cc: Stephane Raimbault
cc: net@FreeBSD.org
Subject: Re: using natd to load balance port 80 to multiple servers
List-Id: Networking and TCP/IP with FreeBSD

Bill Fumerola wrote:
> On Sun, Oct 24, 2004 at 09:50:02PM -0700, Julian Elischer wrote:
>
>> Stephane Raimbault wrote:
>>
>>> I'm currently using a freebsd box running natd to forward port 80 to
>>> several (5) web servers on private IP's.
>>>
>>> I have discovered that natd doesn't handle many requests/second all that
>>> well (seem to choke at about 200 req/second (educated guess))
>>
>> use the "ipfw fwd" option to directly send the packets to the appropriate
>> machine.
>> Should be able to forward at wire speed.
>
> doesn't work for any configuration involving more than one backend
> machine. through what magic does ipfw determine "the appropriate machine"?
> it has to be consistent throughout each tcp connection..
>
> the only way to do this entirely in ipfw (that i can think of) would be
> to do something horrible like this:
>
> frontend# ifconfig fxp0 VIRTUAL netmask 255.255.255.255 -alias
> backends# ifconfig lo0 VIRTUAL netmask 255.255.255.255 -alias
> frontend# ipfw add 100 fwd backend1 tcp from 0.0.0.0/2 to VIRTUAL 80
> frontend# ipfw add 200 fwd backend2 tcp from 64.0.0.0/2 to VIRTUAL 80
> frontend# ipfw add 300 fwd backend3 tcp from 128.0.0.0/2 to VIRTUAL 80
> frontend# ipfw add 400 fwd backend4 tcp from 192.0.0.0/2 to VIRTUAL 80

I have used noncontiguous masks and based it purely on the lowest 2 bits of the 3rd octet. worked quite well as a "quick and nasty" load balancer. certainly equal to using natd for the same thing with less work.

> which is essentially one of the world's worst load balancing algorithms.
> i suppose basing it on src ports would be even worse. you could use
> non-contiguous masks too for "better" distribution than cutting the space
> into 1/N chunks. anyways, it needs to be something that per-packet always
> maps a tcp connection to the same backend server.

as I said above...

> we could do something neat and marry ipfw dynamic rules with 'ipfw fwd'
> by adding a nexthop field to the ipfw_dyn_rule, rule op codes to feed
> and lookup from the table, add a least conns selection method, add a
> round robin method, add the ability to point to a table of machines
> (possibly allow marking a machine as 'no new connections') for picking
> nexthops. that would bring us up to the basic hardware vendor
> implementations available circa 1999.

yep..
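The "lowest 2 bits of the 3rd octet" trick Julian mentions, modelled as an added example that is not part of the thread: a small POSIX sh script that computes which backend a given source address lands on, generates the equivalent `ipfw fwd` rules using ipfw's `addr:mask` form with a noncontiguous mask (assumption: ipfw accepts a noncontiguous mask in that form), and tallies the distribution over a sample of addresses. The VIRTUAL address, the backend list and the sample client addresses are constructed placeholders; nothing here touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Models stateless
# source-hashed forwarding: backend = (third octet of source IP) & 3.
# Because every packet of one TCP connection carries the same source
# address, the mapping is stable for the life of the connection without
# any per-flow state on the frontend.

VIRTUAL="192.0.2.10"                            # placeholder service address
BACKENDS="10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4"  # placeholder backend pool

# backend_index IP -> prints 0..3 (low two bits of the third octet)
backend_index() {
    third=$(printf '%s' "$1" | cut -d. -f3)
    echo $(( third & 3 ))
}

# backend_for IP -> prints the backend address chosen for that source
backend_for() {
    idx=$(backend_index "$1")
    i=0
    for b in $BACKENDS; do
        if [ "$i" -eq "$idx" ]; then
            echo "$b"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# emit_rules -> prints one ipfw rule per backend. Base 0.0.i.0 with mask
# 0.0.3.0 matches sources whose third octet has low bits == i (assumption:
# ipfw accepts this noncontiguous mask in addr:mask form).
emit_rules() {
    i=0
    rule=100
    for b in $BACKENDS; do
        printf 'ipfw add %d fwd %s tcp from 0.0.%d.0:0.0.3.0 to %s 80\n' \
            "$rule" "$b" "$i" "$VIRTUAL"
        i=$((i + 1))
        rule=$((rule + 100))
    done
}

# distribution IP... -> "count index" lines showing how a sample spreads.
# A skewed client population (many clients behind one NAT, say) lands on
# one backend; that is the weakness Bill describes.
distribution() {
    for ip in "$@"; do
        backend_index "$ip"
    done | sort | uniq -c | sed 's/^ *//'
}

# Stand-alone run over constructed sample addresses.
emit_rules
distribution 203.0.113.7 198.51.100.22 192.0.2.45 203.0.113.200 10.9.5.1
```

Use `emit_rules` only to inspect the rule text; the `0.0.0.0/2`-style rules in Bill's message split the address space into four contiguous quarters instead, which is why he expects worse balance than the low-bit hash.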