Date: Tue, 1 Jan 2008 15:18:45 -0800 From: Michael Smith <mksmith@adhost.com> To: Michael Zimmer <drakyri@hotmail.com> Cc: freebsd-pf@freebsd.org Subject: Re: load-balancing, DNS Message-ID: <DE830065-3345-41C7-84D0-9BB3EE1F4D42@adhost.com> In-Reply-To: <BLU109-W44C29F03969549674188CBB1510@phx.gbl> References: <BLU109-W44C29F03969549674188CBB1510@phx.gbl>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello Michael:
I think you want to use "reply-to" instead of "route-to" on load
balance rules since you need it to go out the same interface it came
in on. This will work in conjunction with any connection that has
state, so make sure your DNS pass rule has keep-state.
Try
pass in quick on $int_if reply-to { ($ext_if1 $ext_gw1), ($ext_if2
$ext_gw2) } round-robin proto { tcp icmp udp } from 192.168.1.1/24 to
any flags S/SA keep-state
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2
$ext_gw2) } round-robin sticky-address proto { tcp icmp udp } from any
to any flags S/SA keep-state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
Regards,
Mike
On Jan 1, 2008, at 1:32 PM, Michael Zimmer wrote:
>
> Hi everyone,
>
> I just installed pf on FreeBSD 6.2 for a firewall/NAT/load-
> balancer ... but I'm having some trouble. I'm pretty sure that it
> isn't actually splitting the outgoing traffic (trying to load-
> balance over two uplinks), and the users are experiencing
> intermittent trouble resolving DNS entries (and being silly users,
> instead of reloading the page, they yell 'the Internet isn't
> working!' and then use that as a reason for reeeeaaally long lunches).
>
> The workstations behind the FreeBSD box are mostly running some
> flavor of Windows; static private IPs, gateway set to the BSD box,
> primary DNS set to the DNS server of the ISP on uplink #1, secondary
> to the ISP on uplink #2. I can force it to use either connection
> successfully, but not both.
>
>
> Thanks in advance for any help. Happy New Year!
>
> -mike
>
>
> Here's my setup:
>
> dc1 is uplink #1; dc0 is uplink #2 (via a DSL modem on IP pass-
> through); bfe0 links to the internal network.
>
> resolv.conf:
>
> domain x.comnameserver 66.z.z.z # DNS provided by ISP #1
>
> -------------
> rc.conf:
>
> defaultrouter="66.x.x.x" #this is the upstream gateway on
> dc0gateway_enable="YES"hostname="x.x.com"ifconfig_dc0="inet
> 68.y.y.y netmask 255.255.255.0"
> ifconfig_dc1="inet 66.y.y.y netmask
> 255.255.255.224"ifconfig_bfe0="inet 192.168.1.1 netmask
> 255.255.255.0"
>
> inetd_enable="YES"linux_enable="YES"sshd_enable="YES"usbd_enable="YES"
>
> ntpdate_enable="YES"ntpdate_hosts="0.us.pool.ntp.org"
>
> nfs_reserved_port_only="NO"
> pf_enable="YES"pf_rules="/etc/
> pf.conf"pf_flags=""pflog_enable="YES"pflog_logfile="/var/log/
> pflog"pflog_flags=""
> ---------------
> pf.conf:
>
> ext_if1
> ="dc0"ext_if2="dc1"int_if="bfe0"ext_gw1="68.x.x.x"ext_gw2="66.x.x.x"
> internal_net="192.168.1.1/24"
> tcp_services="( 22 )"icmp_types="( 8 )"
> #tablestable <blocktable> persist file "/etc/blocktable"
>
> set block-policy drop
> set limit { states 20000, frags 5000 }
>
> set skip on lo0
>
> scrub in all
>
> nat on $ext_if1 from $internal_net to any -> ($ext_if1)nat on
> $ext_if2 from $internal_net to any -> ($ext_if2)
> block in from any to anyblock out from any to any
> pass out on $int_if from any to $internal_net keep state
> pass in quick on $ext_if1 proto tcp from any to 68.y.y.y port 22
> flags S/SA keep state #ext_if1
>
> #allows ICMP outboundpass in quick on $int_if proto icmp all keep
> state
> #allows incoming from client's serverpass in quick on {$ext_if1,
> $ext_if2} proto tcp from a.b.c.d/32pass in quick on {$ext_if1,
> $ext_if2} proto tcp from a.b.c.d/30
>
> #blocks to inside-to-outside here#spoofsblock in quick on $int_if
> from any to 172.16.0.0/12block in quick on $int_if from any to
> 10.0.0.0/8block in quick on $int_if from any to 169.254.0.0/16block
> in quick on $int_if from any to 192.168.0.0/16block in quick on
> $int_if from any to 204.152.64.0/23block in quick on $int_if from
> any to 224.0.0.0/3
>
> # traffic from inside goes straight outpass in quick on $int_if from
> 192.168.1.0/24 to $int_ifpass out on $ext_if1 from [address of
> $ext_if1] to any flags S/SA keep statepass out on $ext_if2 from
> [address of $ext_if2] to any flags S/SA keep state
>
> #load balancing ...?
> pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2
> $ext_gw2) } round-robin proto { tcp icmp udp } from 192.168.1.1/24
> to any flags S/SA modulate statepass in quick on $int_if route-to
> { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { tcp
> icmp udp } from any to any flags S/SA modulate state
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to
> anypass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1
> to any
>
> _________________________________________________________________
> Get the power of Windows + Web with the new Windows Live.
> http://www.windowslive.com?ocid=TXT_TAGHM_Wave2_powerofwindows_122007_______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DE830065-3345-41C7-84D0-9BB3EE1F4D42>