From: LD
Date: Tue, 9 Nov 2004 08:39:58 +1100
To: Pawel Malachowski
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Help: Load Balancing 2 external connections
In-Reply-To: <20041108203616.GA21361@shellma.zin.lublin.pl>

Hi Paweł,

Thanks for your explanations. If I can bother you some more...

On 09/11/2004, at 7:36 AM, Pawel Malachowski wrote:

> On Tue, Nov 09, 2004 at 05:45:11AM +1100, LD wrote:
>> My Questions are:
>> a) Do I need any specific kernel options? i.e., features that aren't
>> available otherwise through dynamic loading.
>
> Using divert requires IPDIVERT option (loadable version of divert is
> in very fresh sources only), which is not in GENERIC I guess.
> Both ipfw and dummynet can be loaded from modules.
> Warning: ipfw default policy is to block all traffic so be careful when
> loading it remotely. :)

That won't be a problem as I'll be at the machine.

>> b) I'd like to make the whole thing transparent to the internal
>> network. i.e., internal computers' nameserver references are to the
>> gateway (rather than isp) which then translates such requests to the
>> appropriate nameserver(s) of the relevant isp according to which pipe
>> the request is sent through :-)
>
> That's obsolete. Set up your caching DNS server or allow to use
> nameservers of both upstream ISPs.

No worries.

>> c) I'm assuming that for the most part 'prob 0.5' will balance the load
>> between two pipes to the external interfaces...but is there a better
>> scheme? Also guaranteeing that a complete conversation, once initiated
>> via an interface would continue through that interface...
>
> What You want is called `fwd'. Still, prob 0.5 will match 50% of packets,
> which are not TCP sessions, so it won't work this way. You want connection
> (flow) balancing. This may be hard to achieve. I would experiment with
> fwd rule with keep-state option.

Is my understanding correct that the following (placed before the fwd
rules) achieves that? i.e., 'ipfw add check-state' placed prior to
'setup keep-state'

>> d) any other tricks of the trade?
>
> As said, this DNS stuff seems weird.
> Also fwd is not used.

Would you be able to show me a quick skeleton example of how you'd do
your script?

> Also prob 0.5 is not used properly (first 50% will match 50%, second
> will match 50% of rest 50%, which gives 25%).

Ah, so second one should not have a prob so as to match the
remainder...of course (was too early in the morning).

> Try setting default route to one ISP and fwd 50% of flows from its
> interface to second ISP gateway.

Quick example?

> Note, by default pipe will accept packet (it won't be checked against
> another rules). Same with fwd. Same with allow.
>
> I would suggest temporarily resigning from blocking and dummynet stuff
> and just trying to create pure load-balancing. It will be hard enough.

The reason I went for the dummynet stuff (and hence got off track as
you've said) is that I'm wanting to test this out at home (where I
don't have 2 external connections or 3 network cards - but instead 2
network cards) prior to taking down the company network. So, how would
you simulate this? Or what would you suggest?

> Always do `ipfw -d show' and look at rule counters to make sure that
> packets go as expected.

Okay, thanks.

> I would also look at ipf and pf firewalls, they have strong session
> handling, You may find one of them to be easier to set up or even
> find some ready-to-use examples with google.

I will certainly have another look should this avenue fail...I just
liked the syntax/concept/integration of ipfw/dummynet.

I've spent a fair amount of time trying to get familiar with ipfw - so
it'd be good if these things can be done through it...

Thanks for your assistance!

with regards,
--
LD
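A skeleton ruleset along the lines Pawel sketches above (check-state ahead of a single prob fwd rule with keep-state, no dummynet or blocking yet), added here as an example; it is not a script from the thread or from FreeBSD. The interface names, the LAN prefix, the second ISP's gateway and the 50/50 split are assumptions, and NAT for the two public addresses is left out.

```shell
#!/bin/sh
# Added example: balance new TCP sessions from the LAN over two uplinks with ipfw.
# ISP A holds the default route; half of the new sessions are fwd'ed to ISP B.
# All names and addresses below are assumed values, not from the thread.
LAN_IF=rl0                 # internal interface
LAN_NET=192.168.1.0/24     # internal network
ISP_B_GW=10.0.1.1          # next hop towards the second ISP
FWD_SHARE=0.5              # share of new sessions sent via ISP B

# Print the ruleset, one rule per line, without installing it.
# 200: anything heading back into the LAN is accepted before check-state, so the
#      reply packets of a balanced session never inherit the dynamic rule's fwd.
# 300: packets of a session seen before reuse the gateway chosen at SYN time.
# 400: only this rule carries prob; the remaining sessions fall through to 500
#      and follow the default route (a second prob 0.5 rule would catch only 25%).
# The fwd action needs options IPFIREWALL_FORWARD in kernels of this era.
rules() {
    cat <<EOF
100 allow ip from any to any via lo0
200 allow ip from any to $LAN_NET
300 check-state
400 prob $FWD_SHARE fwd $ISP_B_GW tcp from $LAN_NET to any in recv $LAN_IF setup keep-state
500 allow ip from any to any
EOF
}

# Number of rules carrying prob; anything other than 1 means the split compounds.
prob_rule_count() {
    rules | grep -c '^[0-9]* prob '
}

# Rule number of the first rule matching a pattern, for checking the ordering.
rule_number_of() {
    rules | awk -v pat="$1" '$0 ~ pat { print $1; exit }'
}

# Flush and install the ruleset; run as root on the gateway: sh thisfile load
load() {
    ipfw -q -f flush
    rules | while read -r r; do
        ipfw -q add $r
    done
}

if [ "${1:-}" = "load" ]; then
    load
fi
```

Without the `load` argument the script only defines the functions, so `rules` can be used to review the set before installing it; afterwards `ipfw -d show` lists the dynamic rules and counters as suggested in the reply.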