Date: Tue, 9 Nov 2004 08:39:58 +1100
From: LD <ldsift-applels@yahoo.com.au>
To: Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Help: Load Balancing 2 external connections
Message-ID: <BC8EFF48-31CE-11D9-9B7E-0005025E2371@yahoo.com.au>
In-Reply-To: <20041108203616.GA21361@shellma.zin.lublin.pl>
References: <5223CD88-31B6-11D9-838C-0005025E2371@yahoo.com.au> <20041108203616.GA21361@shellma.zin.lublin.pl>
Hi Pawel,

Thanks for your explanations. If I can bother you some more...

On 09/11/2004, at 7:36 AM, Pawel Malachowski wrote:

> On Tue, Nov 09, 2004 at 05:45:11AM +1100, LD wrote:
>> My Questions are:
>> a) Do I need any specific kernel options? i.e., features that aren't
>> available otherwise through dynamic loading.
>
> Using divert requires IPDIVERT option (loadable version of divert is
> in very fresh sources only), which is not in GENERIC I guess.
> Both ipfw and dummynet can be loaded from modules.
> Warning: ipfw default policy is to block all traffic so be careful when
> loading it remotely. :)

That won't be a problem as I'll be at the machine.

>> b) I'd like to make the whole thing transparent to the internal
>> network. i.e., internal computers' nameserver references are to the
>> gateway (rather than isp) which then translates such requests to the
>> appropriate nameserver(s) of the relevant isp according to which pipe
>> the request is sent through :-)
>
> That's obsolete. Set up your caching DNS server or allow use of the
> nameservers of both upstream ISPs.

No worries.

>> b) I'm assuming that for the most part 'prob 0.5' will balance the load
>> between two pipes to the external interfaces...but is there a better
>> scheme? Also guaranteeing that a complete conversation, once initiated
>> via an interface would continue through that interface...
>
> What You want is called `fwd'. Still, prob 0.5 will match 50% of packets,
> which are not TCP sessions, so it won't work this way. You want connection
> (flow) balancing. This may be hard to achieve. I would experiment with
> fwd rule with keep-state option.

Is my understanding correct that the following (placed before the fwd
rules) achieves that? i.e., 'ipfw add check-state' placed prior to
'<some fwd rule> setup keep-state'

>> d) any other tricks of the trade?
>
> As said, this DNS stuff seems weird.
> Also fwd is not used.

Would you be able to show me a quick skeleton example of how you'd do
your script?

> Also prob 0.5 is not used properly (first 50% will match 50%, second
> will match 50% of rest 50%, which gives 25%).

Ah, so the second one should not have a prob so as to match the
remainder...of course (was too early in the morning).

> Try setting default route to one ISP and fwd 50% of flows from its
> interface to second ISP gateway.

Quick example?

> Note, by default pipe will accept packet (it won't be checked against
> other rules). Same with fwd. Same with allow.
>
> I would suggest temporarily resigning from blocking and dummynet stuff
> and just trying to create pure load-balancing. It will be hard enough.

The reason I went for the dummynet stuff (and hence got off track as
you've said) is that I'm wanting to test this out at home (where I
don't have 2 external connections or 3 network cards - but instead 2
network cards) prior to taking down the company network. So, how would
you simulate this? Or what would you suggest?

> Always do `ipfw -d show' and look at rule counters to make sure that
> packets go as expected.

Okay, thanks.

> I would also look at ipf and pf firewalls, they have strong session
> handling, You may find one of them to be easier to set up or even
> find some ready-to-use examples with google.

I will certainly have another look should this avenue fail...I just
liked the syntax/concept/integration of ipfw/dummynet.
I've spent a fair amount of time trying to get familiar with ipfw - so
it'd be good if these things can be done through it...

Thanks for your assistance!

with regards,

--
LD
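A skeleton of the ruleset Pawel describes (check-state first, one prob 0.5 fwd rule with setup keep-state, the remainder with no prob), as an added example that is not part of this thread and not Pawel's script. The interface name and the two gateway addresses are assumed placeholders; by default the script only prints the ipfw commands so it can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: per-flow balancing of new TCP connections across two ISPs.
# Dry run by default (prints the commands); set IPFW=ipfw to apply them.
IPFW="${IPFW:-echo ipfw}"
INT_IF="${INT_IF:-fxp0}"             # assumed: internal (LAN) interface
ISP2_GW="${ISP2_GW:-198.51.100.1}"   # assumed: gateway of the second ISP;
                                     # the first ISP is the default route

lb_rules() {
    # check-state must precede the fwd rules: packets of an already
    # established flow hit their dynamic rule and keep the same gateway.
    $IPFW add 100 check-state
    # Half of the NEW flows (setup = SYN only) are forwarded to ISP2;
    # keep-state pins the rest of that connection to this rule.
    # fwd accepts the packet, no further rules are checked.
    $IPFW add 200 prob 0.5 fwd "$ISP2_GW" tcp from any to any in via "$INT_IF" setup keep-state
    # No prob on the remainder: it takes everything rule 200 let through,
    # so these flows follow the default route to ISP1.
    $IPFW add 300 allow tcp from any to any in via "$INT_IF" setup keep-state
    $IPFW add 65000 allow ip from any to any
}

# Why two prob 0.5 rules would not split 50/50: the second rule only sees
# what the first did not match, so it catches p2 of the remaining (1-p1).
chained_prob() {
    awk -v p1="$1" -v p2="$2" 'BEGIN { printf "%.2f %.2f\n", p1, (1 - p1) * p2 }'
}
```

Check the split with `ipfw -d show` afterwards, as Pawel suggests: the packet counters of rules 200 and 300 should grow at roughly the same rate.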