On 5/4/06, Hisham Mardam Bey <[EMAIL PROTECTED]> wrote:
I was thinking about something of the sort. How would I be able to use the bridge to redirect the packets though? The clients need to see a single IP as their gateway, say 172.16.2.1, and when they send packets towards that gateway, it needs to load balance their requests. If we have a bridge, how would it act and what exactly would it do?
I managed to solve the problem. The main idea is to have a bridge that sits between the clients and the backend servers. I have two backend gateways:

    172.16.2.1
    172.16.2.2

The bridge has 172.16.2.3 on it for 2 reasons:

    1- remote administration
    2- makes it easier to keep track of all the ARPs (when I didn't give it an IP at all, the setup didn't work for some reason, it never got any ARPs).

The bridge has the following pf.conf:

    # Server side nic
    servers_if = "rl0"

    # Client side nic
    clients_if = "fxp0"

    # Client internal network
    clients_net = "{ ! 172.16.2.1, ! 172.16.2.2, ! 172.16.2.3, 172.16.2.0/24 }"

    # Backend servers
    be_servers = "{ 172.16.2.1, 172.16.2.2 }"

    # Our servers
    servers = "{ $be_servers, 172.16.2.3 }"

    # Internet, everything else
    internet = "{ ! 172.16.2.1, ! 172.16.2.2, ! 172.16.2.3 }"

    pass out log on $servers_if route-to \
        { ($servers_if 172.16.2.1), ($servers_if 172.16.2.2) } round-robin \
        from $clients_net to any keep state

    # Allowed incoming services
    pass in log on $servers_if from any to any \
        keep state

    # Allowed outgoing services
    pass out log on $clients_if all keep state

The result of this is that all clients have their gateway set to 172.16.2.1 (one of the backend servers) and their packets have to pass through the bridge to reach the gateway. As the packets pass through, the bridge intercepts them and routes them to one of the two gateways using round-robin while remembering state. My previous disconnect problems with SSH and IRC, and even the mplayer streaming problem, have all disappeared. It seems like this setup is quite fast and stable, and allows the network to grow (with more backend servers being added) very easily. I'm going to test it some more for a couple of days and let you guys know if I run into any problems. Maybe after it's proven to be stable, I'll write a small how-to about this scenario. I just want to thank everyone that helped out both on the mailing list and on irc (you guys know who you are, hehe).
OpenBSD / PF is my new firewall and router recommendation from now on. Great docs, great community, great OS.

Best Regards,
hisham.

--
Hisham Mardam Bey
MSc (Computer Science)
http://hisham.cc/
+9613609386
Codito Ergo Sum (I Code Therefore I Am)
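The behaviour the ruleset above depends on, round-robin over the two gateways combined with keep state, modelled as an added Python example (not code from the post or from pf itself; the flow-key fields and the sample client addresses are assumptions for illustration). It shows why new connections alternate between 172.16.2.1 and 172.16.2.2 while every later packet of an established SSH or IRC session stays on the gateway chosen when its state entry was created:

```python
# Model of a pf "route-to { gw1, gw2 } round-robin ... keep state" rule.
# The first packet of a flow creates a state entry and takes the next
# gateway from the round-robin pool; later packets of that flow reuse the
# gateway stored in the state, so a TCP session is never split across
# gateways. Addresses and packets below are constructed sample data.
from itertools import cycle

GATEWAYS = ["172.16.2.1", "172.16.2.2"]  # the two backend gateways from the post


class RouteToRoundRobin:
    """Round-robin route-to pool with a per-flow state table."""

    def __init__(self, gateways):
        self._pool = cycle(gateways)   # round-robin pointer over the pool
        self.states = {}               # flow key -> gateway picked at state creation

    @staticmethod
    def flow_key(pkt):
        # Assumed state key: protocol plus both address/port pairs.
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    def route(self, pkt):
        key = self.flow_key(pkt)
        if key not in self.states:             # first packet of a new flow
            self.states[key] = next(self._pool)
        return self.states[key]                # existing flow keeps its gateway


def simulate(packets, gateways=GATEWAYS):
    """Return the gateway each packet is forwarded to, in packet order."""
    rr = RouteToRoundRobin(gateways)
    return [rr.route(p) for p in packets]


def tcp(src, sport, dst, dport):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}


if __name__ == "__main__":
    # Constructed traffic: SSH from client .10, SSH from client .11,
    # a second packet of the first session, then a new session from .10.
    sample = [
        tcp("172.16.2.10", 40001, "198.51.100.5", 22),
        tcp("172.16.2.11", 40002, "198.51.100.5", 22),
        tcp("172.16.2.10", 40001, "198.51.100.5", 22),
        tcp("172.16.2.10", 40003, "198.51.100.5", 22),
    ]
    for p, gw in zip(sample, simulate(sample)):
        print(f"{p['src']}:{p['sport']} -> via {gw}")
```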