Re: PF load balancing
There is documentation and a quick-and-dirty example in the PF User's Guide: http://openbsd.org/faq/pf/pools.html#outgoing

On Tue, Aug 23, 2011 at 03:00:51AM -0700, elerdin wrote:
Hello, I have two internet connections and I want to use both with round-robin load balancing, only for outgoing connections. I found various solutions on the web, but I did not manage to modify them for my scenario. One internet connection is a normal ADSL line: there is a modem that I connect to the OpenBSD router, and the interface receives a dynamic IP using DHCP. The other connection has a static IP address and gateway. Now I'm reading the PF documentation, but while I study I need a fast and dirty solution that just works. Can someone help me?
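As an added example (not code from the list posting or from the User's Guide page itself), here is the outgoing load-balancing pattern that the linked section describes, written in the pre-4.7 nat/rdr syntax used by the configurations in this thread. Interface names, gateway addresses and the LAN prefix are assumptions to be replaced; the parenthesised (ext_if) form lets pf follow a DHCP-assigned address.

```pf
lan_net = "192.168.1.0/24"
int_if  = "em0"
ext_if1 = "em1"    # assumed: uplink with a dynamic (DHCP) address
ext_if2 = "em2"    # assumed: uplink with the static address
ext_gw1 = "192.168.3.1"
ext_gw2 = "192.168.0.1"

# Translate outgoing connections to the address of whichever external
# interface the packet actually leaves on. The parentheses make pf
# re-read the interface address when DHCP changes it.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

block in all
block out all

# LAN traffic addressed to the gateway itself must not be route-to'd.
pass in quick on $int_if from $lan_net to $int_if
pass out on $int_if from any to $lan_net

# Spread new connections from the LAN over both uplinks. The state that
# is created remembers the chosen gateway, so one connection never
# straddles both ISPs; only the first packet (flags S/SA) is balanced.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

pass out on $ext_if1 from any to any keep state
pass out on $ext_if2 from any to any keep state

# A packet carrying ext_if2's source address that the routing table has
# sent towards the default gateway on ext_if1 is redirected to ext_if2's
# gateway (and vice versa), so each ISP only ever sees its own address.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check, then watch the per-gateway states with pfctl -ss to confirm both uplinks are being chosen.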
Re: PF load balancing again...
Jose Mejia wrote:
Hi all, here we go again with that matter: we have a firewall with 4 interfaces (2 outside to two different routers and ISPs, 1 inside and 1 DMZ), and the machine is running a Squid web proxy too. We want to do balancing on outgoing connections only for the web traffic. We have managed to do that, and now the packets are going out on ext_if and ext_if2, but they're all coming back in ext_if, so those which arise from traffic on ext_if2 are rejected. Maybe a NAT problem, or is it related to stateful tables? Any idea? This is the pf.conf:

#Interfaces
ext_if=em1
int_if=em0
ext_if2=em2
dmz_if=rl0
ext_gw=192.168.3.1
ext_gw2=192.168.0.1
loop=lo0
#networks
ext_net=192.168.3.0/24
int_net=192.168.1.0/24
dmz_net=192.168.2.0/24
#some hosts
dmz_host=192.168.2.2
#this is the mail server and fax (for internal net) server
private = {127.0.0.0/8 192.168.1.0/24 172.16.0.0/12 10.0.0.0/8}
capaos= {4099, 5090, 4661, 4662, 4665, 4672, 1214, 1863, 5190, 6891:6900, 4500,\
    59, 1080, 6660:6669, 113, 6699, 6257, 5000, 5001, 2234}
#options
set block-policy drop
set loginterface $ext_if
set optimization normal
#set skip on $loop
#normalizations
scrub in on $ext_if all
scrub in on $ext_if2 all
#nat / rdr
nat on $ext_if from !($ext_if) to any -> ($ext_if)
#changed to that rules to make the routing
nat on $ext_if2 from !($ext_if2) to any -> ($ext_if2)
rdr on $int_if inet proto tcp from any to any port www -> 192.168.1.1 port 8080 # squid
rdr on $ext_if inet proto tcp from any to $ext_if port smtp -> $dmz_host port smtp
rdr on $int_if inet proto tcp from any to $dmz_host port smtp -> $dmz_host port smtp
rdr on $int_if inet proto tcp from any to $dmz_host port pop3 -> $dmz_host port pop3
rdr on $int_if inet proto tcp from any to $dmz_host port ssh -> $dmz_host port ssh
rdr on $int_if inet proto tcp from any to $dmz_host port 4559 -> $dmz_host port 4559 #hylafax
#rules
block in log all
block in quick inet6 all
block out quick inet6 all
#flags, anti port-scanner
block in log quick proto tcp all flags SF/SFRA
block in log quick proto tcp all flags SFUP/SFRAU
block in log quick proto tcp all flags FPU/SFRAUP
block in log quick proto tcp all flags /SFRA
block in log quick proto tcp all flags F/SFRA
block in log quick proto tcp all flags U/SFRAU
block in log quick proto tcp all flags P
#antispoof quick for {$int_if, $ext_if }
#block return in log on $ext_if proto {udp, tcp} all
#output load balancing tcp
pass out on $ext_if from any to any modulate state
#I put first that rule so the second match the web traffic
pass out log on $ext_if route-to \
    { ($ext_if $ext_gw), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from any to any port www keep state
pass in on $int_if all keep state
pass out log on $int_if inet proto udp from $dmz_host to 192.168.1.8 port 53
#NFS Memnoch (this is a NFS connection from DMZ to LAN, I know is very insecure but is only for now)
pass out log on $int_if inet proto {tcp udp} to 192.168.1.48 port 111
pass out log on $int_if inet proto {tcp udp} to 192.168.1.48 port 2049
pass in log on $dmz_if all keep state
#still not refined
pass out log on $dmz_if all keep state
pass out log on $ext_if2 from any to any modulate state # ext_if2 outgoing rule
#route packets from any IPs on $ext_if to $ext_gw and $ext_if2 to $ext_gw2
##that's referenced in the FAQ. necessary? neither works..
#pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any modulate state
#pass out on $ext_if2 route-to ($ext_if $ext_gw) from $ext_if to any modulate state
block in log quick on $ext_if inet from any to {255.255.255.255, 213.172.59.151}
block return-rst in log quick on $ext_if proto tcp from any to any port \
    {111, 1080, 6000, 6667, 139, 4662}
block in log quick on $ext_if2 inet from any to {255.255.255.255, 213.172.59.151}
block return-rst in log quick on $ext_if2 proto tcp from any to any port \
    {111, 1080, 6000, 6667, 139, 4662}
#block return-rst in log quick on $int_if proto tcp from any to any port \
#    {111,1080, 6000, 6667, 139, 4662}
#Port blocking
block out log quick on $ext_if proto tcp from any to any port $capaos
block out log quick on $ext_if2 proto tcp from any to any port $capaos
#some port-blocking
#proxy
pass in on $int_if inet proto tcp from any to 192.168.1.1 port 8080 keep state
#ssh
pass in log on $int_if inet proto tcp from any to 192.168.1.1 port ssh keep state
pass in log on $int_if inet proto tcp from any to 192.168.2.2 port ssh keep state
#pass in log on $dmz_if inet proto tcp from $int_net to $dmz_host port ssh keep state
#lo0
pass quick on lo0 all

Remember, we want to balance the outgoing web traffic generated by the Squid proxy on the same machine. Thanks in advance and greetings,
Jose M

That's because the route back is controlled on the other end unless
RE: PF load balancing again...
Hi,
Since all interfaces have 192.168.x.x IPs, are you sure what the IPs and netmasks of your routers are? What if your routers have a different netmask than yours? Please use pfctl -vsr and see what rules are evaluated. Use pftop from ports to debug connections.
Cheers,
Tihomir

--- Jose Mejia [EMAIL PROTECTED] wrote:

Tihomir Koychev wrote:
The rule below will work if your default gateway is on $ext_if:
pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) from any to any port www keep state probability 50%

It doesn't work either. I didn't debug it, but it seems packets going out from ext_if2 are coming back to ext_if 1 too. The default gw is on ext_if.

Tihomir Koychev wrote:
Can you give the ifconfig output and /etc/mygate? Also try using pfctl -vsr and look at what's going on on $ext_if and $ext_if2, what the last matched rule is, etc.

mygate points to the IP of the router attached to ext_if. ifconfig -a output:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:e0:81:61:bc:cd
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
        inet6 fe80::2e0:81ff:fe61:bccd%em0 prefixlen 64 scopeid 0x1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:e0:81:61:bc:cc
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.168.3.1 netmask 0xfff8 broadcast 192.168.3.255
        inet6 fe80::2e0:81ff:fe61:bccc%em1 prefixlen 64 scopeid 0x2
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:50:fc:42:fb:21
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.2.1 netmask 0xff00 broadcast 192.168.2.255
        inet6 fe80::250:fcff:fe42:fb21%rl0 prefixlen 64 scopeid 0x3
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:0e:0c:76:d8:67
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.0.2 netmask 0xff00 broadcast 192.168.0.255
        inet6 fe80::20e:cff:fe76:d867%em2 prefixlen 64 scopeid 0x4
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536

Cheers,
Tihomir Koychev
www.BetStrikes.com - Football predictions
RE: PF load balancing again...
Hi Tihomir, thanks for the response. I think Squid is running fine, my default gw is ext_if, and I was playing with multipath too without results. The conf file is really in disorder due to the try-outs and continuous changes, I'm sorry. Now I'm not at the machine, but tomorrow I'll post the output of ifconfig -a and /etc/mygate; I'll try your rule and will control it with pfctl.
Greetings,
Jose M

Tihomir Koychev wrote:
NAT is correct, but this is not important right now. We care about Squid. Check this: http://www.benzedrine.cx/transquid.html What is your default gateway?
My suggestion is to reorder your pf.conf. Order first $int_if, then $int_if2, etc. Then you and others can read pf.conf with ease.
The rule below will work if your default gateway is on $ext_if:
pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) from any to any port www keep state probability 50%
Can you give the ifconfig output and /etc/mygate? Also try using pfctl -vsr and look at what's going on on $ext_if and $ext_if2, what the last matched rule is, etc.
Cheers,
Tihomir Koychev
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Key fingerprint=2499 DE87 82ED 23A8 FD20 3078 04FE 610E 300D 6655
Re: PF load balancing again...
--- Jose Mejia [EMAIL PROTECTED] wrote:
[...]
This is the pf.conf:
[...]
#nat / rdr
nat on $ext_if from !($ext_if) to any -> ($ext_if)
#changed to that rules to make the routing
nat on $ext_if2 from !($ext_if2) to any -> ($ext_if2)

NAT is correct, but this is not important right now. We care about Squid. Check this: http://www.benzedrine.cx/transquid.html What is your default gateway?

[...]
#output load balancing tcp
pass out on $ext_if from any to any modulate state
#I put first that rule so the second match the web traffic
pass out log on $ext_if route-to \
    { ($ext_if $ext_gw), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from any to any port www keep state

My suggestion is to reorder your pf.conf. Order first $int_if, then $int_if2, etc. Then you and others can read pf.conf with ease.

The rule below will work if your default gateway is on $ext_if:
pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) from any to any port www keep state probability 50%

[...]
RE: PF load balancing again...
Tihomir Koychev wrote:
The rule below will work if your default gateway is on $ext_if:
pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) from any to any port www keep state probability 50%

It doesn't work either. I didn't debug it, but it seems packets going out from ext_if2 are coming back to ext_if 1 too. The default gw is on ext_if.

Tihomir Koychev wrote:
Can you give the ifconfig output and /etc/mygate? Also try using pfctl -vsr and look at what's going on on $ext_if and $ext_if2, what the last matched rule is, etc.

mygate points to the IP of the router attached to ext_if. ifconfig -a output:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:e0:81:61:bc:cd
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
        inet6 fe80::2e0:81ff:fe61:bccd%em0 prefixlen 64 scopeid 0x1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:e0:81:61:bc:cc
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.168.3.1 netmask 0xfff8 broadcast 192.168.3.255
        inet6 fe80::2e0:81ff:fe61:bccc%em1 prefixlen 64 scopeid 0x2
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:50:fc:42:fb:21
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.2.1 netmask 0xff00 broadcast 192.168.2.255
        inet6 fe80::250:fcff:fe42:fb21%rl0 prefixlen 64 scopeid 0x3
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:0e:0c:76:d8:67
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.0.2 netmask 0xff00 broadcast 192.168.0.255
        inet6 fe80::20e:cff:fe76:d867%em2 prefixlen 64 scopeid 0x4
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536

Cheers,
Tihomir Koychev
RE: PF load balancing
[EMAIL PROTECTED] wrote:
Hi all: we have a firewall with 4 interfaces (2 outside to two different routers and ISPs, 1 inside and 1 DMZ), and the machine is running a Squid web proxy too. We want to do balancing on outgoing connections only for the web traffic. We have managed to do that, and now the packets are going out on ext_if and ext_if2, but they're all coming back in ext_if, so those which arise from traffic on ext_if2 are rejected. Maybe a NAT problem, or is it related to stateful tables? Any idea?

Do outbound packets have the correct source address? Packets originating from the firewall are probably using whatever IP address Squid is bound to, or whatever IP address is associated with the default gw. Sorry, I don't have a solution and I'd like to hear if anyone has something simple in this case.
-Steve S.
RE: PF load balancing
Hi Steve, that's the problem. Maybe the NAT rules are not right (I've tried with others without result), but I think the key is in the stateful inspection... or maybe the whole idea is not well configured.
Greetings,
Jose M

Steve S. wrote:
[...]
Do outbound packets have the correct source address? Packets originating from the firewall are probably using whatever IP address Squid is bound to, or whatever IP address is associated with the default gw. Sorry, I don't have a solution and I'd like to hear if anyone has something simple in this case.
-Steve S.
Re: pf load balancing
Lucas wrote:
I have done it this way, but still have some problems:

                  10.1.1.1 (M)
            |---gw1 ------|
    LAN-----|             |----- WAN
            |---gw2 ------|
                  (10.1.1.1) (B)

gw2 just has a backup carp interface; gw1 is carp master with 10.1.1.1. NAT is running on both gateways with IP addresses ending in 4 and 5.

This will cause you problems. Assuming gw1 is the carp master, packets from 10.0.0.0/8 to the WAN will get NATed to 192.168.1.4. Now assume that gw2 becomes master. Packets coming back in from the WAN have a destination address of 192.168.1.4; gw2 knows nothing of this address. I'm not quite sure what would happen with outgoing packets that match states created when gw1 was master; they'd probably be passed through and continue to be NATed to 192.168.1.4. What eventually happens is that the flow will time out and the LAN client will retry the connection and succeed. The solution is to create a separate carp group on the WAN side and NAT all outbound connections to that VIP.

It's not exactly clear what you're trying to do. Are you still trying to load balance between 3 gateways? In other words, you have 3 OpenBSD routers/firewalls and you want to load balance traffic across them? carp will handle that without issue as long as it's configured properly. arpbalance is what you're looking for.
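An added example (not from the posting) of the fix the reply describes: a second carp group on the WAN side and a nat rule that translates to that shared address instead of to each gateway's own. The interface names, the 192.168.1.0/24 WAN prefix from the reply, the vhid, the carp1 address and the shared secret are assumptions; the same configuration goes on gw2 with a higher advskew.

```pf
# Problem form, as the reply describes it: each gateway translates to
# its own physical address, so after a failover replies for states
# created on gw1 still arrive for 192.168.1.4, which gw2 does not own.
#   nat on $ext_if inet from 10.0.0.0/8 to any -> 192.168.1.4   # gw1
#   nat on $ext_if inet from 10.0.0.0/8 to any -> 192.168.1.5   # gw2

# /etc/hostname.carp1 on gw1 (gw2: same line with advskew 100):
#   inet 192.168.1.10 255.255.255.0 192.168.1.255 vhid 2 carpdev em1 pass carp1secret advskew 0

# /etc/pf.conf fragment, identical on both gateways
ext_if  = "em1"               # assumed WAN-side physical interface
int_if  = "em0"               # assumed LAN-side interface (carp0 lives here)
sync_if = "em2"               # assumed crossover link between gw1 and gw2
wan_vip = "192.168.1.10"      # carp1 address shared by gw1 and gw2

# Translate to the shared WAN address: whichever gateway is master
# answers ARP for it, so returning packets reach the current master
# and existing states keep matching after a failover.
nat on $ext_if inet from 10.0.0.0/8 to any -> $wan_vip

# carp advertisements on both sides, and pfsync so the state table
# (including the NAT mappings above) is mirrored to the backup.
pass quick on { $ext_if $int_if } proto carp keep state
pass quick on $sync_if proto pfsync
```

After failing gw1 over, pfctl -ss on gw2 should list the same states that gw1 held for 192.168.1.10, which is the check that the VIP rather than a physical address is being used.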
Re: pf load balancing
I tried with it, but it works if I have a machine in the middle, like this:

                                                GW2
    LAN - obsd (load balancer with route-to) -- GW1 -- WAN
                                                GW3

I want something that works in this scenario:

          GW2
    LAN   GW1 -- WAN
          GW3

Can route-to do the work in this case?
Lucas

ed wrote:
On Wed, 21 Sep 2005 17:05:23 -0300 Lucas [EMAIL PROTECTED] wrote:
I'm working with 3 gateways and want to load balance between them. After a failure with layer 2 (carp arpbalance) balancing, I tried to do it with pf. The most logical way to do it is with a machine before the gateways distributing the load. Is there a way to do it without adding a new machine (and a new point of failure) to the set?

Look into the route-to keyword
Re: pf load balancing
Hi,
Can you post your pf.conf and output from ifconfig?

--- Lucas [EMAIL PROTECTED] wrote:
[...]

Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Key fingerprint=2499 DE87 82ED 23A8 FD20 3078 04FE 610E 300D 6655
Re: pf load balancing
On 09/22/2005 04:51:37 PM, Lucas wrote:
I have done it this way, but still have some problems:

I am sorry. I'm afraid I may not have understood your initial diagram. (I like to see the machines, with each interface and its assigned IP, and the network number/netmask of the networks connecting the interfaces, before I can make sense of what's going on.) Perhaps now that you've posted more info and your config somebody will be able to help.
Karl [EMAIL PROTECTED]
Free Software: You don't pay back, you pay forward. -- Robert A. Heinlein
Re: pf load balancing
I have done it this way, but still have some problems:

                  10.1.1.1 (M)
            |---gw1 ------|
    LAN-----|             |----- WAN
            |---gw2 ------|
                  (10.1.1.1) (B)

gw2 just has a backup carp interface; gw1 is carp master with 10.1.1.1. NAT is running on both gateways with IP addresses ending in 4 and 5. gw1 and gw2 are interconnected through a third NIC with a 192.168.0.0/24 IP range ($i_if) (ending in 1 and 2). My pf.conf is the following:

- gw1
nat on $ext_if inet from 10.0.0.0/8 to any -> xxx.xxx.xxx.4
pass in quick inet proto carp
pass in on $int_if route-to { ($ext_if xxx.xxx.xxx.2), ($i_if 192.168.0.2) } round-robin sticky-address inet from 10.0.0.0/8 to any keep state

- gw2
nat on $ext_if inet from 10.0.0.0 to any -> xxx.xxx.xxx.5

I've tested route-to with each of the next hops sitting alone (i.e. just with the first one and with the second one) and it worked well. When I run it with this config, things start working well and after some time the connection hangs. If I wait for some time it starts working again. Any clue?
Lucas

Karl O. Pinc wrote:
On 09/21/2005 10:19:42 PM, Lucas wrote:
[...]
I take it back, you could put two networks on the link between GW1 and WAN, and then use route-to. However, you would not truly be able to secure GW2 and GW3.
Karl [EMAIL PROTECTED]
Free Software: You don't pay back, you pay forward. -- Robert A. Heinlein
Re: pf load balancing
On Wed, 21 Sep 2005 17:05:23 -0300 Lucas [EMAIL PROTECTED] wrote:
I'm working with 3 gateways and want to load balance between them. After a failure with layer 2 (carp arpbalance) balancing, I tried to do it with pf. The most logical way to do it is with a machine before the gateways distributing the load. Is there a way to do it without adding a new machine (and a new point of failure) to the set?

Look into the route-to keyword
--
http://www.usenix.org.uk - http://irc.is-cool.net
Re: pf load balancing, macros, tables...
On Wed, Mar 23, 2005 at 10:47:34PM -0800, Kevin wrote:
yet this does not:
rdr on $ext proto tcp from any to <web_servers_ext> port 80 -> \
    <web_servers_int> round-robin sticky-address

There was a bug fixed recently where pf would fail to select a translation when a rule did not have an explicit (or implicit) address family (IPv4/v6). This was backported to 3.6-stable; maybe you have an older kernel. To test the theory, add 'inet' to your rule, which makes the address family explicit. If this is not the problem, describe exactly how 'it is not working'.
Daniel
Re: pf load balancing, macros, tables...
Daniel wrote:
yet this does not:
rdr on $ext proto tcp from any to <web_servers_ext> port 80 -> \
    <web_servers_int> round-robin sticky-address

There was a bug fixed recently where pf would fail to select a translation when a rule did not have an explicit (or implicit) address family (IPv4/v6). This was backported to 3.6-stable; maybe you have an older kernel. To test the theory, add 'inet' to your rule, which makes the address family explicit. If this is not the problem, describe exactly how 'it is not working'.

Mea culpa. I really should have given you more to go on. :-( That said, when looking at a tcpdump -netttvvvi pflog0 port 80, it was as you suspected: pf apparently wasn't selecting an appropriate translation rule, so connections were getting blocked by the default block rule. As described, simply changing the rule to this:
rdr on $ext inet proto tcp from any to <web_servers_ext> port 80 -> \
    <web_servers_int> round-robin sticky-address
makes everything pass through like a champ. Now to grab an updated 3.6-stable. :-)
Thanks so much.
Kevin
Re: PF Load balancing plans?
On Mon, Nov 15, 2004 at 05:22:36PM -0500, dormando wrote:
I understand there's software like slbd which will add/remove servers from a round-robin mechanism, but I would like to know if there are any current plans for expanding on PF's internal load balancing systems? I won't put out a wishlist just yet, in case there are plans/patches in the process.

I'm not aware of any specific plans or ongoing work in that area. Maybe start with evaluating the features pf has right now, and give us an idea of what is missing for your setup. I can't promise that anyone will commit to a list of features, but if cost is not an issue and you want to donate, there are always opportunities, like http://marc.theaimsgroup.com/?l=openbsd-misc&m=110055360205220
Daniel
Re: pf load balancing problem
On Aug 7, 2004, at 03:05, Reza Muhammad wrote:
binat on $ext_if1 from $server_int to any -> server_ext

Why do you need this line? I'm currently doing a simple RDR (like you do further on in your pf.conf) and have a PASS rule. Here are the relevant lines from my pf.conf:
[...]
rdr on $ext_all proto tcp from any to $out_ip port { 22 80 } -> \
    $internal
[...]
pass in on $ext_all proto tcp from any to $internal port { 22 80 } \
    flags S/SA keep state

Both TCP ports 22 and 80 are redirected. I do not have a BINAT rule anywhere (the responses from $internal are taken care of by the NAT rule(s)).