Re: PF load balancing

2011-08-23 Thread Ryan McBride
There is documentation and a quick-and-dirty example in the PF
User's Guide:

http://openbsd.org/faq/pf/pools.html#outgoing

On Tue, Aug 23, 2011 at 03:00:51AM -0700, elerdin wrote:
 Hello, I have two internet connections and I want to use both with
 round-robin load balancing, only for outgoing connections. I found
 various solutions on the web, but I did not manage to adapt them to my
 scenario. One internet connection is a normal ADSL line: there is a modem
 that I connect to the OpenBSD router, and the interface receives its
 dynamic IP using DHCP. The other connection has a static IP address
 and gateway. Now I'm reading the PF documentation, but while I study I
 need a fast and dirty solution that just works. Can someone help
 me?
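As an added illustration of the approach the linked FAQ section takes (this fragment is not from the FAQ page or from either poster), here is a pf.conf in the pre-4.7 nat syntax used throughout this thread for the two-uplink case elerdin describes: interface names, the LAN prefix and both gateway addresses are assumed placeholders.

```pf
# Added example: round-robin outgoing balancing across two uplinks for
# traffic forwarded from the LAN. Names and addresses below are assumptions.
lan_if  = "em0"
ext_if1 = "em1"             # ADSL modem, address assigned by DHCP
ext_if2 = "em2"             # static address
ext_gw1 = "203.0.113.1"     # placeholder next hop for uplink 1
ext_gw2 = "198.51.100.1"    # placeholder next hop for uplink 2
lan_net = "192.168.1.0/24"

# Translate each connection to the address of the uplink it leaves on, so
# the reply is addressed to that uplink and returns on the same interface.
# The parentheses re-read the interface address per packet, which keeps the
# DHCP uplink correct after a lease change.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

block in all
block out all

pass out on $lan_if from any to $lan_net
pass in quick on $lan_if from $lan_net to ($lan_if)

# Choose the uplink as the LAN packet enters, alternating new connections
# between the two next hops. The state created here remembers the choice,
# so every later packet of the connection takes the same path.
pass in on $lan_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state
pass in on $lan_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# The default route points at one uplink, so a packet carrying the other
# uplink's source address would otherwise leave on the wrong interface.
# Push it back to the interface whose address it carries.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any
```

If one client's connections must all stay on one uplink (some sites reject a session whose source address changes), add sticky-address after round-robin; check which rule and state a connection actually hit with pfctl -vsr and pfctl -ss.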


Re: PF load balancing again...

2006-03-20 Thread iv
Jose Mejia wrote:
 Hi all, here we go again with that matter:
 
 We've a firewall with 4 interfaces (2 outside to two different routers and
 ISPs, 1 inside and 1 DMZ); the machine is running a Squid web proxy too. We
 want to make balancing on outgoing connections only for the web traffic. We
 have got that to work, and now the packets are going out on ext_if and ext_if2,
 but they're all coming back in ext_if, so those which arise from traffic on
 ext_if2 are rejected. Maybe a NAT problem, or is it related to stateful
 tables? Any idea?
 
 This is the pf.conf :
 
 #Interfaces
 ext_if=em1
 int_if=em0
 ext_if2=em2
 dmz_if=rl0
 ext_gw=192.168.3.1
 ext_gw2=192.168.0.1
 loop=lo0
 
 #networks
 ext_net=192.168.3.0/24
 int_net=192.168.1.0/24
 dmz_net=192.168.2.0/24
 
 #some hosts
 dmz_host=192.168.2.2 #this is the mail server and fax (for internal net) server
 
 private = {127.0.0.0/8 192.168.1.0/24 172.16.0.0/12 10.0.0.0/8}
 
 capaos= {4099, 5090, 4661, 4662, 4665, 4672, 1214, 1863, 5190, 6891:6900, \
  4500, 59, 1080, 6660:6669, 113, 6699, 6257, 5000, 5001, 2234}
 
 #options
 set block-policy drop
 set loginterface $ext_if
 set optimization normal
 #set skip on $loop
 
 #normalizations
 scrub in on $ext_if all
 scrub in on $ext_if2 all
 
 #nat / rd
 nat on $ext_if from !($ext_if) to any -> ($ext_if)   #changed to that rules to make the routing
 nat on $ext_if2 from !($ext_if2) to any -> ($ext_if2)
 
 
 rdr on $int_if inet proto tcp from any to any port www -> 192.168.1.1 port 8080 # squid
 rdr on $ext_if inet proto tcp from any to $ext_if port smtp -> $dmz_host port smtp
 rdr on $int_if inet proto tcp from any to $dmz_host port smtp -> $dmz_host port smtp
 rdr on $int_if inet proto tcp from any to $dmz_host port pop3 -> $dmz_host port pop3
 rdr on $int_if inet proto tcp from any to $dmz_host port ssh -> $dmz_host port ssh
 rdr on $int_if inet proto tcp from any to $dmz_host port 4559 -> $dmz_host port 4559 #hylafax
 
 #rules
 block in log all
 block in quick inet6 all
 block out quick inet6 all
 
 #flags anti so escaner
 block in log quick proto tcp all flags SF/SFRA
 block in log quick proto tcp all flags SFUP/SFRAU
 block in log quick proto tcp all flags FPU/SFRAUP
 block in log quick proto tcp all flags /SFRA
 block in log quick proto tcp all flags F/SFRA
 block in log quick proto tcp all flags U/SFRAU
 block in log quick proto tcp all flags P
 
 #antispoof quick for {$int_if, $ext_if }
 #block return in log on $ext_if proto {udp, tcp} all
 
 
 #output load balancing tcp 
 
 pass out on $ext_if from any to any modulate state #I put that rule first so the second matches the web traffic
 
 pass out log on $ext_if route-to \
 { ($ext_if  $ext_gw), ($ext_if2 $ext_gw2) } round-robin \
 proto tcp from any to any port www keep state
 
 
 pass in on $int_if all keep state
 pass out log on $int_if inet proto udp from $dmz_host to 192.168.1.8 port 53
 
 #NFS Memnoch (this is an NFS connection from DMZ to LAN, I know it is very insecure but it's only for now)
 pass out log on $int_if inet proto {tcp udp} to 192.168.1.48 port 111
 pass out log on $int_if inet proto {tcp udp} to 192.168.1.48 port 2049
 
 pass in log on $dmz_if all keep state   #still not refined
 pass out log on $dmz_if all keep state
 
 pass out log on $ext_if2 from any to any modulate state # ext_if2 outgoing rule
 
 #route packets from any IPs on $ext_if to $ext_gw and $ext_if2 to $ext_gw2
 ##that's referenced in the FAQ. necessary? neither works..
 #pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any modulate state
 #pass out on $ext_if2 route-to ($ext_if $ext_gw) from $ext_if to any modulate state
 
 
 block in log quick on $ext_if inet from any to {255.255.255.255, 213.172.59.151}
 block return-rst in log quick on $ext_if proto tcp from any to any port {111, 1080, 6000, 6667, 139, 4662}
 
 block in log quick on $ext_if2 inet from any to {255.255.255.255, 213.172.59.151}
 block return-rst in log quick on $ext_if2 proto tcp from any to any port {111, 1080, 6000, 6667, 139, 4662}
 
 #block return-rst in log quick on $int_if proto tcp from any to any port {111, 1080, 6000, 6667, 139, 4662}
 
 
 #Port blocking
 block out log quick on $ext_if proto tcp from any to any port $capaos
 block out log quick on $ext_if2 proto tcp from any to any port $capaos  #some port-blocking
 
 #proxy
 pass in on $int_if inet proto tcp from any to 192.168.1.1 port 8080 keep state
 
 #ssh
 pass in log on $int_if inet proto tcp from any to 192.168.1.1 port ssh keep state
 pass in log on $int_if inet proto tcp from any to 192.168.2.2 port ssh keep state
 #pass in log on $dmz_if inet proto tcp from $int_net to $dmz_host port ssh keep state
 
 #lo0
 pass quick on lo0 all
 
 
 
 Remember we want to balance the outgoing web traffic generated by the Squid
 proxy on the same machine.
 
 Thanks in advance and greetings
 
 Jose M;
 
 
 
That's because the route back is controlled on the other end unless 

RE: PF load balancing again...

2006-02-28 Thread Tihomir Koychev
Hi
 Since all interfaces have 192.168.x.x IPs, are you sure what the IPs
and netmasks of your routers are? Your routers may have a different netmask
than yours.
 Please use pfctl -vsr and see which rules are evaluated. Use pftop
from ports to debug connections.

Cheers
Tihomir

--- Jose Mejia [EMAIL PROTECTED] wrote:

  
 
 The rule below will work if your default gateway is on $ext_if:
 pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) from any to
 any port www keep state probability 50%
 
 
 It doesn't work either. I didn't debug it, but it seems packets going
 out from ext_if2 are coming back to ext_if too.
 The default gw is on ext_if.
 
  
 Can you give the ifconfig output and /etc/mygate? Also try using pfctl
 -vsr and look at what's going on on $ext_if and $ext_if2. What is the
 last matched rule, etc.
 
 mygate points to the IP of the router attached to ext_if
 
 ifconfig -a output :
 
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
   inet 127.0.0.1 netmask 0xff00
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
 em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   address: 00:e0:81:61:bc:cd
   media: Ethernet autoselect (1000baseT full-duplex)
   status: active
   inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
   inet6 fe80::2e0:81ff:fe61:bccd%em0 prefixlen 64 scopeid 0x1
 em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   address: 00:e0:81:61:bc:cc
   media: Ethernet autoselect (1000baseT full-duplex)
   status: active
   inet 192.168.3.1 netmask 0xfff8 broadcast 192.168.3.255
   inet6 fe80::2e0:81ff:fe61:bccc%em1 prefixlen 64 scopeid 0x2
 rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   address: 00:50:fc:42:fb:21
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet 192.168.2.1 netmask 0xff00 broadcast 192.168.2.255
   inet6 fe80::250:fcff:fe42:fb21%rl0 prefixlen 64 scopeid 0x3
 em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   address: 00:0e:0c:76:d8:67
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet 192.168.0.2 netmask 0xff00 broadcast 192.168.0.255
   inet6 fe80::20e:cff:fe76:d867%em2 prefixlen 64 scopeid 0x4
 pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
 pfsync0: flags=0<> mtu 2020
 enc0: flags=0<> mtu 1536
 
 
 
 Cheers
 Tihomir Koychev
 
 




RE: PF load balancing again...

2006-02-27 Thread Jose Mejia
Hi Tihomir... thanks for the response.

I think Squid is running fine, my default gw is ext_if, I was playing with
multipath too without results. The conf file is really in disorder due to
the try-outs and continuous changes, I'm sorry.

I'm not at the machine now, but tomorrow I'll post the output of ifconfig
-a and /etc/mygate, I'll try your rule and will check it with pfctl.

Greetings
Jose M 



NAT is correct, but this is not important right now. We care about
squid.
Check this: http://www.benzedrine.cx/transquid.html
What is your default gateway?

My suggestion is to reorder your pf.conf. Order first $int_if, then $int_if2,
and so on. Then you and others can read pf.conf with ease.

The rule below will work if your default gateway is on $ext_if:

pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) from any to any port
www keep state probability 50%
 
Can you give the ifconfig output and /etc/mygate? Also try using pfctl -vsr
and look at what's going on on $ext_if and $ext_if2. What is the last matched
rule, etc.

Cheers
Tihomir Koychev

Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
Key fingerprint=2499 DE87 82ED 23A8 FD20 3078 04FE 610E 300D 6655


Re: PF load balancing again...

2006-02-27 Thread Tihomir Koychev


--- Jose Mejia [EMAIL PROTECTED] wrote:

 
 Hi all, here we go again with that matter:
 
 We've a firewall with 4 interfaces (2 outside to two different routers
 and ISPs, 1 inside and 1 DMZ); the machine is running a Squid web proxy
 too. We want to make balancing on outgoing connections only for the web
 traffic. We have got that to work, and now the packets are going out on
 ext_if and ext_if2 but they're all coming back in ext_if, so those which
 arise from traffic on ext_if2 are rejected. Maybe a NAT problem, or is
 it related to stateful tables? Any idea?
 
 This is the pf.conf :
 
 #Interfaces
 ext_if=em1
 int_if=em0
 ext_if2=em2
 dmz_if=rl0
 ext_gw=192.168.3.1
 ext_gw2=192.168.0.1
 loop=lo0
 
 #networks
 ext_net=192.168.3.0/24
 int_net=192.168.1.0/24
 dmz_net=192.168.2.0/24
 
 #some hosts
 dmz_host=192.168.2.2 #this is the mail server and fax (for internal net) server
 
 private = {127.0.0.0/8 192.168.1.0/24 172.16.0.0/12 10.0.0.0/8}
 
 capaos= {4099, 5090, 4661, 4662, 4665, 4672, 1214, 1863, 5190, 6891:6900, \
  4500, 59, 1080, 6660:6669, 113, 6699, 6257, 5000, 5001, 2234}
 
 #options
 set block-policy drop
 set loginterface $ext_if
 set optimization normal
 #set skip on $loop
 
 #normalizations
 scrub in on $ext_if all
 scrub in on $ext_if2 all
 
 #nat / rd
 nat on $ext_if from !($ext_if) to any -> ($ext_if)   #changed to that rules to make the routing
 nat on $ext_if2 from !($ext_if2) to any -> ($ext_if2)

NAT is correct, but this is not important right now. We care about
squid.
Check this: http://www.benzedrine.cx/transquid.html
What is your default gateway?

 
 
 rdr on $int_if inet proto tcp from any to any port www -> 192.168.1.1 port 8080 # squid
 rdr on $ext_if inet proto tcp from any to $ext_if port smtp -> $dmz_host port smtp
 rdr on $int_if inet proto tcp from any to $dmz_host port smtp -> $dmz_host port smtp
 rdr on $int_if inet proto tcp from any to $dmz_host port pop3 -> $dmz_host port pop3
 rdr on $int_if inet proto tcp from any to $dmz_host port ssh -> $dmz_host port ssh
 rdr on $int_if inet proto tcp from any to $dmz_host port 4559 -> $dmz_host port 4559 #hylafax
 
 #rules
 block in log all
 block in quick inet6 all
 block out quick inet6 all
 
 #flags anti so escaner
 block in log quick proto tcp all flags SF/SFRA
 block in log quick proto tcp all flags SFUP/SFRAU
 block in log quick proto tcp all flags FPU/SFRAUP
 block in log quick proto tcp all flags /SFRA
 block in log quick proto tcp all flags F/SFRA
 block in log quick proto tcp all flags U/SFRAU
 block in log quick proto tcp all flags P
 
 #antispoof quick for {$int_if, $ext_if }
 #block return in log on $ext_if proto {udp, tcp} all
 
 
 #output load balancing tcp 
 
 pass out on $ext_if from any to any modulate state #I put that rule first so the second matches the web traffic
 
 pass out log on $ext_if route-to \
 { ($ext_if  $ext_gw), ($ext_if2 $ext_gw2) } round-robin \
 proto tcp from any to any port www keep state

My suggestion is to reorder your pf.conf.
Order first $int_if, then $int_if2, and so on.
Then you and others can read pf.conf with ease.


The rule below will work if your default gateway is on $ext_if:

pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) from any to any
port www keep state probability 50%
 
 
 pass in on $int_if all keep state
 pass out log on $int_if inet proto udp from $dmz_host to 192.168.1.8
 port 53
 
 #NFS Memnoch (this is an NFS connection from DMZ to LAN, I know it is very insecure but it's only for now)
 pass out log on $int_if inet proto {tcp udp} to 192.168.1.48 port 111
 pass out log on $int_if inet proto {tcp udp} to 192.168.1.48 port 2049
 
 pass in log on $dmz_if all keep state   #still not refined
 pass out log on $dmz_if all keep state
 
 pass out log on $ext_if2 from any to any modulate state # ext_if2 outgoing rule
 
 #route packets from any IPs on $ext_if to $ext_gw and $ext_if2 to $ext_gw2
 ##that's referenced in the FAQ. necessary? neither works..
 #pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any modulate state
 #pass out on $ext_if2 route-to ($ext_if $ext_gw) from $ext_if to any modulate state
 
 
 block in log quick on $ext_if inet from any to {255.255.255.255, 213.172.59.151}
 block return-rst in log quick on $ext_if proto tcp from any to any port {111, 1080, 6000, 6667, 139, 4662}
 
 block in log quick on $ext_if2 inet from any to {255.255.255.255, 213.172.59.151}
 block return-rst in log quick on $ext_if2 proto tcp from any to any port {111, 1080, 6000, 6667, 139, 4662}
 
 #block return-rst in log quick on $int_if proto tcp from any to any port {111, 1080, 6000, 6667, 139, 4662}
 
 
 #Port blocking
 block out log quick on $ext_if proto tcp from any to any port $capaos
 block out log quick on $ext_if2 proto tcp from any to any port $capaos  #some port-blocking
 
 #proxy
 pass in on $int_if inet proto tcp from any to 192.168.1.1 port 8080 keep state
 
 #ssh
 pass in log on $int_if inet proto tcp from 

RE: PF load balancing again...

2006-02-27 Thread Jose Mejia
 

The rule below will work if your default gateway is on $ext_if:
pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) from any to any port
www keep state probability 50%


It doesn't work either. I didn't debug it, but it seems packets going out
from ext_if2 are coming back to ext_if too.
The default gw is on ext_if.

 
Can you give the ifconfig output and /etc/mygate? Also try using pfctl -vsr
and look at what's going on on $ext_if and $ext_if2. What is the last matched
rule, etc.

mygate points to the IP of the router attached to ext_if

ifconfig -a output :

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:e0:81:61:bc:cd
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
inet6 fe80::2e0:81ff:fe61:bccd%em0 prefixlen 64 scopeid 0x1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:e0:81:61:bc:cc
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 192.168.3.1 netmask 0xfff8 broadcast 192.168.3.255
inet6 fe80::2e0:81ff:fe61:bccc%em1 prefixlen 64 scopeid 0x2
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:50:fc:42:fb:21
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.2.1 netmask 0xff00 broadcast 192.168.2.255
inet6 fe80::250:fcff:fe42:fb21%rl0 prefixlen 64 scopeid 0x3
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:0e:0c:76:d8:67
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.0.2 netmask 0xff00 broadcast 192.168.0.255
inet6 fe80::20e:cff:fe76:d867%em2 prefixlen 64 scopeid 0x4
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536



Cheers
Tihomir Koychev



RE: PF load balancing

2006-02-13 Thread Steven S
[EMAIL PROTECTED] wrote:
 Hi all:
 
 We've a firewall with 4 interfaces (2 outside to two different routers
 and ISPs, 1 inside and 1 DMZ); the machine is running a Squid web proxy
 too. We want to make balancing on outgoing connections only for the web
 traffic. We have got that to work, and now the packets are going out on
 ext_if and ext_if2 but they're all coming back in ext_if, so those which
 arise from traffic on ext_if2 are rejected. Maybe a NAT problem, or is it
 related to stateful tables? Any idea?

Do outbound packets have the correct source address?  Packets originating
from the firewall are probably using whatever IP address Squid is bound to
or whatever IP address is associated with the default gw.  Sorry, I don't
have a solution and I'd like to hear if anyone has something simple in this
case.

-Steve S.




RE: PF load balancing

2006-02-13 Thread Jose Mejia

Hi Steve, that's the problem. Maybe the NAT rules are not right (I've
tried with others without result),
but I think the key is in the stateful inspection... or maybe the whole
idea is not well configured.
 
Greetings

Jose M



 Hi all:
 
 We've a firewall with 4 interfaces (2 outside to two different
 routers and ISPs, 1 inside and 1 DMZ); the machine is running a Squid
 web proxy too. We want to make balancing on outgoing connections only
 for the web traffic. We have got that to work, and now the packets are
 going out on ext_if and ext_if2 but they're all coming back in ext_if,
 so those which arise from traffic on ext_if2 are rejected. Maybe a NAT
 problem, or is it related to stateful tables? Any idea?

Do outbound packets have the correct source address?  Packets originating
from the firewall are probably using whatever IP address Squid is bound to
or whatever IP address is associated with the default gw.  Sorry, I don't
have a solution and I'd like to hear if anyone has something simple in this
case.

-Steve S.




Re: pf load balancing

2005-09-23 Thread j knight

Lucas wrote:

I have done it this way, but still have some problems:

 10.1.1.1 (M)
  |---gw1 - |
LAN--|  || - WAN
  |---gw2 - |
(10.1.1.1) (B)

gw2 just has a backup carp interface
gw1 is carp master with 10.1.1.1
NAT is running on both gateways with IP addresses ending in 4 and 5.


This will cause you problems. Assuming gw1 is the carp master, packets 
from 10.0.0.0/8 to the WAN will get NATed to 192.168.1.4. Now assume 
that gw2 becomes master. Packets coming back in from the WAN have a dest 
address of 192.168.1.4. gw2 knows nothing of this address. I'm not quite 
sure what would happen with outgoing packets that match states created 
when gw1 was master; they'd probably be passed through and continue to 
be NATed to 192.168.1.4. What eventually happens is that flow will time 
out and the LAN client will retry the connection and succeed.


The solution is to create a separate carp group on the WAN side and nat 
all outbound connections to that VIP.


It's not exactly clear what you're trying to do. Are you still trying to 
load balance between 3 gateways? In other words, you have 3 OpenBSD 
routers/firewalls and you want to load balance traffic across them? carp 
will handle that without issue as long as it's configured properly. 
arpbalance is what you're looking for.
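A pf.conf sketch of that fix, added here as an example and not taken from Lucas's configuration: a second carp group on the WAN side owns a shared address, and the nat rule on each gateway translates to that VIP instead of to the box's own .4 or .5 address. Interface names, the VIP, the LAN prefix and the pfsync link are assumptions.

```pf
# Added example, the same on gw1 and gw2. Names and addresses are assumptions;
# 203.0.113.10 stands in for the shared WAN address.
ext_if  = "fxp0"          # this gateway's own WAN interface (.4 on gw1, .5 on gw2)
int_if  = "fxp1"          # LAN side, where the existing carp group carries 10.1.1.1
sync_if = "fxp2"          # dedicated link between the two gateways for pfsync
lan_net = "10.0.0.0/8"
wan_vip = "203.0.113.10"  # address of carp1, the WAN-side carp group

# Assumed /etc/hostname.carp1 on each gateway (backup gets a higher advskew):
#   inet 203.0.113.10 255.255.255.0 203.0.113.255 vhid 2 pass <secret> carpdev fxp0

# Translate to the shared VIP, not to this box's own address. Whichever
# gateway is master answers ARP for the VIP, so replies follow the master,
# and after a failover the new master keeps translating to an address it
# owns instead of to the .4 that only gw1 ever held.
nat on $ext_if inet from $lan_net to any -> $wan_vip

# carp advertisements on both sides; pfsync on its own link so the backup
# already holds the state entries it inherits when it becomes master.
pass quick on { $ext_if, $int_if } proto carp
pass quick on $sync_if proto pfsync

pass in  on $int_if inet from $lan_net to any keep state
pass out on $ext_if inet from $wan_vip to any keep state
```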


Re: pf load balancing

2005-09-22 Thread Lucas

I tried with it, but it works if I have a machine in the middle, like this:

GW2

LAN - obsd (load balancer with route-to) -- GW1  WAN

GW3



I want something that works in this scenario:

 GW2
LAN  GW1 -- WAN
  GW3


Can route-to do the work in this case?


Lucas



ed wrote:


On Wed, 21 Sep 2005 17:05:23 -0300
Lucas [EMAIL PROTECTED] wrote:

 


I'm working with 3 gateways and want to load balance between them.
After a failure with layer 2 (carp arpbalance) balancing, I tried to
do it with pf.

The most logical way to do it is with a machine before the gateways
distributing the load.

Is there a way to do it without adding a new machine (and a new point
of failure) to the set?
   



Look into the route-to keyword

 



Re: pf load balancing

2005-09-22 Thread Tihomir Koychev
Hi

Can you post your pf.conf and output from ifconfig?

--- Lucas [EMAIL PROTECTED] wrote:

 I tried with it, but it works if I have a machine in the middle, like
 this:
  

 GW2
 LAN - obsd (load balancer with route-to) -- GW1  WAN
  

 GW3
 
 
 I want something that works in this scenario:
 
   GW2
 LAN  GW1 -- WAN
GW3
 
 
 Can route-to do the work in this case?
 
 
 Lucas
  
 
 
 ed wrote:
 
 On Wed, 21 Sep 2005 17:05:23 -0300
 Lucas [EMAIL PROTECTED] wrote:
 
   
 
 I'm working with 3 gateways and want to load balance between them.
 After a failure with layer 2 (carp arpbalance) balancing, I tried
 to do it with pf.
 
 The most logical way to do it is with a machine before the gateways
 distributing the load.
 Is there a way to do it without adding a new machine (and a new
 point of failure) to the set?
 
 
 
 Look into the route-to keyword
 
   
 
 


Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
Key fingerprint=2499 DE87 82ED 23A8 FD20 3078 04FE 610E 300D 6655





Re: pf load balancing

2005-09-22 Thread Karl O. Pinc


On 09/22/2005 04:51:37 PM, Lucas wrote:

I have done it this way, but still have some problems:


I am sorry.  I'm afraid I may not have understood your
initial diagram.  (I like to see the machines, with
each interface and its assigned IP, and the network
number/netmask of the networks connecting the interfaces
before I can make sense of what's going on.)

Perhaps now that you've posted more info and your config
somebody will be able to help.

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein


Re: pf load balancing

2005-09-22 Thread Lucas

I have done it this way, but still have some problems:

 10.1.1.1 (M)
  |---gw1 - |
LAN--|  || - WAN
  |---gw2 - |
(10.1.1.1) (B)

gw2 just has a backup carp interface
gw1 is carp master with 10.1.1.1
NAT is running on both gateways with IP addresses ending in 4 and 5.
gw1 and gw2 are interconnected through a third NIC with a 192.168.0.0/24 IP
range ($i_if) (ending in 1 and 2).


My pf.conf is the following:

- gw1
nat on $ext_if inet from 10.0.0.0/8 to any -> xxx.xxx.xxx.4

pass in quick inet proto carp
pass in on $int_if  route-to { ($ext_if  xxx.xxx.xxx.2) , ($i_if 
192.168.0.2) } round-robin sticky-address inet from 10.0.0.0/8 to any 
keep state


- gw2

nat on $ext_if inet from 10.0.0.0 to any -> xxx.xxx.xxx.5

I've tested route-to with each of the next hops sitting alone (i.e.
just with the first one and with the second one) and it worked well.


When I run it with this config things start working well, and after
some time the connection hangs. If I wait for some time it starts working
again.



Any clue?


Lucas


Karl O. Pinc wrote:



On 09/21/2005 10:19:42 PM, Lucas wrote:

I tried with it, but it works if I have a machine in the middle,
like this:
 
GW2

LAN - obsd (load balancer with route-to) -- GW1  WAN
 
GW3



I want something that works in this scenario:

 GW2
LAN  GW1 -- WAN
  GW3


Can route-to do the work in this case?



I take it back, you could put two networks on the link
between GW1 and WAN, and then use route-to.  However,
you would not truly be able to secure GW2 and GW3.

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein




Re: pf load balancing

2005-09-21 Thread ed
On Wed, 21 Sep 2005 17:05:23 -0300
Lucas [EMAIL PROTECTED] wrote:

 I'm working with 3 gateways and want to load balance between them.
 After a failure with layer 2 (carp arpbalance) balancing, I tried to
 do it with pf.
 
 The most logical way to do it is with a machine before the gateways
 distributing the load.
 Is there a way to do it without adding a new machine (and a new point
 of failure) to the set?

Look into the route-to keyword

-- 
http://www.usenix.org.uk - http://irc.is-cool.net


Re: pf load balancing, macros, tables...

2005-03-24 Thread Daniel Hartmeier
On Wed, Mar 23, 2005 at 10:47:34PM -0800, Kevin wrote:

 yet this does not:
 rdr on $ext proto tcp from any to web_servers_ext port 80 -> \
 web_servers_int round-robin sticky-address

There was a bug fixed recently where pf would fail to select a
translation when a rule did not have an explicit (or implicit) address
family (IPv4/v6). This was backported to 3.6-stable, maybe you have an
older kernel. To test the theory, add 'inet' to your rule, which makes
the address family explicit.

If this is not the problem, describe exactly how 'it is not working'.

Daniel


Re: pf load balancing, macros, tables...

2005-03-24 Thread Kevin
  yet this does not:
  rdr on $ext proto tcp from any to web_servers_ext port 80 -> \
  web_servers_int round-robin sticky-address
 
 There was a bug fixed recently where pf would fail to select a
 translation when a rule did not have an explicit (or implicit) address
 family (IPv4/v6). This was backported to 3.6-stable, maybe you have an
 older kernel. To test the theory, add 'inet' to your rule, which makes
 the address family explicit.
 
 If this is not the problem, describe exactly how 'it is not working'.

Mea culpa. I really should have given you more to go on. :-(

That said, when looking at a tcpdump -netttvvvi pflog0 port 80, it was
as you suspected: pf apparently wasn't selecting an appropriate
translation rule, so connections were getting blocked by the default
block rule.

As described, simply changing the rule to this:
rdr on $ext inet proto tcp from any to web_servers_ext port 80 -> \
web_servers_int round-robin sticky-address

makes everything pass through like a champ. Now to grab an updated
3.6-stable. :-)


Thanks so much.
Kevin


Re: PF Load balancing plans?

2004-11-15 Thread Daniel Hartmeier
On Mon, Nov 15, 2004 at 05:22:36PM -0500, dormando wrote:

 I understand there's software like slbd which will add/remove servers
 from a round-robin mechanism, but I would like to know if there are
 any current plans for expanding on PF's internal load balancing
 systems? I won't put out a wishlist just yet, in case there are
 plans/patches in the process.

I'm not aware of any specific plans or ongoing work in that area. Maybe
start with evaluating the features pf has right now, and give us an idea
of what is missing for your setup.

I can't promise that anyone will commit to a list of features, but if
cost is not an issue and you want to donate, there are always
opportunities, like

  http://marc.theaimsgroup.com/?l=openbsd-misc&m=110055360205220

Daniel


Re: pf load balancing problem

2004-08-08 Thread David Magda
On Aug 7, 2004, at 03:05, Reza Muhammad wrote:
binat on $ext_if1 from $server_int to any -> server_ext
Why do you need this line? I'm currently doing a simple RDR (like you 
do further on in your pf.conf) and have a PASS rule. Here are the relevant 
lines from my pf.conf:

[...]
rdr on $ext_all proto tcp from any to $out_ip port { 22 80 } -> \
$internal
[...]
pass in on $ext_all proto tcp from any to $internal port { 22 80 } \
flags S/SA keep state
Both TCP ports 22 and 80 are redirected. I do not have a BINAT rule 
anywhere (the responses from $internal are taken care of by the NAT 
rule(s)).