On Nov 21, 2007 5:33 PM, Rajkumar S <[EMAIL PROTECTED]> wrote:
> On Nov 21, 2007 4:08 PM, Siju George <[EMAIL PROTECTED]> wrote:
>
> > I just can't figure out how I can get the traffic that goes through
> > squid to alternately use both connections :-)
>
> pf does not support that, yet! Your load balancing rules are applied
> in the "in" direction. This works normally because the traffic
> of clients comes in the "in" of your lan_if
>
> pass in on $int_if route-to { ($ext_if $gateway), ($ext_if2 $gateway)
> } round-robin \
> from $int_if:network to any keep state
>
> When you use squid, the traffic is originated from the box, and does
> not flow through the in rules. See
> http://homepage.mac.com/quension/pf/flow.png And thus the load
> balancing will not work.
>
Yes, that is why I used tags.
http://www.openbsd.org/faq/pf/tagging.html
says tags are sticky.
===================================================================================================
1) Tags are "sticky". Once a tag is applied to a packet by a matching
rule it is never removed. It can, however, be replaced with a
different tag.
2) Because of a tag's "stickiness", a packet can have a tag even if
the last matching rule doesn't use the tag keyword.
===================================================================================================
So a packet that comes to squid running on port 8080 of the internal
interface will never see the rule
==========================================================================
pass in on $int_if route-to { ($ext_if $gateway), ($ext_if2 $gateway)
} round-robin \
from $int_if:network to any keep state
=========================================================================
and get routed because there is a quick rule
=======================================================================
pass in quick on $int_if inet proto tcp from $int_if:network to any
port { 21, 8080 } keep state
========================================================================
above it, and the tag rule
==================================================================
pass in on $int_if inet proto tcp from $int_if:network to any port 8080 \
keep state tag squid probability 50% label squid
===================================================================
above the quick rule makes sure that 50% of the traffic that comes to squid
(i.e. port 8080) gets tagged.
So this tagged packet is received by squid on port 8080 and squid sends
it out to the $ext_if.
> Now this will not work in the out direction also because you cannot
> nat after filter rules.
>
Continuing the flow:
when this tagged packet from squid reaches $ext_if it is NATed by the
first matching rule
==================================================================
nat on $ext_if from $int_if:network to any tagged squid -> ($ext_if2)
==================================================================
with the src IP as the IP of $ext_if2
and the routing rule
=======================================================================
pass out quick on $ext_if route-to ( $ext_if2 $gateway ) inet proto tcp \
all modulate state flags S/SA tagged squid
========================================================================
routes it out through the interface $ext_if2.
So the filtering is applied only after NATing.
Just wondering why it is not working.
Can't find the flaw in logic either :-(
Thanks a lot for your thoughts on this :-)
Kind regards
Siju
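A toy model of how pf walks the three "pass in on $int_if" rules from the mail above. This is an added illustration, not pf and not code from the thread; it models only what the discussion relies on (last matching rule wins, "quick" stops evaluation, tags are sticky, "probability" applies a rule to a fraction of matching packets), and the rule names and the fixed random source are constructed for the example.

```python
import random
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    proto: str
    dport: int
    tag: Optional[str] = None  # set by a matching rule with "tag"; never cleared


@dataclass
class Rule:
    name: str                     # constructed label, only used for reporting
    proto: Optional[str] = None   # None means any protocol
    dports: Tuple[int, ...] = ()  # empty means any port
    quick: bool = False
    tag: Optional[str] = None
    probability: float = 1.0
    route_to: Optional[str] = None


def matches(rule: Rule, pkt: Packet, rand: Callable[[], float]) -> bool:
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    # "probability": only this fraction of otherwise-matching packets take the rule
    return rand() < rule.probability


def evaluate(rules: List[Rule], pkt: Packet, rand: Callable[[], float]) -> Rule:
    """Return the rule that decides the packet; pkt.tag is updated in place."""
    winner = None
    for rule in rules:
        if not matches(rule, pkt, rand):
            continue
        winner = rule           # last match wins, unless a "quick" rule ends the walk
        if rule.tag:
            pkt.tag = rule.tag  # sticky: survives later rules that have no "tag"
        if rule.quick:
            break
    return winner


# The inbound rules on $int_if in the order the mail gives them (constructed model).
INT_IF_IN = [
    Rule("tag-squid", "tcp", (8080,), tag="squid", probability=0.5),
    Rule("quick-21-8080", "tcp", (21, 8080), quick=True),
    Rule("round-robin", route_to="round-robin"),
]


def decide(dport: int, rand: Callable[[], float] = random.random):
    """Evaluate a LAN TCP packet to dport; return (winning rule, tag, route-to)."""
    pkt = Packet("tcp", dport)
    winner = evaluate(INT_IF_IN, pkt, rand)
    return winner.name, pkt.tag, winner.route_to
```

With a fixed random source below 0.5 the port 8080 packet is tagged and then stopped by the quick rule, so the route-to rule is never reached; a packet to port 80 falls through to it.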
_______________________________________________
bsd-india mailing list
[email protected]
http://www.bsd-india.org/mailman/listinfo/bsd-india