Hmm, this one caught me completely unprepared. I last used PF about 4-5 years ago on OpenBSD 2.8 :-) Honestly, I have no idea how the balancing works, whether it is per-packet or per-destination; also, from what I can see, it seems to be balancing on egress only (Round Robin). Which means that if you send traffic out from a network the other provider does not know about (or at least checks [rp_filter in Linux (reverse packet forwarding) / rx verify in Cisco] for the networks it will route outwards), that could be your problem. Do your tests with tcptraceroute or some other tool, run a tcpdump and look at the traffic that comes back to you / goes out.

Regards,
Danail Petrov

Alexander Iliev wrote:
Danail Petrov wrote:
How are you balancing the traffic? On ingress? On egress?
How have you organized the balancing? What routing protocol
are you using? Give more information;
with the question asked like that I doubt anyone will manage to point you
to anything at all :)

OK, I apologize for not giving enough information... :)

I balance the traffic through PF with route-to rules. Here is the
configuration directly:

====
#       $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#######################################
#  MACRO DEFINITIONS                  #
#######################################

########### interfaces

# external interface
ext_if1         = "rl0"
ext_if2         = "dc0"
ext_ifs         = "{" $ext_if1 $ext_if2 "}"

ppp_if          = "tun0"

# internal interface
int_if          = "fxp0"

# vpn interface
vpn_if          = "tun1"

########### known ip addresses and ports

ext_gw1         = "W.X.Y.Z"
ext_gw2         = "Z.Y.X.W"

#######################################
#  TABLE DEFINITIONS                  #
#######################################

# non-routable networks
table <rfc1918>           persist { 10/8, 172.16/12, 192.168/16 }

table <spamd>             persist
table <spamd-my>          persist file "/etc/pf/spamd.table"
table <spamd-white>       persist

table <bruteforce>        persist

table <single-route>      persist file "/etc/pf/single-route.table"

#######################################
#  OPTIONS                            #
#######################################

###### set logging on for ext_if1
# pf accepts a single loginterface; a second "set loginterface" line
# silently replaces the first, so only one of the two can be active.
set block-policy return
set loginterface $ext_if1
# set loginterface $ext_if2

scrub in

#######################################
#  TRAFFIC SHAPING                    #
#######################################

altq on $ext_if1 priq bandwidth 4320Kb queue { q_std_out1, q_pri_out1 }
  queue q_std_out1 priority 1 priq(default)
  queue q_pri_out1 priority 7

altq on $ext_if2 priq bandwidth 8000Kb queue { q_std_out2, q_pri_out2 }
  queue q_std_out2 priority 1 priq(default)
  queue q_pri_out2 priority 7

#######################################
#  NAT                                #
#######################################

###### nat local network
nat pass on $ext_if1 \
        from $int_if:network to <single-route> -> ($ext_if1)
nat pass on $ext_if1 \
        from $int_if:network to !$int_if:network -> ($ext_if1)
nat pass on $ext_if2 \
        from $int_if:network to !$int_if:network -> ($ext_if2)

###### handle active mode ftp connections
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp \
        from $int_if:network to !$int_if:network port 21 -> 127.0.0.1 port 8021

###### redirect spammers to local spamd
rdr pass on $ext_if1 proto tcp \
        from <spamd> to ($ext_if1) port smtp -> 127.0.0.1 port spamd
rdr pass on $ext_if1 proto tcp \
        from <spamd-my> to ($ext_if1) port smtp -> 127.0.0.1 port spamd

#######################################
#  FILTERING - OUTBOUND TRAFFIC       #
#######################################

###### deny all by default
block log all

###### allow loopback
pass quick on lo0

###### ftp-proxy anchor
anchor "ftp-proxy/*"

###### reject all packets from and to private networks on ext_if1
block in  quick on $ext_ifs from <rfc1918> to any
block out quick on $ext_ifs from any to <rfc1918>

###### allow traffic from local network
pass in  on $int_if from $int_if:network to any keep state

###### outgoing traffic load balancing
pass in  on $int_if route-to \
        { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
        proto tcp from $int_if:network to !$int_if:network flags S/SA \
        modulate state
pass in on $int_if route-to \
        { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
        proto { udp, icmp } from $int_if:network to !$int_if:network \
        keep state

###### override load balancing for single-route table
pass in  on $int_if route-to \
        ($ext_if1 $ext_gw1) round-robin \
        proto tcp from $int_if:network to <single-route> flags S/SA \
        modulate state
pass in  on $int_if route-to \
        ($ext_if1 $ext_gw1) round-robin \
        proto { udp, icmp } from $int_if:network to <single-route> keep state

###### allow traffic from localhost to local network
pass out on $int_if from ($int_if) to $int_if:network keep state

###### allow outgoing traffic keeping state and prioritizing tcp ack packets
pass out on $ext_if1 proto tcp all flags S/SA keep state \
        queue (q_std_out1, q_pri_out1)
pass out on $ext_if2 proto tcp all flags S/SA keep state \
        queue (q_std_out2, q_pri_out2)
pass out on $ext_ifs proto { udp, icmp } all keep state

###### route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
###### $ext_if2 and $ext_gw2 (again outgoing traffic load balancing)
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any


###### allow icmp
pass in  on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
        proto icmp from any to ($ext_if1) keep state
pass in  on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
        proto icmp from any to ($ext_if2) keep state

###### allow ssh to this machine, limiting connection rate
pass in  on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
        proto tcp to ($ext_if1) port ssh keep state \
        (max-src-conn 15, max-src-conn-rate 5/2, \
         overload <bruteforce> flush global)
pass in  on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
        proto tcp to ($ext_if2) port ssh keep state \
        (max-src-conn 15, max-src-conn-rate 5/2, \
         overload <bruteforce> flush global)

###### allow smtp traffic
pass in  on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
        proto tcp from any to ($ext_if1) port smtp \
        label "mail" keep state \
        (max-src-conn 15, max-src-conn-rate 10/5, \
         overload <bruteforce> flush global)
pass in  on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
        proto tcp from any to ($ext_if2) port smtp \
        label "mail" keep state \
        (max-src-conn 15, max-src-conn-rate 10/5, \
         overload <bruteforce> flush global)

###### allow domain query
pass in  on $ext_if1 reply-to ($ext_if1 $ext_gw1) \
        proto { tcp udp } from any \
        to ($ext_if1) port domain keep state \
        label "dns"
pass in  on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
        proto { tcp udp } from any \
        to ($ext_if2) port domain keep state \
        label "dns"

====

It has plenty of flaws, but at the moment I'm interested in the ICQ problem,
whether something can be worked out for it; the other things are (more or less)
clear to me. :)

I made the single-route table with the aim of always sending the traffic to
login.icq.com through one interface, but either I messed something up
or the problem is elsewhere, i.e. the result is the same as before I added
that table.

Regards,

--
Danail Petrov
Network Administrator
Evolink, Sofia
+359(2)9691650
www.evolink.com
icq uin 989677
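The suggestion above is to tcpdump the traffic and look at which path it takes. As an added example (not part of either message, and not code from the pf project), here is a small script that does that check offline: it takes tcpdump output captured on each external interface, keeps only the outbound SYNs (new connections), and reports every destination that was reached from more than one (interface, source address) pair. With round-robin route-to rules and per-interface NAT, a destination that gets several connections from the same LAN host will show up under both external addresses, which is the symptom a server that ties a session to the client IP will reject. The interface names rl0/dc0 come from the posted config; the addresses, ports and capture lines are constructed sample data, and the 5190 destination stands in for a login server (no real ICQ address is used).

```python
import re
from collections import defaultdict

# Matches both the classic OpenBSD tcpdump line format
#   "ts src.port > dst.port: S 1:1(0) win ..."
# and the newer one
#   "ts IP src.port > dst.port: Flags [S], seq ..."
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:IP\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)
# A bare SYN: "Flags [S]" (new format) or "S <seq>" (classic format).
SYN_RE = re.compile(r":\s+(?:Flags\s+\[S\]|S\s+\d+)")
# Classic-format SYN/ACKs also start with "S ..." but carry an "ack" field.
ACK_RE = re.compile(r"\back\b")

# Constructed sample captures: one list of lines per external interface.
# rl0 NATs to 203.0.113.10, dc0 NATs to 198.51.100.20 (documentation ranges).
SAMPLE = {
    "rl0": [
        "12:00:01.000100 IP 203.0.113.10.49152 > 192.0.2.50.5190: Flags [S], seq 100, win 16384, length 0",
        "12:00:01.050000 IP 192.0.2.50.5190 > 203.0.113.10.49152: Flags [S.], seq 1, ack 101, win 16384, length 0",
        "12:00:02.000000 IP 203.0.113.10.49153 > 192.0.2.80.80: Flags [S], seq 200, win 16384, length 0",
        "12:00:02.100000 IP 203.0.113.10.49153 > 192.0.2.80.80: Flags [.], ack 1, win 16384, length 0",
    ],
    "dc0": [
        "12:00:03.000000 198.51.100.20.49154 > 192.0.2.50.5190: S 300:300(0) win 16384 <mss 1460>",
        "12:00:03.050000 192.0.2.50.5190 > 198.51.100.20.49154: S 1:1(0) ack 301 win 16384",
        "12:00:04.000000 198.51.100.20.49155 > 192.0.2.50.5190: S 400:400(0) win 16384",
    ],
}


def parse_syns(lines_by_ifname):
    """Return (ifname, src, dst, dport) for every outbound SYN on every interface."""
    syns = []
    for ifname, lines in lines_by_ifname.items():
        for line in lines:
            m = FLOW_RE.match(line)
            if not m or not SYN_RE.search(line) or ACK_RE.search(line):
                continue
            syns.append((ifname, m["src"], m["dst"], int(m["dport"])))
    return syns


def egress_by_destination(syns):
    """Map (dst, dport) -> sorted list of (ifname, src) pairs that reached it."""
    seen = defaultdict(set)
    for ifname, src, dst, dport in syns:
        seen[(dst, dport)].add((ifname, src))
    return {key: sorted(pairs) for key, pairs in seen.items()}


def split_destinations(egress):
    """Destinations contacted through more than one (interface, source) pair,
    i.e. the ones a remote server will see under two different client IPs."""
    return {key: pairs for key, pairs in egress.items() if len(pairs) > 1}


if __name__ == "__main__":
    egress = egress_by_destination(parse_syns(SAMPLE))
    for (dst, dport), pairs in sorted(egress.items()):
        print(f"{dst}:{dport} <- " + ", ".join(f"{i}/{s}" for i, s in pairs))
    for (dst, dport), pairs in split_destinations(egress).items():
        print(f"WARNING: {dst}:{dport} reached via {len(pairs)} different source addresses")
```

To use it on a real box, capture with something like `tcpdump -n -i rl0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` on each external interface and feed the lines in under the matching interface name. If the destination you forced into the single-route table still appears under both external addresses, the override rule is not being hit (for example because the name resolves to an address that is not in the table); if it appears only once, the split-path problem is elsewhere.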
