> Now, the interesting thing is this ( Taken from openbsd website)
>
>
> #  keep https traffic on a single connection; some web applications,
> #  especially "secure" ones, don't allow it to change mid-session
> pass in on $int_if proto tcp from $lan_net to port https \
>     route-to ($ext_if1 $ext_gw1)
>
>
> When both links are UP and WAN1 is UP, https traffic will go via WAN1.
> When WAN1 goes down, https should go via WAN2.
>
>   I think if I add another variable to /etc/pf.conf, I will be able to
> achieve it too.
>
>
> ONEWAYHTTPS="1.1.1.1@em0"
>
>
> pass in on $int_if proto tcp from $lan_net to port https \
>     route-to { $ONEWAYHTTPS }
>
>
> and use this below while WAN1 goes DOWN
>
> pfctl -D ONEWAYHTTPS="2.2.2.2@em1" -f /etc/pf.conf
>
>
> Is it all right?
>

No, it is NOT OK (I think it messes up).


So, I myself found a method. It would be easier with an anchor.

http://www.openbsd.org/faq/pf/anchors.html

The above URL shows the power of PF with anchors. I just tried it. It
worked. Please see below. (I feel really sorry to disturb you.)


In /etc/pf.conf


GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"

##BEGIN - Loadbalancingwithfailover

pass in on $int_if from $lan_net route-to { $GATEWAYS }

anchor "onewayhttps" {
   pass in on em2 proto tcp from 192.168.0.0/24 to port https route-to 2.2.2.2@em1
}

##END



and my script is now like this:


#!/bin/sh

# Checking WAN1: probe from the WAN1 address; exit status 0 means the link answers
ping -q -c 3 -i 2 -w 3 -I 1.1.1.5 173.194.38.191 > /dev/null 2>&1
VARWAN1=$?

# Checking WAN2
ping -q -c 3 -i 2 -w 3 -I 2.2.2.5 173.194.38.184 > /dev/null 2>&1
VARWAN2=$?

if [ "${VARWAN1}" = 0 ] && [ "${VARWAN2}" = 0 ]; then
    echo "Both links are UP"
    route add -mpath default 1.1.1.1
    route add -mpath default 2.2.2.2
    # reloading pf.conf also restores the inline onewayhttps anchor (https via em1)
    pfctl -D GATEWAYS="1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf

elif [ "${VARWAN1}" != 0 ] && [ "${VARWAN2}" != 0 ]; then
    echo "Both links are DOWN"
    route add -mpath default 1.1.1.1
    route add -mpath default 2.2.2.2
    pfctl -D GATEWAYS="1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf

elif [ "${VARWAN1}" != 0 ]; then
    echo "WAN1 is DOWN"
    route add -mpath default 2.2.2.2
    route delete -mpath default 1.1.1.1
    pfctl -D GATEWAYS="2.2.2.2@em1" -f /etc/pf.conf

elif [ "${VARWAN2}" != 0 ]; then
    echo "WAN2 is DOWN"
    route add -mpath default 1.1.1.1
    route delete -mpath default 2.2.2.2
    pfctl -D GATEWAYS="1.1.1.1@em0" -f /etc/pf.conf
    # replace the anchor's rule so https leaves via WAN1 while WAN2 is down
    echo "pass in on em2 proto tcp from 192.168.0.0/24 to port https route-to 1.1.1.1@em0" \
        | pfctl -a onewayhttps -f -
fi


I think I am NOW all right. Anyway, I will have to test it in 2 or 3 days'
time. Then, I will let you know everything.

Stuart, thanks a LOT for your compassion towards me. I worked hard. I am
very happy. Anyway, I will have to test its behaviour.


Hope to hear from you.



-- 
Thank you
Indunil Jayasooriya
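As an added example (not the poster's script), the same GATEWAYS macro and onewayhttps anchor handling is restructured so that the macro value and the anchor rule are derived from the two link checks, and pf and the mpath routes are only touched when the link state actually changes, so a single run during a brief blip does not reload the ruleset every time. Addresses and interfaces are those from the post; the state-file path and the wanfailover logger tag are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: the GATEWAYS macro, the onewayhttps
# anchor rule and the mpath routes follow the link state, and pf is only
# reconfigured when that state changes. STATE_FILE path is an assumption.
STATE_FILE="${STATE_FILE:-/var/run/wanfailover.state}"
GW1="1.1.1.1@em0"; GW2="2.2.2.2@em1"
# gateways_macro <wan1_up> <wan2_up> (1 = up, 0 = down): value for pfctl -D
# GATEWAYS=...; with both links down keep both, as the post's script does.
gateways_macro() {
    case "$1$2" in
        10) echo "$GW1" ;;
        01) echo "$GW2" ;;
        *)  echo "$GW1 $GW2" ;;
    esac
}
# https_gateway <wan1_up> <wan2_up>: https stays pinned to WAN2 (the anchor
# in pf.conf) unless WAN2 is the only link that is down.
https_gateway() {
    if [ "$1" = 1 ] && [ "$2" = 0 ]; then echo "$GW1"; else echo "$GW2"; fi
}
# anchor_rule <wan1_up> <wan2_up>: the one rule fed to the onewayhttps anchor
anchor_rule() {
    echo "pass in on em2 proto tcp from 192.168.0.0/24 to port https route-to $(https_gateway "$1" "$2")"
}
# link_up <source-addr> <target>: prints 1 if the probe succeeds, else 0
link_up() {
    if ping -q -c 3 -i 2 -w 3 -I "$1" "$2" > /dev/null 2>&1; then echo 1; else echo 0; fi
}
# set_routes <wan1_up> <wan2_up>: mirror the post's mpath default handling
set_routes() {
    if [ "$1$2" = 01 ]; then route delete -mpath default 1.1.1.1; else route add -mpath default 1.1.1.1; fi
    if [ "$1$2" = 10 ]; then route delete -mpath default 2.2.2.2; else route add -mpath default 2.2.2.2; fi
}
# apply_failover <wan1_up> <wan2_up>: reconfigure only on a state change
apply_failover() {
    new="$1$2"
    old=$(cat "$STATE_FILE" 2>/dev/null)
    [ "$new" = "$old" ] && return 0
    logger -t wanfailover "link state ${old:-unknown} -> $new (wan1 wan2)"
    set_routes "$1" "$2"
    pfctl -D GATEWAYS="$(gateways_macro "$1" "$2")" -f /etc/pf.conf
    anchor_rule "$1" "$2" | pfctl -a onewayhttps -f -
    echo "$new" > "$STATE_FILE"
}
# Only run the real probes when invoked as: sh wanfailover.sh run
if [ "${1:-}" = run ]; then
    apply_failover "$(link_up 1.1.1.5 173.194.38.191)" "$(link_up 2.2.2.5 173.194.38.184)"
fi
```

Run it from cron with the `run` argument; without it the file only defines the functions, so the decision logic can be exercised without touching pf.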
