Hi all,

        I've been having a headache using round-robin with the
sticky-address option. I have two exit links, and I'm doing load
balancing with round-robin on the outgoing packets from the internal
net and from my other 2 DMZs. This setup works perfectly with some
exceptions. There are some buggy web applications that use the IP address in
their sessions, and I have to put their IP addresses in a table and use
normal routing in that case. I want to use sticky-address so that a
machine that initially goes out through one link keeps going out through
that one until there are no more states or connections. I did some
tests using a virtual OpenBSD machine with VMware, put one
machine behind it, and had the virtual machine doing load balancing
with the same rules I use in my main firewall (only changing the IP addresses
and interfaces in the macros). This test worked nicely, without problems.

        Then, when I put sticky-address in the main firewall, strange
things happened. The source-tracking states were created, but the
machines were sometimes directed to the other link, not the one in the
source-track entry. For example, when pinging an external address from an
internal machine, the initial source track directed it to one of the
links. The packets went right. Then, if I stopped the ping and tried it
again, the packets were directed to the other link. I confirmed this
with tcpdump on the firewall's interfaces.

        Then, today I managed to get a switch and put more machines behind
my test firewall. The sticky-address is working flawlessly. I don't know
where to look. Both the main firewall and the test machine were mostly
idle and had free memory during the tests. Is there some kind of limit
with sticky-address? I read the man page and saw that I can limit the
number of source-tracks and/or states, etc. But I think that this isn't
the right solution. Does someone have a clue?

Thanks in advance,
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85


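For reference, here is a pf.conf fragment of the kind of setup the post describes: two exit links balanced with round-robin, sticky-address so each internal host keeps its chosen link, and a table of hosts whose IP-bound web sessions must bypass balancing. This is an added example, not the poster's ruleset; the interface names, gateway addresses, networks and the <pinned> table contents are assumed placeholders, and it uses the classic pre-4.7 OpenBSD nat/route-to syntax of the post's era (newer releases use match ... nat-to and a different route-to form; see pf.conf(5)). The one line worth noting for the behaviour reported above is set timeout src.track: by default a sticky-address source-tracking entry is dropped as soon as its last state expires, so a host that pauses between connections (a stopped ping, for instance) is balanced afresh next time; raising that timeout keeps the entry alive across the pause.

```pf
# Macros: placeholder interfaces, gateways and networks (assumed, not the poster's)
int_if  = "sis0"
ext_if1 = "fxp0"
ext_if2 = "fxp1"
ext_gw1 = "192.0.2.1"
ext_gw2 = "198.51.100.1"
int_net = "10.0.0.0/24"

# Hosts whose web applications tie the session to the client IP:
# these must not be balanced at all (assumed addresses)
table <pinned> { 10.0.0.50, 10.0.0.51 }

# Keep a sticky-address entry for 120 s after its last state expires,
# so a host that pauses between connections is not re-balanced.
# The default is 0, i.e. the entry goes away with the last state.
set timeout src.track 120

# NAT each link's outbound traffic to that link's own address
nat on $ext_if1 from $int_net to any -> ($ext_if1)
nat on $ext_if2 from $int_net to any -> ($ext_if2)

# Pinned hosts skip route-to and follow the normal routing table
pass in quick on $int_if from <pinned> to any keep state

# Everything else is balanced across both links; sticky-address makes
# pf remember which gateway a given source address was handed to
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin sticky-address from $int_net to any keep state

# Traffic sourced from one external interface must leave via the other
# link's gateway, not the default route
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
```

To see what pf actually remembers, `pfctl -s sources` lists the source-tracking entries (source address, the pool address it was stuck to, and the number of states and connections it currently covers) and `pfctl -s states` shows the states referencing them; watching the first one while starting and stopping a ping shows whether the entry survives the pause or disappears and gets re-created on the other link.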