Hej Stuart,
On Thu, 18 Jan 2007 09:52:15 +0000, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2007/01/18 09:17, Marian Hettwer wrote:
>> That doesn't make sense to me... why should the destination reply
>> directly to the origin?
>
> That's because rdr only rewrites the destination address, not the
> source address.
>
I see...
>> The answer from the destination to the origin wouldn't be interpreted at
>> all by the origin...
>
> That's exactly the problem. Run tcpdump on the origin host (or the
> firewall before it) and you'll see those packets arrive straight from
> the backend.
>
You are right :-)
>> > I'm not certain whether it will help so I won't bother posting to
>> > misc@ now, but you could try adding a NAT rule in addition to the RDR.
>> Any other way than using NAT?
>
> Not without a userland proxy.
>
okay, that's even worse than nat ;) (performance wise)
>> Would it be a nat rule like that one?
>> nat on $ext_if proto tcp from any to $ext_if port 80 -> $web_servers
>
> Not quite; you need to rewrite the outgoing traffic to the backends
> so that it has the load-balancer's address.
>
> nat on $ext_if proto tcp from !($ext_if) to $web_servers port 80 -> ($ext_if)
>
thanks for that rule!
> I just tried this on my colo box and it works. (I assume you
> already enabled ip forwarding, I think you must have done this to
> get the packet trace you sent before).
>
> If it works for you can you followup to misc@ for the archives, please?
And yes, it works. ip forwarding is set to 1
By the way, why do I need ip forwarding? I thought it's only needed if you are
using more than one interface. In my case, it's just one interface (fxp0)?
However, thanks for your help, it's working now :-)
For the archives, this is my pf.conf:

ext_if="fxp0"
web_servers = "{ 193.99.144.85, 66.135.208.93 }"
#int_if="int0"
set skip on lo
scrub in
# rewrite the source of connections going to the backends to our own address,
# so the backends send their replies back through this box instead of
# straight to the client
nat on $ext_if proto tcp from !($ext_if) to $web_servers port 80 -> ($ext_if)
# hand incoming port 80 connections to the backends in turn; sticky-address
# keeps a given client on the backend it was first sent to
rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
	round-robin sticky-address
best regards and thanks again!
./Marian
PS.: although it's the wrong thread, is there any chance to use the brand new hoststated in
OpenBSD 4.0?
If I get it via CVS, will it build? I don't like the idea of upgrading my
production box to -CURRENT at all ;)
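To make the point of the thread concrete (rdr rewrites only the destination, so without the extra nat rule the backend answers the client directly and the client's TCP stack ignores the reply), here is a small Python model of the two translations and the round-robin/sticky-address choice. It is an added illustration, not code from the thread or from pf; the addresses are constructed documentation-range values, and the model deliberately leaves out source-port rewriting and the TCP handshake.

```python
# Added example, not from the original thread: a small model of pf's rdr and
# nat translations, showing why "rdr only" makes the backend answer the client
# directly (and get ignored) while the extra nat rule brings the reply back
# through the load balancer. All addresses below are constructed.
from dataclasses import dataclass, replace

LB_IP = "198.51.100.1"                      # address on $ext_if (constructed)
CLIENT_IP = "203.0.113.7"                   # the origin host (constructed)
WEB_SERVERS = ["192.0.2.10", "192.0.2.11"]  # stands in for $web_servers (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class LoadBalancer:
    """Models the pf box with 'rdr ... round-robin sticky-address' and,
    optionally, the 'nat on $ext_if ... -> ($ext_if)' rule from the thread."""

    def __init__(self, use_nat):
        self.use_nat = use_nat
        self.next_backend = 0
        self.sticky = {}    # client IP -> backend chosen for it (sticky-address)
        self.states = {}    # translated (src, sport, dst, dport) -> original packet

    def pick_backend(self, client_ip):
        # round-robin over the backends, but keep a known client on its backend
        if client_ip not in self.sticky:
            self.sticky[client_ip] = WEB_SERVERS[self.next_backend % len(WEB_SERVERS)]
            self.next_backend += 1
        return self.sticky[client_ip]

    def inbound(self, pkt):
        # rdr rewrites only the destination address
        fwd = replace(pkt, dst=self.pick_backend(pkt.src))
        if self.use_nat:
            # nat rewrites the source so the backend's reply is addressed to us
            # (real pf may also change the source port; omitted in this model)
            fwd = replace(fwd, src=LB_IP)
        self.states[(fwd.src, fwd.sport, fwd.dst, fwd.dport)] = pkt
        return fwd

    def outbound(self, reply):
        # undo both translations using the state created on the way in
        orig = self.states[(reply.dst, reply.dport, reply.src, reply.sport)]
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def client_accepts(reply, request):
    # a TCP client only matches a reply whose addresses and ports mirror its request
    return (reply.src, reply.sport, reply.dst, reply.dport) == \
           (request.dst, request.dport, request.src, request.sport)


def simulate(use_nat):
    """Run one request/reply through the model. Returns the packet the client
    finally sees and whether its stack would accept it."""
    lb = LoadBalancer(use_nat)
    request = Packet(CLIENT_IP, 40000, LB_IP, 80)
    forwarded = lb.inbound(request)
    # the backend simply swaps addresses and ports when it answers
    backend_reply = Packet(forwarded.dst, forwarded.dport, forwarded.src, forwarded.sport)
    if backend_reply.dst == LB_IP:
        delivered = lb.outbound(backend_reply)   # reply comes back through pf
    else:
        delivered = backend_reply                # reply goes straight to the client
    return delivered, client_accepts(delivered, request)


if __name__ == "__main__":
    for use_nat in (False, True):
        seen, ok = simulate(use_nat)
        print(f"nat={use_nat}: client sees {seen} -> {'accepted' if ok else 'dropped'}")
```

Running it shows the tcpdump observation from the thread in miniature: with `nat=False` the client receives a packet whose source is a backend address rather than the load balancer, so it does not match the connection the client opened; with `nat=True` the reply is addressed to the load balancer, gets untranslated there, and arrives looking like it came from the address the client actually connected to.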