Hi,

QUITE UNFORTUNATELY THIS DOES NOT SEEM TO WORK :-(

Could someone please let me see the flaw in logic or implementation?

Thank you so much :-)

Kind Regards

Siju

On Nov 21, 2007 10:46 AM, Siju George <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have two internet connections connected to my firewall now.
> Both are from the same ISPs with IP addresses "IP1" and "IP2"
> Both have the same gateway "GWIP"
>
> $ext_if="IP1"
> $ext_if2="IP2"
>
> Now to load balance squid what I am doing is to tag half of the
> packets coming to squid using the rules
>
> ===================================================================
> pass in on $int_if inet proto tcp from $int_if:network to any port 8080 \
>     keep state tag squid probability 50% label squid
>
> pass in quick on $int_if inet proto tcp from $int_if:network to any \
>     port { 21, 8080 } keep state
>
> pass in on $int_if route-to { ($ext_if $gateway), ($ext_if2 $gateway) } round-robin \
>     from $int_if:network to any keep state
>
> ===================================================================
>
> This gets half of the traffic that comes to squid tagged and labeled as
> 'squid'
>
> then I have the following NAT rule for the $ext_if which is the
> default route to NAT the tagged rules ( i.e half of squid traffic )
> to "IP2" on $ext_if2
>
> =================================================
>
> nat on $ext_if from $int_if:network to any tagged squid -> ($ext_if2)
>
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
> nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
>
> =================================================
>
> and finally for the filter rules to route the tagged packets through
> the second interface.
>
> ==============================================================
>
> pass out quick on $ext_if route-to ( $ext_if2 $gateway ) inet proto tcp \
>     all modulate state flags S/SA tagged squid
>
> pass out on $ext_if route-to ( $ext_if $gateway ) proto tcp \
>     all modulate state flags S/SA
>
> pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto tcp \
>     all modulate state flags S/SA
>
> pass out on $ext_if route-to ( $ext_if $gateway ) proto { udp, icmp } \
>     all keep state
>
> pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto { udp, icmp } \
>     all keep state
>
> ===============================================================
>
> derived this Idea from
>
> http://osdir.com/ml/openbsd.pf/2005-02/msg00124.html
>
> after searching the archives.
>
> Just wondering if there is a better way to do it :-)
>
> Thank you so much especially Danny for the post :-)))))))
>
> Kind Regards
>
> Siju