Hello all,
Is it possible to get round-robin load balancing running with squid using
two T1s on the firewall?
rl0 = lan interface
rl1 = wan one interface
rl2 = wan two interface
These rules work fine for web surfing with no proxy -
pfctl -sn
pfctl -sr
nat on rl1 inet proto tcp from 192.168.50.0/24 to any -> 67.173.76.81
nat on rl1 inet proto udp from 192.168.50.0/24 to any -> 67.173.76.81
nat on rl1 inet proto icmp from 192.168.50.0/24 to any -> 67.173.76.81
nat on rl2 inet proto tcp from 192.168.50.0/24 to any -> 67.162.61.107
nat on rl2 inet proto udp from 192.168.50.0/24 to any -> 67.162.61.107
nat on rl2 inet proto icmp from 192.168.50.0/24 to any -> 67.162.61.107
scrub in all fragment reassemble
pass out log quick on rl0 inet from 192.168.50.80 to 192.168.50.0/24 keep state
pass in log quick on rl0 inet from 192.168.50.0/24 to 192.168.50.80 keep state
block in log quick on rl1 inet from <rfc1918> to any
block in log quick on rl2 inet from <rfc1918> to any
pass in quick on lo0 inet from 127.0.0.1 to 127.0.0.1 keep state
pass out quick on lo0 inet from 127.0.0.1 to 127.0.0.1 keep state
pass in log quick on rl0 route-to { (rl1 67.173.76.1), (rl2 67.162.60.1) } round-robin inet all keep state
pass out quick on rl1 inet from 67.173.76.81 to any keep state
pass out quick on rl2 inet from 67.162.61.107 to any keep state
block drop in log quick inet all
pfctl -vsr shows the rule set being used -
scrub in all fragment reassemble
  [ Evaluations: 2554  Packets: 1338  Bytes: 0  States: 0 ]
pass out log quick on rl0 inet from 192.168.50.80 to 192.168.50.0/24 keep state
  [ Evaluations: 110  Packets: 165  Bytes: 16328  States: 1 ]
pass in log quick on rl0 inet from 192.168.50.0/24 to 192.168.50.80 keep state
  [ Evaluations: 14  Packets: 7  Bytes: 395  States: 1 ]
block drop in log quick on rl1 inet from <rfc1918> to any
  [ Evaluations: 108  Packets: 39  Bytes: 12940  States: 0 ]
block drop in log quick on rl2 inet from <rfc1918> to any
  [ Evaluations: 61  Packets: 39  Bytes: 12940  States: 0 ]
pass in quick on lo0 inet from 127.0.0.1 to 127.0.0.1 keep state
  [ Evaluations: 17  Packets: 0  Bytes: 0  States: 0 ]
pass out quick on lo0 inet from 127.0.0.1 to 127.0.0.1 keep state
  [ Evaluations: 13  Packets: 0  Bytes: 0  States: 0 ]
pass in log quick on rl0 route-to { (rl1 67.173.76.1), (rl2 67.162.60.1) } round-robin inet all keep state
  [ Evaluations: 30  Packets: 533  Bytes: 415670  States: 13 ]
pass out quick on rl1 inet from 67.173.76.81 to any keep state
  [ Evaluations: 17  Packets: 230  Bytes: 170509  States: 6 ]
pass out quick on rl2 inet from 67.162.61.107 to any keep state
  [ Evaluations: 9  Packets: 303  Bytes: 245161  States: 7 ]
block drop in log quick inet all
  [ Evaluations: 4  Packets: 4  Bytes: 932  States: 0 ]
pfctl -ss also shows multiple state entries for both WAN IPs.
Round-robin works fine when the route-to is using "in on rl0".
Round-robin does not work when using route-to "out on rl1"
rl1 is my wan with the default gateway.
There are strange results when using out on rl1. Pages appear to load partially.
Just using ssh from the firewall shows signs of the problem. One ssh
session works fine. The next ssh session hangs.
pfctl -ss shows state tables created only for the interface that has the
default route.
Here are the rule sets being used by route-to "out on rl1"
nat on rl1 inet proto tcp from 192.168.50.0/24 to any -> 67.173.76.81
nat on rl1 inet proto udp from 192.168.50.0/24 to any -> 67.173.76.81
nat on rl1 inet proto icmp from 192.168.50.0/24 to any -> 67.173.76.81
nat on rl2 inet proto tcp from 192.168.50.0/24 to any -> 67.162.61.107
nat on rl2 inet proto udp from 192.168.50.0/24 to any -> 67.162.61.107
nat on rl2 inet proto icmp from 192.168.50.0/24 to any -> 67.162.61.107
scrub in all fragment reassemble
pass in log quick on rl1 reply-to (rl1 67.173.76.1) inet proto tcp all keep state
pass out log quick on rl0 inet from 192.168.50.80 to 192.168.50.0/24 keep state
pass in log quick on rl0 inet from 192.168.50.0/24 to 192.168.50.80 keep state
block drop in log quick on rl1 inet from <rfc1918> to any
block drop in log quick on rl2 inet from <rfc1918> to any
pass in quick on lo0 inet from 127.0.0.1 to 127.0.0.1 keep state
pass out quick on lo0 inet from 127.0.0.1 to 127.0.0.1 keep state
pass in log quick inet from 192.168.50.0/24 to 127.0.0.1 keep state
pass out log quick on rl2 route-to { (rl1 67.173.76.1), (rl2 67.162.60.1) } round-robin inet from 67.162.61.107 to any keep state
pass out quick on rl1 inet from 67.173.76.81 to any keep state
pass out quick on rl2 inet from 67.162.61.107 to any keep state
block drop in log quick inet all
I added the reply-to on the interface that doesn't have the default route.
ssh sessions into that address work.
Any input would be appreciated.
btb
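As an added example that is not the poster's configuration, here is how the two rulesets above are usually consolidated in pf of that era (pre-OpenBSD-4.7 syntax, with separate nat rules, to match what was posted): sticky-address on the round-robin pool, LAN traffic for the firewall itself matched before the route-to rule, and route-to/reply-to for the second link's own address. Interface names, addresses and gateways are taken from the post; the contents of the <rfc1918> table and squid's listen port (3128, squid's default) are assumptions.

```pf
# Added example, not the poster's pf.conf. Pre-OpenBSD-4.7 syntax to match
# the rules quoted above. Interfaces/addresses are the poster's; the
# <rfc1918> table body and squid's port (3128) are assumptions.
lan_if  = "rl0"
wan1_if = "rl1"            # carries the kernel default route
wan2_if = "rl2"
lan_net = "192.168.50.0/24"
wan1_ip = "67.173.76.81"
wan1_gw = "67.173.76.1"
wan2_ip = "67.162.61.107"
wan2_gw = "67.162.60.1"
squid_port = "3128"        # assumed

table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all fragment reassemble

# Source NAT is applied on the interface the packet finally leaves on, so one
# rule per WAN gives each link its own address after route-to has picked it.
nat on $wan1_if inet from $lan_net to any -> $wan1_ip
nat on $wan2_if inet from $lan_net to any -> $wan2_ip

block in log all

# Private-source packets arriving from either provider
block in log quick on { $wan1_if, $wan2_if } inet from <rfc1918> to any

# LAN traffic addressed to the firewall itself (squid, the LAN address) must
# match before the route-to rule, or it gets pushed to a T1 gateway instead.
pass in quick on $lan_if inet proto tcp from $lan_net to ($lan_if) port $squid_port keep state
pass in quick on $lan_if inet from $lan_net to ($lan_if) keep state

# Forwarded LAN traffic: alternate gateways per new connection. sticky-address
# keeps one client on one link, which matters for sites that tie a session to
# the client's source address.
pass in log quick on $lan_if route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin sticky-address inet from $lan_net to any keep state

# Whatever was routed out a WAN interface may leave with that link's address.
pass out quick on $wan1_if inet from $wan1_ip to any keep state
pass out quick on $wan2_if inet from $wan2_ip to any keep state

# Traffic the firewall itself originates (squid's upstream fetches included)
# is never seen "in on rl0", so the route-to rule above does not apply to it;
# the routing table sends it via $wan1_gw. Packets that carry the second
# link's address but would leave via the default route are steered back to
# the second link's gateway (the pattern from the OpenBSD PF FAQ).
pass out quick on $wan1_if route-to ($wan2_if $wan2_gw) inet from $wan2_ip to any keep state

# Inbound connections to the second link must answer through its own gateway;
# reply-to records that in the state. The default-route link needs no help.
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto tcp from any to $wan2_ip port ssh keep state
pass in quick on $wan1_if inet proto tcp from any to $wan1_ip port ssh keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f`, then compare `pfctl -ss` state counts per gateway after a few LAN connections. The limitation in the comments is the one that matters for a proxy on the firewall: route-to on a pass out rule changes the interface a locally generated packet leaves on, but not its source address, so it does not by itself spread the proxy's own upstream connections across both links the way the pass in on rl0 rule does for forwarded clients.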