On Tue, 25 Jan 2005 18:19:36 -0300 (BRT), Emilio Lucena
<[EMAIL PROTECTED]> wrote:
> I am trying to get these two features to work together. The rule I am using
> for load balancing is:
Can you provide more information on your load-balancing configuration,
specifically on what the two external interfaces are connected through?
Are you doing any NAT?
(I suppose this is why everybody insists on seeing a complete pf.conf)
> pass in log-all on $int_if route-to \
> { ($ext_if1 <gws_if1>) , ($ext_if2 <gws_if2>) } round-robin \
> inet proto tcp from $lan_net to any flags S/SA modulate state
>
> I am following Daniel's instructions (http://www.benzedrine.cx/transquid.html)
> for setting up transparent squid. Now, since web traffic is automatically
> redirected to 127.0.0.1:3128, I think there must be a pass rule, like the one
> below, BEFORE the above rule. Otherwise, squid will not be able to handle
> the web traffic.
>
> pass in quick on $int_if inet proto tcp from any to 127.0.0.1:3128 keep state
^^^^^^^^^^^
I think this line should read:
pass in quick on $int_if inet proto tcp from $int_net to ($int_if) \
    port=3128 keep state
> Then the traffic is delivered to squid to be dealt with. But, then this
> means squid will use the default route to open the http connection to the
> Internet server and bypass the load balance rule, right?
Correct. Squid, being a full "application proxy" for HTTP/HTTPS/FTP/Gopher,
will generate new TCP sessions for the outbound connection. These sessions
will of course originate from the local machine (not come in via $int_if),
and will show as the source IP address the address of the "default" outbound
interface, unless you configure a tcp_outgoing_address in squid.conf.
If you set tcp_outgoing_address to an alias IP on $int_if, you could try this:
pass out route-to \
{ ($ext_if1 <gws_if1>) , ($ext_if2 <gws_if2>) } round-robin \
inet proto tcp from $squid_ip to any flags S/SA modulate state
> So, is this setup incompatible or there is some trick I can do to make it
> work?
Depending on how your inbound traffic is load-balanced, you might not need to
do any tricks, as 99.99% of the squid-related traffic is going to be downloads,
limiting the need to load-balance outbound -- the exception being if you are
using NAT to rewrite outbound sessions to be sourced with a different ext_if
interface address to force reply traffic to come back the same path it went out?
Kevin
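Pulling the rules discussed in this thread together, as an added example (not either poster's configuration): a pf.conf fragment with assumed interface names, addresses and gateways, showing the rule ordering the reply relies on and where squid's own sessions have to be balanced. It assumes no nat rule rewrites the squid address on the uplinks.

```pf
# Assumed names and addresses; adjust to the real pf.conf. $squid_ip is an
# alias on $int_if and must match tcp_outgoing_address in squid.conf.
ext_if1  = "fxp0"
ext_if2  = "fxp1"
gw_if1   = "203.0.113.1"
gw_if2   = "198.51.100.1"
int_if   = "fxp2"
lan_net  = "192.168.1.0/24"
squid_ip = "192.168.1.2"    # squid.conf: tcp_outgoing_address 192.168.1.2

# Translation is evaluated before filtering, so the rdr runs first and the
# filter rules below see the redirected destination.
rdr on $int_if inet proto tcp from $lan_net to any port www \
    -> 127.0.0.1 port 3128

# Redirected web sessions must reach squid; "quick" stops evaluation so the
# round-robin rule below never sends them out an uplink instead.
pass in quick on $int_if inet proto tcp from $lan_net to 127.0.0.1 \
    port 3128 keep state

# Remaining LAN TCP sessions are balanced across both uplinks on the way in,
# i.e. before any translation on the external interfaces would apply.
pass in log-all on $int_if route-to \
    { ($ext_if1 $gw_if1), ($ext_if2 $gw_if2) } round-robin \
    inet proto tcp from $lan_net to any flags S/SA modulate state

# Squid's own sessions originate locally and never traverse $int_if, so the
# rule above cannot see them. Balance them as they leave instead, keyed on
# the tcp_outgoing_address. Assumes no nat rule rewrites $squid_ip on the
# uplinks: pf translates before filtering, so a nat'ed source would no
# longer match "from $squid_ip" here.
pass out route-to \
    { ($ext_if1 $gw_if1), ($ext_if2 $gw_if2) } round-robin \
    inet proto tcp from $squid_ip to any flags S/SA modulate state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and verify the balancing with `pfctl -ss` while squid fetches a few pages.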