Kevin,

First of all, thanks for your help.


On Tue, 25 Jan 2005, Kevin wrote:

> Can you provide more information on your load-balancing configuration,
> specifically on what the two external interfaces are connected through?
> Are you doing any NAT?

Yes .. we are doing NAT.

lan_net=$int_if:network

nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

Also, we are redirecting web traffic to the firewall where squid runs.

rdr on $int_if inet proto tcp from $lan_net to any port www -> 127.0.0.1 port 3128

The external interfaces are connected to a cable Internet connection and 
an ADSL Internet connection.

> I think this line should read:
> pass in quick on $int_if inet proto tcp from $int_net to ($int_if)
> port=3128 keep state

Daniel's setup for transparent squid tells us to use the rule I mentioned.

> If you set tcp_outgoing_address to an alias IP on $int_if, you could try this:
>     pass out route-to \
>         { ($ext_if1 <gws_if1>) , ($ext_if2 <gws_if2>) }  round-robin \
>         inet proto tcp from $squid_ip to any flags S/SA modulate state
> 

Thanks ... I will try this and see if it works.

> Depending on how your inbound traffic is load-balanced, you might not need to
> do any tricks, as 99.99% of the squid-related traffic is going to be downloads,
> limiting the need to load-balance outbound -- the exception being if you are
> using NAT to rewrite outbound sessions to be sourced with a different ext_if
> interface address to force reply traffic to come back the same path it went out?

This is how I am doing inbound load balancing:

# Internal services on the LAN

pass in log on $ext_if1 from any to $intweb tag from_ef1 keep state
pass in log on $ext_if2 from any to $intweb tag from_ef2 keep state

# packets for the internal webserver

pass out log on $int_if reply-to ($ext_if1 $gw_if1) \
     from any to $intweb tagged from_ef1 keep state
pass out log on $int_if reply-to ($ext_if2 $gw_if2) \
     from any to $intweb tagged from_ef2 keep state

Regards,

ebl
