On Tue, Jan 25, 2005 at 06:19:36PM -0300, Emilio Lucena wrote:

> Then the traffic is delivered to squid to be dealt with. But, then this
> means squid will use the default route to open the http connection to the
> Internet server and bypass the load balance rule, right?

Yes, the connections from squid to the external web servers are not
passing through $int_if at all, and are unrelated (for pf) to the client
connections causing them.

> So, is this setup incompatible or there is some trick I can do to make it
> work?

Instead of using route-to on $int_if, you can let connections go out
through the one interface to the default gateway, and use route-to on a
'pass out on $ext_if1' rule to re-route the outgoing connection to another
interface. Packets will 'try' to get out on the default interface, but
re-routing occurs before they are actually sent out through the interface.

  pass out on $ext_if1 route-to { ($ext_if1 $gwy_if1), \
        ($ext_if2 $gwy_if2) } round-robin ... keep state

Where $ext_if1 is the interface to your default gateway, where all
connections will go out through by default. Half of them will be re-routed
out on $ext_if2, and half will go out through $ext_if1.

You'd use the same construct if you wanted to load-balance outgoing
connections opened by the firewall itself (say, a DNS server there), which
don't arrive in on any interface at all.

Daniel
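The construct Daniel describes, written out as a complete pf.conf fragment. This is an added example and is not part of the original mail or of pf's documentation; the interface names, gateway addresses, LAN network and the squid port are placeholders chosen for illustration, and the final nat rule is an assumption taken from the usual pf multi-path pattern rather than something the mail states.

```pf
# Added example (not from the original mail). Interfaces, addresses and
# the squid port below are placeholders.
ext_if1    = "fxp0"           # link to the default gateway (ISP 1)
ext_if2    = "fxp1"           # second uplink (ISP 2)
int_if     = "fxp2"           # LAN side
gwy_if1    = "192.0.2.1"      # ISP 1 gateway
gwy_if2    = "198.51.100.1"   # ISP 2 gateway
int_net    = "10.0.0.0/24"
squid_port = "3128"           # squid's default listening port (assumed)

# 1. Client HTTP traffic arriving on $int_if is handed to the local squid.
#    These connections terminate on the firewall itself, so a
#    'route-to on $int_if' rule never sees the outbound side of them.
rdr on $int_if proto tcp from $int_net to any port 80 \
    -> 127.0.0.1 port $squid_port
pass in on $int_if proto tcp from $int_net to 127.0.0.1 port $squid_port \
    keep state

# 2. Connections opened by squid (or any other daemon on the firewall)
#    follow the default route and therefore hit 'pass out on $ext_if1'.
#    route-to re-routes every second one through $ext_if2 before the
#    packet is actually sent; the rest leave through $ext_if1 as normal.
pass out on $ext_if1 route-to \
    { ($ext_if1 $gwy_if1), ($ext_if2 $gwy_if2) } round-robin \
    proto tcp from any to any port 80 keep state
pass out on $ext_if2 keep state

# 3. Assumption (standard pf multi-path pattern, not stated in the mail):
#    a packet re-routed onto $ext_if2 still carries $ext_if1's source
#    address, which ISP 2 may drop and whose replies would come back via
#    ISP 1. Rewriting the source to $ext_if2's own address keeps each
#    uplink's traffic self-contained.
nat on $ext_if2 from ($ext_if1) to any -> ($ext_if2)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then confirm the split with `pfctl -ss` (outbound states for port 80 should alternate between the two gateways) and with `tcpdump` on each external interface while the proxy fetches a few pages.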