You were right in your "if you want to.." part. I do have multiple
servers that I want to load balance the requests across. Basically,
it's a sort of poor-man's peering with the traffic normally
load-balanced by short-TTL DNS records and a monitor on each line.
If one goes down, DNS is updated to not point to it until it returns.
Can you explain in more detail what you mean about "tags" between the
rules? The problem I'm seeing is that the un-RDR action doesn't appear
to be taking place until after the filter rules (which contain the
route-to statements) are checked, so the source address on the packets
is not the address of the "router" itself, but is still the private
address of the server in the back-end farm.
I've hackishly worked around it by assigning different static IPs to
the backend server farm. For example an address in 192.168.0.0/24 on
each server to service the ISP-A requests, 192.168.1.0/24 for the ISP-B
requests, and so on. Doing this, the route-to rules properly fire
based on the private source address and set the gateway.
It doesn't work when the upstream lines are coming in on different
physical interfaces; "route-to (fxp2 1.2.3.4)" doesn't work if the
machine's default route is on fxp1; but that's a different problem (I
think).
Quoting Daniel Hartmeier <[EMAIL PROTECTED]>:
If I understand correctly, you have several uplinks, and you redirect
requests coming from each uplink to dedicated servers, i.e. server A
handles all requests coming in through uplink A.
You want the return packets to go back through the appropriate uplink.
This should work:
Use rdr on the external interface like you are already doing.
On the internal interface use
pass out on fxp0 reply-to (fxp1 $ext_gw_a) from any \
to $int_net_a port 80 keep state
pass out on fxp0 reply-to (fxp1 $ext_gw_b) from any \
to $int_net_b port 80 keep state
Note that the rdr on the external interface has already replaced the
destination address when these rules are evaluated on the internal
interface.
As an example, an external client C sends a SYN to $ext_gw_b. This
packet will first hit the external interface, match the rdr rule, and
the destination address is replaced with int_net_b. This then goes out
through the internal interface, matching the second rule above.
When the SYN+ACK comes back from the server, it will match the second
rule's state entry, and the reply-to option gets used, bypassing the
normal routing table lookup. The packet will go out through the external
interface with $ext_gw_b's MAC address as destination. There it will
match the rdr rule's state, and the source address is replaced.
You might want to try with 'set state-policy if-bound', but it should
work either way.
This works as long as you have one dedicated server per external uplink.
If you want to load-balance all incoming requests to a server farm,
you'd have to use tags between the rdr rules and the reply-to rules.
Daniel
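The tagged variant Daniel alludes to for a shared farm, written out as an added illustration that is not part of the original thread. Interface names, addresses and macros are assumed, as is the pf.conf(5) syntax of the period where an rdr rule may carry "tag" and a filter rule may select on "tagged"; the point is that the return gateway is chosen from the tag rather than from the (now identical) destination address.

```pf
# Added example, not from the original messages: macros are assumed.
ext_if = "fxp1"
int_if = "fxp0"
ext_ip_a = "192.0.2.10"        # address announced via ISP A (documentation range)
ext_ip_b = "198.51.100.10"     # address announced via ISP B (documentation range)
ext_gw_a = "192.0.2.1"
ext_gw_b = "198.51.100.1"
farm = "{ 10.0.0.11, 10.0.0.12, 10.0.0.13 }"   # one farm serves both uplinks

# Redirect inbound HTTP from either uplink to the same farm, but record
# which uplink the connection arrived on by tagging it in the rdr rule.
rdr on $ext_if proto tcp from any to $ext_ip_a port 80 tag VIA_A -> $farm round-robin
rdr on $ext_if proto tcp from any to $ext_ip_b port 80 tag VIA_B -> $farm round-robin

# Admit the already-translated SYNs on the external interface.
pass in on $ext_if proto tcp from any to $farm port 80 keep state

# On the internal interface the destination is a farm address in both cases,
# so the reply-to gateway is selected by the tag set above, not by address.
pass out on $int_if reply-to ($ext_if $ext_gw_a) proto tcp \
    from any to $farm port 80 tagged VIA_A keep state
pass out on $int_if reply-to ($ext_if $ext_gw_b) proto tcp \
    from any to $farm port 80 tagged VIA_B keep state
```

A return SYN+ACK from a farm server matches the state created by whichever tagged rule passed the original SYN, so it leaves via the uplink it arrived on regardless of the default route.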