Re: Is this load balancing Idea for squid ok while using route-to or is there a better one?
Hi Siju,

Are you running the squid on the same box where the firewall is? If so, tags will not be preserved on the outgoing connections from squid to the internet.

Regards,
Rosen

Siju George wrote:
> Hi,
>
> QUITE UNFORTUNATELY THIS DOES NOT SEEM TO WORK :-(
>
> Could someone please let me see the flaw in logic or implementation?
>
> Thank you so much :-)
>
> Kind Regards
>
> Siju
>
> On Nov 21, 2007 10:46 AM, Siju George <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I have two internet connections connected to my firewall now.
> > Both are from the same ISP with IP addresses "IP1" and "IP2"
> > Both have the same gateway "GWIP"
> >
> > $ext_if="IP1"
> > $ext_if2="IP2"
> >
> > Now to load balance squid what I am doing is to tag half of the
> > packets coming to squid using the rules
> >
> > ===
> > pass in on $int_if inet proto tcp from $int_if:network to any port 8080 \
> >         keep state tag squid probability 50% label squid
> >
> > pass in quick on $int_if inet proto tcp from $int_if:network to any port { 21, 8080 } keep state
> >
> > pass in on $int_if route-to { ($ext_if $gateway), ($ext_if2 $gateway) } round-robin \
> >         from $int_if:network to any keep state
> > ===
> >
> > This gets half of the traffic that comes to squid tagged and labeled as
> > 'squid'
> >
> > then I have the following NAT rule for the $ext_if which is the
> > default route to NAT the tagged rules ( i.e. half of squid traffic )
> > to "IP2" on $ext_if2
> >
> > =
> > nat on $ext_if from $int_if:network to any tagged squid -> ($ext_if2)
> >
> > nat on $ext_if from $int_if:network to any -> ($ext_if)
> >
> > nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
> > =
> >
> > and finally for the filter rules to route the tagged packets through
> > the second interface.
> >
> > ==
> > pass out quick on $ext_if route-to ( $ext_if2 $gateway ) inet proto tcp \
> >         all modulate state flags S/SA tagged squid
> >
> > pass out on $ext_if route-to ( $ext_if $gateway ) proto tcp \
> >         all modulate state flags S/SA
> >
> > pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto tcp \
> >         all modulate state flags S/SA
> >
> > pass out on $ext_if route-to ( $ext_if $gateway ) proto { udp, icmp } all keep state
> >
> > pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto { udp, icmp } all keep state
> > ===
> >
> > derived this idea from
> >
> > http://osdir.com/ml/openbsd.pf/2005-02/msg00124.html
> >
> > after searching the archives.
> >
> > Just wondering if there is a better way to do it :-)
> >
> > Thank you so much especially Danny for the post :-)))
> >
> > Kind Regards
> >
> > Siju
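
Added example, not part of the original thread and not pf itself: a simplified Python model of pf's packet tags, run over a reduced form of the posted ruleset, showing why an egress rule with `tagged squid` matches a forwarded packet but not a connection that squid opens from the firewall itself. The rule labels, the client address and the assumption that `probability 50%` always hits are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dport: int
    tag: Optional[str] = None    # pf keeps the tag on the packet, not on the socket

@dataclass
class Rule:
    label: str                   # hypothetical label, used only to report the match
    direction: str               # "in" or "out"
    dports: Optional[set] = None # None matches any destination port
    tagged: Optional[str] = None # rule matches only packets carrying this tag
    tag: Optional[str] = None    # tag applied on match (sticky)
    quick: bool = False

# Reduced form of the posted rules; "probability 50%" is assumed to hit every time.
RULES = [
    Rule("in-tag-squid", "in", dports={8080}, tag="squid"),
    Rule("in-quick-proxy", "in", dports={21, 8080}, quick=True),
    Rule("out-via-ext_if2", "out", tagged="squid", quick=True),
    Rule("out-via-ext_if", "out"),
]

def evaluate(pkt, direction):
    """Return the label of the deciding rule: last match wins unless quick."""
    decided = None
    for r in RULES:
        if r.direction != direction:
            continue
        if r.dports is not None and pkt.dport not in r.dports:
            continue
        if r.tagged is not None and pkt.tag != r.tagged:
            continue
        if r.tag:
            pkt.tag = r.tag      # sticky: set even when a later rule decides
        decided = r.label
        if r.quick:
            break
    return decided

def egress_rule(proxy_on_firewall):
    client = Packet(src="192.0.2.10", dport=8080)  # constructed client request
    evaluate(client, "in")                          # tagged "squid" on $int_if
    if proxy_on_firewall:
        # squid terminates the client connection and opens its own socket:
        # a new packet sourced from the firewall, carrying no tag
        egress = Packet(src="IP1", dport=80)
    else:
        egress = client                             # forwarded: same packet, tag kept
    return evaluate(egress, "out")
```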
Re: Is this load balancing Idea for squid ok while using route-to or is there a better one?
Hi,

QUITE UNFORTUNATELY THIS DOES NOT SEEM TO WORK :-(

Could someone please let me see the flaw in logic or implementation?

Thank you so much :-)

Kind Regards

Siju

On Nov 21, 2007 10:46 AM, Siju George <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have two internet connections connected to my firewall now.
> Both are from the same ISP with IP addresses "IP1" and "IP2"
> Both have the same gateway "GWIP"
>
> $ext_if="IP1"
> $ext_if2="IP2"
>
> Now to load balance squid what I am doing is to tag half of the
> packets coming to squid using the rules
>
> ===
> pass in on $int_if inet proto tcp from $int_if:network to any port 8080 \
>         keep state tag squid probability 50% label squid
>
> pass in quick on $int_if inet proto tcp from $int_if:network to any port { 21, 8080 } keep state
>
> pass in on $int_if route-to { ($ext_if $gateway), ($ext_if2 $gateway) } round-robin \
>         from $int_if:network to any keep state
> ===
>
> This gets half of the traffic that comes to squid tagged and labeled as
> 'squid'
>
> then I have the following NAT rule for the $ext_if which is the
> default route to NAT the tagged rules ( i.e. half of squid traffic )
> to "IP2" on $ext_if2
>
> =
> nat on $ext_if from $int_if:network to any tagged squid -> ($ext_if2)
>
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
> nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
> =
>
> and finally for the filter rules to route the tagged packets through
> the second interface.
>
> ==
> pass out quick on $ext_if route-to ( $ext_if2 $gateway ) inet proto tcp \
>         all modulate state flags S/SA tagged squid
>
> pass out on $ext_if route-to ( $ext_if $gateway ) proto tcp \
>         all modulate state flags S/SA
>
> pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto tcp \
>         all modulate state flags S/SA
>
> pass out on $ext_if route-to ( $ext_if $gateway ) proto { udp, icmp } all keep state
>
> pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto { udp, icmp } all keep state
> ===
>
> derived this idea from
>
> http://osdir.com/ml/openbsd.pf/2005-02/msg00124.html
>
> after searching the archives.
>
> Just wondering if there is a better way to do it :-)
>
> Thank you so much especially Danny for the post :-)))
>
> Kind Regards
>
> Siju
Is this load balancing Idea for squid ok while using route-to or is there a better one?
Hi,

I have two internet connections connected to my firewall now.
Both are from the same ISP with IP addresses "IP1" and "IP2"
Both have the same gateway "GWIP"

$ext_if="IP1"
$ext_if2="IP2"

Now to load balance squid what I am doing is to tag half of the packets coming to squid using the rules

===
pass in on $int_if inet proto tcp from $int_if:network to any port 8080 \
        keep state tag squid probability 50% label squid

pass in quick on $int_if inet proto tcp from $int_if:network to any port { 21, 8080 } keep state

pass in on $int_if route-to { ($ext_if $gateway), ($ext_if2 $gateway) } round-robin \
        from $int_if:network to any keep state
===

This gets half of the traffic that comes to squid tagged and labeled as 'squid'

then I have the following NAT rule for the $ext_if which is the default route to NAT the tagged rules ( i.e. half of squid traffic ) to "IP2" on $ext_if2

=
nat on $ext_if from $int_if:network to any tagged squid -> ($ext_if2)

nat on $ext_if from $int_if:network to any -> ($ext_if)

nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
=

and finally for the filter rules to route the tagged packets through the second interface.

==
pass out quick on $ext_if route-to ( $ext_if2 $gateway ) inet proto tcp \
        all modulate state flags S/SA tagged squid

pass out on $ext_if route-to ( $ext_if $gateway ) proto tcp \
        all modulate state flags S/SA

pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto tcp \
        all modulate state flags S/SA

pass out on $ext_if route-to ( $ext_if $gateway ) proto { udp, icmp } all keep state

pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto { udp, icmp } all keep state
===

derived this idea from

http://osdir.com/ml/openbsd.pf/2005-02/msg00124.html

after searching the archives.

Just wondering if there is a better way to do it :-)

Thank you so much especially Danny for the post :-)))

Kind Regards

Siju