Re: Round-robin + Squid + 3 ISP
Can you try it? Some people tell me I can't use Squid with round-robin. I see this for pfsense: http://forum.pfsense.org/index.php?topic=7591.msg42943

tcp_outgoing_address 10.10.1.1 slow
tcp_outgoing_address 10.10.1.1

Any idea?

2010/1/16 Stuart Henderson s...@spacehopper.org:
> On 2010/01/16 03:37, mashenko shenua wrote:
> > I'm trying to set up a Multiwan OpenBSD firewall. I need to use Squid but I cannot set it up with rdr and round-robin.
> >
> > pass in on $int_if route-to \
> >     { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
> >     proto tcp from $lan_net to any port http
>
> Does squid run on the firewall itself? If so, this pass in rule will not apply; squid makes its own connection from the firewall, so the packet will be outbound (i.e. you would need a pass out ... route-to {($ext_if1 $ext_gw1) ($ext_if2 $ext_gw2)} rule).
Re: Round-robin + Squid + 3 ISP
I just use freebsd on the squid VM since squid performs better/faster on freebsd.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
k a h l i l   e r w i n   t a l l e d o
tp: +1.284.440.0102
im: talledo...@yahoo.com
fb: www.facebook.com/kstalledo
little knowledge that acts is worth infinitely more than much knowledge that is idle. - k. gibran

On Jan 16, 2010, at 3:12 PM, mashenko shenua wrote:
> I think this can work. I don't understand why two OSes.
>
> 2010/1/16 Kahlil Erwin S. Talledo kstall...@binarysalad.com:
> > Hello,
> >
> > I have tried doing this several times before and have spent quite a significant time trying to accomplish what you are doing, but in the long run, running squid and having it load balanced through two wan connections in a single machine is just too complicated or not possible as of the moment.
> >
> > What I ended up doing is virtualize two machines in one box: installing openbsd on one VM to do the wan loadbalancing and another VM for squid (i used freebsd on the squid VM), and just did internal networking to connect both. This would introduce more latency though, and i/o speed may be hampered. You can also separate both services (squid, loadbalancing) on different physical machines.
> >
> > Cheers,
> >
> > On Jan 16, 2010, at 9:36 AM, mashenko shenua wrote:
> > > Hi,
> > >
> > > Yes, Squid is running on the same machine. Can you rewrite it?
> > >
> > > 2010/1/16 Stuart Henderson s...@spacehopper.org:
> > > > On 2010/01/16 03:37, mashenko shenua wrote:
> > > > > I'm trying to set up a Multiwan OpenBSD firewall. I need to use Squid but I cannot set it up with rdr and round-robin.
> > > > >
> > > > > pass in on $int_if route-to \
> > > > >     { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
> > > > >     proto tcp from $lan_net to any port http
> > > >
> > > > Does squid run on the firewall itself? If so, this pass in rule will not apply; squid makes its own connection from the firewall, so the packet will be outbound (i.e. you would need a pass out ... route-to {($ext_if1 $ext_gw1) ($ext_if2 $ext_gw2)} rule).
Re: Round-robin + Squid + 3 ISP
Then I can use pass out as you told me in the first e-mail?

2010/1/17 Stuart Henderson s...@spacehopper.org:
> On 2010/01/16 22:00, mashenko shenua wrote:
> > Can you try it? Some people tell me I can't use Squid with round-robin. I see this for pfsense: http://forum.pfsense.org/index.php?topic=7591.msg42943
> >
> > tcp_outgoing_address 10.10.1.1 slow
> > tcp_outgoing_address 10.10.1.1
>
> That diff is for pfsense to allow it to add 'pass out...route-to' rules; you can add these entries anyway with pf.conf. Seems there's a mistake in their sample squid.conf entries though, I think they meant to have different tcp_outgoing_addresses for the 'slow' and normal networks. They are telling squid to use different source addresses for different connections, and then using route-to to push those out of the correct interface for the outgoing address they use.
>
> The other way is to leave squid alone and just handle it with pf. The main area people might have problems is getting things natted correctly so the right source addresses are used on outgoing packets. It's probably simplest to use 'probability', something like this:
>
> pass out quick proto tcp to 209.85.227.105 port 80 \
>     route-to (vlan4 192.168.46.49) nat-to (vlan4:0) probability 50%
>
> (and of course the other 50% will be handled by other rules matching this packet to go via the default route).
>
> Thinking about it some more, perhaps this isn't possible with old PF where nat was handled separately from filter rules; you might need -current to do this...
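Stuart's "leave squid alone and handle it with pf" approach, written out as a pf.conf fragment. This is an added example, not configuration from the thread: the interface names, gateway and LAN addresses and squid's port 3128 are assumed, and it uses the nat-to/route-to filter-rule syntax of OpenBSD 4.7 and later (the "new NAT code" Stuart refers to).

```conf
# Assumed topology: ISP 1 on vlan4 holds the default route, ISP 2 on vlan5.
ext_if1 = "vlan4"
ext_gw1 = "192.168.46.49"
ext_if2 = "vlan5"
ext_gw2 = "192.168.47.49"
int_if  = "em0"
lan_net = "10.0.0.0/24"

# LAN web traffic is redirected into squid running on the firewall itself.
pass in quick on $int_if proto tcp from $lan_net to any port 80 \
    rdr-to 127.0.0.1 port 3128

# Squid then opens its own connection *from* the firewall, so the original
# "pass in ... round-robin" rule never sees it.  The balancing has to be done
# on "pass out", and the source address must belong to the interface the
# packet leaves on, otherwise the replies come back via the wrong ISP.

# Sites that tie a session to the client address (Steven's YouTube caveat)
# are pinned to one ISP before the random rules.  The table starts empty;
# fill it with "pfctl -t pin_isp1 -T add <address>".
table <pin_isp1> persist
pass out quick on $ext_if1 proto tcp from self to <pin_isp1> port 80 \
    nat-to ($ext_if1:0)

# Roughly half of squid's outbound HTTP is pushed out ISP 2, with ISP 2's
# address as source...
pass out quick proto tcp from self to any port 80 \
    route-to ($ext_if2 $ext_gw2) nat-to ($ext_if2:0) probability 50%

# ...and the other half follows the default route out ISP 1; nat-to keeps
# the source address explicit rather than relying on the routing table.
pass out quick on $ext_if1 proto tcp from self to any port 80 \
    nat-to ($ext_if1:0)
```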
Re: Round-robin + Squid + 3 ISP
On 2010/01/17 12:08, Steven Surdock wrote:
> -Original Message-
> From: owner...@benzedrine.cx [mailto:owner...@benzedrine.cx] On Behalf Of Stuart Henderson
> Sent: Sunday, January 17, 2010 6:20 AM
> To: mashenko shenua
> Cc: pf@benzedrine.cx
> Subject: Re: Round-robin + Squid + 3 ISP
>
> > On 2010/01/16 22:00, mashenko shenua wrote:
> > > Can you try it? Some people tell me I can't use Squid with round-robin. I see this for pfsense: http://forum.pfsense.org/index.php?topic=7591.msg42943
> > ..
> > Thinking about it some more, perhaps this isn't possible with old PF where nat was handled separately from filter rules; you might need -current to do this...
>
> I think I have seen references to using,
>
> nat on $ext1 from self to any -> ($ext1)
> nat on $ext1 from $internal_net to any -> ($ext1)
> nat on $ext2 from self to any -> ($ext2)
> nat on $ext2 from $internal_net to any -> ($ext2)

Ah, that happens before route-to, so you could probably do round-robin nat to a couple of addresses, and then have route-to punt them to the correct interface. But I can't test it; any systems that I can experiment on have been running PF with the new NAT code for several months..

> To guarantee correct outbound addressing. IMHO, this is something that Squid should handle...

Well, it's also something PF should handle; there are any number of reasons you might want to load-balance and you can't expect every app that makes an outgoing network connection to have a way to set the source address.

Looks like you can do it with squid 3 using a random ACL.
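The other approach Stuart describes, with squid choosing the source address and pf only routing on it, as an added squid.conf example (not from the thread or the pfSense post). It assumes Squid 3.2 or later for the random ACL type, and the two firewall addresses 192.0.2.10 (ISP 1) and 198.51.100.10 (ISP 2) are constructed; unlike the pfSense sample, the two tcp_outgoing_address lines use different addresses.

```conf
# Constructed addresses: 192.0.2.10 is the firewall's ISP 1 address,
# 198.51.100.10 its ISP 2 address.

# Sites that key a session to the client address (Steven's YouTube caveat)
# must always leave by the same ISP, so they are matched first.
acl pin_isp1 dstdomain .youtube.com

# Pseudo-randomly matches about half of all requests (Squid 3.2+ "random" ACL).
acl via_isp2 random 0.5

# tcp_outgoing_address: the first matching line wins; the last, with no ACL,
# is the default for everything else.
tcp_outgoing_address 192.0.2.10 pin_isp1
tcp_outgoing_address 198.51.100.10 via_isp2
tcp_outgoing_address 192.0.2.10
```

On the pf side no nat-to is needed because squid has already chosen the source address; a single `pass out quick proto tcp from 198.51.100.10 to any port 80 route-to ($ext_if2 $ext_gw2)` rule makes the packets sourced from ISP 2's address actually leave through ISP 2, while the rest follow the default route.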
Re: Round-robin + Squid + 3 ISP
Hi,

Yes, Squid is running on the same machine. Can you rewrite it?

2010/1/16 Stuart Henderson s...@spacehopper.org:
> On 2010/01/16 03:37, mashenko shenua wrote:
> > I'm trying to set up a Multiwan OpenBSD firewall. I need to use Squid but I cannot set it up with rdr and round-robin.
> >
> > pass in on $int_if route-to \
> >     { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
> >     proto tcp from $lan_net to any port http
>
> Does squid run on the firewall itself? If so, this pass in rule will not apply; squid makes its own connection from the firewall, so the packet will be outbound (i.e. you would need a pass out ... route-to {($ext_if1 $ext_gw1) ($ext_if2 $ext_gw2)} rule).
RE: Round-robin + Squid + 3 ISP
Be careful doing this as you will possibly break some websites. Youtube, for example, seems to use cookies based on source address. So, if you are doing NAT with load balancing, Youtube videos may or may not come up, depending on whether the requests exited the same ISP or not.

-Steve S.

-Original Message-
From: mashenko shenua mashenko.shen...@gmail.com
Sent: Saturday, January 16, 2010 1:07 PM
To: mashenko shenua mashenko.shen...@gmail.com; pf@benzedrine.cx pf@benzedrine.cx
Subject: Re: Round-robin + Squid + 3 ISP

Hi,

Yes, Squid is running on the same machine. Can you rewrite it?

2010/1/16 Stuart Henderson s...@spacehopper.org:
> On 2010/01/16 03:37, mashenko shenua wrote:
> > I'm trying to set up a Multiwan OpenBSD firewall. I need to use Squid but I cannot set it up with rdr and round-robin.
> >
> > pass in on $int_if route-to \
> >     { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
> >     proto tcp from $lan_net to any port http
>
> Does squid run on the firewall itself? If so, this pass in rule will not apply; squid makes its own connection from the firewall, so the packet will be outbound (i.e. you would need a pass out ... route-to {($ext_if1 $ext_gw1) ($ext_if2 $ext_gw2)} rule).
Re: Round-robin + Squid + 3 ISP
I think this can work. I don't understand why two OSes.

2010/1/16 Kahlil Erwin S. Talledo kstall...@binarysalad.com:
> Hello,
>
> I have tried doing this several times before and have spent quite a significant time trying to accomplish what you are doing, but in the long run, running squid and having it load balanced through two wan connections in a single machine is just too complicated or not possible as of the moment.
>
> What I ended up doing is virtualize two machines in one box: installing openbsd on one VM to do the wan loadbalancing and another VM for squid (i used freebsd on the squid VM), and just did internal networking to connect both. This would introduce more latency though, and i/o speed may be hampered. You can also separate both services (squid, loadbalancing) on different physical machines.
>
> Cheers,
>
> On Jan 16, 2010, at 9:36 AM, mashenko shenua wrote:
> > Hi,
> >
> > Yes, Squid is running on the same machine. Can you rewrite it?
> >
> > 2010/1/16 Stuart Henderson s...@spacehopper.org:
> > > On 2010/01/16 03:37, mashenko shenua wrote:
> > > > I'm trying to set up a Multiwan OpenBSD firewall. I need to use Squid but I cannot set it up with rdr and round-robin.
> > > >
> > > > pass in on $int_if route-to \
> > > >     { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
> > > >     proto tcp from $lan_net to any port http
> > >
> > > Does squid run on the firewall itself? If so, this pass in rule will not apply; squid makes its own connection from the firewall, so the packet will be outbound (i.e. you would need a pass out ... route-to {($ext_if1 $ext_gw1) ($ext_if2 $ext_gw2)} rule).