load-balancing, DNS

Michael Zimmer drakyri at hotmail.com
Tue Jan 1 13:44:02 PST 2008


Hi everyone,
 
I just installed pf on FreeBSD 6.2 for a firewall/NAT/load-balancer ... but I'm having some trouble.  I'm pretty sure that it isn't actually splitting the outgoing traffic (trying to load-balance over two uplinks), and the users are experiencing intermittent trouble resolving DNS entries (and being silly users, instead of reloading the page, they yell 'the Internet isn't working!' and then use that as a reason for reeeeaaally long lunches).
 
The workstations behind the FreeBSD box are mostly running some flavor of Windows; static private IPs, gateway set to the BSD box, primary DNS set to the DNS server of the ISP on uplink #1, secondary to the ISP on uplink #2.  I can force it to use either connection successfully, but not both.
 
 
Thanks in advance for any help.  Happy New Year!
 
-mike
 
 
Here's my setup:
 
dc1 is uplink #1; dc0 is uplink #2 (via a DSL modem on IP pass-through); bfe0 links to the internal network.
 
resolv.conf:
 
domain  x.com
nameserver      66.z.z.z    # DNS provided by ISP #1
 
-------------
rc.conf:
 
defaultrouter="66.x.x.x"   #this is the upstream gateway on dc0
gateway_enable="YES"
hostname="x.x.com"
ifconfig_dc0="inet 68.y.y.y  netmask 255.255.255.0"
ifconfig_dc1="inet 66.y.y.y netmask 255.255.255.224"
ifconfig_bfe0="inet 192.168.1.1  netmask 255.255.255.0"
 
inetd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
 
ntpdate_enable="YES"
ntpdate_hosts="0.us.pool.ntp.org"
 
nfs_reserved_port_only="NO"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
---------------
pf.conf:
 
ext_if1="dc0"
ext_if2="dc1"
int_if="bfe0"
ext_gw1="68.x.x.x"
ext_gw2="66.x.x.x"
internal_net="192.168.1.1/24"
tcp_services="( 22 )"
icmp_types="( 8 )"
#tables
table <blocktable> persist file "/etc/blocktable"
 
set block-policy drop
set limit { states 20000, frags 5000 }
 
set skip on lo0
 
scrub in all
 
nat on $ext_if1 from $internal_net to any -> ($ext_if1)
nat on $ext_if2 from $internal_net to any -> ($ext_if2)
block in from any to any
block out from any to any
pass out on $int_if from any to $internal_net keep state
pass in quick on $ext_if1 proto tcp from any to 68.y.y.y port 22 flags S/SA keep state #ext_if1
 
#allows ICMP outbound
pass in quick on $int_if proto icmp all keep state
#allows incoming from client's server
pass in quick on {$ext_if1, $ext_if2} proto tcp from a.b.c.d/32
pass in quick on {$ext_if1, $ext_if2} proto tcp from a.b.c.d/30
 
#blocks to inside-to-outside here
#spoofs
block in quick on $int_if from any to 172.16.0.0/12
block in quick on $int_if from any to 10.0.0.0/8
block in quick on $int_if from any to 169.254.0.0/16
block in quick on $int_if from any to 192.168.0.0/16
block in quick on $int_if from any to 204.152.64.0/23
block in quick on $int_if from any to 224.0.0.0/3
 
# traffic from inside goes straight out
pass in quick on $int_if from 192.168.1.0/24 to $int_if
pass out on $ext_if1 from [address of $ext_if1] to any flags S/SA keep state
pass out on $ext_if2 from [address of $ext_if2] to any flags S/SA keep state
 
#load balancing ...?
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { tcp icmp udp } from 192.168.1.1/24 to any flags S/SA modulate state
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { tcp icmp udp } from any to any flags S/SA modulate state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
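Added example (not part of Mike's message, and not a ruleset from the FreeBSD or pf projects): a minimal two-uplink pf.conf fragment in the shape of the pf FAQ's outbound load-balancing recipe, using the interface names from the post and placeholder addresses. It differs from the posted ruleset in two points that bear on the symptoms described. First, each ISP's resolver is pinned to that ISP's uplink by quick rules placed ahead of the round-robin rule; under pure round-robin roughly half of the queries to each resolver leave through the other provider's NAT address, and provider resolvers commonly answer only queries from their own address space (an assumption about these two ISPs, but the usual cause of intermittent lookups in exactly this layout). Second, round-robin picks an uplink per state, so one download never spans both links; splitting shows up only as different connections taking different uplinks, which is what to look for when checking. $dns2 is a placeholder for ISP #2's resolver.

```pf
# Added example, not the original poster's configuration.
# Interface names follow the post; gateway and resolver addresses are placeholders.
ext_if1 = "dc0"
ext_gw1 = "68.x.x.x"
ext_if2 = "dc1"
ext_gw2 = "66.x.x.x"
int_if  = "bfe0"
internal_net = "192.168.1.0/24"
dns1 = "66.z.z.z"   # ISP #1 resolver (as in the posted resolv.conf)
dns2 = "68.z.z.z"   # ISP #2 resolver (placeholder)

set skip on lo0
scrub in all

# NAT each uplink to its own address
nat on $ext_if1 from $internal_net to any -> ($ext_if1)
nat on $ext_if2 from $internal_net to any -> ($ext_if2)

block all
pass out on $int_if from any to $internal_net keep state
pass in on $int_if from $internal_net to $int_if keep state

# Pin each ISP's resolver to its own uplink. These are quick rules listed
# before the round-robin rule, so they win for port 53 traffic.
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) proto { tcp udp } \
    from $internal_net to $dns1 port 53 keep state
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) proto { tcp udp } \
    from $internal_net to $dns2 port 53 keep state

# Everything else from the LAN is spread over both uplinks, one uplink per state
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { tcp udp icmp } from $internal_net to any keep state

# Traffic from the firewall's own addresses leaves via the matching uplink,
# even when the kernel routing table would have sent it out the default route
pass out on $ext_if1 from ($ext_if1) to any keep state
pass out on $ext_if2 from ($ext_if2) to any keep state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any keep state
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any keep state
```

To check the result rather than infer it from user complaints: pfctl -nf /etc/pf.conf parses the file without loading it, and after loading, pfctl -vsr prints per-rule packet and byte counters, so the two resolver rules and the round-robin rule can each be seen matching. Both uplinks are in use when the NAT states from pfctl -ss show connections translated to the dc0 address as well as the dc1 address.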
 