load-balancing, DNS

Tommy Pham tommyhp2 at yahoo.com
Tue Jan 1 22:23:16 PST 2008


Hi Michael,

Another method that you can try is:

pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
    from any to { $ns1a, $ns1b } keep state
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
    from any to { $ns2a, $ns2b } keep state

The number corresponds to the provider's info.

I also have load balancing from 2 different providers.  The above rules
work great for me.

~Tommy


--- Michael Smith <mksmith at adhost.com> wrote:

> Hello Michael:
> 
> I think you want to use "reply-to" instead of "route-to" on load
> balance rules since you need it to go out the same interface it came
> in on.  This will work in conjunction with any connection that has
> state, so make sure your DNS pass rule has keep state.
> 
> Try
> 
> pass in quick on $int_if reply-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
>     round-robin proto { tcp icmp udp } from 192.168.1.1/24 to any \
>     flags S/SA keep state
> 
> pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
>     round-robin sticky-address proto { tcp icmp udp } from any to any \
>     flags S/SA keep state
> 
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
> 
> Regards,
> 
> Mike
> 
> On Jan 1, 2008, at 1:32 PM, Michael Zimmer wrote:
> 
> >
> > Hi everyone,
> >
> > I just installed pf on FreeBSD 6.2 for a firewall/NAT/load-balancer ...
> > but I'm having some trouble.  I'm pretty sure that it isn't actually
> > splitting the outgoing traffic (trying to load-balance over two
> > uplinks), and the users are experiencing intermittent trouble resolving
> > DNS entries (and being silly users, instead of reloading the page, they
> > yell 'the Internet isn't working!' and then use that as a reason for
> > reeeeaaally long lunches).
> >
> > The workstations behind the FreeBSD box are mostly running some flavor
> > of Windows; static private IPs, gateway set to the BSD box, primary DNS
> > set to the DNS server of the ISP on uplink #1, secondary to the ISP on
> > uplink #2.  I can force it to use either connection successfully, but
> > not both.
> >
> >
> > Thanks in advance for any help.  Happy New Year!
> >
> > -mike
> >
> >
> > Here's my setup:
> >
> > dc1 is uplink #1; dc0 is uplink #2 (via a DSL modem on IP pass-through);
> > bfe0 links to the internal network.
> >
> > resolv.conf:
> >
> > domain  x.com
> > nameserver      66.z.z.z    # DNS provided by ISP #1
> >
> > -------------
> > rc.conf:
> >
> > defaultrouter="66.x.x.x"   #this is the upstream gateway on dc0
> > gateway_enable="YES"
> > hostname="x.x.com"
> > ifconfig_dc0="inet 68.y.y.y  netmask 255.255.255.0"
> > ifconfig_dc1="inet 66.y.y.y netmask 255.255.255.224"
> > ifconfig_bfe0="inet 192.168.1.1  netmask 255.255.255.0"
> >
> > inetd_enable="YES"
> > linux_enable="YES"
> > sshd_enable="YES"
> > usbd_enable="YES"
> >
> > ntpdate_enable="YES"
> > ntpdate_hosts="0.us.pool.ntp.org"
> >
> > nfs_reserved_port_only="NO"
> > pf_enable="YES"
> > pf_rules="/etc/pf.conf"
> > pf_flags=""
> > pflog_enable="YES"
> > pflog_logfile="/var/log/pflog"
> > pflog_flags=""
> > ---------------
> > pf.conf:
> >
> > ext_if1="dc0"
> > ext_if2="dc1"
> > int_if="bfe0"
> > ext_gw1="68.x.x.x"
> > ext_gw2="66.x.x.x"
> > internal_net="192.168.1.1/24"
> > tcp_services="( 22 )"
> > icmp_types="( 8 )"
> > #tables
> > table <blocktable> persist file "/etc/blocktable"
> >
> > set block-policy drop
> > set limit { states 20000, frags 5000 }
> >
> > set skip on lo0
> >
> > scrub in all
> >
> > nat on $ext_if1 from $internal_net to any -> ($ext_if1)
> > nat on $ext_if2 from $internal_net to any -> ($ext_if2)
> > block in from any to any
> > block out from any to any
> > pass out on $int_if from any to $internal_net keep state
> > pass in quick on $ext_if1 proto tcp from any to 68.y.y.y port 22 flags S/SA keep state #ext_if1
> >
> > #allows ICMP outbound
> > pass in quick on $int_if proto icmp all keep state
> > #allows incoming from client's server
> > pass in quick on {$ext_if1, $ext_if2} proto tcp from a.b.c.d/32
> > pass in quick on {$ext_if1, $ext_if2} proto tcp from a.b.c.d/30
> >
> > #blocks to inside-to-outside here
> > #spoofs
> > block in quick on $int_if from any to 172.16.0.0/12
> > block in quick on $int_if from any to 10.0.0.0/8
> > block in quick on $int_if from any to 169.254.0.0/16
> > block in quick on $int_if from any to 192.168.0.0/16
> > block in quick on $int_if from any to 204.152.64.0/23
> > block in quick on $int_if from any to 224.0.0.0/3
> >
> > # traffic from inside goes straight out
> > pass in quick on $int_if from 192.168.1.0/24 to $int_if
> > pass out on $ext_if1 from [address of $ext_if1] to any flags S/SA keep state
> > pass out on $ext_if2 from [address of $ext_if2] to any flags S/SA keep state
> >
> > #load balancing ...?
> > pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> >     round-robin proto { tcp icmp udp } from 192.168.1.1/24 to any \
> >     flags S/SA modulate state
> > pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> >     round-robin proto { tcp icmp udp } from any to any \
> >     flags S/SA modulate state
> > pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> > pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
> >
> > freebsd-pf at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to
> "freebsd-pf-unsubscribe at freebsd.org"
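A pf.conf that combines the two replies in this thread (Tommy's per-provider pinning of DNS queries, and Mike's reply-to for inbound connections plus round-robin with sticky-address for the rest), written as an added example and not taken from either poster; interface names follow the thread, while gateway and resolver addresses are constructed RFC 5737 placeholders:

```pf
# Macros: interface names as in the thread; gateway and resolver addresses
# are constructed placeholders from the RFC 5737 documentation ranges.
ext_if1="dc0"
ext_if2="dc1"
int_if="bfe0"
ext_gw1="192.0.2.1"
ext_gw2="198.51.100.1"
int_net="192.168.1.0/24"
ns1="{ 192.0.2.53, 192.0.2.54 }"         # resolvers of the ISP on $ext_if1
ns2="{ 198.51.100.53, 198.51.100.54 }"   # resolvers of the ISP on $ext_if2

set block-policy drop
set skip on lo0
scrub in all

# Source-NAT each uplink's traffic to that uplink's own address.
nat on $ext_if1 from $int_net to any -> ($ext_if1)
nat on $ext_if2 from $int_net to any -> ($ext_if2)

block in all
block out all

# Inbound services on an uplink: reply-to sends the replies back out the
# uplink the request arrived on instead of following the default route.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to ($ext_if1) port 22 flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to ($ext_if2) port 22 flags S/SA keep state

# DNS pinning: queries to an ISP's resolvers must leave through that ISP's
# uplink, since ISP resolvers commonly answer only their own customers.
# 'quick' and listed before the round-robin rule, so these win for port 53.
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) proto { tcp udp } \
    from $int_net to $ns1 port 53 keep state
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) proto { tcp udp } \
    from $int_net to $ns2 port 53 keep state

# Everything else from the LAN is spread over both uplinks; sticky-address
# keeps a given client on one uplink so its sessions share one public IP.
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin sticky-address proto { tcp udp icmp } \
    from $int_net to any keep state

# Let translated traffic leave, and move packets that the kernel's default
# route put on the wrong uplink over to the one matching their source.
pass out on $ext_if1 from ($ext_if1) to any keep state
pass out on $ext_if2 from ($ext_if2) to any keep state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm with `pfctl -ss` that port 53 states to each resolver set carry the matching uplink's address.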