load-balancing, DNS

Michael Zimmer drakyri at hotmail.com
Wed Jan 2 01:45:39 PST 2008


Thanks to both of you ... it looks okay remotely - I'll test it on-site tomorrow.
 
-mike

> Date: Tue, 1 Jan 2008 21:56:34 -0800
> From: tommyhp2 at yahoo.com
> To: freebsd-pf at freebsd.org
> Subject: Re: load-balancing, DNS
>
> Hi Michael,
>
> Another method that you can try is:
>
> pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
>     from any to { $ns1a, $ns1b } keep state
> pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
>     from any to { $ns2a, $ns2b } keep state
>
> the number corresponds to the provider's info
>
> I also have load balancing from 2 different providers. The above rules
> work great for me.
>
> ~Tommy
>
>
> --- Michael Smith <mksmith at adhost.com> wrote:
>
> > Hello Michael:
> >
> > I think you want to use "reply-to" instead of "route-to" on load
> > balance rules since you need it to go out the same interface it came
> > in on. This will work in conjunction with any connection that has
> > state, so make sure your DNS pass rule has keep-state.
> >
> > Try
> >
> > pass in quick on $int_if reply-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> >     round-robin proto { tcp icmp udp } from 192.168.1.1/24 to any \
> >     flags S/SA keep state
> >
> > pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> >     round-robin sticky-address proto { tcp icmp udp } from any to any \
> >     flags S/SA keep state
> >
> > pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> > pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
> >
> > Regards,
> >
> > Mike
> >
> > On Jan 1, 2008, at 1:32 PM, Michael Zimmer wrote:
> >
> > > Hi everyone,
> > >
> > > I just installed pf on FreeBSD 6.2 for a firewall/NAT/load-balancer
> > > ... but I'm having some trouble. I'm pretty sure that it isn't
> > > actually splitting the outgoing traffic (trying to load-balance over
> > > two uplinks), and the users are experiencing intermittent trouble
> > > resolving DNS entries (and being silly users, instead of reloading
> > > the page, they yell 'the Internet isn't working!' and then use that
> > > as a reason for reeeeaaally long lunches).
> > >
> > > The workstations behind the FreeBSD box are mostly running some
> > > flavor of Windows; static private IPs, gateway set to the BSD box,
> > > primary DNS set to the DNS server of the ISP on uplink #1, secondary
> > > to the ISP on uplink #2. I can force it to use either connection
> > > successfully, but not both.
> > >
> > > Thanks in advance for any help. Happy New Year!
> > >
> > > -mike
> > >
> > > Here's my setup:
> > >
> > > dc1 is uplink #1; dc0 is uplink #2 (via a DSL modem on IP
> > > pass-through); bfe0 links to the internal network.
> > >
> > > resolv.conf:
> > >
> > > domain x.com
> > > nameserver 66.z.z.z # DNS provided by ISP #1
> > >
> > > -------------
> > > rc.conf:
> > >
> > > defaultrouter="66.x.x.x" #this is the upstream gateway on dc0
> > > gateway_enable="YES"
> > > hostname="x.x.com"
> > > ifconfig_dc0="inet 68.y.y.y netmask 255.255.255.0"
> > > ifconfig_dc1="inet 66.y.y.y netmask 255.255.255.224"
> > > ifconfig_bfe0="inet 192.168.1.1 netmask 255.255.255.0"
> > >
> > > inetd_enable="YES"
> > > linux_enable="YES"
> > > sshd_enable="YES"
> > > usbd_enable="YES"
> > >
> > > ntpdate_enable="YES"
> > > ntpdate_hosts="0.us.pool.ntp.org"
> > >
> > > nfs_reserved_port_only="NO"
> > > pf_enable="YES"
> > > pf_rules="/etc/pf.conf"
> > > pf_flags=""
> > > pflog_enable="YES"
> > > pflog_logfile="/var/log/pflog"
> > > pflog_flags=""
> > > ---------------
> > > pf.conf:
> > >
> > > ext_if1="dc0"
> > > ext_if2="dc1"
> > > int_if="bfe0"
> > > ext_gw1="68.x.x.x"
> > > ext_gw2="66.x.x.x"
> > > internal_net="192.168.1.1/24"
> > > tcp_services="( 22 )"
> > > icmp_types="( 8 )"
> > > #tables
> > > table <blocktable> persist file "/etc/blocktable"
> > >
> > > set block-policy drop
> > > set limit { states 20000, frags 5000 }
> > >
> > > set skip on lo0
> > >
> > > scrub in all
> > >
> > > nat on $ext_if1 from $internal_net to any -> ($ext_if1)
> > > nat on $ext_if2 from $internal_net to any -> ($ext_if2)
> > > block in from any to any
> > > block out from any to any
> > > pass out on $int_if from any to $internal_net keep state
> > > pass in quick on $ext_if1 proto tcp from any to 68.y.y.y port 22 flags S/SA keep state #ext_if1
> > >
> > > #allows ICMP outbound
> > > pass in quick on $int_if proto icmp all keep state
> > > #allows incoming from client's server
> > > pass in quick on {$ext_if1, $ext_if2} proto tcp from a.b.c.d/32
> > > pass in quick on {$ext_if1, $ext_if2} proto tcp from a.b.c.d/30
> > >
> > > #blocks to inside-to-outside here
> > > #spoofs
> > > block in quick on $int_if from any to 172.16.0.0/12
> > > block in quick on $int_if from any to 10.0.0.0/8
> > > block in quick on $int_if from any to 169.254.0.0/16
> > > block in quick on $int_if from any to 192.168.0.0/16
> > > block in quick on $int_if from any to 204.152.64.0/23
> > > block in quick on $int_if from any to 224.0.0.0/3
> > >
> > > # traffic from inside goes straight out
> > > pass in quick on $int_if from 192.168.1.0/24 to $int_if
> > > pass out on $ext_if1 from [address of $ext_if1] to any flags S/SA keep state
> > > pass out on $ext_if2 from [address of $ext_if2] to any flags S/SA keep state
> > >
> > > #load balancing ...?
> > > pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> > >     round-robin proto { tcp icmp udp } from 192.168.1.1/24 to any \
> > >     flags S/SA modulate state
> > > pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> > >     round-robin proto { tcp icmp udp } from any to any \
> > >     flags S/SA modulate state
> > > pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> > > pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
> > >
> > > _______________________________________________
> > > freebsd-pf at freebsd.org mailing list
> > > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > > To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
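The two suggestions in the thread, Michael Smith's reply-to/route-to split and Tommy's per-provider DNS pinning, combined into one pf.conf as an added example. This is not code from the thread, from either poster, or from the pf project; interface names, gateway addresses and resolver addresses are placeholders taken from the RFC 5737 documentation ranges, and the rule syntax is the FreeBSD 6.x pf dialect the original setup uses. The point worth spelling out: each uplink NATs to its own address, so a query for ISP #1's resolver that round-robin sends out through ISP #2 arrives from ISP #2's address, and a resolver that only serves its own customers refuses it. Roughly every other query failing is the intermittent resolution failure described above. Pinning each provider's resolvers to that provider's gateway removes that path. reply-to is attached to the inbound rules on the external interfaces, which is where pf applies it: a reply for a connection that arrived on $ext_if2 goes back through $ext_gw2 rather than via the default route.

```pf
# Added example, not code from the thread or from the pf project.
# Dual-uplink pf.conf for FreeBSD 6.x pf: outbound load balancing plus
# per-provider DNS pinning. All interface names, gateway addresses and
# resolver addresses below are placeholders (RFC 5737 documentation nets).
ext_if1 = "dc0"            # uplink to ISP #1
ext_if2 = "dc1"            # uplink to ISP #2
int_if  = "bfe0"           # LAN
ext_gw1 = "192.0.2.1"      # ISP #1 gateway (placeholder)
ext_gw2 = "198.51.100.1"   # ISP #2 gateway (placeholder)
lan_net = "192.168.1.0/24"
# Resolvers handed out to the workstations. Each set must only ever be
# reached through its own provider's uplink: a query that leaves through
# the other uplink is NATed to the other ISP's address, and a resolver
# that serves only its own customers will refuse it.
ns1 = "{ 192.0.2.53, 192.0.2.54 }"        # ISP #1 resolvers (placeholder)
ns2 = "{ 198.51.100.53, 198.51.100.54 }"  # ISP #2 resolvers (placeholder)

set block-policy drop
set skip on lo0
scrub in all

# NAT on each uplink to that uplink's own address.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

block all
antispoof quick for $int_if

# Inbound services: reply-to sits on the rule for the external interface
# the connection arrives on, so replies for a session that came in on
# $ext_if2 go back out through $ext_gw2 instead of the default route.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to ($ext_if1) port 22 flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to ($ext_if2) port 22 flags S/SA keep state

# LAN hosts talking to the gateway itself, and the gateway answering.
pass in quick on $int_if from $lan_net to ($int_if) keep state
pass out on $int_if from any to $lan_net keep state

# DNS pinning: queries to ISP #1's resolvers always use uplink #1,
# queries to ISP #2's resolvers always use uplink #2. These rules are
# "quick" and precede the round-robin rules, so they win.
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
    proto { tcp, udp } from $lan_net to $ns1 port 53 keep state
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
    proto { tcp, udp } from $lan_net to $ns2 port 53 keep state

# Everything else from the LAN alternates between the uplinks per new
# connection; sticky-address keeps one internal host on one uplink so
# that multi-connection sessions keep a stable public source address.
# TCP gets its own rule because "flags" applies to TCP only.
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin sticky-address proto tcp from $lan_net to any \
    flags S/SA modulate state
pass in quick on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin sticky-address proto { udp, icmp } from $lan_net to any \
    keep state

# Packets whose source address belongs to the other uplink, which the
# kernel routing table would otherwise send out the wrong interface, are
# pushed back through the matching gateway; the plain pass out rules
# cover the rest.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any
pass out on $ext_if1 from ($ext_if1) to any keep state
pass out on $ext_if2 from ($ext_if2) to any keep state
```

Parse it with `pfctl -nf /etc/pf.conf` before loading. Once loaded, `pfctl -vsr` prints per-rule packet counters: the two DNS pinning rules should accumulate hits while the workstations resolve names, and the round-robin rules should see no port 53 traffic to those resolvers at all. If the counters on the pinning rules stay at zero, the workstations are using resolvers other than the ones listed in the macros.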

