Per flow load balancing

Darcy Buskermolen darcy at wavefire.com
Tue Dec 21 08:25:48 PST 2004 

On December 20, 2004 10:33 am, Corey Smith wrote:
> On Fri, 2004-12-17 at 14:31 -0800, Darcy Buskermolen wrote:
> > Yes you can do this through the use of keep-state/check-state
>
> I'm trying a rule base like:
>
> 00005	check-state
> 00006	allow udp from any to any
> 00007	allow icmp from any to any
> 00010	reject tcp from any to any established
> 00015	prob 0.5 fwd tun1peerip tcp from any to any \
> 	recv bge0 xmit tun0 setup keep-state
> 00020	allow tcp from any to any setup keep-state
> 65535	allow ip from any to any
>
> Unfortunately no connections ever match rule 15.  Any way you can show
> me an example of using keep-state/check-state for per flow load
> balancing?

Here is a cut down set I use in one of my setups that does perflow load 
ballancing


add 1    skipto 50000 tcp from any 1023-65535 to me 22 via xl1
#interactive traffic like ssh or telnet is best suited to the DSL
1000 skipto 1012 tcp from 192.168.0.0/16 to 1.2.3.0/24 22,23    #skip vpn 
traffic
1010 divert 8668 tcp from 192.168.0.0/16 to not 192.168.0.0/16 22    #xl0
1011 divert 8668 tcp from 192.168.0.0/16 to not 192.168.0.0/16 23    #xl0

#5000 -> 5999  default divert rules
5000 divert 8668 ip from any to me in via xl0
5001 divert 8669 ip from any to me in via fxp0

add 5010 check-state
#push 45% of the traffic down the DSL
5100 prob 0.4 skipto 5500 ip from 192.168.0.0/16 to not 192.168.0.0/16 out 
keep-state
5101 skipto 5550 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 20,2
1 out keep-state
#the rest down cable
5110 skipto 5550 ip from 192.168.0.0/16 to not 192.168.0.0/16 out keep-state
5500 divert 8668 ip from 192.168.0.0/16 to not 192.168.0.0/16
550 divert 8669 ip from 192.168.0.0/16 to not 192.168.0.0/16

10000 skipto 50000 ip   from 192.162.0.0/16 to me     in  via xl1
10020 skipto 50000 tcp  from any to any established
11010 skipto 50000 icmp from me to any
60000 fwd dslgateway ip from  mydslip to not 192.168.0.0/16
60001 fwd cablegateway  ip from   mycableip to not 192.168.0.0/16
65534 allow ip from any to any


>
> -Corey Smith
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"

-- 
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200
fx:  250.763.1759
http://www.wavefire.com

More information about the freebsd-ipfw mailing list