Help: Load Balancing 2 external connections

LD ldsift-applels at yahoo.com.au
Mon Nov 8 13:40:01 PST 2004


Hi Paweł,

Thanks for your explanations. If I can bother you some more...

On 09/11/2004, at 7:36 AM, Pawel Malachowski wrote:

> On Tue, Nov 09, 2004 at 05:45:11AM +1100, LD wrote:
>> My Questions are:
>> a) Do I need any specific kernel options? i.e., features that aren't
>> available otherwise through dynamic loading.
>
> Using divert requires IPDIVERT option (loadable version of divert is
> in very fresh sources only), which is not in GENERIC I guess.
> Both ipfw and dummynet can be loaded from modules.
> Warning: ipfw default policy is to block all traffic so be careful when
> loading it remotely. :)

That won't be a problem as I'll be at the machine.

>> b) I'd like to make the whole thing transparent to the internal
>> network. i.e., internal computers nameserver references are to the
>> gateway (rather than isp) which then translates such requests to the
>> appropriate nameserver(s) of the relevant isp according to which pipe
>> the request is sent through :-)
>
> That's obsolete. Set up your caching DNS server or allow to use
> nameservers of both upstream ISPs.

No worries.

>> b) I'm assuming that for the most part 'prob 0.5' will balance the load
>> between two pipes to the external interfaces...but is there a better
>> scheme? Also guaranteeing that a complete conversation, once initiated
>> via an interface would continue through that interface...
>
> What You want is called `fwd'. Still, prob 0.5 will match 50% of packets,
> which are not TCP sessions, so it won't work this way. You want connection
> (flow) balancing. This may be hard to achieve. I would experiment with
> fwd rule with keep-state option.

Is my understanding correct that the following (placed before the fwd 
rules) achieves that?
i.e., 'ipfw add check-state' placed prior to '<some fwd rule> setup 
keep-state'

>> d) any other tricks of the trade?
>
> As said, this DNS stuff seems weird.
> Also fwd is not used.

Would you be able to show me a quick skeleton example of how you'd do 
your script?

> Also prob 0.5 is not used properly (first 50% will match 50%, second
> will match 50% of rest 50%, which gives 25%).

Ah, so second one should not have a prob so as to match the 
remainder...of course (was too early in the morning).

> Try setting default route to one ISP and fwd 50% of flows from its
> interface to second ISP gateway.

Quick example?

> Note, by default pipe will accept packet (it won't be checked against
> other rules). Same with fwd. Same with allow.
>
> I would suggest temporarily resigning from blocking and dummynet stuff
> and just trying to create pure load-balancing. It will be hard enough.

The reason I went for the dummynet stuff (and hence got off track as 
you've said) is that I'm wanting to test this out at home (where I 
don't have 2 external connections or 3 network cards - but instead 2 
network cards) prior to taking down the company network. So, how would 
you simulate this? Or what would you suggest?

> Always do `ipfw -d show' and look at rule counters to make sure that
> packets go as expected.

Okay, thanks.

> I would also look at ipf and pf firewalls, they have strong session
> handling, You may find one of them easier to set up or even
> find some ready-to-use examples with google.

I will certainly have another look should this avenue fail...I just 
liked the syntax/concept/integration of ipfw/dummynet.

I've spent a fair amount of time trying to get familiar with ipfw - so 
it'd be good if these things can be done through it...

Thanks for your assistance!

with regards,

--
LD
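A skeleton of the check-state / fwd keep-state layout discussed in the thread (check-state first, a single prob 0.5 fwd rule with keep-state, and an un-prob'd rule for the remainder), as an added example that is not code from either poster. The interface name fxp1, the addresses 192.168.1.0/24 and 10.2.0.1, and the DRY_RUN switch are hypothetical placeholders I introduced so the script can be printed and sanity-checked without touching a live kernel:

```shell
#!/bin/sh
# Added skeleton (not from the thread): 50/50 outbound TCP balancing that pins each
# flow to one ISP with ipfw 'fwd' + 'keep-state', per Pawel's suggestion. Names and
# addresses below are hypothetical placeholders; adjust to your own setup.
LAN_NET="192.168.1.0/24"   # internal network behind the gateway
ISP_A_IF="fxp1"            # NIC toward ISP A, which holds the default route
ISP_B_GW="10.2.0.1"        # ISP B's gateway, directly reachable via the third NIC

# Set DRY_RUN=1 to print the rules instead of loading them into the kernel.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "ipfw $*"; else /sbin/ipfw -q "$@"; fi
}

# Emit the rule set, one rule per line, in the order it must be loaded.
balance_rules() {
    # check-state first: a packet matching a dynamic entry re-runs the action of
    # the rule that created it, so a flow stays on the ISP it started on.
    echo "add 100 check-state"
    # New TCP flows (setup) leaving via ISP A: about half go to ISP B's gateway.
    # keep-state makes 'prob' select flows rather than individual packets.
    echo "add 200 prob 0.5 fwd $ISP_B_GW tcp from $LAN_NET to any out via $ISP_A_IF setup keep-state"
    # The remainder: no 'prob' here, so this takes everything rule 200 skipped
    # (a second 'prob 0.5' would only catch 25% of the total).
    echo "add 210 allow tcp from $LAN_NET to any out via $ISP_A_IF setup keep-state"
    # Leave the rest open while testing; tighten once 'ipfw -d show' looks right.
    echo "add 65000 allow ip from any to any"
}

# Sanity check: check-state precedes the first fwd rule and exactly one rule
# carries 'prob'. Returns 0 when the set is ordered as intended.
rules_ok() {
    rules=$(balance_rules)
    cs=$(printf '%s\n' "$rules" | grep -n 'check-state' | head -n 1 | cut -d: -f1)
    fw=$(printf '%s\n' "$rules" | grep -n ' fwd ' | head -n 1 | cut -d: -f1)
    nprob=$(printf '%s\n' "$rules" | grep -c ' prob ')
    [ -n "$cs" ] && [ -n "$fw" ] && [ "$cs" -lt "$fw" ] && [ "$nprob" -eq 1 ]
}

load_rules() {
    rules_ok || { echo "rule set fails sanity check" >&2; return 1; }
    run -f flush
    balance_rules | while read -r rule; do
        run $rule   # word splitting intended: each word is an ipfw argument
    done
}

# Note: a LAN on private addresses also needs one NAT per uplink, which this
# skeleton leaves out on purpose, as the thread suggests starting with pure balancing.
if [ "${DRY_RUN:-0}" = 1 ]; then load_rules; fi
```

Run it with DRY_RUN=1 first and compare the printed rules against `ipfw -d show` counters once loaded, as Pawel advises.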


More information about the freebsd-ipfw mailing list