Help: Load Balancing 2 external connections

Pawel Malachowski pawmal-posting at freebsd.lublin.pl
Thu Nov 11 05:02:42 PST 2004


On Tue, Nov 09, 2004 at 08:39:58AM +1100, LD wrote:

> >fwd rule with keep-state option.
> 
> Is my understanding correct that the following (placed before the fwd 
> rules) achieves that?
> i.e., 'ipfw add check-state' placed prior to '<some fwd rule> setup 
> keep-state'

Something like:
 // route add default ISP1
 ipfw add A check-state
 ...
 ipfw add B prob 0.5 fwd ISP2 ip from LAN to any out xmit ISP1 keep-state

(Haven't tried.)

Still, connection speeds and directions may vary, so traffic on ISP1 and ISP2
may not be shared equally. It can't be helped.

I forgot to note that `fwd' requires yet another option in the kernel config,
IPFIREWALL_FORWARD.

There is another problem here: NAT.
Outgoing packets have to be NAT-ed before they match the fwd rule.
With natd, keep-state and prob should be moved from the fwd rule to the natd rule,
and the fwd rule should match packets using their NAT-ed address. (Ouch, there
is also a problem with prob: it is checked before keep-state is checked.
We will try to work around this.)
Incoming packets have to be un-NAT-ed before they touch the check-state rule.

So, it would be something like this:

 default gw is ISP1GW
 on ISP1 link, NAT to ISP1NATIP
 on ISP2 link, NAT to ISP2NATIP


add divert NATD1 ip from any to any in recv ISP1
add divert NATD2 ip from any to any in recv ISP2
# we have private IPs now

add check-state # if we have state, the packet belongs to a fwded flow, so jump to the count line
# only packets without state are left here

add prob 0.5 skipto X ip from LAN to any out xmit ISP1 # prob matches before keep-state, try to work around
# we have half of the new (not belonging to any flow) packets here
add count ip from any to any keep-state # our workaround: create state for them, no prob here
add divert NATD2 ip from LAN to any out xmit ISP1 # pass outgoing to NATD2 so they will be fwded to ISP2 later
add fwd ISP2GW ip from ISP2NATIP to any out xmit ISP1 # redirect ISP2 traffic from ISP1 to ISP2 link
# theoretically, what we have left here is:
# traffic in recv ISP2, after un-NATing, with state (jumped from check-state)

add X divert NATD1 ip from any to any out xmit ISP1 # the other 50% of flows leave via ISP1
# traffic to ISP1 goes via default route, so do nothing
// traffic to ISP1 goes via default route, so do nothing


This is written from scratch, is untested and may not work; don't blame me. ;)


-- 
Paweł Małachowski
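The rule order sketched in the post above, turned into a loadable script. This is an added example, not the post's own ruleset and not code from the FreeBSD project: the interface names (em0, em1), the addresses (RFC 5737 documentation ranges), the natd divert ports 8668/8669 and the rule numbers are assumptions. It goes one step beyond the sketch in the post: both keep-state rules match only new outbound LAN traffic, and the ISP1 path gets its own keep-state rule. With a catch-all "count ip from any to any keep-state", an un-NAT-ed reply arriving on ISP1 (which has no state, since ISP1 flows are stateless in the sketch) would itself create a dynamic rule at that line, and the next outbound packet of that flow would then jump from check-state to the count line, be NAT-ed by NATD2 and be forwarded to ISP2 with a different source address. Restricting keep-state to outbound LAN packets closes that hole.

```sh
#!/bin/sh
# Dual-ISP outbound balancing with ipfw + natd, in the rule order the post
# sketches.  Added example, not the post's ruleset: interfaces, addresses,
# natd ports and rule numbers below are assumptions.
#
# Assumed topology:
#   LAN   192.168.1.0/24 behind this box
#   ISP1  em0, default route via its gateway, NAT to em0's address
#   ISP2  em1, gateway 203.0.113.1, NAT to 203.0.113.2
#   natd for ISP1 on divert port 8668, natd for ISP2 on divert port 8669
# The kernel needs options IPFIREWALL, IPFIREWALL_FORWARD and IPDIVERT.
set -u

LAN=${LAN:-192.168.1.0/24}
ISP1=${ISP1:-em0}
ISP2=${ISP2:-em1}; ISP2GW=${ISP2GW:-203.0.113.1}; ISP2NATIP=${ISP2NATIP:-203.0.113.2}
NATD1=${NATD1:-8668}
NATD2=${NATD2:-8669}
SHARE=${SHARE:-0.5}   # fraction of new outbound flows sent to ISP1 (skipto path)

# Print the ruleset, one "add ..." argument list per line.  Ordering is the
# whole point: un-NAT inbound, then check-state, then prob/skipto, then a
# per-link keep-state + NAT (+ fwd for ISP2).
gen_rules() {
    cat <<EOF
# 1. un-NAT inbound packets on each link so state lookups see LAN addresses
add 100 divert $NATD1 ip from any to any in recv $ISP1
add 110 divert $NATD2 ip from any to any in recv $ISP2
# 2. packets of an already-assigned flow jump to their parent count rule
#    (400 for ISP2 flows, 600 for ISP1 flows) and continue from there
add 200 check-state
# 3. only new outbound flows get here; prob is checked before keep-state,
#    so state is created by the count rule of each path instead
add 300 prob $SHARE skipto 600 ip from $LAN to any out xmit $ISP1
# 4. ISP2 path: record state, NAT to $ISP2NATIP, forward to the ISP2 gateway.
#    keep-state matches only new outbound LAN traffic, so an un-NAT-ed reply
#    arriving on ISP1 can never create state here and be moved to ISP2.
add 400 count ip from $LAN to any out xmit $ISP1 keep-state
add 410 divert $NATD2 ip from $LAN to any out xmit $ISP1
add 420 fwd $ISP2GW ip from $ISP2NATIP to any out xmit $ISP1
# 5. ISP1 path: record state, NAT on the default link, let routing do the rest
add 600 count ip from $LAN to any out xmit $ISP1 keep-state
add 610 divert $NATD1 ip from any to any out xmit $ISP1
# no filtering in this sketch; everything else is accepted
add 65000 allow ip from any to any
EOF
}

# Print the number of the first rule whose text contains the fixed string $1
# (empty if none).  Used to check the ordering invariants of the ruleset.
rule_num() {
    gen_rules | grep -v '^#' | grep -F -- "$1" | head -n 1 | awk '{ print $2 }'
}

# Load the ruleset for real: one natd per link, then the rules in order.
# natd -n takes the alias address from the interface; ISP2's natd gets its
# address explicitly because its packets are diverted while leaving $ISP1.
apply_rules() {
    sysctl net.inet.ip.forwarding=1
    natd -p "$NATD1" -n "$ISP1"
    natd -p "$NATD2" -a "$ISP2NATIP"
    ipfw -q -f flush
    gen_rules | grep -v '^#' | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of the rule is intended
        ipfw -q $rule
    done
}

case ${1:-} in
    apply) apply_rules ;;
    *)     gen_rules ;;      # default: just show the ruleset for review
esac
```

Run it with no argument to print the ruleset for review, or with `apply` on the gateway (as root) to start the two natd instances and load the rules. The rule numbers leave room for filtering rules between the steps; whatever you add must keep the un-NAT rules before check-state and the divert-to-NATD2 rule immediately before the fwd rule, since a packet returning from natd re-enters ipfw at the rule after the divert.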

