Load Balancing Outgoing, its possible ?
G Bryant
gbryant at roamingsolutions.net
Fri Oct 28 10:02:03 PDT 2005
Daniel Dias Gonçalves wrote:
> G Bryant escreveu:
>
>> Daniel Dias Gonçalves wrote:
>>
>>>
>>> Complicated ? Its possible ?
>>>
>>> TELECOM
>>> LOAD SHARING PER PACKET
>>> ------------------------------------------------------------------------------------------
>>>
>>> | | | |
>>> | |
>>> | | | |
>>> | |
>>> -------------------------------------
>>> -------------------------------------
>>> CISCO 2600 (6mbps) HAUWEI (6mbps)
>>> LOAD SHARING PER PACKET LOAD SHARING PER
>>> PACKET
>>> -------------------------------------
>>> -------------------------------------
>>> Ethernet (64.XX.XX.1/30) Ethernet
>>> (65.XX.XX.1/30)
>>> | |
>>> | |
>>> | |
>>> XL0 (64.XX.XX.2/30) XL1
>>> (65.XX.XX.2/30)
>>> ------------------------------------------------------------------------------------------
>>>
>>> FREEBSD 5.4 + PF
>>> ------------------------------------------------------------------------------------------
>>>
>>> XL2 (192.168.0.254/24, 64.XX.XX.5/30, 65.XX.XX.5/30)
>>> |
>>> |
>>> ------------------
>>> SWITCH
>>> ------------------------------- IP: 65.XX.XX.6/30
>>>
>>> ------------------
>>> GW: 65.XX.XX.5
>>> / \
>>> / \
>>> IP: 192.168.0.10/24 IP:
>>> 64.XX.XX.6/30
>>> GW: 192.168.0.254 GW: 64.XX.XX.5
>>> and more clients ... I need
>>> load balancing outgoing traffic from:
>>> 192.168.0.0/24 ( NAT )
>>> and 64.XX.XX.0/24, 65.XX.XX.0/24
>>>
>>> It is possible to make this balancing with the PF ? Exists some
>>> software that I make this ? Zebra can help me?
>>> This type of balancing gives to problems with the navigation of the
>>> user of NAT or IP valid ?
>>> If it is possible, wanted to see examples with rules.
>>>
>>> Thanks,
>>>
>> If you do not manage to come right with PF, I have a working example
>> of a similar setup using IPFW & natd.
>> Let me know if you would like the config files.
>> Regards
>> Graham
>>
>>
>>
> Send me yours config and net scheme.
> Thanks ;-)
>
A system I recently installed is up and running.
here are the config files.
netmon2.sh runs from crontab to monitor the links and switches the
traffic to the good link if one link fails.
Also uses squid proxy and bandwidth management for internal users.
Regards
Graham
-------------- next part --------------
hostname="xx.yy.zz"
# Configure the internal network
ifconfig_vr0="inet 192.168.1.1 netmask 255.255.255.0"
# Configure the external networks (connected to the internet)
#ifconfig_rl0="DHCP"
ifconfig_rl0="inet 192.168.8.70 netmask 255.255.255.0"
ifconfig_rl0_alias0="inet 192.168.0.99 netmask 255.255.255.0"
defaultrouter="192.168.8.1"
#ifconfig_rl1="inet 192.168.0.99 netmask 255.255.255.0"
#ifconfig_rl1="DHCP"
# - Enabling the FreeBSD Firewall, IPFirewall (IPFW)-
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
# - Enabling the specific NAT server for IPFW
natd_enable="YES"
natd_flags="-f /etc/natd1.conf"
natd2_enable="YES"
natd2_flags="-f /etc/natd2.conf"
sshd_enable="YES"
usbd_enable="NO"
rwhod_enable="NO"
dhcpd_enable="YES"
dhcpd_flags="-cf /usr/local/etc/dhcpd.conf -q"
#Enable the proxy server
squid_enable="YES"
ntpd_enable="YES"
ntpd_flags="-c /etc/ntp.conf"
# Bandwidth monitoring with html graphs
bandwidthd_enable="YES"
# jftpgw ftp proxy for anonymous ftp proxy-cache
jftpgw_enable="YES"
# Dynamic DNS Client
ddclient_enable="YES"
# Load the script to hook the two external nic's together
netmon1_enable="YES"
-------------- next part --------------
#!/bin/sh
# Load the kernel modules
kldload ng_ether
kldload ng_one2many
ifconfig rl0 down
ifconfig rl1 down
# Plumb nodes together
ngctl mkpeer rl0: one2many upper one
ngctl connect rl0: rl0:upper lower many0
ngctl connect rl1: rl0:upper lower many1
# Allow rl0 to xmit / recv rl0 frames
ifconfig rl1 promisc
ngctl msg rl1: setautosrc 0
# Configure to transmit
ngctl msg rl0:upper setconfig "{xmitAlg=2 failAlg=1 enabledLinks =[ 1 1 ] }"
echo "Now up the interfaces again"
ifconfig rl0 up
ifconfig rl1 up
ifconfig rl0 inet 192.168.8.70 netmask 255.255.255.0
ifconfig rl0 inet 192.168.0.99 netmask 255.255.255.0 alias
route delete default
route add default 192.168.8.1
echo "Done"
-------------- next part --------------
#!/bin/sh
target="196.7.0.138"
ext_gw1="192.168.8.1"
ext_gw2="192.168.0.1"
# Setup route to ping through
route -q add -host $target $ext_gw1
# Test link one through ext_gw1
ping1=$( ping -q -c 3 -f -s 8 -o -t 2 196.7.0.138 | grep "packet loss" | cut -c24-24 )
# Test link two through ext_gw2
route -q delete $target
route -q add -host $target $ext_gw2
ping2=$( ping -q -c 3 -f -s 8 -o -t 2 196.7.0.138 | grep "packet loss" | cut -c24-24 )
# Remove route
route -q delete $target
# Configure the ipfw sets as per network route availability
if [ "$ping1" != "0" ]; then
if [ "$ping2" = "1" ]; then
ipfw set enable 1 2 12
else
ipfw set enable 1
ipfw set disable 2 12
fi
else
if [ "$ping2" != "0" ]; then
ipfw set disable 1 12
ipfw set enable 2
else
# echo "enabling everything to wait for network recovery"
ipfw set enable 1 2 12
fi
fi
-------------- next part --------------
alias_address 192.168.8.70
pid_file /var/run/natd1.pid
port natd1
-------------- next part --------------
alias_address 192.168.0.99
pid_file /var/run/natd2.pid
port natd2
-------------- next part --------------
#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
bwm="ipfw -q pipe"
skip="skipto 8000"
ext_if1="rl0" # public interface name of NIC
ext_if2="rl0"
int_if="vr0" # private interface name of NIC
ext_ip1="192.168.8.70"
ext_ip2="192.168.0.99"
ext_gw1="192.168.8.1"
ext_gw2="192.168.0.1"
# Setup the different Sets to be used for different connection options
ipfw -q set disable 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
# Initially only enable set 1 (and 2 and 12 when we have 2 WAN links)
ipfw -q set enable 1 2 5 12
# Specify which ip addresses get what bandwidth
# Can also tell this dhcp server to give certain addresses to selected mac
# addresses in file /usr/local/etc/dhcpd.conf
u512k="192.168.10.2" # Users given 512kb/s link
u256k="192.168.1.0/24{2-254}" # Users given 256kb/s link
u128k="192.168.10.2" # Users given 128kb/s link
u64k="192.168.10.2" # Users given 64kb/s link (default from dhcp)
$cmd 10 allow ip from any to any
#################################################################
# Check and drop packets that are appearing to come from
# the destination LAN i.e. a spoofed source ip address
$cmd 100 deny ip from any to any not antispoof in
#################################################################
# No restrictions on Loopback Interface
# Protect spoofing to localhost
$cmd allow ip from any to any via lo0
$cmd deny ip from any to 127.0.0.0/8
$cmd deny ip from 127.0.0.0/8 to any
#################################################################
# check if packet is inbound and nat address if it is
$cmd 1000 divert natd1 ip from any to $ext_ip1 in
$cmd 1000 divert natd2 ip from any to $ext_ip2 in
#$cmd skipto 5000 ip from any to any in via $ext_if1
#$cmd skipto 5000 ip from any to any in via $ext_if2
################################################################
# Divert incoming http and ftp traffic to the proxy (squid and jftpgw)
$cmd set 5 fwd 192.168.1.1,3128 tcp from 192.168.1.0/24 to any 80 in via $int_if
#$cmd fwd 192.168.1.1,2370 tcp from 192.168.1.0/24 to any 21 via $int_if
#################################################################
# Allow the rest of the LAN traffic in and out
$cmd allow ip from any to any via $int_if
################################################################
############## Bandwidth Management ############################
################################################################
# Setup up pipes for each of the user groups
################################################################
# Users with 512Kb / 256Kb access (in / out)
################################################################
$cmd pipe 10 ip from any to $u512k in via $ext_if1
$cmd pipe 11 ip from $u512k to any out via $ext_if1
$bwm 10 config mask dst-ip 0x000000ff bw 512Kbit/s queue 4KBytes
$bwm 11 config mask src-ip 0x000000ff bw 256Kbit/s queue 3KBytes
################################################################
# Users with 256Kb / 128Kb access
################################################################
$cmd pipe 20 ip from any to $u256k in via $ext_if1
$cmd pipe 21 ip from $u256k to any out via $ext_if1
$bwm 20 config mask dst-ip 0x000000ff bw 256Kbit/s queue 4KBytes
$bwm 21 config mask src-ip 0x000000ff bw 128Kbit/s queue 3KBytes
################################################################
# Users with 128Kb / 64Kb access
################################################################
$cmd pipe 30 ip from any to $u128k in via $ext_if1
$cmd pipe 31 ip from $u128k to any out via $ext_if1
$bwm 30 config mask dst-ip 0x000000ff bw 128Kbit/s queue 4KBytes
$bwm 31 config mask src-ip 0x000000ff bw 64Kbit/s queue 3KBytes
################################################################
# Users with 64Kb / 56Kb access
################################################################
$cmd pipe 40 ip from any to $u64k in via $ext_if1
$cmd pipe 41 ip from $u64k to any out via $ext_if1
$bwm 40 config mask dst-ip 0x000000ff bw 64Kbit/s queue 14KBytes
$bwm 41 config mask src-ip 0x000000ff bw 56Kbit/s queue 12KBytes
# 40 was set to 7KB
# 41 was set to 6KB
#################################################################
# Interface facing Public Internet (Outbound Section)
#################################################################
# Allow out access to my ISP's Domain name server.
# Get the IP addresses from /etc/resolv.conf file
#$cmd $skip UDP from any to { 196.7.0.138 or 196.28.86.2 or 196.28.86.3 or 196.25.1.1 } 53 out
#$cmd allow udp from me to any 53 out # rather use working adsl line out
$cmd $skip udp from any to any 53 out
# Allow this box out access to my ISP's DHCP server (or adsl router)
# to get it's network configuration settings (IP, DNS, etc).
$cmd $skip udp from me to any 67 out
# Allow skype connections out
# Allow ntp time server out
$cmd $skip UDP from any to any 80,443,123,1024-65535 out
$cmd $skip UDP from any 80,443,1024-65535 to any out
$cmd $skip tcp from any 1024-65535 to any 1024-65535 out
# Allow me to reach local routers from this box (tunneled via ssh)
$cmd allow tcp from me to 192.168.0.0/16 80 out
# Allow out www, ftp from me or from proxy out
$cmd $skip tcp from me to any 20,21,80 out
# Natting because of the 2 outgoing lines
# Allow out secure www function https over TLS SSL
# Allow out send & get email function (GMail uses ports 587, 995)
# Allow out MSN messenger
# Allow out Time, nntp news (i.e. news groups),
# SSH (secure FTP, Telnet, and SCP), whois
$cmd $skip tcp from any to any 443,25,110,587,995,1863,37,119,22,43 out
# Allow out regular ftp access (not via proxy)
$cmd $skip tcp from any to any 20,21,80 out
# Allow out ping
$cmd $skip icmp from 192.168.1.0/24 to any out icmptypes 3,8
$cmd allow icmp from me to any out icmptypes 3,8
$cmd allow icmp from me to 192.168.0.0/16 out
# Allow external ssh connection back out
$cmd $skipto tcp from me 22 to any out
# Allow external web traffic from internal servers back out
$cmd $skip tcp from 192.168.1.8 80,443 to any out
# Allow external mail traffic from internal servers back out
$cmd $skip tcp from 192.168.1.3 25,110 to any out
# Allow external ftp, vpn connection traffic from internal servers back out
$cmd $skip tcp from 192.168.1.9 20,21,1723 to any out
# Allow out FreeBSD (make install & CVSUP) functions
# Give user root "GOD" privileges.
$cmd allow ip from me to any out uid root
# Deny the rest out
$cmd deny log ip from any to any out
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################
# Deny all inbound traffic from non-routable reserved address spaces
#$cmd 300 deny all from 192.168.0.0/16 to any in via $ext_if1 #RFC 1918 private IP
$cmd deny all from 172.16.0.0/12,10.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3 to any in #RFC 1918 private IP
#RFC 1918 private IP #DHCP auto-config #reserved for docs #Sun cluster #Class D & E multicast
# Deny ident
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd deny all from any to any 113,137,138,139,81 in
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
$cmd allow udp from 192.168.8.1,192.168.0.1 to any 68,1900,5678 in
# Allow dns lookups back in
$cmd allow udp from any 53,67 to 192.168.1.0/24 in
$cmd allow udp from any 53,67 to me in
# Allow skype connections in
$cmd allow udp from any 80,123,443,1024-655353 to 192.168.1.0/24 in
$cmd allow udp from any to 192.168.1.0/24 80,443,1024-655353 in
$cmd deny log udp from any to any in # Deny the rest
$cmd allow tcp from any 1024-65535 to 192.168.1.0/24 1024-65535 in
# Allow in standard www function because I have Apache server - or is there an internal webserver?
# Allow Webmin connections from close-by
$cmd allow tcp from { 192.168.8.0/24 or 192.168.0.0/24 } to me 10000,80 in
$cmd allow tcp from any to 192.168.1.8,192.168.1.9 80,443 in
# Allow outgoing ftp, web traffic (via proxy) back in
$cmd allow tcp from any 80 to me in
# Allow in regular ftp, http access if proxy is off
$cmd allow tcp from any 20,21,80 to 192.168.1.0/24 in
# Allow in secure www function https over TLS SSL
# Allow in send & get email function (GMail uses ports 587, 995)
# Allow in MSN messenger
# Allow in Time, nntp news (i.e. news groups),
# SSH (secure FTP, Telnet, and SCP), whois
$cmd allow tcp from any 443,25,110,587,995,1863,37,119,22,43 to any in
# Allow external web traffic in to internal servers
$cmd allow tcp from any to 192.168.1.8 80,443 in keep-state
# Allow external mail traffic in to internal servers
$cmd allow tcp from any to 192.168.1.3 25,110 in keep-state
# Allow external ftp, vpn connection traffic in to internal servers
$cmd allow tcp from any to 192.168.1.9 20,21,1723 in keep-state
# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd allow tcp from { 192.168.0.0/24 or 192.168.1.0/24 or 192.168.8.0/24 } to me 22 in #setup limit src-addr 3
$cmd allow tcp from any to me 22 in setup limit src-addr 3
# Deny the rest to me
$cmd deny log tcp from any to me in
#Allow in ICMP (ping) from public networks close by only.
$cmd allow icmp from 196.7.0.138,196.25.1.1,196.4.160.7 to me in icmptypes 0,3,11
$cmd allow icmp from any to 192.168.1.0/24 in icmptypes 0,3,11
$cmd allow icmp from any to me in icmptypes 0,3,11
$cmd allow icmp from 192.168.0.0/16 to me in
#Deny the rest icmp
$cmd deny icmp from any to any in
# Reject & Log all unauthorized incoming connections from the public Internet (/var/log/security)
$cmd deny log all from any to any in
### *********************************************************
# This is skipto location for outbound stateful rules
$cmd 8000 skipto 9000 tcp from any to any out setup
$cmd 8010 skipto 9000 udp from any to any out
$cmd 8020 skipto 9000 icmp from any to any out
$cmd 8100 tee natd1 ip from any to any out
$cmd 8150 check-state
$cmd 8160 allow ip from me 20,21,22,25,80,110,443,1723 to any out
$cmd 8200 divert natd2 ip from any to any out
$cmd 8250 check-state
$cmd 8260 allow ip from me 20,21,22,25,80,110,443,1723 to any out
$cmd 8400 deny ip from any to any out
$cmd 9000 set 12 prob 0.5 skipto 9500 ip from any to any out
$cmd 9100 set 1 divert natd1 ip from any to any out
$cmd 9200 set 1 fwd 192.168.8.1 ip from any to any out keep-state
$cmd 9500 set 2 divert natd2 ip from any to any out
$cmd 9600 set 2 fwd 192.168.0.1 ip from any to any out keep-state
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 9999 deny log all from any to any
ipfw -q delete 10
################ End of IPFW rules file ###############################
More information about the freebsd-net
mailing list