Trying to set up DSR load balancing with pf route-to

Chip Marshall chip at 2bithacker.net
Mon Feb 12 21:48:50 UTC 2007


I've been trying to get a Direct Server Return (DSR) load balancing
arrangement set up using FreeBSD 6.2's pf and the route-to option.

The arrangement looks something like this:

           Router
             |
   /---------+-------\
   |                 |
   |  +--------+     |     +--------+
   +-0| lb 1   |1----+----0| web 1  |lo0--(x.100)
   |  +--------+     |     +--------+
   |                 |
   |  +--------+     |     +--------+
   \-0| lb 2   |1----+----0| web 2  |lo0--(x.100)
      +--------+     |     +--------+
                     |
                     |     +--------+
                     +----0| web n  |lo0--(x.100)
                           +--------+

Where x.100 is the routable IP address of the website. The Router has a
route to x.100 via interface 0 of the load balancers, which use pf's route-to
option to redirect the packets to one of the web servers, keeping state
so further packets for the same connection go to the same web server.

The web servers then send the returning packets directly to the router.

The problem I'm having is that the load balancers aren't actually
passing packets. I have the following in their pf.conf:

pass in on fxp0 route-to { web1, web2, webn } from any to x.100 keep state

and that's it.

Using tcpdump, I see packets coming into the load balancers, and I see
state rules being set up according to that rule, but I never see
packets leaving the load balancers, and definitely never see them
hitting the web farm.

Any ideas for what I'm doing wrong here?

-- 
Chip Marshall <chip at 2bithacker.net>
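
For reference, the form pf.conf(5) documents for route-to with several next hops pairs each address with the outgoing interface. This is an added example, not part of the original post and not a diagnosis of the problem described. The interface name fxp1, the addresses (documentation ranges) and the port are assumptions.

```conf
# Added example (not from the original post). All names and addresses below
# are constructed placeholders for the setup described in the message.

ext_if = "fxp0"            # lb interface 0: traffic for the site arrives from the router
int_if = "fxp1"            # lb interface 1: segment shared with the web servers (assumed name)
vip    = "192.0.2.100"     # stands in for x.100, configured on lo0 of every web server
web1   = "198.51.100.11"   # real address of web 1 on the shared segment
web2   = "198.51.100.12"   # real address of web 2
webn   = "198.51.100.13"   # real address of web n

# Each routehost is written as (interface next-hop). The packet leaves on
# $int_if addressed at layer 2 to the chosen web server, while the IP
# destination stays $vip, which the web server accepts on its loopback alias.
# round-robin selects the pool behaviour; keep state pins later packets of
# the same connection to the next hop chosen for the first one.
# Only the client-to-server direction crosses the balancer, because the
# web servers reply to the router directly.
pass in on $ext_if \
    route-to { ($int_if $web1), ($int_if $web2), ($int_if $webn) } round-robin \
    proto tcp from any to $vip port 80 flags S/SA keep state
```

The file can be parsed without loading it using pfctl -nf, and pfctl -ss lists the states the rule creates.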


More information about the freebsd-pf mailing list