Load balancing network traffic with PF
I have OpenBSD running as a firewall on a PC with 3 network interfaces: one is used for the intranet and the other two for the external network. I was expecting to do load balancing to improve the use of the two external connections, so I found this code in the PF FAQ:
Code:
lan_net = "192.168.0.0/24"
int_if  = "dc0"
ext_if1 = "fxp0"
ext_if2 = "fxp1"
ext_gw1 = "aaa.bbb.ccc.ddd"
ext_gw2 = "eee.fff.ggg.hhh"

# nat outgoing connections on each internet interface
match out on $ext_if1 from $lan_net nat-to ($ext_if1)
match out on $ext_if2 from $lan_net nat-to ($ext_if2)

# default deny
block in
block out

# pass all outgoing packets on internal interface
pass out on $int_if to $lan_net

# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if

# load balance outgoing traffic from internal network.
# round-robin alternates new connections between the two gateways;
# it does not check whether a gateway is reachable
pass in on $int_if from $lan_net \
    route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin

# keep https traffic on a single connection; some web applications,
# especially "secure" ones, don't allow it to change mid-session
pass in on $int_if proto tcp from $lan_net to port https \
    route-to ($ext_if1 $ext_gw1)

# general "pass out" rules for external interfaces
pass out on $ext_if1
pass out on $ext_if2

# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2 (replies to connections that arrived on the
# "other" external interface must leave through its own gateway)
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)

Code:
# keep https traffic on a single connection; some web applications,
# especially "secure" ones, don't allow it to change mid-session
pass in on $int_if proto tcp from $lan_net to port https \
    route-to ($ext_if1 $ext_gw1)
I have just set up the same on my network. I have never tried it out to see if there could be any failover of one link. What happens with my configuration is that the first time a packet tries to pass over the dead link, the request just times out; a refresh of the request will send the packet over the other interface.
You need ifstated or relayd. Here is my ifstated.conf (I use 3 different pf.conf files: one dual-WAN conf, one gw1 conf and one gw2 conf):
Code:
# Link tests: one ping to each gateway every 5 seconds; a test is
# "up" while its ping command exits 0
net1 = '"ping -q -c1 -w1 10.1.1.1 >/dev/null" every 5'
net2 = '"ping -q -c1 -w1 10.222.222.222 >/dev/null" every 5'

init-state one

# Start: both links assumed up, multipath default route over both
# gateways; /etc/pf.conf (the dual-WAN ruleset) is the one loaded at boot
state one {
    init {
        run "route delete default 10.1.1.1"
        run "route delete default 10.222.222.222"
        run "route add -mpath default 10.1.1.1"
        run "route add -mpath default 10.222.222.222"
    }
    if ! $net1 {
        if $net2
            set-state two
    }
    if ! $net2 {
        if $net1
            set-state three
    }
}

# gw1 down: default route via gw2 only, gw2-only ruleset
state two {
    init {
        run "route delete default 10.1.1.1"
        run "route delete default 10.222.222.222"
        run "route add -mpath default 10.222.222.222"
        run "pfctl -f /etc/pf.conf.gw2"
    }
    if $net1 {
        if $net2
            set-state four
    }
    if ! $net2 {
        if $net1
            set-state three
    }
}

# gw2 down: default route via gw1 only, gw1-only ruleset
state three {
    init {
        run "route delete default 10.1.1.1"
        run "route delete default 10.222.222.222"
        run "route add -mpath default 10.1.1.1"
        run "pfctl -f /etc/pf.conf.gw1"
    }
    if $net1 {
        if $net2
            set-state four
    }
    if ! $net1 {
        if $net2
            set-state two
    }
}

# Both links back: multipath over both gateways and reload the
# dual-WAN ruleset
state four {
    init {
        run "route delete default 10.1.1.1"
        run "route delete default 10.222.222.222"
        run "route add -mpath default 10.1.1.1"
        run "route add -mpath default 10.222.222.222"
        run "pfctl -f /etc/pf.conf"
    }
    if ! $net1 {
        if $net2
            set-state two
    }
    if ! $net2 {
        if $net1
            set-state three
    }
}
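The two behaviours discussed in this thread, modelled offline as an added example (this is not code from any of the posters, and it does not touch pf(4) or ifstated(8)): the first function reproduces what the second post observed with plain `route-to ... round-robin`, which alternates new connections between the gateways with no health check, so a dead gateway keeps receiving its share; the second transcribes the four states of the ifstated.conf above into a transition table so the failover logic can be exercised with a sequence of ping results. The gateway addresses and the pf.conf filenames are the ones in the posted config; the observation sequence at the bottom is constructed input.

```python
from itertools import cycle

# Gateways as they appear in the posted ifstated.conf
GW1 = "10.1.1.1"
GW2 = "10.222.222.222"


def round_robin_picks(n_conns, dead):
    """Model of 'route-to { (...), (...) } round-robin' with no health
    check: each new connection takes the next gateway in turn, so a dead
    gateway still gets its share.  `dead` is a set of gateways that are
    down (constructed input).  Returns (chosen gateways, hits on dead ones)."""
    order = cycle([GW1, GW2])
    picks = [next(order) for _ in range(n_conns)]
    return picks, sum(1 for gw in picks if gw in dead)


# Transition table transcribed from the four states of the posted
# ifstated.conf: (state, net1 up?, net2 up?) -> next state.  Any
# combination not listed (for example both links down) matches no
# 'if' clause, so ifstated stays in the current state.
TRANSITIONS = {
    ("one", False, True): "two",
    ("one", True, False): "three",
    ("two", True, True): "four",
    ("two", True, False): "three",
    ("three", True, True): "four",
    ("three", False, True): "two",
    ("four", False, True): "two",
    ("four", True, False): "three",
}

# What each state's init block leaves behind: the -mpath default
# gateways it adds and the ruleset it loads with pfctl -f (None for
# state one, which relies on /etc/pf.conf already being loaded at boot).
STATE_INIT = {
    "one": (frozenset({GW1, GW2}), None),
    "two": (frozenset({GW2}), "/etc/pf.conf.gw2"),
    "three": (frozenset({GW1}), "/etc/pf.conf.gw1"),
    "four": (frozenset({GW1, GW2}), "/etc/pf.conf"),
}


def ifstated_run(observations, state="one"):
    """Feed a sequence of (net1_up, net2_up) ping results, as the two
    'every 5' tests would report them, and return one record per
    observation: (state, init_ran, default gateways, pf.conf loaded).
    init_ran is True only on the observation that entered the state,
    mirroring ifstated running a state's init block once on entry."""
    trace = []
    for net1, net2 in observations:
        nxt = TRANSITIONS.get((state, net1, net2), state)
        entered = nxt != state
        state = nxt
        gws, pfconf = STATE_INIT[state]
        trace.append((state, entered, gws, pfconf))
    return trace


if __name__ == "__main__":
    picks, dead_hits = round_robin_picks(10, {GW2})
    print(f"round-robin with {GW2} down: {dead_hits} of {len(picks)} "
          "new connections go to the dead gateway")
    # constructed sequence: gw2 drops, stays down, comes back, then both fail
    for rec in ifstated_run([(True, True), (True, False), (True, False),
                             (True, True), (False, False)]):
        print(rec)
```

The model makes one gap in the posted config visible: when both pings fail, no `if` clause matches, so ifstated stays in whatever state it was in and the routes and ruleset from that state remain installed. It also shows why state one never runs `pfctl -f`: it assumes the dual-WAN /etc/pf.conf is already loaded at boot. On the firewall itself, `ifstated -n -f /etc/ifstated.conf` checks the state file for syntax errors without starting the daemon, and `pfctl -nf /etc/pf.conf.gw1` (and likewise for the other two files) parses each ruleset without loading it, which is worth doing before a failover event loads one of them for the first time.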