DaemonForums  

#1
23rd May 2012
eherrera
Load balancing network traffic with PF

I have OpenBSD running as a firewall on a PC with 3 network interfaces; one is used for the intranet and the other two for the external network. I was expecting to do load balancing to improve the use of the two external connections, so I found this code in the PF FAQ:

Code:
lan_net = "192.168.0.0/24"
int_if  = "dc0"
ext_if1 = "fxp0"
ext_if2 = "fxp1"
ext_gw1 = "aaa.bbb.ccc.ddd"
ext_gw2 = "eee.fff.ggg.hhh"

#  nat outgoing connections on each internet interface
match out on $ext_if1 from $lan_net nat-to ($ext_if1)
match out on $ext_if2 from $lan_net nat-to ($ext_if2)

#  default deny
block in
block out

#  pass all outgoing packets on internal interface
pass out on $int_if to $lan_net
#  pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if
#  load balance outgoing traffic from internal network. 
pass in on $int_if from $lan_net \
    route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin
#  keep https traffic on a single connection; some web applications,
#  especially "secure" ones, don't allow it to change mid-session
pass in on $int_if proto tcp from $lan_net to port https \
    route-to ($ext_if1 $ext_gw1)

#  general "pass out" rules for external interfaces
pass out on $ext_if1
pass out on $ext_if2

#  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
#  $ext_if2 and $ext_gw2
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)

It is supposed to do exactly what I want; the problem comes at

Code:
#  keep https traffic on a single connection; some web applications,
#  especially "secure" ones, don't allow it to change mid-session
pass in on $int_if proto tcp from $lan_net to port https \
    route-to ($ext_if1 $ext_gw1)

Here is my question: what happens if ext_if1 is down? Is there some way to recognize when an interface is down and switch among them?

Last edited by ocicat; 23rd May 2012 at 11:15 PM. Reason: redacting public IP addresses -- spammers may harvest these...
#2
28th May 2012
polken

I have just set up the same on my network. I have never tried it out to see if there could be any failover on one link. What happens with my configuration is that the first time a packet tries to pass over the dead link, the request just times out; a refresh of the request will send the packet over the other interface.
#3
28th May 2012
gessler

You need ifstated or relayd. Here is my ifstated.conf (I use 3 different pf.conf files: 1 dual-WAN conf, 1 gw1 conf and 1 gw2 conf):
Code:
net1 = '"ping -q -c1 -w1 10.1.1.1 >/dev/null" every 5'
net2 = '"ping -q -c1 -w1 10.222.222.222 >/dev/null" every 5'

init-state one

state one {
    init {
        run "route delete default 10.1.1.1"
        run "route delete default 10.222.222.222"
        run "route add -mpath default 10.1.1.1"
        run "route add -mpath default 10.222.222.222"
    }
    if ! $net1 {
        if $net2
            set-state two
    }
    if ! $net2 {
        if $net1
            set-state three
    }
}

state two {
    init {
        run "route delete default 10.1.1.1"
        run "route delete default 10.222.222.222"
        run "route add -mpath default 10.222.222.222"
        run "pfctl -f /etc/pf.conf.gw2"
    }
    if $net1 {
        if $net2
            set-state four
    }
    if ! $net2 {
        if $net1
            set-state three
    }
}

state three {
    init {
        run "route delete default 10.1.1.1"
        run "route delete default 10.222.222.222"
        run "route add -mpath default 10.1.1.1"
        run "pfctl -f /etc/pf.conf.gw1"
    }
    if $net1 {
        if $net2
            set-state four
    }
    if ! $net1 {
        if $net2
            set-state two
    }
}

state four {
    init {
        run "route delete default 10.1.1.1"
        run "route delete default 10.222.222.222"
        run "route add -mpath default 10.1.1.1"
        run "route add -mpath default 10.222.222.222"
        run "pfctl -f /etc/pf.conf"
    }
    if ! $net1 {
        if $net2
            set-state two
    }
    if ! $net2 {
        if $net1
            set-state three
    }
}

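The ifstated.conf above decides link health from a single `ping -c1 -w1` every 5 seconds, so one lost echo reply is enough to trigger the route deletes and a ruleset reload. The following is an added example, not part of the thread or of anyone's posted configuration: a wrapper that reports a link as down only after several consecutive failed probes. The names `link_check`, `PROBE`, `STATE_DIR` and `FAIL_LIMIT` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): damped link probe for ifstated.
# PROBE, STATE_DIR, FAIL_LIMIT and link_check are assumed names.

PROBE=${PROBE:-"ping -q -c1 -w1"}            # same probe the posted config runs
STATE_DIR=${STATE_DIR:-/var/run/linkprobe}   # root-owned, not a shared /tmp path
FAIL_LIMIT=${FAIL_LIMIT:-3}                  # consecutive failures before "down"

# link_check <name> <target>
# Exit status 0 = up, 1 = down. The link counts as up until the probe has
# failed FAIL_LIMIT times in a row; one success resets the counter.
link_check() {
    name=$1
    target=$2
    counter="$STATE_DIR/$name.fails"
    mkdir -p "$STATE_DIR" || return 1

    fails=0
    if [ -r "$counter" ]; then
        read -r fails < "$counter" || fails=0
    fi
    case $fails in
        ''|*[!0-9]*) fails=0 ;;              # treat a corrupt counter as zero
    esac

    # $PROBE is left unquoted on purpose so its options split into words.
    if $PROBE "$target" >/dev/null 2>&1; then
        fails=0
    else
        fails=$((fails + 1))
    fi
    echo "$fails" > "$counter"
    [ "$fails" -lt "$FAIL_LIMIT" ]
}

# Run as: linkprobe <name> <target>
if [ $# -eq 2 ]; then
    link_check "$1" "$2"
    exit $?
fi
```

In the posted ifstated.conf the test would then read `net1 = '"/usr/local/sbin/linkprobe wan1 10.1.1.1" every 5'`, where the install path is hypothetical. With the defaults, a link is declared down after roughly 15 seconds of failed probes and up again on the first success.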