DaemonForums  

Using multiple gateways

#1  ivanatora, 6th November 2008

Hello,
Could I have two gateways for my PC? Here is an example setup:
=====================
NIC - rl0 - IP 192.168.0.50
GW1 - IP 192.168.0.1
GW2 - IP 10.10.10.1
=====================
All of these are connected via simple switches and cables into one network.
In order to reach the second GW, should I put an alias for rl0 with an IP in the 10.10.10.0/24 network, or just add a static route to that network via rl0?
Moreover, I want to be able to use both gateways to access the Internet. Each of the two shapes its clients to X Mbit speed, so I want to have a total 2*X Mbit connection.
I know about adding static routes, and I could set one of the GWs to be used for accessing specific addresses or networks, but I want to dynamically change routes on a round-robin basis. This is how I think of it in a timeline:
- GET page from www.host1.com - GW1 is used
- GET page from www.host2.com - GW2 is used
- connect to ICQ - GW1 is used
- ssh to server1.com - GW2 is used
and so on...
Is there a pf based solution for this? I think I've seen something like 'probability match' somewhere in the manual - can I use it?

Oh, and why can't I find anything on 'freebsd load balancing' in Google? Is there a reason for this, or am I just misunderstanding the terms?

#2  J65nko, 7th November 2008

Have a look at http://openbsd.org/faq/pf/pools.html#outgoing
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#3  ivanatora, 9th November 2008

I've tried to do something with route-to, but no success. Here is the exact situation:

Here is my routing table for IPv4 (I'm not using IPv6, so everything here will be about IPv4):
Code:
[ivanatora] /etc# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0    66819    rl0
127.0.0.1          127.0.0.1          UH          0     6746    lo0
192.168.0.0/24     link#1             UC          0        0    re0
192.168.0.255      ff:ff:ff:ff:ff:ff  UHLWb       1      259    re0
192.168.1.0/24     link#2             UC          0        0    rl0
192.168.1.1        00:19:e0:a0:79:e6  UHLW        2        0    rl0    940
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       1      261    rl0
194.145.63.12      192.168.0.1        UGHS        0       60    re0

Currently one of the gateways is a default route (should I remove the default route in order to do load balancing?) and the other is just a static route to a host for some testing.
Here is my pf.conf:
Code:
### Macros
int_if = "re0"
ext_if = "rl0"

ext_ip = "192.168.1.2"
tcp_services = "{80, https, ssh, domain, 5190, 5222, ftp, whois, 18768, 6881:6889, 1025, 6921}"
udp_services = "{domain, 5190, 5222, ftp, whois, 18768, 1025, 137:139, 6921}"

### Tables
table <aonsu_net>  { 192.168.0.34, 192.168.0.223 }

### Options
set block-policy return

### Normalizations
scrub in all

### Queueing

### Translation
nat pass on $ext_if from <aonsu_net> to any -> $ext_ip # NAT for two other PCs, I don't think it is important, but I decided to show you my full pf.conf

### Filtering

pass on $int_if from <aonsu_net> to any
pass on $ext_if from any to <aonsu_net>

pass on $ext_if proto tcp to any port $tcp_services
pass on $ext_if proto udp to any port $udp_services

pass in on $ext_if proto tcp from any to 192.168.1.2 port 220 label "ssh:)" # here I've tried some features of PF - labeling
pass out on $ext_if proto tcp to any port 80 label "outgoing http"

#pass out on $ext_if route-to { 192.168.1.1, 192.168.0.1 } round-robin from 192.168.1.2 to any # I've tried that, doesn't work

# I've tried these two at the same time - there was example in that way on http://openbsd.org/faq/pf/pools.html#outgoing
#pass out log (to pflog0) on $int_if route-to ( $ext_if 192.168.1.1 ) from $ext_ip to any
#pass out log (to pflog1) on $ext_if route-to ( $int_if 192.168.0.1 ) from 192.168.0.68 to any

#doesn't work too
#pass in on $ext_if route-to { ($ext_if 192.168.1.1) , ($int_if 192.168.0.68) } round-robin from self to any

# I've tried this one, too - doesn't work
pass in on $ext_if route-to (  $ext_if 192.168.1.1 ) from $ext_ip to any

When I say it doesn't work: I've tried with traceroute some.host to see where it goes out from. Every time it goes through the default gateway (except for the static route I've added for testing). So should I remove the default route?
Actually I will try that tomorrow when I get physical access to my PC (I don't want to get cut off from ssh).

Oh, and something else - in one case I've tried logging packets to pflog0 and pflog1. When I fire tcpdump on these interfaces I see not a single packet captured. Could it be that no packet matches these filtering rules?
Attached image: situation.jpg (11.4 KB)

Last edited by ivanatora; 9th November 2008 at 04:44 PM.

#4  J65nko, 9th November 2008

From http://openbsd.org/faq/pf/pools.html#outgoing
Quote:
One additional piece of information that's needed to do this is the IP address of the adjacent router on each Internet connection. This is fed to the route-to option to control the destination of outgoing packets.

The following example balances outgoing traffic across two Internet connections:
lan_net = "192.168.0.0/24"
int_if = "dc0"
ext_if1 = "fxp0"
ext_if2 = "fxp1"
ext_gw1 = "68.146.224.1"
ext_gw2 = "142.59.76.1"

I don't have 2 internet connections, so I never did get a chance to play with this, but from what I understand the network topology should be something like this:
Code:
 INTERNET         INTERNET
    |                 |
    |                 |
    |                 |
   adj.              adj.
  router           router
 80.0.0.254      22.0.0.254
    |                 |
    |                 |
    |                 |
    |                 |
    |                 |
----|-----------------|------
|  re0               fxp0    |
| 80.0.0.1          22.0.0.1 |
|                            |
|     gateway/firewall       |
|                            |
|         rl0                |
|      192.168.0.1           |
-----------|------------------
           |
           |
           |
      internal lan

This diagram looks rather different from yours, so I wonder whether your setup will work.

#5  ivanatora, 10th November 2008

How come their setup is different from mine? IMHO, it is exactly the same. The location of the internal LAN? I don't put it in the game at all. Or do I *need* an internal LAN + 3rd NIC in order for load balancing to work?

Btw, I tried with the default gateway removed (route del -net 0.0.0.0 192.168.1.1), and in that case there is no outgoing connection through that link at all. I thought PF would manage routes with that *route-to* keyword, but it seems PF has nothing in common with these routes.
Hmmm, something else - is there a daemon that manages routes in a dynamic manner? If yes, can I use it in my case?

#6  J65nko, 10th November 2008

The same? I neither see the addresses of the adjacent routers in your diagram, nor are they mentioned in your pf.conf.

#7  ivanatora, 15th November 2008

Errr, what?
These boxes with IPs - 192.168.0.1 and 192.168.1.1 - are the adjacent routers. Have I not stated it clearly enough, or is someone not wearing his glasses? :P

#8  J65nko, 15th November 2008

The big difference is that you are using RFC 1918 addresses and not public ones. For the load balancing ruleset of the OpenBSD user guide you need public IPs.
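
Added example (not posted by anyone in this thread): a Python sanity check for the route-to attempts from post #3, run against the connected networks in the posted routing table. It flags a route-to next hop that is not on the named interface's network or is the host's own address, and `pass in` rules whose source is the host itself; the rule strings are hand-expanded from the posted macros, and treating 192.168.0.68 as this host's re0 address is an assumption.

```python
import ipaddress
import re

# Constructed input: the two connected-network lines of the netstat -rn output above.
NETSTAT = """\
192.168.0.0/24     link#1             UC          0        0    re0
192.168.1.0/24     link#2             UC          0        0    rl0
"""
# Addresses owned by this host. 192.168.1.2 is ext_ip in the posted pf.conf;
# treating 192.168.0.68 as the re0 address is an assumption.
LOCAL = {"192.168.1.2", "192.168.0.68", "self"}

# Rules from the posted pf.conf with $ext_if/$int_if/$ext_ip expanded by hand.
RULES = [
    "pass in on rl0 route-to ( rl0 192.168.1.1 ) from 192.168.1.2 to any",
    "pass in on rl0 route-to { (rl0 192.168.1.1) , (re0 192.168.0.68) } "
    "round-robin from self to any",
    "pass out log (to pflog1) on rl0 route-to ( re0 192.168.0.1 ) "
    "from 192.168.0.68 to any",
]

def connected(netstat_text):
    """Map interface name -> directly connected network (link#N routes only)."""
    nets = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and "/" in f[0] and f[1].startswith("link#"):
            nets[f[5]] = ipaddress.ip_network(f[0])
    return nets

def lint(rule, nets, local=LOCAL):
    """Return findings for one macro-expanded rule that uses route-to."""
    found = []
    for ifname, gw in re.findall(r"\(\s*(\w+)\s+([\d.]+)\s*\)", rule):
        net = nets.get(ifname)
        if net is None or ipaddress.ip_address(gw) not in net:
            found.append(f"{gw} is not on a network connected to {ifname}")
        elif gw in local:
            found.append(f"{gw} is this host's own address, not a next hop")
    m = re.search(r"^pass\s+(in|out)\b.*\bfrom\s+(\S+)", rule)
    if m and m.group(1) == "in" and m.group(2) in local:
        found.append("inbound rule never sees packets this host originates")
    return found

if __name__ == "__main__":
    nets = connected(NETSTAT)
    for rule in RULES:
        print(rule, "->", lint(rule, nets) or "no findings")
```

An empty result only means the next hop is plausible for the interface; whether packets actually leave that way is still confirmed with tcpdump on each interface.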