From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 6 05:11:49 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3F12837B404 for ; Wed, 6 Aug 2003 05:11:49 -0700 (PDT)
Received: from mta07-svc.ntlworld.com (mta07-svc.ntlworld.com [62.253.162.47]) by mx1.FreeBSD.org (Postfix) with ESMTP id 757B843F3F for ; Wed, 6 Aug 2003 05:11:47 -0700 (PDT) (envelope-from andywhite@ntlworld.ie)
Received: from deskgx ([81.98.89.6]) by mta07-svc.ntlworld.com (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP id <20030806121145.DSBZ27190.mta07-svc.ntlworld.com@deskgx> for ; Wed, 6 Aug 2003 13:11:45 +0100
From: "Andrew White"
Date: Wed, 6 Aug 2003 13:11:54 +0100
Message-ID: <000001c35c13$ed1d24b0$3201a8c0@deskgx>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Subject: NEWBIE: Help with Dual ISP load balance IPFW/NATD CPU optimization
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Wed, 06 Aug 2003 12:11:49 -0000

Hi,

Firstly, apologies if this is to the wrong list. I am trying to load balance two ISPs as below with FreeBSD 5.1. Using the firewall rule list below, the CPU gets maxed out at 1.2mb. I suspect that my ruleset needs to be optimized; when running natd -v, I see packets go to both NAT daemons but only out one per flow.
natd is run as below:

    natd -p 8868 -dynamic -interface aue0
    natd -p 8869 -dynamic -interface tun0

There are some duplicate rules here, but I use this for accounting, to try and analyse traffic flows to work out the order of events. It does seem to work well otherwise, despite one kernel panic so far.

Any help or comments appreciated.

/Andrew

          ISP1                        ISP2
       Cable Modem                    ADSL
      600kbs/128kbs                1mb/256kbs
      172.16.1.1/23                10.0.0.1/23
            |                           |
            |                           |
           DHCP                       PPPOE
        172.16.1.5                  10.0.1.15
      *aue0*******************tun0*
      *          FreeBSD          *
      *************ep0*************
             192.168.1.254
                   |
                 *****
         Private LAN 192.168.1.0/24

# allow local traffic
00100 allow ip from 192.168.1.0/24 to 192.168.1.0/24
00125 allow ip from 127.0.0.0/24 to 192.168.1.0/24
00130 allow ip from 192.168.1.0/24 to 127.0.0.0/24
00150 allow ip from 127.0.0.0/24 to 127.0.0.0/24 via lo0
# stop simple incoming attempts from internet
00200 deny tcp from any to any setup in via tun0
00250 deny tcp from any to any setup in via aue0
# send incoming traffic to natd
00400 divert 8869 ip from any to any in via tun0
00450 divert 8868 ip from any to any in via aue0
# if flow is already going via NATD, send it back to same NATD
00500 check-state
# send 38% of traffic to isp 1 as 600k = 38% of 1mb + 600k
00600 prob 0.380000 skipto 700 ip from 192.168.1.0/24 to any out keep-state
# remaining 62% of traffic send to isp2
00650 skipto 900 ip from 192.168.1.0/24 to any out keep-state
# nat everything that gets here, should be ok as local allowed in first lines to go direct
00700 divert 8868 ip from 192.168.1.0/24 to any in
00750 divert 8868 ip from 192.168.1.0/24 to any out
00900 divert 8869 ip from 192.168.1.0/24 to any out
00950 divert 8869 ip from 192.168.1.0/24 to any in
# policy route to send traffic to correct isp
02000 fwd 172.16.1.1 ip from 172.16.1.5 to any
02500 fwd 10.0.0.1 ip from 10.0.1.5 to any
# break out traffic to allow accounting to show me what's going where
30000 allow ip from any to 192.168.1.0/24
30100 allow ip from any to any in via tun0
30200 allow ip from any to any in via aue0
30300 allow ip from any to any out via tun0
30400 allow ip from any to any out via aue0
65000 allow ip from any to any
65535 deny ip from any to any
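Added example (not part of the post, and not the poster's code): a small tracer that walks the ruleset above with ipfw's first-match semantics (skipto, divert with re-entry at the next rule after natd hands the packet back, keep-state and check-state) so you can see which rules each pass of a packet actually hits. It models natd only as far as address aliasing of a LAN source on the way out and the reverse mapping on the reply; ports, TCP state and timeouts are ignored. Assumptions: the tun0 daemon aliases to 10.0.1.5, the address rule 02500 matches (the diagram shows 10.0.1.15); the out pass runs on aue0, as if routing had picked it; the sample addresses are constructed (198.51.100.7 is a TEST-NET-2 address). What the trace shows is that a LAN packet arriving on ep0 matches both 00700 and 00950 on the in pass, so it visits both natd processes before the out pass diverts it a third time; that is consistent with the "packets go to both NAT daemons" observation, though the model says nothing about where the CPU time actually goes.

```python
"""Rule-path tracer for the posted ipfw ruleset. Added model, not the poster's code."""
import ipaddress

# Ruleset transcribed from the post: (number, action, argument, src, dst, options)
RULES = [
    (100, "allow", None, "192.168.1.0/24", "192.168.1.0/24", {}),
    (125, "allow", None, "127.0.0.0/24", "192.168.1.0/24", {}),
    (130, "allow", None, "192.168.1.0/24", "127.0.0.0/24", {}),
    (150, "allow", None, "127.0.0.0/24", "127.0.0.0/24", {"via": "lo0"}),
    (200, "deny", None, "any", "any", {"proto": "tcp", "setup": True, "dir": "in", "via": "tun0"}),
    (250, "deny", None, "any", "any", {"proto": "tcp", "setup": True, "dir": "in", "via": "aue0"}),
    (400, "divert", 8869, "any", "any", {"dir": "in", "via": "tun0"}),
    (450, "divert", 8868, "any", "any", {"dir": "in", "via": "aue0"}),
    (500, "check-state", None, None, None, {}),
    (600, "skipto", 700, "192.168.1.0/24", "any", {"dir": "out", "prob": 0.38, "keep_state": True}),
    (650, "skipto", 900, "192.168.1.0/24", "any", {"dir": "out", "keep_state": True}),
    (700, "divert", 8868, "192.168.1.0/24", "any", {"dir": "in"}),
    (750, "divert", 8868, "192.168.1.0/24", "any", {"dir": "out"}),
    (900, "divert", 8869, "192.168.1.0/24", "any", {"dir": "out"}),
    (950, "divert", 8869, "192.168.1.0/24", "any", {"dir": "in"}),
    (2000, "fwd", "172.16.1.1", "172.16.1.5", "any", {}),
    (2500, "fwd", "10.0.0.1", "10.0.1.5", "any", {}),
    (30000, "allow", None, "any", "192.168.1.0/24", {}),
    (30100, "allow", None, "any", "any", {"dir": "in", "via": "tun0"}),
    (30200, "allow", None, "any", "any", {"dir": "in", "via": "aue0"}),
    (30300, "allow", None, "any", "any", {"dir": "out", "via": "tun0"}),
    (30400, "allow", None, "any", "any", {"dir": "out", "via": "aue0"}),
    (65000, "allow", None, "any", "any", {}),
    (65535, "deny", None, "any", "any", {}),
]

# Address each natd aliases to, keyed by divert port. Assumption: 10.0.1.5 for the
# tun0 daemon, i.e. the address rule 02500 matches (the diagram shows 10.0.1.15).
NATD_ADDR = {8868: "172.16.1.5", 8869: "10.0.1.5"}
LAN = ipaddress.ip_network("192.168.1.0/24")


def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def matches(rule, pkt):
    _, _, _, src, dst, o = rule
    return (in_net(pkt["src"], src) and in_net(pkt["dst"], dst)
            and o.get("proto", pkt["proto"]) == pkt["proto"]
            and (not o.get("setup") or pkt.get("syn", False))
            and o.get("dir", pkt["dir"]) == pkt["dir"]
            and o.get("via", pkt["iface"]) == pkt["iface"])


def natd(port, pkt, aliases):
    """Minimal natd: alias a LAN source going out, undo it on the reply coming in.
    Anything else (e.g. a LAN packet arriving on ep0) passes through untouched."""
    alias = NATD_ADDR[port]
    if pkt["dir"] == "out" and ipaddress.ip_address(pkt["src"]) in LAN:
        aliases[(port, alias, pkt["dst"])] = pkt["src"]
        pkt["src"] = alias
    elif pkt["dir"] == "in" and (port, pkt["dst"], pkt["src"]) in aliases:
        pkt["dst"] = aliases[(port, pkt["dst"], pkt["src"])]


def trace(pkt, state, aliases, choose=lambda p: True):
    """Walk RULES for one packet on one pass. Returns (rules fired, final action plus
    the addresses the packet leaves with). choose(p) decides 'prob p' rules."""
    pkt, path, i = dict(pkt), [], 0
    while i < len(RULES):
        num, action, arg, _, _, o = RULES[i]
        i += 1
        if action == "check-state":
            hit = state.get(frozenset((pkt["src"], pkt["dst"])))
            if hit is None:
                continue
            action, arg = hit                      # the parent rule's action applies
            path.append(f"{num} check-state -> {action} {arg}")
        elif not matches(RULES[i - 1], pkt) or ("prob" in o and not choose(o["prob"])):
            continue
        else:
            path.append(f"{num} {action}" + (f" {arg}" if arg is not None else ""))
            if o.get("keep_state"):
                state[frozenset((pkt["src"], pkt["dst"]))] = (action, arg)
        if action == "skipto":
            i = next(j for j, r in enumerate(RULES) if r[0] >= arg)
        elif action == "divert":
            natd(arg, pkt, aliases)                # packet re-enters at the next rule
        else:                                      # allow, deny and fwd end the search
            return path, (action, arg, pkt["src"], pkt["dst"])
    return path, ("deny", None, pkt["src"], pkt["dst"])


def trace_flow(choose):
    """Constructed sample flow: a LAN SYN seen on ep0 (in pass), then on its way out
    (out pass; assumed to be on aue0), then the reply arriving on the ISP interface
    whose natd aliased it."""
    state, aliases = {}, {}
    syn = {"src": "192.168.1.10", "dst": "198.51.100.7", "proto": "tcp", "syn": True}
    in_pass, _ = trace({**syn, "dir": "in", "iface": "ep0"}, state, aliases, choose)
    out_pass, (_, _, nat_src, _) = trace({**syn, "dir": "out", "iface": "aue0"}, state, aliases, choose)
    iface = "aue0" if nat_src == NATD_ADDR[8868] else "tun0"
    reply = {"src": "198.51.100.7", "dst": nat_src, "proto": "tcp", "dir": "in", "iface": iface}
    reply_pass, _ = trace(reply, state, aliases, choose)
    return {"in": in_pass, "out": out_pass, "reply": reply_pass, "nat_src": nat_src}


if __name__ == "__main__":
    for isp, choose in (("ISP1", lambda p: True), ("ISP2", lambda p: False)):
        for name, path in trace_flow(choose).items():
            print(isp, name, path)
```

Running it prints, for both prob outcomes, an in pass of 00700, 00950, 65000 (two divert round trips before the packet has even reached the load-balancing rules), an out pass of 00600/00750/02000 or 00650/00900/02500, and a reply pass that is de-aliased by the interface's natd and then steered by check-state to the same skipto target the flow was created with. Any change you make to the ruleset can be re-run through trace_flow before it goes near the box.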