From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 31 11:02:33 2005
Date: Mon, 31 Oct 2005 11:02:18 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2003/04/22]  kern/51274  ipfw   [ipfw] [patch] ipfw2 create dynamic rules
f  [2003/04/24]  kern/51341  ipfw   [ipfw] [patch] ipfw rule 'deny icmp from
o  [2003/12/11]  kern/60154  ipfw   [ipfw] ipfw core (crash)
o  [2004/03/03]  kern/63724  ipfw   [ipfw] IPFW2 Queues dont t work
o  [2004/11/13]  kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o  [2004/11/19]  kern/74104  ipfw   [ipfw] ipfw2/1 conflict not detected or r
o  [2005/03/13]  conf/78762  ipfw   [ipfw] [patch] /etc/rc.d/ipfw should exce
o  [2005/05/11]  bin/80913   ipfw   [patch] /sbin/ipfw2 silently discards MAC

8 problems total.

Non-critical problems

S  Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
a  [2001/04/13]  kern/26534  ipfw   [ipfw] Add an option to ipfw to log gid/u
o  [2002/12/10]  kern/46159  ipfw   [ipfw] [patch] ipfw dynamic rules lifetim
o  [2003/02/11]  kern/48172  ipfw   [ipfw] [patch] ipfw does not log size and
o  [2003/03/10]  kern/49086  ipfw   [ipfw] [patch] Make ipfw2 log to differen
o  [2003/04/09]  bin/50749   ipfw   [ipfw] [patch] ipfw2 incorrectly parses p
o  [2003/08/26]  kern/55984  ipfw   [ipfw] [patch] time based firewalling sup
o  [2003/12/30]  kern/60719  ipfw   [ipfw] Headerless fragments generate cryp
o  [2004/08/03]  kern/69963  ipfw   [ipfw] install_state warning about alread
o  [2004/09/04]  kern/71366  ipfw   [ipfw] "ipfw fwd" sometimes rewrites dest
o  [2004/10/22]  kern/72987  ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [B
o  [2004/10/29]  kern/73276  ipfw   [ipfw] [patch] ipfw2 vulnerability (parse
o  [2005/02/01]  kern/76971  ipfw   [ipfw] ipfw antispoof incorrectly blocks
o  [2005/03/13]  bin/78785   ipfw   [ipfw] [patch] ipfw verbosity locks machi
o  [2005/05/05]  kern/80642  ipfw   [ipfw] [patch] ipfw small patch - new RUL
o  [2005/06/28]  kern/82724  ipfw   [ipfw] [patch] Add setnexthop and default
o  [2005/10/05]  kern/86957  ipfw   [ipfw] [patch] ipfw mac logging
o  [2005/10/07]  kern/87032  ipfw   [ipfw] [patch] ipfw ioctl interface imple

17 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 31 20:22:27 2005
Date: Mon, 31 Oct 2005 15:22:18 -0500 (EST)
From: "Rob Viau"
To: "Corey Smith"
Cc: G Bryant , freebsd-pf@freebsd.org, FreeBSD , freebsd-net@freebsd.org
Subject: Re: Load Balancing Outgoing, its possible ?

> On Fri, 2005-10-28 at 17:19 +0200, G Bryant wrote:
>> Daniel Dias Gonçalves wrote:
>>
>> > It is possible to make this balancing with the PF ? Exists some
>> > software that I make this ? Zebra can help me?
>> > This type of balancing gives to problems with the navigation of the
>> > user of NAT or IP valid ?
>> > If it is possible, wanted to see examples with rules.
>
> It would be much better to do per flow load balancing than per packet.
> With per packet your TCP flows will arrive out of order which is a bad
> situation since it will lead to a large number of retransmissions and
> zero-window acknowledgments.
>
> The only tunable to help correct that is to allow selective
> acknowledgments.
>
> You are going to get much higher utilization on your load balanced lines
> by using per flow with multiple TCP connections.
>
> Anybody know how to implement per flow load balancing in FreeBSD? Are
> multiple default routes supported?
>
> It would be beautiful if you could put multiple routes with the same
> metric into the kernel and then the kernel would enable per flow load
> balancing of the routes...
>
> -Corey Smith

I believe pf is per-flow. If it was not, then not only would your packets
arrive out-of-order, but also with different source IPs when you were NATing
to different interfaces on different ISPs (without your own block) which is
something I was able to do with 3 links (with three different IP addresses)
from 2 different providers.

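The per-packet versus per-flow difference discussed in the messages above, as an added Python model that is not code from any poster in the thread and does not reproduce how pf or ipfw select a link. The uplink names, the addresses (documentation ranges), the sample traffic and the choice of a 5-tuple hash are all constructed assumptions.

```python
import hashlib
from collections import defaultdict
from itertools import cycle

# Constructed uplinks: three links from two providers, each with its own NAT address.
UPLINKS = [("isp_a_1", "192.0.2.10"), ("isp_a_2", "192.0.2.20"), ("isp_b_1", "198.51.100.30")]

def flow_key(pkt):
    """The 5-tuple that identifies one connection."""
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

def per_packet(packets):
    """Round-robin each packet over the uplinks, ignoring its flow."""
    rr = cycle(UPLINKS)
    return [(pkt, next(rr)) for pkt in packets]

def per_flow(packets):
    """Choose an uplink once per flow (hash of the 5-tuple) and pin it in a state table."""
    state, out = {}, []
    for pkt in packets:
        key = flow_key(pkt)
        if key not in state:
            digest = hashlib.sha256(repr(key).encode()).digest()
            state[key] = UPLINKS[int.from_bytes(digest[:4], "big") % len(UPLINKS)]
        out.append((pkt, state[key]))
    return out

def nat_sources(assignments):
    """Per flow, the set of post-NAT source addresses the remote host would see."""
    seen = defaultdict(set)
    for pkt, (_link, nat_ip) in assignments:
        seen[flow_key(pkt)].add(nat_ip)
    return dict(seen)

def broken_flows(assignments):
    """Flows whose packets left with more than one source address."""
    return sorted(k for k, ips in nat_sources(assignments).items() if len(ips) > 1)

def sample_packets():
    """Constructed traffic: two TCP connections from one LAN host, six segments each, interleaved."""
    flows = [
        {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "203.0.113.80", "dport": 80},
        {"proto": "tcp", "src": "10.0.0.5", "sport": 40002, "dst": "203.0.113.25", "dport": 25},
    ]
    return [dict(f, seq=i) for i in range(6) for f in flows]

if __name__ == "__main__":
    pkts = sample_packets()
    print("per-packet, flows seen from several source IPs:", len(broken_flows(per_packet(pkts))))
    print("per-flow,   flows seen from several source IPs:", len(broken_flows(per_flow(pkts))))
```

With per-packet distribution every segment of a connection can leave through a different NAT address, so the remote host cannot associate the segments with one connection; pinning the choice in a state table keeps each connection on one link and one source address.
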
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 31 21:07:21 2005
Date: Mon, 31 Oct 2005 22:38:40 +0200
From: G Bryant
To: Rob Viau
Cc: freebsd-net@freebsd.org, FreeBSD , freebsd-pf@freebsd.org
Subject: Re: Load Balancing Outgoing, its possible ?

Rob Viau wrote:

>> On Fri, 2005-10-28 at 17:19 +0200, G Bryant wrote:
>>> Daniel Dias Gonçalves wrote:
>>>
>>> > It is possible to make this balancing with the PF ? Exists some
>>> > software that I make this ? Zebra can help me?
>>> > This type of balancing gives to problems with the navigation of the
>>> > user of NAT or IP valid ?
>>> > If it is possible, wanted to see examples with rules.
>>
>> It would be much better to do per flow load balancing than per packet.
>> With per packet your TCP flows will arrive out of order which is a bad
>> situation since it will lead to a large number of retransmissions and
>> zero-window acknowledgments.
>>
>> The only tunable to help correct that is to allow selective
>> acknowledgments.
>>
>> You are going to get much higher utilization on your load balanced lines
>> by using per flow with multiple TCP connections.
>>
>> Anybody know how to implement per flow load balancing in FreeBSD? Are
>> multiple default routes supported?
>>
>> It would be beautiful if you could put multiple routes with the same
>> metric into the kernel and then the kernel would enable per flow load
>> balancing of the routes...
>>
>> -Corey Smith
>
> I believe pf is per-flow. If it was not, then not only would your packets
> arrive out-of-order, but also with different source IPs when you were NATing
> to different interfaces on different ISPs (without your own block) which is
> something I was able to do with 3 links (with three different IP addresses)
> from 2 different providers.

The scripts I attached with previous email provide per-flow load sharing
using ipfw and natd. System is currently live.

Regards,
Graham

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 2 19:30:57 2005
Date: Wed, 2 Nov 2005 14:30:54 -0500
From: Router Guy
To: freebsd-ipfw@freebsd.org
Subject: IPFW FWD

I've searched the archive, and read the man page...possible that I've missed
something.

ipfw rules...

    00700 0   0 allow ip from 172.16.200.2 to 172.16.200.2
    00800 9 756 fwd 172.16.200.1 ip from 172.16.200.2 to any
    00900 0   0 allow ip from any to 172.16.200.2 via vlan3

    vlan3: flags=8843 mtu 1500
            inet 172.16.200.2 netmask 0xffffff00 broadcast 172.16.200.255
            ether 00:b0:d0:49:00:bd
            media: Ethernet autoselect (100baseTX)
            status: active
            vlan: 3 parent interface: fxp0

Kern options

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT
    options IPFIREWALL_FORWARD

5.4-RELEASE-p8

As you can see from the ipfw output, the fwd rules match - but the packets
are still forwarded out the primary interface following the default route
(verified via tcpdump). The fwd is reachable from the host, and is a router
that knows what to do with the packets....

Any ideas?

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 2 21:46:33 2005
Date: Wed, 2 Nov 2005 16:46:30 -0500
From: Router Guy
To: freebsd-ipfw@freebsd.org
Subject: Possible repost, new subscriber - IPFW+FWD

I've searched the archive, and read the man page...possible that I've missed
something.

ipfw rules...

    00700 0   0 allow ip from 172.16.200.2 to 172.16.200.2
    00800 9 756 fwd 172.16.200.1 ip from 172.16.200.2 to any
    00900 0   0 allow ip from any to 172.16.200.2 via vlan3

    vlan3: flags=8843 mtu 1500
            inet 172.16.200.2 netmask 0xffffff00 broadcast 172.16.200.255
            ether 00:b0:d0:49:00:bd
            media: Ethernet autoselect (100baseTX)
            status: active
            vlan: 3 parent interface: fxp0

Kern options

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT
    options IPFIREWALL_FORWARD

5.4-RELEASE-p8

As you can see from the ipfw output, the fwd rules match - but the packets
are still forwarded out the primary interface following the default route
(verified via tcpdump). The fwd is reachable from the host, and is a router
that knows what to do with the packets....