Date:      Wed, 12 Apr 2006 19:13:05 -0300
From:      Patrick Tracanelli <>
To:        Bill Fumerola <>
Subject:   Re: Load-balancing
Message-ID:  <>
In-Reply-To: <>
References:  <20060411092932.42148fd8@giboia> <>

Bill Fumerola wrote:
> On Tue, Apr 11, 2006 at 09:29:32AM -0300, Gilberto Villani Brito wrote:
>>I would make load-balancing using ipfw, but I have 2 routers in the same interface:
>>FreeBSD ( -------> GW1 ( (63%)
>>                            |--> GW2 ( (33%)
>>How can I make load-balancing using ipfw???
>>I'm using pf (pass out on em0 route-to (em0 round-robin from any to any keep state probability 33%), but I would like use just one firewall.
> the same concept you're using applies to ipfw:
> # ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any
> or if you have multiple interfaces:
> # ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any xmit em0
> any laziness-induced syntax errors i've made notwithstanding those should
> work fine. remember to compile IPFIREWALL_FORWARD and enable ip forwarding.
> -- bill

Very nice.

How hard would it be to have "keep-state" working with "fwd" action?

Also, what about some sort of algorithm more similar to "plr" for the "prob" 
action? As I understand it, prob is really a probability, which does not 
mean that 33% of the packets will match (while plr says it will match - 
and drop the packet), it means a 33% probability, right? This would be 
different from a 33% matching rate. Let's think of a "rate" option for 
"matching rate", a

ipfw add rate 0.33 fwd <next hop> tcp from <inet> to any xmit em0 setup 

keep-state in this case would make all other packets from the given 
source IP to the given destination IP always get forwarded...

Because as I see (I may be wrong) the above example may break sessions, 
right? Thinking on an https session, for example. Some packets would 
match the prob, some other would not. So what do we get? Some packets 
going out via link #1 and some other via link #2. The other end will not 
know about the incoming packets from the other link.

The two mentioned features (which I have no idea how hard it would be to 
add), a plr-like sort of "prob" and keeping FWD state, would solve the 
problem, wouldn't they?

Also, I don't know what "probability" really means in PF, whether it is really 
a probability or a "rate match" spec. Try to figure it out correctly, or 
you might be doing the wrong thing...

Patrick Tracanelli

FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
"Long live Hanin Elias, Kim Deal!"
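The session-splitting concern raised in the reply above can be checked without a FreeBSD box. The following simulation is an added example, not code from the list thread, from ipfw or from pf: it models a stateless per-packet "prob" rule, the per-flow variant (decide on the SYN, then keep state for the flow), and the hypothetical deterministic "rate" option proposed above as an exact-fraction accumulator, and counts how many TCP sessions end up with packets on both links. The gateway labels GW1/GW2, the client and server addresses and the back-to-back flow ordering are constructed for the example; the accumulator semantics for "rate" are an assumption, since no such ipfw option is shown on the page.

```python
"""Per-packet vs per-flow next-hop selection (added example, not from the thread).

Models three policies for the "send 33% of traffic via GW2" problem and
reports, for each, the share of packets that went to GW2 and the number
of TCP sessions whose packets were split across the two gateways.
"""
import random
from collections import namedtuple
from fractions import Fraction

GW1, GW2 = "GW1", "GW2"  # assumed labels for the two next hops on em0

Packet = namedtuple("Packet", "src sport dst dport syn")


def flow_key(pkt):
    """The 4-tuple a keep-state entry would be keyed on."""
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


def make_flows(n_flows, pkts_per_flow):
    """Constructed sample traffic: n_flows HTTPS sessions from one client,
    each a SYN followed by pkts_per_flow-1 data packets, emitted back to back
    (addresses are documentation ranges, not real hosts)."""
    pkts = []
    for i in range(n_flows):
        sport = 40000 + i
        for j in range(pkts_per_flow):
            pkts.append(Packet("192.0.2.10", sport, "198.51.100.7", 443, j == 0))
    return pkts


def per_packet_prob(pkts, p, rng):
    """'prob p fwd GW2 ip from any to any' with no state: an independent
    coin flip per packet, so one session's packets land on either link."""
    return [GW2 if rng.random() < p else GW1 for _ in pkts]


def per_flow_prob(pkts, p, rng):
    """The keep-state variant the reply asks for: flip the coin once, on the
    SYN, and forward every later packet of that flow the same way."""
    state = {}
    out = []
    for pkt in pkts:
        key = flow_key(pkt)
        if pkt.syn or key not in state:          # new session: decide once
            state[key] = GW2 if rng.random() < p else GW1
        out.append(state[key])
    return out


def per_packet_rate(pkts, rate):
    """Hypothetical deterministic 'rate' match (assumed semantics): an exact
    accumulator selects floor(n*rate) of every n packets, so the share is
    exact rather than a probability, but sessions are still split."""
    r = Fraction(rate).limit_denominator(10000)
    acc = Fraction(0)
    out = []
    for _ in pkts:
        acc += r
        if acc >= 1:
            acc -= 1
            out.append(GW2)
        else:
            out.append(GW1)
    return out


def gw2_share(decisions):
    """Fraction of packets forwarded via GW2."""
    return decisions.count(GW2) / len(decisions)


def split_flows(pkts, decisions):
    """Number of sessions whose packets went out via more than one gateway;
    these are the sessions the other end sees arriving from two addresses."""
    seen = {}
    for pkt, gw in zip(pkts, decisions):
        seen.setdefault(flow_key(pkt), set()).add(gw)
    return sum(1 for gws in seen.values() if len(gws) > 1)


def compare(n_flows=50, pkts_per_flow=20, p=0.33, seed=1):
    """Run all three policies on the same constructed traffic."""
    pkts = make_flows(n_flows, pkts_per_flow)
    rng = random.Random(seed)
    results = {}
    for name, dec in (
        ("per-packet prob", per_packet_prob(pkts, p, rng)),
        ("per-flow keep-state", per_flow_prob(pkts, p, rng)),
        ("per-packet rate", per_packet_rate(pkts, p)),
    ):
        results[name] = (round(gw2_share(dec), 3), split_flows(pkts, dec))
    return results


if __name__ == "__main__":
    for name, (share, split) in compare().items():
        print(f"{name:22s} GW2 share {share:.3f}  split sessions {split}")
```

Run with no arguments it prints one line per policy. Both per-packet policies split every session in the sample, whichever way the 33% is produced; only the per-flow policy keeps each session on one link, and its GW2 share is then 33% of sessions, not of packets. The random per-packet policy also only approximates 33% for any given run, which is the probability-versus-rate distinction the reply is drawing. In the original poster's pf rule it is the "keep state" clause that binds later packets of a session to the route chosen for its first packet.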
