From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
Date: Wed, 12 Apr 2006 19:13:05 -0300
To: Bill Fumerola
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Load-balancing
Message-ID: <443D7B71.5070004@freebsdbrasil.com.br>
In-Reply-To: <20060412214619.GT9364@elvis.mu.org>

Bill Fumerola wrote:
> On Tue, Apr 11, 2006 at 09:29:32AM -0300, Gilberto Villani Brito wrote:
>
>>I would make load-balancing using ipfw, but I have 2 routers in the same interface:
>>
>>FreeBSD (200.xxx.xxx.3) -------> GW1 (200.xxx.xxx.1) (63%)
>>                          |--> GW2 (200.xxx.xxx.2) (33%)
>>
>>How can I make load-balancing using ipfw???
>>
>>I'm using pf (pass out on em0 route-to (em0 200.xxx.xxx.2) round-robin from any to any keep state probability 33%), but I would like to use just one firewall.
>
>
> the same concept you're using applies to ipfw:
>
> # ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any
>
> or if you have multiple interfaces:
>
> # ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any xmit em0
>
> any laziness-induced syntax errors i've made notwithstanding those should
> work fine. remember to compile IPFIREWALL_FORWARD and enable ip forwarding.
>
> -- bill

Very nice. How hard would it be to have "keep-state" working with "fwd" action?

Also, what about some sort of algorithm more similar to "plr" for "prob" action? In my understanding prob is really a probability, which does not mean say 33% of the packets will match (while plr says it will match - and drop the packet), it means 33% of probability, right? This would be different from 33% of matching rate.

Let's think of a "rate" option for "matching rate", a

ipfw add rate 0.33 fwd tcp from to any xmit em0 setup keep-state

keep-state in this case would make all other packets from the given source IP to the given destination IP always get forwarded...

Because as I see (I may be wrong) the above example may break sessions, right? Thinking on an https session, for example. Some packets would match the prob, some others would not. So what do we get? Some packets going out via link #1 and some others via link #2. The other end will not know about the incoming packets from the other link.

The mentioned two features (which I have no idea how hard it would be to add), a plr-like sort of "prob" and keeping FWD state, would solve the problem, wouldn't it?

Also, I don't know what "probability" really means on PF. If it is really probability or a "rate match" spec.

Try to figure it out correctly, or you might be doing the wrong thing...

-- 
Patrick Tracanelli

FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
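
Added example (not part of the original message, and not ipfw or pf code): a Python simulation of the concern raised in the message above, comparing an independent per-packet probability draw with a draw made once per flow and then kept in a state table. The flow tuples, packet counts, seeds and function names are constructed for illustration; it is an abstraction and does not model ipfw or pf internals.

```python
import random

P_GW2 = 0.33  # share the thread wants sent to GW2; GW1 takes the rest

def make_packets(n_flows=200, pkts_per_flow=20, seed=1):
    """Constructed traffic: each flow is a (src, sport, dst, dport) tuple."""
    rng = random.Random(seed)
    flows = [("10.0.0.%d" % (i % 250 + 1), 40000 + i, "192.0.2.10", 443)
             for i in range(n_flows)]
    packets = [f for f in flows for _ in range(pkts_per_flow)]
    rng.shuffle(packets)  # interleave the flows as they would be on a link
    return packets

def per_packet_prob(packets, seed=2):
    """Stateless choice: every packet is an independent draw."""
    rng = random.Random(seed)
    return [(f, "GW2" if rng.random() < P_GW2 else "GW1") for f in packets]

def per_flow_state(packets, seed=2):
    """Stateful choice: first packet of a flow draws, later packets reuse it."""
    rng = random.Random(seed)
    state = {}  # stands in for a per-flow state table (assumption)
    out = []
    for f in packets:
        if f not in state:
            state[f] = "GW2" if rng.random() < P_GW2 else "GW1"
        out.append((f, state[f]))
    return out

def split_flows(decisions):
    """Flows whose packets left through more than one gateway."""
    seen = {}
    for f, gw in decisions:
        seen.setdefault(f, set()).add(gw)
    return {f for f, gws in seen.items() if len(gws) > 1}

def gw2_share(decisions):
    """Fraction of packets sent via GW2."""
    return sum(gw == "GW2" for _, gw in decisions) / len(decisions)

if __name__ == "__main__":
    pkts = make_packets()
    for name, fn in (("per-packet", per_packet_prob), ("per-flow", per_flow_state)):
        d = fn(pkts)
        print(name, "GW2 share=%.3f" % gw2_share(d),
              "split flows=%d" % len(split_flows(d)))
```

With the per-packet draw the packet share lands near the configured value but nearly every flow is spread over both gateways; with the per-flow draw no flow is split, and the share is then a share of flows rather than of packets.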