Date:      Wed, 6 Aug 2003 13:11:54 +0100
From:      "Andrew White" <andywhite@ntlworld.ie>
To:        <freebsd-ipfw@freebsd.org>
Subject:   NEWBIE: Help with Dual ISP load balance IPFW/NATD CPU optimization
Message-ID:  <000001c35c13$ed1d24b0$3201a8c0@deskgx>

Hi,  

Firstly, apologies if this is sent to the wrong list.

I am trying to load-balance two ISPs as below with FreeBSD 5.1.

Using the firewall rule list below, the CPU gets maxed out at 1.2mb. I
suspect that my ruleset needs to be optimized; when running natd -v, I
see packets go to both NAT daemons but only out one per flow.

natd is run as below:

natd -p 8868 -dynamic -interface aue0
natd -p 8869 -dynamic -interface tun0

There are some duplicate rules here, but I use this for accounting to
try and analyse traffic flows to work out the order of events.

It does seem to work well otherwise, despite 1 kernel panic so far.

Any help or comments appreciated.

/Andrew

   ISP1			  ISP2
 Cable Modem		  ADSL
600kbs/128kbs	        1mb/256kbs
172.16.1.1/23	        10.0.0.1/23
     |			    |	
     |			    |	
     |			    |	
     |			    |	
    DHCP		  PPPOE
 172.16.1.5		10.0.1.15
   *aue0*******************tun0*
   *          FreeBSD	       *
   *************ep0*************	     
   	 192.168.1.254
  		 | 	 
  		 | 	 
  	       *****
  	    Private LAN
  	  192.168.1.0/24
   	
# allow local traffic
00100 allow ip from 192.168.1.0/24 to 192.168.1.0/24
00125 allow ip from 127.0.0.0/24 to 192.168.1.0/24
00130 allow ip from 192.168.1.0/24 to 127.0.0.0/24
00150 allow ip from 127.0.0.0/24 to 127.0.0.0/24 via lo0
# stop simple incoming attempts from internet
00200 deny tcp from any to any setup in via tun0
00250 deny tcp from any to any setup in via aue0

#send incoming traffic to natd
00400 divert 8869 ip from any to any in via tun0
00450 divert 8868 ip from any to any in via aue0
#if flow is already going via NATD, send it back to same NATD
00500 check-state
# send 38% of traffic to isp 1 as 600k = 38% of 1mb + 600k
00600 prob 0.380000 skipto 700 ip from 192.168.1.0/24 to any out keep-state
# remaining 62% of traffic send to isp2
00650 skipto 900 ip from 192.168.1.0/24 to any out keep-state
#nat everything that gets here, should be ok as local allowed in first lines to go direct
00700 divert 8868 ip from 192.168.1.0/24 to any in
00750 divert 8868 ip from 192.168.1.0/24 to any out
00900 divert 8869 ip from 192.168.1.0/24 to any out
00950 divert 8869 ip from 192.168.1.0/24 to any in

#policy route to send traffic to correct isp
02000 fwd 172.16.1.1 ip from 172.16.1.5 to any
02500 fwd 10.0.0.1 ip from 10.0.1.5 to any
#break out traffic to allow accounting to show me what's going where
30000 allow ip from any to 192.168.1.0/24
30100 allow ip from any to any in via tun0
30200 allow ip from any to any in via aue0
30300 allow ip from any to any out via tun0
30400 allow ip from any to any out via aue0

65000 allow ip from any to any
65535 deny ip from any to any
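
The rule walk for an outbound LAN packet, as an added example that is not part of the original post: a deliberately simplified Python model of how ipfw steps through the outbound rules above for the first packet of a flow, so the prob/skipto/divert/fwd path on each branch can be seen without a FreeBSD box. It assumes natd acts as a plain source rewrite to its interface address as drawn in the diagram (8868 to 172.16.1.5, 8869 to 10.0.1.15), that `iface` is the interface routing picked before ipfw ran, and that a diverted packet resumes at the rule after the divert; keep-state/check-state and the inbound pass are not modelled, and the destination address in the test is constructed.

```python
import ipaddress, re

# natd modelled as a plain source rewrite to its -interface address (assumed from the diagram).
NATD_ADDR = {8868: "172.16.1.5", 8869: "10.0.1.15"}

# Excerpt of the posted ruleset: the rules an outbound first packet from the LAN can reach.
RULESET = """
00600 prob 0.380000 skipto 700 ip from 192.168.1.0/24 to any out keep-state
00650 skipto 900 ip from 192.168.1.0/24 to any out keep-state
00700 divert 8868 ip from 192.168.1.0/24 to any in
00750 divert 8868 ip from 192.168.1.0/24 to any out
00900 divert 8869 ip from 192.168.1.0/24 to any out
00950 divert 8869 ip from 192.168.1.0/24 to any in
02000 fwd 172.16.1.1 ip from 172.16.1.5 to any
02500 fwd 10.0.0.1 ip from 10.0.1.5 to any
30300 allow ip from any to any out via tun0
65000 allow ip from any to any
"""
RULE_RE = re.compile(r"(\d+) (?:prob (\S+) )?(\w+)(?: (\S+))? ip from (\S+) to (\S+)(.*)")

def parse(text):
    """Parse rules into (number, has_prob, action, argument, from, to, options, via) tuples."""
    rules = []
    for num, prob, act, arg, frm, to, opts in RULE_RE.findall(text):
        opts = opts.split()
        via = opts[opts.index("via") + 1] if "via" in opts else None
        rules.append((int(num), bool(prob), act, arg, frm, to, opts, via))
    return rules

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def trace(rules, src, dst, direction, iface, prob_fires):
    """Walk the rules for one packet (no dynamic rules, so first packet of a flow only);
    prob_fires replaces ipfw's random draw so both branches can be traced deterministically.
    Returns (final action, its argument, source address after NAT, rule numbers that matched)."""
    path, i = [], 0
    while i < len(rules):
        num, has_prob, act, arg, frm, to, opts, via = rules[i]
        i += 1
        if (not (in_net(src, frm) and in_net(dst, to)) or (via and via != iface)
                or ("in" in opts and direction != "in") or ("out" in opts and direction != "out")
                or (has_prob and not prob_fires)):
            continue
        path.append(num)
        if act == "skipto":                 # continue at the first rule numbered >= target
            i = next(j for j, r in enumerate(rules) if r[0] >= int(arg))
        elif act == "divert":               # natd rewrites the source on the out pass, then
            src = NATD_ADDR[int(arg)] if direction == "out" else src   # ipfw resumes at next rule
        else:                               # allow, deny and fwd all terminate the search
            return act, arg, src, path
    return "deny", None, src, path          # implicit default rule 65535
```

In this model the aue0 branch ends at the fwd rule 02000, while the tun0 branch falls through to 30300 rather than 02500, because 02500 matches source 10.0.1.5 and the diagram gives tun0 as 10.0.1.15.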
