From: Grégoire Leroy <gregoire.leroy@retenodus.net>
To: freebsd-ipfw@freebsd.org
Date: Thu, 30 Jun 2011 03:01:42 +0200
Subject: Load balancing ipfw + NAT
Message-Id: <201106300301.42182.gregoire.leroy@retenodus.net>
List-Id: IPFW Technical Discussions

Hi,

I am trying to use load balancing with IPFW. I have 3 lines: 2 ADSL and 1 SDSL. I am trying to load-balance HTTP traffic over ADSL1 (192.168.7.1) and ADSL2 (192.168.6.1).

My gateway has 4 network devices: one for each line (em1 -> 192.168.5.10, em2 -> 192.168.6.10, em3 -> 192.168.7.10) and one for the local network (em0 -> 192.168.4.1).

On my gateway there are 3 natd instances:

    natd -p 8868 -dynamic -interface em3
    natd -p 8869 -dynamic -interface em2
    natd -p 8868 -dynamic -interface em1

Here is the part of my config relating to the load balancing:

    $cmd 300 divert 8868 ip from any to any via $adsl1_if
    $cmd 301 divert 8869 ip from any to any via $adsl2_if
    $cmd 302 divert 8870 ip from any to any via $sdsl_if
    $cmd 00320 check-state
    $cmd 0670 prob 0.5 skipto 17000 tcp from $clients to any $tcp_web setup $ks
    $cmd 0671 skipto 19000 tcp from $clients to any $tcp_web setup $ks
    $cmd 017000 divert 8868 ip from $clients to any in
    $cmd 017500 divert 8868 ip from $clients to any out
    $cmd 017700 allow all from any to any
    $cmd 019000 divert 8869 ip from $clients to any out
    $cmd 019500 divert 8869 ip from $clients to any in
    $cmd 19700 allow all from any to any
    $cmd 17550 fwd $isp1 ip from 192.168.7.10 to any
    $cmd 19550 fwd $isp2 ip from 192.168.6.10 to any
    $cmd 23500 fwd $isp3 ip from 192.168.5.10 to any
    $cmd 65534 allow all from any to any

ipfw show:

    00300 16789 17438940 divert 8868 ip from any to any via em3
    00301     0        0 divert 8869 ip from any to any via em2
    00302     0        0 divert 8870 ip from any to any via em1
    00670  6409  7934908 prob 0.500000 skipto 17000 tcp from 192.168.4.2 to any dst-port 80,443,25,3128 setup keep-state
    00671 21464 26576872 skipto 19000 tcp from 192.168.4.2 to any dst-port 80,443,25,3128 setup keep-state
    17000  1145    59132 divert 8868 ip from 192.168.4.2 to any in
    17500     0        0 divert 8868 ip from 192.168.4.2 to any out
    17700  6409  7934908 allow ip from any to any
    19000     0        0 divert 8869 ip from 192.168.4.2 to any out
    19500  3848   198584 divert 8869 ip from 192.168.4.2 to any in

The skipto seems good, so I don't understand why I don't catch any packets with a tcpdump on em2: it seems that all web traffic passes through em3.

Can someone explain to me what is wrong?

PS: my work is based on http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-August/000399.html

Regards,
Grégoire Leroy
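The prob/skipto/keep-state split the posted ruleset relies on, as an added example that is not part of the original post and not ipfw code: a small Python model of ipfw's first-match walk (first match wins; "prob P" passes a rule with probability P; "skipto N" jumps to the first rule numbered >= N; "keep-state" records the flow; "check-state" runs the parent rule's action for later packets of a recorded flow, skipping the parent's match and prob). It uses the post's rule numbers and client address, lets rule 17700 stand in for the divert-8868/em3 branch and 19700 for the divert-8869/em2 branch, and sends constructed connections to 203.0.113.0/24 with a fixed random seed. It shows that new connections split roughly 50/50 and that every later packet of a flow, in both directions, follows the branch its SYN took. It models only the rule walk: divert, natd and the kernel's route lookup are outside it, and those decide which interface a packet finally leaves on.

```python
"""Toy model of ipfw's first-match rule walk for prob/skipto balancing.

Added example, not ipfw source. Rule numbers and the client address follow
the post; the traffic and server addresses are constructed.
"""
import random

CLIENTS = {"192.168.4.2"}
WEB_PORTS = {80, 443, 25, 3128}


def flow_key(p):
    # ipfw dynamic rules match both directions of a flow.
    return (p["proto"], frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])}))


def web_setup(p):
    # "tcp from $clients to any $tcp_web setup": client-originated SYNs only.
    return (p["proto"] == "tcp" and p["src"] in CLIENTS
            and p["dport"] in WEB_PORTS and p["syn"])


def rule(num, action, match=None, target=None, prob=None, keep_state=False):
    return dict(num=num, action=action, match=match, target=target,
                prob=prob, keep_state=keep_state)


# Balancing part of the posted ruleset; 17700 stands in for the divert-8868
# (em3) branch, 19700 for the divert-8869 (em2) branch.
RULES = [
    rule(320, "check-state"),
    rule(670, "skipto", web_setup, target=17000, prob=0.5, keep_state=True),
    rule(671, "skipto", web_setup, target=19000, keep_state=True),
    rule(17700, "allow"),
    rule(19700, "allow"),
    rule(65534, "allow"),
]


class Ipfw:
    def __init__(self, rules, seed=0):
        self.rules = sorted(rules, key=lambda r: r["num"])
        self.dyn = {}                                     # flow key -> parent rule
        self.counts = {r["num"]: 0 for r in self.rules}   # static matches, like 'ipfw show'
        self.dyn_hits = 0                                 # packets accepted via check-state
        self.rng = random.Random(seed)

    def _index(self, target):
        # skipto N: continue at the first rule numbered >= N
        for i, r in enumerate(self.rules):
            if r["num"] >= target:
                return i
        return len(self.rules)

    def run(self, p):
        """Return the number of the terminal rule that accepted packet p."""
        i = 0
        while i < len(self.rules):
            r = self.rules[i]
            if r["action"] == "check-state":
                parent = self.dyn.get(flow_key(p))
                if parent is None:
                    i += 1
                    continue
                self.dyn_hits += 1
                r = parent          # run the parent's action; its prob is not re-rolled
            else:
                if r["match"] is not None and not r["match"](p):
                    i += 1
                    continue
                if r["prob"] is not None and self.rng.random() >= r["prob"]:
                    i += 1
                    continue
                if r["keep_state"]:
                    self.dyn[flow_key(p)] = r
                self.counts[r["num"]] += 1
            if r["action"] == "allow":
                return r["num"]
            i = self._index(r["target"])   # skipto
        raise RuntimeError("fell off the end of the ruleset")


def pkt(src, dst, syn=False):
    return dict(proto="tcp", src=src[0], sport=src[1], dst=dst[0], dport=dst[1], syn=syn)


def simulate(n_flows=200, pkts_per_dir=3, seed=1):
    """Run n_flows constructed web connections from 192.168.4.2 through the
    model and report how flows were split and whether each flow stayed put."""
    fw = Ipfw(RULES, seed)
    by_terminal, sticky = {}, True
    for n in range(n_flows):
        client = ("192.168.4.2", 40000 + n)
        server = ("203.0.113.%d" % (n % 200 + 1), 80)      # constructed
        first = fw.run(pkt(client, server, syn=True))
        by_terminal[first] = by_terminal.get(first, 0) + 1
        for _ in range(pkts_per_dir):                      # data and replies
            if fw.run(pkt(client, server)) != first or fw.run(pkt(server, client)) != first:
                sticky = False
    return dict(flows_by_terminal=by_terminal, sticky=sticky,
                counts=fw.counts, dyn_hits=fw.dyn_hits)


if __name__ == "__main__":
    print(simulate())
```

The counters mirror what `ipfw show` reports: every packet of a flow lands on the branch its SYN chose, so the count on 17700 is exactly (1 + 2 * pkts_per_dir) times the match count on rule 670, and nothing reaches 65534.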