From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 8 18:45:13 2004
From: LD <ldsift-applels@yahoo.com.au>
To: FreeBSD-IPFW <freebsd-ipfw@freebsd.org>
Date: Tue, 9 Nov 2004 05:45:11 +1100
Message-Id: <5223CD88-31B6-11D9-838C-0005025E2371@yahoo.com.au>
Subject: Help: Load Balancing 2 external connections
List-Id: IPFW Technical Discussions

Hi there,

I'm setting up a FreeBSD gateway at work to replace 2 [RH9] gateways that serve 2 separate external connections through 2 different ISPs. Only the cable is currently utilised by most - and there's no redundancy in place without fiddling with individual machines. The 2nd gateway, however, does currently allow VPN connectivity for external users.

The external connections:
1) Cable (dynamic IP);
2) ADSL 512/512 (static IP).

I'm fairly new to FreeBSD/ipfw/dummynet and so I'm hoping that people here might be able to point me in the right direction, i.e., things to bear in mind. My questions are:

a) Do I need any specific kernel options? i.e., features that aren't available otherwise through dynamic loading.

b) I'd like to make the whole thing transparent to the internal network, i.e., internal computers' nameserver references are to the gateway (rather than the ISP), which then translates such requests to the appropriate nameserver(s) of the relevant ISP according to which pipe the request is sent through :-)

c) I'm assuming that for the most part 'prob 0.5' will balance the load between two pipes to the external interfaces... but is there a better scheme? Also guaranteeing that a complete conversation, once initiated via an interface, would continue through that interface...

d) How would you set it up to automatically place all traffic out via one of the external interfaces should the other connection not be available? i.e., auto-redundancy.

e) Any other tricks of the trade?

I've based my 'draft' script (below - which has various problems for the problem at hand) off the last example on...
freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
...adjusting for pipes.

Any pointers in the right direction would be much appreciated. Thanks.
#!/bin/sh
<..>
# (the elided section defines the interface and port variables used
#  below: $iif, $pif1, $pif2, $ISP_DHCPs, $tcpports)

cmd="ipfw -q add"
skip="skipto 800"

ipfw -q -f flush

$cmd 005 allow all from any to any via $iif
$cmd 010 allow all from any to any via lo0
$cmd 014 divert natd ip from any to any via $pif1
$cmd 014 divert natd ip from any to any via $pif2
$cmd 015 check-state

# Public Interface
# nameservers from resolv.conf (the draft used 'awk -F\t'; an unquoted
# \t reaches awk as the letter t, so the field split was wrong)
for DNS in `awk '/^nameserver/ { print $2 }' /etc/resolv.conf`; do
    $cmd 020 $skip tcp from any to $DNS 53 out setup keep-state
done

# access isp dhcp server for cable
$cmd 021 $skip udp from any to $ISP_DHCPs 67 out via $pif1 keep-state

# outgoing traffic
$cmd 030 $skip tcp from any to any $tcpports out
<...>

# deny various incoming
<...>

# allow cable dhcp
$cmd 360 allow udp from $ISP_DHCPs to any 68 in keep-state
<...>

# reject/log
$cmd 400 deny log all from any to any in
$cmd 400 deny log all from any to any out

# SKIPTO Section
# 'out via $pif1' only matches packets the routing table has already
# sent to $pif1, so prob 0.5 here puts half of those packets through the
# pipe and lets the rest fall through; it does not move traffic between
# the two links.
$cmd 800 prob 0.5 pipe 1 from any to any out via $pif1
$cmd 800 prob 0.5 pipe 2 from any to any out via $pif2
# 'pipe N config' takes no rule number; the bandwidth value was left
# out of the post (the syntax is e.g. 'bw 512Kbit/s')
ipfw -q pipe 1 config bw <...>
ipfw -q pipe 2 config bw <...>

# Natd
# with net.inet.ip.fw.one_pass=1 (the default) a packet accepted by a
# pipe rule is not passed through the rules below afterwards, so 801/802
# only see packets that missed the prob rules above
$cmd 801 divert natd ip from any to any out
$cmd 802 allow ip from any to any

# deny/log all else
$cmd 999 deny log all from any to any

with regards,
--
LD
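Added example for questions a), c) and d), not from LD's post or the handbook: instead of dummynet pipes it uses ipfw's fwd action (policy routing), which needs 'options IPFIREWALL_FORWARD' compiled into the kernel because the forwarding hook sits in the IP stack itself, not in ipfw.ko. New LAN connections are split 50/50 between the two next hops; keep-state pins every later packet of a flow to the uplink that saw its first packet, and a probe of both gateways rewrites just the two rules when one link dies. Deleting a rule also drops its dynamic state, so flows pinned to a dead link are released. The interface names, LAN prefix and gateway addresses are placeholders; the check-state rule (015), the per-uplink natd divert rules and the rest of the ruleset are assumed to come from the poster's own script.

```shell
#!/bin/sh
# Added example (not the poster's code): pin each new LAN flow to one
# uplink with 'fwd ... keep-state' and fall back to the surviving uplink
# when the other gateway stops answering pings.
# All names below are placeholders for this example.
IIF="${IIF:-fxp0}"                 # internal (LAN) interface
LAN="${LAN:-192.168.1.0/24}"       # internal network
GW1="${GW1:-10.0.1.1}"             # next hop on the cable link (dynamic in reality)
GW2="${GW2:-10.0.2.1}"             # next hop on the ADSL link
IPFW="${IPFW:-ipfw -q}"            # IPFW=echo previews the rules without touching the kernel

# Returns 0 when the gateway answers one ping within a second (FreeBSD ping: -t is a timeout).
link_up() {
    ping -c 1 -t 1 "$1" >/dev/null 2>&1
}

# Prints the rule 800/801 section for the given link states (1 = usable).
# Both up: rule 800 takes a new flow with probability 0.5, whatever it skips
# lands on 801, so new connections split 50/50. keep-state records the flow
# and the check-state rule earlier in the ruleset replays the same fwd for
# every later packet, so a conversation never changes uplink mid-stream.
# Replies arriving via the uplink match the dynamic rule in the reverse
# direction, which ipfw accepts without applying the fwd. 'to not me' keeps
# traffic addressed to the gateway itself (DNS, VPN) out of the forwarding.
balance_rules() {
    up1="$1"; up2="$2"
    if [ "$up1" = 1 ] && [ "$up2" = 1 ]; then
        echo "add 800 prob 0.5 fwd $GW1 ip from $LAN to not me in via $IIF keep-state"
        echo "add 801 fwd $GW2 ip from $LAN to not me in via $IIF keep-state"
    elif [ "$up1" = 1 ]; then
        echo "add 800 fwd $GW1 ip from $LAN to not me in via $IIF keep-state"
    elif [ "$up2" = 1 ]; then
        echo "add 800 fwd $GW2 ip from $LAN to not me in via $IIF keep-state"
    else
        # no usable uplink: refuse new flows visibly instead of blackholing them
        echo "add 800 deny log ip from $LAN to not me in via $IIF"
    fi
}

# Probes both gateways and replaces only rules 800/801 (deleting them also
# removes their dynamic state, so stale pins to a dead link disappear).
# Run it from cron every minute, or from dhclient's exit hooks when the
# cable lease changes.
apply_policy() {
    u1=0; u2=0
    link_up "$GW1" && u1=1
    link_up "$GW2" && u2=1
    $IPFW delete 800 801 2>/dev/null
    balance_rules "$u1" "$u2" | while read -r rule; do
        $IPFW $rule    # unquoted on purpose: each line is one ipfw command
    done
    return 0
}

if [ "${1:-}" = apply ]; then
    apply_policy
fi
```

Run it as `sh balance.sh apply` from cron, or `IPFW=echo sh balance.sh apply` to see the rules it would load. Each uplink still needs its own natd instance behind the 'out via' divert rules, since the two ISPs hand out different addresses.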