Date:      Mon, 8 Nov 2004 21:36:16 +0100
From:      Pawel Malachowski <>
Subject:   Re: Help: Load Balancing 2 external connections

On Tue, Nov 09, 2004 at 05:45:11AM +1100, LD wrote:

> My Questions are:
> a) Do I need any specific kernel options? i.e., features that aren't 
> available otherwise through dynamic loading.

Using divert requires the IPDIVERT option (a loadable version of divert is
in very fresh sources only), which is not in GENERIC I guess.
Both ipfw and dummynet can be loaded as modules.
Warning: ipfw default policy is to block all traffic, so be careful when
loading it remotely. :)

> b) I'd like to make the whole thing transparent to the internal 
> network. i.e., internal computers nameserver references are to the 
> gateway (rather than isp) which then translates such requests to the 
> appropriate nameserver(s) of the relevant isp according to which pipe 
> the request is sent through :-)

That's obsolete. Set up your own caching DNS server or allow the use of the
nameservers of both upstream ISPs.

> b) I'm assuming that for the most part 'prob 0.5' will balance the load 
> between two pipes to the external interfaces...but is there a better 
> scheme? Also guaranteeing that a complete conversation, once initiated 
> via an interface would continue through that interface...

You don't understand what `pipe' is.
Pipe is for bandwidth limiting, not for redirecting traffic between
What You want is called `fwd'. Still, prob 0.5 will match 50% of packets,
not TCP sessions, so it won't work this way. You want connection
(flow) balancing. This may be hard to achieve. I would experiment with
a fwd rule with the keep-state option.

> c) How would you set it up to automatically place all traffic out via 
> one of the external interfaces should the other connection not be 
> available? i.e., auto-redundancy.

Set up some shell script that somehow checks if the connection is working
and if not, modifies the default route or the ipfw ruleset (using rule SETs
may be helpful for atomic ipfw ruleset changes).

> d) any other tricks of the trade?
> #!/bin/sh
> <..>
> cmd="ipfw -q add"
> skip="skipto 800"
> ipfw -q -f flush
> $cmd 005 allow all from any to any via $iif
> $cmd 010 allow all from any to any via lo0
> $cmd 014 divert natd ip from any to any via $pif1
> $cmd 014 divert natd ip from any to any via $pif2
> $cmd 015 check-state
> # Public Interface
> # unquoted -F\t only meant -Ft; resolv.conf is space separated anyway
> for DNS in `grep nameserver /etc/resolv.conf | awk '{print $2}'`; do
> 	$cmd 020 $skip tcp from any to $DNS 53 out setup keep-state
> done
> # access isp dhcp server for cable
> $cmd 021 $skip udp from any to $ISP_DHCPs 67 out via $pif1 keep-state
> # outgoing traffic
> $cmd 030 $skip tcp from any to any $tcpports out
> <...>
> # deny various incoming
> <...>
> # allow cable dhcp
> $cmd 360 allow udp from $ISP_DHCPs to any 68 in keep-state
> <...>
> # reject/log
> $cmd 400 deny log all from any to any in
> $cmd 400 deny log all from any to any out
> # SKIPTO Section
> $cmd 800 prob 0.5 pipe 1 from any to any out via $pif1
> $cmd 800 prob 0.5 pipe 2 from any to any out via $pif2
> ipfw -q 800 pipe 1 config bw <suggestions?>
> ipfw -q 800 pipe 2 config bw <suggestions?>
> # Natd
> $cmd 801 divert natd ip from any to any out
> $cmd 802 allow ip from any to any
> # deny/log all else
> $cmd 999 deny log all from any to any

As said, this DNS stuff seems weird.
Also fwd is not used.
Also prob 0.5 is not used properly (the first rule will match 50%, the second
will match 50% of the remaining 50%, which gives 25%).
Try setting the default route to one ISP and fwd 50% of flows from its
interface to the second ISP's gateway.
When configuring pipes, no rule number is needed; pipe configuration
is not part of the ruleset.
Note, by default a pipe will accept the packet (it won't be checked against
further rules). Same with fwd. Same with allow.
I would suggest temporarily resigning from the blocking and dummynet stuff
and just trying to create pure load-balancing. It will be hard enough.
Always do `ipfw -d show' and look at the rule counters to make sure that
packets go as expected.
I would also look at the ipf and pf firewalls; they have strong session
handling, You may find one of them easier to set up or even
find some ready-to-use examples with google.

Paweł Małachowski
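As an added example (not from either poster), a dry-run shell script sketching the approach the reply suggests: default route to ISP1, a `prob 0.5` rule with keep-state steering half of the new flows to the second ISP's gateway, separate rule sets so failover is one atomic `ipfw set` command, and pipes configured without a rule number. Interface names, gateway addresses, rule and set numbers are placeholders; `IPFW` defaults to `echo ipfw`, so it only prints the commands, and the skipto-to-fwd layout is my assumption about how to keep the fwd action off the inbound half of a stateful flow.

```shell
#!/bin/sh
# Added example, not from the thread.  Dry run by default: IPFW prints the
# commands instead of loading them.  All names and addresses are placeholders.
IPFW="${IPFW:-echo ipfw}"
PIF1="${PIF1:-fxp0}"; ISP1_GW="${ISP1_GW:-192.0.2.1}"      # default route points here
PIF2="${PIF2:-fxp1}"; ISP2_GW="${ISP2_GW:-198.51.100.1}"   # half of new flows are steered here
PROBE="${PROBE:-ping -c 1 -t 2}"          # FreeBSD ping; PROBE=true/false for testing

# Share matched by the last of several `prob` rules placed one after another on
# the same traffic: every earlier rule already consumed its share (0.5 0.5 -> 0.25).
effective_share() {
    awk -v l="$*" 'BEGIN { n = split(l, p, " "); r = 1
        for (i = 1; i < n; i++) r *= 1 - p[i]; printf "%.4f\n", r * p[n] }'
}

load_rules() {
    $IPFW -q -f flush
    # Packets of an already seen flow inherit the action of the rule that created
    # the state, so check-state comes first and steering is decided per flow.
    $IPFW -q add 100 check-state
    # Set 1 (normal): half of the new outbound TCP flows take the fwd path at 1000.
    $IPFW -q add 200 set 1 prob 0.5 skipto 1000 tcp from any to any out xmit "$PIF1" setup keep-state
    $IPFW -q add 210 set 1 allow tcp from any to any out xmit "$PIF1" setup keep-state
    # Set 2 (ISP2 down): every flow stays on the default route.
    $IPFW -q add 200 set 2 allow tcp from any to any out xmit "$PIF1" setup keep-state
    # Set 3 (ISP1 down): every flow takes the fwd path.
    $IPFW -q add 200 set 3 skipto 1000 tcp from any to any out xmit "$PIF1" setup keep-state
    $IPFW -q add 300 allow ip from any to any       # the real filtering/NAT rules go here
    # 1000: reached only by skipto.  Outbound packets of the flow are handed to
    # ISP2's gateway; inbound packets of the same flow are only allowed, not fwd'ed.
    $IPFW -q add 1000 fwd "$ISP2_GW" ip from any to any out xmit "$PIF1"
    $IPFW -q add 1010 allow ip from any to any
    $IPFW -q set disable 2 3                        # only set 1 is active at start
    # Pipes are configured outside the ruleset, so no rule number.
    $IPFW -q pipe 1 config bw 1Mbit/s
}

# Probe both gateways, choose a set, and switch with one atomic `set` command.
select_set() {
    if $PROBE "$ISP1_GW" >/dev/null 2>&1; then up1=1; else up1=0; fi
    if $PROBE "$ISP2_GW" >/dev/null 2>&1; then up2=1; else up2=0; fi
    case "$up1$up2" in
        11) ACTIVE_SET=1; others="2 3" ;;   # both links fine: balance
        10) ACTIVE_SET=2; others="1 3" ;;   # ISP2 unreachable: default route only
        *)  ACTIVE_SET=3; others="1 2" ;;   # ISP1 unreachable (or both): fwd everything
    esac
    $IPFW -q set disable $others enable "$ACTIVE_SET"
}
if [ "$1" = load ]; then load_rules && select_set; fi   # e.g. IPFW=ipfw ./lb.sh load
```

Run `select_set` from cron to re-evaluate the links; as the reply says, confirm with `ipfw -d show` that the dynamic rules and counters move the way you expect.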
