Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 9 Nov 2004 08:39:58 +1100
From:      LD <>
To:        Pawel Malachowski <>
Subject:   Re: Help: Load Balancing 2 external connections
Message-ID:  <>
In-Reply-To: <>
References:  <> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Hi Pawe=A9=A9,

Thanks for your explanations. If I can bother you some more...

On 09/11/2004, at 7:36 AM, Pawel Malachowski wrote:

> On Tue, Nov 09, 2004 at 05:45:11AM +1100, LD wrote:
>> My Questions are:
>> a) Do I need any specific kernel options? i.e., features that aren't
>> available otherwise through dynamic loading.
> Using divert requires IPDIVERT option (loadable version of divert is
> in very fresh sources only), which is not in GENERIC I guess.
> Both ipfw and dummynet can be loaded from modules.
> Warning: ipfw default policy is to block all traffic so be careful =
> loading it remotly. :)

That won't be a problem as I'll be at the machine.

>> b) I'd like to make the whole thing transparent to the internal
>> network. i.e., internal computers nameserver references are to the
>> gateway (rather than isp) which then translates such requests to the
>> appropriate nameserver(s) of the relevant isp according to which pipe
>> the request is sent through :-)
> That's obsolete. Set up your caching DNS server or allow to use
> nameservers of both upstream ISPs.

No worries.

>> b) I'm assuming that for the most part 'prob 0.5' will balance the=20
>> load
>> between two pipes to the external interfaces...but is there a better
>> scheme? Also guaranteeing that a complete conversation, once =
>> via an interface would continue through that interface...
> What You want is called `fwd'. Still, prob 0.5 will match 50% of=20
> packets,
> which are not TCP sessions, so it won't work this way. You want=20
> connection
> (flow) balancing. This may be hard to achieve. I would experiment with
> fwd rule with keep-state option.

Is my understanding correct that the following (placed before the fwd=20
rules) achieves that?
i.e., 'ipfw add check-state' placed prior to '<some fwd rule> setup=20

>> d) any other tricks of the trade?
> As said, this DNS stuff seems weird.
> Also fwd is not used.

Would you be able to show me a quick skeleton example of how you'd do=20
your script?

> Also prob 0.5 is not used properly (forst 50% will match 50%, second
> will match 50% of rest 50%, which gives 25%).

Ah, so second one should not have a prob so as to match the=20
remainder...of course (was too early in the morning).

> Try setting default route to one ISP and fwd 50% of flows from its
> interface to second ISP gateway.

Quick example?

> Note, by default pipe will accept packet (it won't be check against
> another rules). Same with fwd. Same with allow.
> I would suggest temporary resigning from blocking and dummynet stuff
> and just trying to create pure load-balancing. It will be hard enough.

The reason I went for the dummynet stuff (and hence got off track as=20
you've said) is that I'm wanting to test this out at home (where I=20
don't have 2 external connections or 3 network cards - but instead 2=20
network cards) prior to taking down the company network. So, how would=20=

you simulate this? Or what would you suggest?

> Always do `ipfw -d show' and look at rule counters to make sure that
> packets go as expected.

Okay, thanks.

> I would also look at ipf and pf firewalls, they have strong session
> handling, You may find one of them to be more easy to setup or even
> find some ready-to-use examples with google.

I will certainly have another look should this avenue fail...I just=20
liked the syntax/concept/integration of ipfw/dummynet.

I've spent a fair amount of time trying to get familiar with ipfw - so=20=

it'd be good if these things can be done through it...

Thanks for your assistance!

with regards,


Want to link to this message? Use this URL: <>