From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 11 13:02:42 2004
Return-Path: 
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C1D9F16A4CE for ; Thu, 11 Nov 2004 13:02:42 +0000 (GMT)
Received: from shellma.zin.lublin.pl (shellma.zin.lublin.pl [212.182.126.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5EC1E43D4C for ; Thu, 11 Nov 2004 13:02:42 +0000 (GMT) (envelope-from pawmal-posting@freebsd.lublin.pl)
Received: by shellma.zin.lublin.pl (Postfix, from userid 1018) id 1D24F347BA8; Thu, 11 Nov 2004 14:04:08 +0100 (CET)
Date: Thu, 11 Nov 2004 14:04:07 +0100
From: Pawel Malachowski
To: LD
Message-ID: <20041111130407.GC21054@shellma.zin.lublin.pl>
References: <5223CD88-31B6-11D9-838C-0005025E2371@yahoo.com.au> <20041108203616.GA21361@shellma.zin.lublin.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: 
User-Agent: Mutt/1.4.2i
cc: freebsd-ipfw@freebsd.org
Subject: Re: Help: Load Balancing 2 external connections
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Thu, 11 Nov 2004 13:02:42 -0000

On Tue, Nov 09, 2004 at 08:39:58AM +1100, LD wrote:
> >fwd rule with keep-state option.
>
> Is my understanding correct that the following (placed before the fwd
> rules) achieves that?
> i.e., 'ipfw add check-state' placed prior to ' setup
> keep-state'

Something like:

    # route add default ISP1
    ipfw add A check-state
    ...
    ipfw add B prob 0.5 fwd ISP2 ip from LAN to any out xmit ISP1 keep-state

(Haven't tried.)

Still, connection speed and direction may vary, so traffic on ISP1 and ISP2 may not be shared equally. It can't be helped.

I forgot to note that `fwd' requires yet another option in kernel config, IPFIREWALL_FORWARD.
There is another problem here: NAT. Outgoing packets have to be NAT-ed before they match the fwd rule. With natd, keep-state and prob should be moved from the fwd rule to the natd rule, and the fwd rule should match packets using their NAT-ed address. (Ouch, there is also a problem with prob: it is checked before keep-state is checked. We will try to work around this.) Incoming packets have to be un-NAT-ed before they touch the check-state rule.

So, it would be something like this:

    default gw is ISP1GW
    on ISP1 link, NAT to ISP1NATIP
    on ISP2 link, NAT to ISP2NATIP

    add divert NATD1 ip from any to any in recv ISP1
    add divert NATD2 ip from any to any in recv ISP2
    # we have private IPs now
    add check-state
    # If we have state, packets belong to a fwded flow, so jump to the count line
    # only packets without state are left here
    add prob 0.5 skipto X ip from LAN to any out xmit ISP1
    # prob matches before keep-state, try to work around
    # we have half of the new (not belonging to any flow) packets here
    add count ip from any to any keep-state
    # our workaround: create state for them, no prob here
    add divert NATD2 ip from LAN to any out xmit ISP1
    # pass outgoing to NATD2 so they will be fwded to ISP2 later
    add fwd ISP2GW ip from ISP2NATIP to any out xmit ISP1
    # redirect ISP2 traffic from ISP1 to ISP2 link
    # theoretically, what we have left here is:
    # traffic in recv ISP2, after un-NATing, with state (jumped from check-state)
    add X divert NATD1 ip from any to any out xmit ISP1
    # another 50% of flows is left via ISP1
    # traffic to ISP1 goes via default route, so do nothing

This is written from scratch, untested and may not work, don't blame me. ;)

--
Paweł Małachowski
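The ruleset sketched in the message above, rendered as a script so it can be reviewed before it is loaded. This is an added example, not the poster's own script, and it is just as untested against a real ipfw kernel as the sketch. All site-specific values (the LAN prefix, the two ISP interfaces, the ISP2 gateway and NAT address, the two natd divert ports, the rule numbers and the skipto target X) are assumed placeholders chosen for the example; the gateway and NAT addresses use documentation ranges. It renders the rules in the order the message describes (NAT in-diverts, check-state, the prob/skipto split, the keep-state count rule, the ISP2 out-divert and fwd, then the ISP1 out-divert at X), and adds the one check ipfw itself insists on: a skipto target must be numbered above the rule that jumps to it.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): render the dual-ISP
# natd + fwd ruleset as numbered ipfw rules. Default mode prints them;
# "apply" mode loads them with ipfw(8) after a sanity check.

# Assumed site values (placeholders; override via the environment).
LAN=${LAN:-192.168.0.0/24}
ISP1=${ISP1:-fxp0}                 # interface to ISP1; default route goes here
ISP2=${ISP2:-fxp1}                 # interface to ISP2
ISP2GW=${ISP2GW:-198.51.100.1}     # ISP2 gateway (documentation address)
ISP2NATIP=${ISP2NATIP:-198.51.100.2}  # address natd #2 translates to
NATD1=${NATD1:-8668}               # divert port of natd bound to ISP1
NATD2=${NATD2:-8669}               # divert port of natd bound to ISP2
PROB=${PROB:-0.5}                  # share of new flows sent to ISP2
X=${X:-1000}                       # skipto target for the ISP1 half

# Print the ruleset in the order the post lays out. Rule numbers are
# assumed; only their relative order (and X being last) matters.
gen_rules() {
    cat <<EOF
add 100 divert $NATD1 ip from any to any in recv $ISP1
add 110 divert $NATD2 ip from any to any in recv $ISP2
add 200 check-state
add 300 prob $PROB skipto $X ip from $LAN to any out xmit $ISP1
add 310 count ip from any to any keep-state
add 320 divert $NATD2 ip from $LAN to any out xmit $ISP1
add 330 fwd $ISP2GW ip from $ISP2NATIP to any out xmit $ISP1
add $X divert $NATD1 ip from any to any out xmit $ISP1
EOF
}

# ipfw only lets skipto jump forward: the target must be greater than the
# number of the rule carrying the skipto. Returns 0 when the rendered
# ruleset satisfies that, 1 otherwise.
skipto_ok() {
    gen_rules | awk '
        /skipto/ { cur = $2; for (i = 1; i <= NF; i++) if ($i == "skipto") tgt = $(i + 1) }
        END { exit !(tgt + 0 > cur + 0) }'
}

# Number of rules rendered (handy for a quick eyeball against ipfw show).
rule_count() {
    gen_rules | grep -c '^add '
}

case "${1:-print}" in
    print)
        gen_rules
        ;;
    apply)
        skipto_ok || { echo "skipto target X=$X must be above rule 300" >&2; exit 1; }
        tmp=$(mktemp) || exit 1
        gen_rules > "$tmp"
        ipfw -q "$tmp"       # load the rendered rules; requires IPFIREWALL_FORWARD for fwd
        rm -f "$tmp"
        ;;
    *)
        echo "usage: $0 [print|apply]" >&2
        exit 2
        ;;
esac
```

Run it without arguments to see the rules and compare them against the sketch before anything touches the kernel; the example assumes two natd instances are already listening on the two divert ports, one per ISP address, and a default route pointing at ISP1.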