
Re: OpenBSD-3.3 + PF Load Balancing.



On Wed, 2003-08-20 at 21:53, Hugo Villeneuve wrote:
> On Wed, Aug 20, 2003 at 09:19:57PM -0400, Jason Dixon wrote:
> > On Wed, 2003-08-20 at 20:59, Javier OpenBSD BSDRLZ . wrote:
> > > Hello Listers :
> > > 
> > > I want to route two networks (NET-1=192.168.30.0/24, NET-2=192.168.31.0/24)
> > > through two different ISP connections: if packets come from 192.168.30.0/24 they should
> > > be routed via ISP-1, and packets from the other net (NET-2) via ISP-2 ......
> > 
> > # macros
> > ext_if_A="fxp0"  # or whatever your first interface is
> > ext_if_B="fxp1"  # ditto here
> > lan_if_A="fxp2"  # ditto
> > lan_if_B="fxp3"  # ditto
> > 
> > # nat rules
> > nat on $ext_if_A from $lan_if_A:network to any -> ($ext_if_A)
> > nat on $ext_if_B from $lan_if_B:network to any -> ($ext_if_B)
> 
> This is not sufficient. You will end up sending packets from the
> IP of the second ISP onto the default ISP's network.
> 
> You can end up with 2 results:
> 1- the default ISP doesn't care and routes IPs it doesn't own. Packets
> from the second ISP's IP will go out through the default ISP and replies
> will come back via the second ISP. This will seem to work but it is
> wrong.
> 
> 2- your default ISP cares and drops all traffic from IPs it doesn't
> own. This will not work at all.
> 
> 
> When using 2 ISPs, you must use the reply-to and route-to statements
> in each block/pass rule you have. (There's nothing special
> to do for the default ISP.)
> 
> For example, on every block/pass in rule on the second ISP interface, you add
> "reply-to $secondisp_if".
> 
> And then, you need to catch, on the default ISP interface, what
> should go out on the second ISP. Like:
> 
> pass out on $defaultisp_if route-to $secondisp_if from $secondisp_if to any keep state

All of this is correct, assuming he has incoming traffic.  Based on his
original description (granted, it was lacking in detail), I can only
assume he's only using the two pipes for outgoing traffic.  If this is
the case, he doesn't need to track incoming packets with route-to or
reply-to.

If I'm wrong, please let me know.

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
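For reference, here is a complete pf.conf in OpenBSD 3.3 syntax (separate nat rules, keep state on every pass rule) that puts the pieces from this thread together: the two nat rules from Jason's reply, route-to for NET-2's outbound traffic, and reply-to on the rules that accept connections on ISP-2's link. This is an added example written for this page, not a configuration posted by anyone in the thread. The interface names, the ISP-2 gateway address (203.0.113.1, from the documentation range) and the single inbound service (ssh) are assumptions.

```pf
# Added example, not from the thread: OpenBSD 3.3-era pf.conf for two LANs
# and two ISPs. Interface names, the ISP-2 gateway and the inbound port
# (ssh) are assumptions for illustration.

ext_if_A="fxp0"          # link to ISP-1; the kernel default route points here
ext_if_B="fxp1"          # link to ISP-2
lan_if_A="fxp2"          # NET-1, 192.168.30.0/24
lan_if_B="fxp3"          # NET-2, 192.168.31.0/24
isp_B_gw="203.0.113.1"   # ISP-2 next hop (assumed, documentation prefix)

# Each LAN is translated to the address of its own ISP link.
# The nat rule for ISP-2 only fires for packets that actually leave on
# $ext_if_B, so NET-2 traffic has to be steered there first (see below).
nat on $ext_if_A from $lan_if_A:network to any -> ($ext_if_A)
nat on $ext_if_B from $lan_if_B:network to any -> ($ext_if_B)

block log all

# NET-1 simply follows the default route; stateful pass rules are enough.
pass in  on $lan_if_A from $lan_if_A:network to any keep state
pass out on $ext_if_A keep state

# NET-2 must be taken off the default route. route-to hands the packet to
# ISP-2's link and gateway, and only then does the ISP-2 nat rule see it.
# Without this the packet would leave on $ext_if_A with a 192.168.31.x source.
pass in  on $lan_if_B route-to ($ext_if_B $isp_B_gw) \
    from $lan_if_B:network to any keep state
pass out on $ext_if_B keep state

# Connections that arrive on ISP-2's link must be answered on that link;
# reply-to on the pass in rule does that. Otherwise the replies would leave
# via ISP-1 carrying ISP-2's address (cases 1 and 2 in Hugo's message).
# If ISP-2 assigns its address dynamically, reload the ruleset on change.
pass in on $ext_if_B reply-to ($ext_if_B $isp_B_gw) \
    proto tcp from any to $ext_if_B port 22 flags S/SA keep state

# Replies from ISP-1's own address already follow the default route.
pass in on $ext_if_A proto tcp from any to $ext_if_A port 22 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. To confirm the split is working, open a connection from a NET-2 host and look at `pfctl -s state`: the translated entry for it should carry ISP-2's address, and `tcpdump -ni fxp1` should show the packets leaving on ISP-2's link rather than on the default-route interface.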
