Re: pf address pools

On Fri, 29 Nov 2002, Stefan Sonnenberg-Carstens wrote:

> So, do you think it might be better to use ipfilter than pf on OpenBSD in
> that case?

This feature ("round-robin sticky") is not in ipfilter 3.4.30 (released
this week), so it's only available in ipfilter 4.0 alpha.

To implement sticky balancing across multiple subnets you have to remember
which address was used for which client source address. The cost of this
is memory and time to search through it.

Calculating a hash is much easier, but you don't have the flexibility of
redirecting across multiple subnets.

> And the next question is, is it useful to have a wide spread (more than one
> IP subnet) servers to do load-balancing on?
> After all, that is a feature the BigIP supports, and I know that
> at least www.heisse.de is using this to implement complete redundancy
> by location separated servers.

Then where would you put your load balancing machine? Round-robin DNS is
much easier to accomplish this.

I think most other solutions want the servers in the same subnet.
For instance if you want to do "Virtual Server via Direct Routing" (the Linux
Virtual Server project calls it this way), the servers need to be on the
same subnet: http://www.linuxvirtualserver.org/VS-DRouting.html

BTW this technique is much better than a Virtual Server via NAT, because
only the request needs to pass through the load balancer, while the reply
does not.

> ----- Original Message -----
> From: "Darren Reed" <[email protected]>
> To: "Jedi/Sector One" <[email protected]>
> Cc: <[email protected]>
> Sent: Friday, November 29, 2002 9:53 AM
> Subject: Re: pf address pools
> > In some mail from Jedi/Sector One, sie said:
> > >
> > > On Thu, Nov 28, 2002 at 11:59:37PM +0000, Ryan McBride wrote:
> > > > rdr on $ext_if from any to $public_ip port 80 -> \
> > > > source-hash
> > >
> > >   As a side note, source-hash (a feature called 'sticky balancing' on some
> > > hardware load balancers) is very useful for web servers with PHP because:
> > >
> > >  - by default, PHP saves sessions in local files.
> > >  - to speed up things, it's also possible to use shared memory.
> > >  - poorly written PHP scripts (those that customers like to install) like to
> > > create temporary files in /tmp.
> > >
> > >   Without sticky balancing, a typical syndrome is that users have to
> > > re-authenticate several times while browsing a web site.
> >
> > Well I don't think the above is a good implementation of sticky
> > load balancing because it confines your destination IP addresses
> > to be a single subnet mask range.
> >
> > I did sticky redirection for IPFilter last month, I think, and that
> > implementation does not have this problem.  More importantly, the
> > stickiness can be mixed with any other redirection options.
> >
> > If routers use the above for stickiness then said routers suck, IMHO.
> >
> > Darren

Dries Schellekens
email: [email protected]
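
The trade-off discussed in this message, as an added example that is not part of the original mail and is not pf or ipfilter code: a stateless source hash confined to one address block, beside a sticky round-robin table that accepts backends in any subnet but keeps one entry per client. SHA-256 stands in for whatever hash a real implementation uses; the function and class names, the key, the table bound and the addresses (documentation ranges) are constructed for illustration.

```python
import hashlib
import ipaddress
from collections import OrderedDict


def source_hash(client, pool_cidr, key=b"constructed-key"):
    """Stateless: hash the client address into a single CIDR block.

    Assumption: every address in the block is a pool member.
    """
    net = ipaddress.ip_network(pool_cidr)
    digest = hashlib.sha256(key + ipaddress.ip_address(client).packed).digest()
    offset = int.from_bytes(digest[:8], "big") % net.num_addresses
    return str(net[offset])


class StickyRoundRobin:
    """Stateful: arbitrary backend list, one table entry per client address."""

    def __init__(self, backends, max_entries=10000):
        self.backends = list(backends)
        self.max_entries = max_entries  # bound on the memory cost
        self.table = OrderedDict()      # client -> backend, oldest first
        self.next_index = 0

    def pick(self, client):
        if client in self.table:
            self.table.move_to_end(client)  # refresh the entry on reuse
            return self.table[client]
        backend = self.backends[self.next_index % len(self.backends)]
        self.next_index += 1
        self.table[client] = backend
        if len(self.table) > self.max_entries:
            # Evict the oldest entry; that client loses its stickiness.
            self.table.popitem(last=False)
        return backend


if __name__ == "__main__":
    # Constructed sample input: three backends in three different subnets.
    lb = StickyRoundRobin(["192.0.2.10", "198.51.100.20", "203.0.113.30"])
    for src in ["10.0.0.1", "10.0.0.2", "10.0.0.1"]:
        print(src, "hash ->", source_hash(src, "192.0.2.8/30"),
              "| sticky ->", lb.pick(src))
```

Without the `max_entries` bound the table grows with the number of distinct source addresses seen, which is the memory and lookup cost the message refers to.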