[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Load balancing DHCP (dsl and cable)

Em Ter, 2004-09-28 às 02:00, Matt Sellers escreveu:
> B.  Can I staticly route any ports/protocols over a certain interface
> from NAT?
	Yes, you can. Just add some port/host constraint to your "pass in on
$int_if" rules. Ex.:
pass in on $in_if route-to ($ext_if1 $ext_gw1) \
    proto tcp from $int_if:network to any port 5190 flags S/SA modulate
> C.  Does gasp *linux* or any other open-source packet filter have
> better more powerfull options for this type of situation?
	No, it doesn't. PF RULEZ!! :)
	It tried to work with iptables once... I really regret that... 
> D.  This is broken why?  :-(
	Humm.. correct me if I'm wrong, but seems that you are using only two
	LAN <-----> SWITCH <-----> FIREWALL <-----> CABLE
	              ^---------------------------> DSL MODEM
	If I guessed right, the above diagram should match your network. You
don't need to do NAT for both connection. It's only necessary to send
the traffic back to the DSL modem. A third interface in the firewall
would make your task a lot easier (I have a similar setup at work).
> #  nat outgoing connections on each internet interface
> nat on $ext_if1 from $lan_net to any -> ($ext_if1)
> nat on $ext_if2 from $lan_net to any -> ($ext_if2)
	Remove the second rule. Like I said, you don't need it.
#  pass in quick any packets destined for the gateway itself
> pass in quick on $int_if from $lan_net to $int_if
	Minor mistake.. Add parenthesis to specify the interface address.
	pass in quick on $int_if from $lan_net to ($int_if)
> #  load balance outgoing tcp traffic from internal network. 
> pass in on $int_if route-to \
>     { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
>     proto tcp from $lan_net to any flags S/SA modulate state
> #  load balance outgoing udp and icmp traffic from internal network
> pass in on $int_if route-to \
>     { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
>     proto { udp, icmp } from $lan_net to any keep state
	Those rules are ok!
> #  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
> #  $ext_if2 and $ext_gw2
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any 
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any 
	I think you don't need those.. I can't understand what they do..