
Re: Load balancing DHCP (dsl and cable)



Hey guys.... network diagram as such:
The firewall has three interfaces (re0 = cable) (fxp0 = dsl) (bge0 =
10.0.0.0/24). NOTE: Both cable and DSL are DHCP so I'm kind of confused
when some rules require an upstream gateway as an argument.  I can
usually get this by DHCP'ing and seeing what my default route is for
each interface, but this is a pain.
Which leads me to this: how can I have multiple routes and DHCP leases
without overwriting my default route on the firewall?  Every time a new
DHCP lease comes in I get a new default route; it took me a while to
figure that out.  I assume that this can be set in dhclient.conf
options, but I don't see anything.
When I did use the above script I was able to have very WEIRD web
browsing behaviour (and I did modify my DSL gateway to one listed on
the modem).   I'm going to set that modem into an ethernet bridge mode
to see if that alleviates things.
Regardless.. can anybody point out any more documentation of this
setup?  Or maybe a few more pointers; I still feel like I'm flying
blind here.  I'll be sure to post my well documented results on a
website when I'm done, for I can't find ANY material out there that
lends a hand to something that more than I probably would like to do.
And yes, I love PF more than anything in the world... I've seen better
documentation under linux/iptables for this exact setup.
Mr Camargo ... if you don't mind, could you mail me your setup so I can
see a reference of what's going on?  Or does anybody have an example of
just doing round-robin stateful usage of two DHCP connections?
Thanks!
Matt Sellers
indigoblu (at) gmail.com
On Tue, 28 Sep 2004 21:49:21 -0300, Tiago Pierezan Camargo
<[email protected]> wrote:
> On Tue, 2004-09-28 at 02:00, Matt Sellers wrote:
> 
> > B.  Can I staticly route any ports/protocols over a certain interface
> > from NAT?
> 
>         Yes, you can. Just add some port/host constraint to your "pass in on
> $int_if" rules. Ex.:
> 
> pass in on $int_if route-to ($ext_if1 $ext_gw1) \
>     proto tcp from $int_if:network to any port 5190 flags S/SA modulate state
> 
> > C.  Does gasp *linux* or any other open-source packet filter have
> > better more powerfull options for this type of situation?
> 
>         No, it doesn't. PF RULEZ!! :)
>         It tried to work with iptables once... I really regret that...
> 
> > D.  This is broken why?  :-(
> 
>         Humm.. correct me if I'm wrong, but seems that you are using only two
> interfaces..
> 
>         LAN <-----> SWITCH <-----> FIREWALL <-----> CABLE
>                       ^---------------------------> DSL MODEM
> 
>         If I guessed right, the above diagram should match your network. You
> don't need to do NAT for both connection. It's only necessary to send
> the traffic back to the DSL modem. A third interface in the firewall
> would make your task a lot easier (I have a similar setup at work).
> Anyway...
> 
> > #  nat outgoing connections on each internet interface
> > nat on $ext_if1 from $lan_net to any -> ($ext_if1)
> > nat on $ext_if2 from $lan_net to any -> ($ext_if2)
> 
>         Remove the second rule. Like I said, you don't need it.
> 
> > #  pass in quick any packets destined for the gateway itself
> > pass in quick on $int_if from $lan_net to $int_if
> 
>         Minor mistake.. Add parenthesis to specify the interface address.
>         pass in quick on $int_if from $lan_net to ($int_if)
> 
> > #  load balance outgoing tcp traffic from internal network.
> > pass in on $int_if route-to \
> >     { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
> >     proto tcp from $lan_net to any flags S/SA modulate state
> > #  load balance outgoing udp and icmp traffic from internal network
> > pass in on $int_if route-to \
> >     { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
> >     proto { udp, icmp } from $lan_net to any keep state
> 
>         Those rules are ok!
> 
> > #  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
> > #  $ext_if2 and $ext_gw2
> > pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> > pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
> 
>         I think you don't need those.. I can't understand what they do..
> 
>         Tiago
> 
>
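The thread leaves open how to fill in $ext_gw1/$ext_gw2 when both uplinks get their gateway from DHCP. The script below is an added example (not from either poster) that reads each uplink's dhclient lease file instead of the kernel default route and hands the gateways to pf as macros via pfctl -D. It assumes the OpenBSD lease file layout /var/db/dhclient.leases.<ifname> and the interface names re0 (cable) and fxp0 (DSL) from Matt's mail; the sample lease text is constructed.

```shell
#!/bin/sh
# Added example: derive each uplink's DHCP-assigned gateway from its dhclient
# lease file and define the $ext_gw1/$ext_gw2 macros used by the route-to rules,
# so the rules do not depend on which lease last overwrote the default route.

# Print the first "option routers" address of the most recent lease on stdin.
# dhclient appends leases to the file, so the last match wins; a trailing ';'
# or ',' (multiple routers) is stripped.
lease_gateway() {
    awk '/option routers/ { gw = $3; sub(/[;,]$/, "", gw) }
         END { if (gw != "") print gw }'
}

# Read the lease file for one interface (assumed OpenBSD path layout).
iface_gateway() {
    lease_gateway < "/var/db/dhclient.leases.$1"
}

# Constructed sample lease text in dhclient's lease-file shape: two leases
# for re0, the second (newer) one carrying a different gateway.
SAMPLE_LEASE='lease {
  interface "re0";
  fixed-address 24.1.2.3;
  option subnet-mask 255.255.255.0;
  option routers 24.1.2.1;
}
lease {
  interface "re0";
  fixed-address 24.1.2.3;
  option routers 24.1.2.254;
}'

# Reload pf.conf with both gateway macros defined; refuse to load if either
# uplink has no lease yet, rather than loading rules with an empty gateway.
reload_pf() {
    gw1=$(iface_gateway re0) || return 1
    gw2=$(iface_gateway fxp0) || return 1
    if [ -z "$gw1" ] || [ -z "$gw2" ]; then
        echo "reload_pf: missing lease gateway (re0='$gw1' fxp0='$gw2')" >&2
        return 1
    fi
    pfctl -D "ext_gw1=$gw1" -D "ext_gw2=$gw2" -f /etc/pf.conf
}
```

Run reload_pf after each lease renewal (for example from cron or after dhclient restarts); it does not change how dhclient itself installs a default route, which is a separate dhclient.conf question the thread does not settle.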