
Re: Load balancing DHCP (dsl and cable)
On Tue, 2004-09-28 at 22:10, Matt Sellers wrote: 
> Which leads me to this: how can I have multiple routes and DHCP leases
> without overwriting my default route on the firewall.  Every time a new
> DHCP lease comes in I get a new default route, took me a while to
> figure that out.  I assume that this can be set in dhclient.conf
> options, but I don't see anything.
	Do you really need two default routes? You can use route-to to do all
the routing. The default route is only used for traffic originated from
the firewall itself (proxies, local access). If the default route
problem really bothers you, put a static ip on or try Gragnak's
suggestion.
	Remy pointed out the main problem with your ruleset: 
	> ext_if2 = "bge0"  # this should be fxp0 ?!
	My setup is a bit complicated. So let's assume that you want to use dsl
by default and use cable for ssh and smtp.
int_if   = "bge0"
cable_if = "re0"
dsl_if   = "fxp0"
lan_net  = "192.168.1.0/24"  # placeholder: your LAN subnet (macro was missing)
cable_gw = "24.148.37.1"  # default route on last dhcp renewal.
dsl_gw   = "192.168.0.1"  # default route for this connection is my dsl
#  nat outgoing connections on each internet interface
nat on $cable_if from $lan_net to any -> ($cable_if)
nat on $dsl_if from $lan_net to any -> ($dsl_if)
#  default deny
block in  from any to any
block out from any to any
#  pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to ($int_if)
#  pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net
# let me change your setup to make things easier
# we use the pass in on $int_if to route the packet to the
# desired interface/gateway.
# default route -> dsl
pass in on $int_if route-to ($dsl_if $dsl_gw) \
    proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to ($dsl_if $dsl_gw) \
    proto { udp, icmp } from $lan_net to any keep state
# ssh, smtp -> cable (last matching rule wins, so this overrides the dsl rule)
pass in on $int_if route-to ($cable_if $cable_gw) \
    proto tcp from $lan_net to any port { 22, 25 } \
    flags S/SA modulate state
# general pass out rules (packets are already routed, no route-to needed)
pass out on $dsl_if proto tcp from any to any flags S/SA modulate state
pass out on $dsl_if proto { udp, icmp } from any to any keep state
pass out on $cable_if proto tcp from any to any flags S/SA modulate state
pass out on $cable_if proto { udp, icmp } from any to any keep state
	I did not test these rules but they should work without major
modifications. Let me know if you need further help.
	Tiago
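An added example, not part of the thread and not Tiago's or Matt's code: the ruleset above hard-codes cable_gw, which goes stale on every DHCP renewal. This script reads the router from the cable link's dhclient lease file and reloads pf with the cable_gw macro overridden via pfctl -D, so the route-to rules follow the lease while the system default route stays on dsl. The lease-file path (/var/db/dhclient.leases.re0), the pf.conf path and the sample lease are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Reads the cable link's current DHCP
# lease and reloads pf with cable_gw overridden (pfctl -D macro=value), so
# route-to keeps working across renewals without touching the default route.
# Lease-file and pf.conf paths are assumptions; adjust for your box.

LEASE_FILE="${LEASE_FILE:-/var/db/dhclient.leases.re0}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# dhclient appends each lease to the file, so the last "option routers"
# seen is the current gateway. Strips the trailing ';' (or ',' when the
# server hands out several routers; only the first one is kept).
lease_gateway() {
    awk '/option routers/ { gsub(/[;,]/, "", $3); gw = $3 }
         END { if (gw != "") print gw }' "$1"
}

# Refuse anything that is not a dotted quad before it reaches pf.conf.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Build the reload command; -D overrides the cable_gw macro in pf.conf.
pf_reload_cmd() {
    printf 'pfctl -D cable_gw=%s -f %s\n' "$1" "$2"
}

# Validate the lease and print the reload command (run it as root).
update_cable_gw() {
    gw=$(lease_gateway "$1")
    is_ipv4 "$gw" || { echo "no usable router in $1" >&2; return 1; }
    pf_reload_cmd "$gw" "$2"
}

# Constructed sample lease (not a real capture) so the script runs offline.
make_sample_lease() {
    f=$(mktemp) && cat > "$f" <<'EOF' && echo "$f"
lease {
  interface "re0";
  fixed-address 24.148.37.200;
  option subnet-mask 255.255.255.0;
  option routers 24.148.37.1;
  renew 2 2004/09/28 22:10:00;
}
EOF
}

update_cable_gw "$(make_sample_lease)" "$PF_CONF"
```

On a live box point LEASE_FILE at the real lease file (or call update_cable_gw from wherever your dhclient runs post-lease actions) and pipe the printed command into sh.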