
Re: transparent squid and load balancing outgoing traffic



From what I could understand, the tcp_outgoing_address is only really used
if you are not doing NAT on the external connections, right?

If that is the case, the proposed rule will never be matched, and the web
traffic will only go through the default outbound interface, bypassing the
load-balance policy.

Is my understanding correct?

Regards,

ebl

On Wed, 26 Jan 2005, Emilio Lucena wrote:
> Kevin,
> 
> First of all, thanks for your help.
> 
> 
> On Tue, 25 Jan 2005, Kevin wrote:
> 
> > Can you provide more information on your load-balancing configuration,
> > specifically on what the two external interfaces are connected through?
> > Are you doing any NAT?
> 
> Yes .. we are doing NAT.
> 
> lan_net=$int_if:network
> 
> nat on $ext_if1 from $lan_net to any -> ($ext_if1)
> nat on $ext_if2 from $lan_net to any -> ($ext_if2)
> 
> Also, we are redirecting web traffic to the firewall where squid runs.
> 
> rdr on $int_if inet proto tcp from $lan_net to any port www -> 127.0.0.1 port 3128
> 
> The external interfaces are connected to a cable Internet connection and 
> an ADSL Internet connection.
> 
> > I think this line should read:
> > pass in quick on $int_if inet proto tcp from $int_net to ($int_if) port=3128 keep state
> 
> Daniel's setup for transparent squid tells us to use the rule I mentioned.
> 
> > If you set tcp_outgoing_address to an alias IP on $int_if, you could try this:
> >     pass out route-to \
> >         { ($ext_if1 <gws_if1>) , ($ext_if2 <gws_if2>) }  round-robin \
> >         inet proto tcp from $squid_ip to any flags S/SA modulate state
> > 
> 
> Thanks ... I will try this and see if it works.
> 
> > Depending on how your inbound traffic is load-balanced, you might not need to
> > do any tricks, as 99.99% of the squid-related traffic is going to be downloads,
> > limiting the need to load-balance outbound -- the exception being if you are
> > using NAT to rewrite outbound sessions to be sourced with a different ext_if
> > interface address to force reply traffic to come back the same path it went out?
> 
> This is how I am doing inbound load balance:
> 
> # Internal services on the LAN
> 
> pass in log on $ext_if1 from any to $intweb tag from_ef1 keep state
> pass in log on $ext_if2 from any to $intweb tag from_ef2 keep state
> 
> # packets for the internal webserver
> 
> pass out log on $int_if reply-to ($ext_if1 $gw_if1) \
>      from any to $intweb tagged from_ef1 keep state
> pass out log on $int_if reply-to ($ext_if2 $gw_if2) \
>      from any to $intweb tagged from_ef2 keep state
> 
> Regards,
> 
> ebl
>