[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

transparent squid and load balancing outgoing traffic REVISITED



Hi there,
On Thu, 27 Jan 2005, Daniel Hartmeier wrote:
> Instead of using route-to on $int_if, you can let connections go out
> through the one interface to the default gateway, and use route-to on a
> 'pass out on $ext_if1' rule to re-route the outgoing connection to
> another interface. Packets will 'try' to get out on the default
> interface, but re-routing occurs before they are actually sent out
> through the interface.
> 
>   pass out on $ext_if1 route-to { ($ext_if1 $gwy_if1), \
> 	($ext_if2 $gwy_if2) } round-robin ... keep state
> 
> Where $ext_if1 is the interface to your default gateway, where all
> connections will go out through by default. Half of them will be
> re-routed out on $ext_if2, and half will go out throuh $ext_if1.
> 
> You'd use the same construct if you wanted to load-balance outgoing
> connections opened by the firewall itself (say, a DNS server there),
> which don't arrive in on any interface at all.
> 
What I noticed when I followed your suggestion was that PF is indeed 
trying to load balance the outgoing traffic. The trouble is that the 
packets sent out through the second (not the default) external interface 
have the source IP address of the default interface. And for that reason, 
they get lost (or discarded by the ISP).
For example, in a setup where I have 
ext_if1:rl0 (default)
IP=200.177.74.209
GW=200.177.74.1
ext_if2:tun0 (vr0)
IP=201.9.168.157
GW=200.164.195.8
When I try to access the web from a client station behind my firewall, if 
the round-robin scheme chooses the default interface, then it all works 
fine. However, if it chooses the other interface, see what pflog shows:
Feb 10 19:50:00.960284 rule 26/0(match): pass out on tun0: 
  200.177.74.209.60024> 129.128.5.191.80: S 1008219106:1008219106(0) 
  win 65535 <mss 1460,nop,nop,sackOK> (DF)
and that can also be confirmed from the output of tcpdump on the vr0 
(tun0) interface:
Feb 10 19:50:07.522986 0:d:87:a3:99:94 0:3:e3:5d:d3:7 8864 70: 
  PPPoE-Session        code Session, version 1, type 1, id 0x1169, 
  length 50        IP: 200.177.74.209.60024 > 129.128.5.191.80: 
  S 1008219106:1008219106(0)
Rule 26 mentioned above is this:
pass out quick log-all on $ext_if1 route-to \
    { ($ext_if1 <gws_if1>) , ($ext_if2 <gws_if2>) } round-robin \
    inet proto tcp from any to any keep state
And the result is that the packet is discarded and the client request 
fails.
Did I miss something here?
Thanks a lot in advance.
Regards,
Emilio