
Re: pf load balancing



Lucas wrote:
I have done it this way, but still have some problems:

                 10.1.1.1 (M)
              |---gw1 ----- |LAN    --|      |            | - WAN
              |---gw2 ----- |                (10.1.1.1) (B)

gw2 just has a backup carp interface
gw1 is carp master with 10.1.1.1
NAT is running on both gateways with IP addresses ending in 4 and 5.

This will cause you problems. Assuming gw1 is the carp master, packets from 10.0.0.0/8 to the WAN will get NATed to 192.168.1.4. Now assume that gw2 becomes master. Packets coming back in from the WAN have a destination address of 192.168.1.4; gw2 knows nothing of this address. I'm not quite sure what would happen with outgoing packets that match states created when gw1 was master; they'd probably be passed through and continue to be NATed to 192.168.1.4. What eventually happens is that the flow will time out and the LAN client will retry the connection and succeed.
The solution is to create a separate carp group on the WAN side and nat all outbound connections to that VIP.

It's not exactly clear what you're trying to do. Are you still trying to load balance between 3 gateways? In other words, you have 3 OpenBSD routers/firewalls and you want to load balance traffic across them? carp will handle that without issue as long as it's configured properly. arpbalance is what you're looking for.
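As an added illustration of the fix described in this reply (a second carp group on the WAN side, with all outbound NAT pointed at that VIP), and not configuration from the original thread: the fragments below assume OpenBSD with em0 as the LAN interface, em1 as the WAN interface, the LAN VIP 10.1.1.1 from the diagram, and a made-up WAN VIP 192.168.1.1 (a placeholder; the thread only mentions the per-node addresses ending in .4 and .5). The passphrases are placeholders too.

```conf
# /etc/hostname.carp0 on gw1 -- LAN-side carp group, VIP 10.1.1.1.
# advskew 0 makes gw1 the preferred master; gw2 uses the same line
# with "advskew 100" so it only takes over when gw1 stops advertising.
inet 10.1.1.1 255.255.255.0 NONE vhid 1 advskew 0 carpdev em0 pass lansecret

# /etc/hostname.carp1 on gw1 -- separate WAN-side carp group.
# A different vhid from the LAN group, but the SAME advskew on each node,
# so whichever node is master for the LAN VIP is also master for the WAN VIP
# and therefore receives the return traffic for NATed flows.
inet 192.168.1.1 255.255.255.0 NONE vhid 2 advskew 0 carpdev em1 pass wansecret

# /etc/pf.conf fragment, identical on both gateways.
lan     = "em0"
wan     = "em1"
wan_vip = "192.168.1.1"

# Translate outbound LAN traffic to the shared WAN VIP, not to the node's
# own address (192.168.1.4 / .5); after a failover the new master still
# owns the address that replies are sent to.
match out on $wan inet from 10.0.0.0/8 to any nat-to $wan_vip

# carp advertisements must be allowed between the two nodes on both sides.
pass quick on $lan proto carp
pass quick on $wan proto carp
```

Two practical notes. First, set `sysctl net.inet.carp.preempt=1` on both nodes so that if one interface on the master fails, the node demotes itself on every carp group at once; otherwise gw1 can stay master on the LAN while gw2 holds the WAN VIP, which recreates the asymmetric problem described above. Second, the NAT states themselves still live only on the node that created them; the reply's point is that after a failover the retried connection succeeds, and that remains true here. If existing flows should survive the switch, pfsync(4) between the two nodes is the mechanism for that and is not shown. For the load-balancing question, the arpbalance feature the reply points to is configured on the LAN carp group in current OpenBSD as `carpnodes 1:0,2:100 balancing arp` in place of a single `vhid`/`advskew` pair.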