Hi,
I'm evaluating DSR with route to redirection on relayd on two carped boxes (kvm
VMs) with current.
Don't jump on me... The project is for a high volume download (http/ftp/rsync)
server (mostly mirror/isos, including OpenBSD) and it would be nice if the
streams do not get passed back through the load balancers.
The whole setup has another set of PF real boxes in front which is working fine.
I'm having a problem when I do the failover from active LB to backup LB.
pfsync is working fine. I see the sloppy state syncing to backup LB.
wget/browser download from http is able to recover but with a hiccup:
2017-05-25 11:33:28 (17.2 MB/s) - Read error at byte 31600632/2023751680 (Connection reset by peer). Retrying.
rsync fails completely after the failover to backup LB.
Of course this is not the case with forward instead of route to where LB/router
sees all the traffic.
I guess this might be normal since the LB does not see the whole connection,
but maybe there is a way to make it work.
My setup is like this:
relayd (on rdomain9):
redirect ftp-www {
        listen on $ftp_addr port http interface $ftp_if
        pftag RELAYD_ftp-www
        sticky-address
        route to <ftp> mode source-hash ftp check http "/foo.html" digest 9f50f9f6a6d05ebefd6e97b7444e51cc3aa3b8f7 interface vio1
}
pf:
pass quick on vio0 proto carp all keep state (no-sync)
pass quick on vio1 proto carp all keep state (no-sync)
pass quick on vio0 proto pfsync all keep state (no-sync)
anchor "relayd/*" all {
  anchor "ftp-rsync" all {
    pass in quick on vio1 on rdomain 9 inet proto tcp from any to $vip port = 873 flags any keep state (sloppy, tcp.established 600) tag RELAYD_ftp-rsync route-to <ftp-rsync>@vio1 source-hash 0xebfa1f07ddc8dc1f881b943a0a106721 sticky-address
  }
  anchor "ftp-www" all {
    pass in quick on vio1 on rdomain 9 inet proto tcp from any to $vip port = 80 flags any keep state (sloppy, tcp.established 600) tag RELAYD_ftp-www route-to <ftp-www>@vio1 source-hash 0xebfa1f07ddc8dc1f881b943a0a106721 sticky-address
  }
}
block drop all
pass out quick on vio0 from (vio0) to any flags S/SA keep state (no-sync)
pass out quick on vio1 from (vio1) to any flags S/SA keep state (no-sync)
match in all scrub (no-df random-id) #with or without
pass in quick from <admin> to any flags S/SA
block drop in log quick all
block drop out log quick all
Suggestions?
Thanks
Giannis
PS. I've read a couple of threads about this on the list, but I couldn't find a
positive answer.
PS2. tcpdump on pflog gives me wrong rule numbers when the relayd anchor is in
place, but this is another story.