On Wednesday, May 28, 2003, at 06:20 US/Pacific, ghost wrote:

> but my ICQ still can't log in to the ICQ server smoothly
> (sometimes I can, and sometimes I can't.)

> tcp 192.168.1.7:1271 -> 211.21.32.58:13770 -> 64.12.161.153:5190 TIME_WAIT:TIME_WAIT
> tcp 192.168.1.7:1276 -> 210.64.89.130:43488 -> 205.188.9.195:5190 TIME_WAIT:TIME_WAIT

It's still trying to use both gateways. The problem is the rule order,
I'll point it out below.

> 2. I set a rule for the FTP client to connect to the FTP site,

> I just can't link to ftp1:

> tcp 192.168.1.7:1135 -> ext_if1:62450 -> ftp_site_add1:21 ESTABLISHED:FIN_WAIT_2
> tcp 192.168.1.7:1137 -> ext_if2:28631 -> ftp_site_add1:36838 ESTABLISHED:ESTABLISHED

What is the FTP client (192.168.1.7) saying? Any error messages? It looks
like it's at least getting past the login stage. The load balancing may be
the problem here too. ftp-proxy may help or hurt this -- I've never done
this kind of configuration before.

> pass in all
> pass out all

BTW, you'll probably want to change these to "block" when you're done
working out the problems. Not sure if this was intentional or not :)

> # ICQ
>
> pass in on $int_if route-to ($ext_if1 $ext_gw1) round-robin proto tcp from $internal_net to any port 5190 flags S/SA modulate state

This rule needs to go under the route-to rules below. Remember, without
"quick", pf is last-match, so the next rules override this one. Also,
"round-robin" is not necessary here.

> # load balance outgoing tcp traffic from internal network.
>
> pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $internal_net to any flags S/SA modulate state
>
> # load balance outgoing udp and icmp traffic from internal network
>
> pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $internal_net to any keep state

> # rdr outgoing FTP requests to the ftp-proxy
> #rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8081
>
> pass in on $int_if proto tcp from $internal_net to 127.0.0.1 port 8081 flags S/SA keep state

This rule is only needed if you use the rdr rule for ftp-proxy.
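As an added illustration of the rule order described above (this fragment is not from the original thread; the macros $int_if, $ext_if1, $ext_gw1, $ext_if2, $ext_gw2 and $internal_net are assumed to be defined as in the poster's ruleset), the same rules with the ICQ rule placed after the load-balancing rules so that, under pf's last-match evaluation, it is the rule that wins for port 5190:

```pf
# Added example: ordering the rules for pf's default last-match evaluation.
# Macros are assumed to be defined earlier in pf.conf as in the poster's config.

# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $internal_net to any flags S/SA modulate state

# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $internal_net to any keep state

# ICQ: pin port 5190 to the first gateway only. This rule comes AFTER the
# round-robin rules, so it is the last rule matching port 5190 and therefore
# decides the route; round-robin is dropped since there is a single gateway.
pass in on $int_if route-to ($ext_if1 $ext_gw1) \
    proto tcp from $internal_net to any port 5190 flags S/SA modulate state

# Alternative if the ICQ rule has to stay above the load-balancing rules:
# "quick" stops evaluation at the first match, so the later rules no longer
# override it.
# pass in quick on $int_if route-to ($ext_if1 $ext_gw1) \
#     proto tcp from $internal_net to any port 5190 flags S/SA modulate state
```

After loading the ruleset, the state table (pfctl -s state) for port 5190 connections should show only the ext_if1 address as the translated source, which is a quick check that the ordering took effect.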
