Hello folks, I am setting up a transparent load balancing gateway for one of my networks. The network expects a lot of traffic with a lot of customers. So far, I have succeeded in doing so with only one problem. Persistent connections seem to disconnect after a while (no matter if they are active or not). I am using pf's route-to with round-robin. My sample pf.conf for the gateway is like this:
    set timeout tcp.first 120
    set timeout tcp.established 86400
    set timeout { adaptive.start 6000, adaptive.end 12000 }
    set limit states 20000
    set optimization conservative

    # Client internal interface
    clients_if = "fxp0"

    # Client internal network
    clients_net = "{ !172.16.2.1, !172.16.2.2, 172.16.2.0/24 }"

    # Backend servers
    be_servers = "{ 172.16.2.1, 172.16.2.2 }"

    # Our servers
    servers = "{ $be_servers, 172.16.2.3 }"

    # Load balancer, this machine
    load_bal = "172.16.2.3"

    # Pass all outgoing packets on internal interface
    pass out on $clients_if from any to $clients_net

    # Pass in quick any packets destined for the gateway itself
    pass in quick on $clients_if from $clients_net to $clients_if

    # Load balance incoming connections
    pass in on $clients_if route-to \
        { ($clients_if 172.16.2.1), ($clients_if 172.16.2.2) } round-robin \
        from $clients_net to any keep state

    pass out on $clients_if from any to any keep state

Before we discuss the problem: others have suggested that the network be split across several gateways, but this approach will not suffice. We need to be able to add as many backend gateways behind the load balancer as required; that is the aim of this.

This setup seems to work really well, with packets from the same connection going to the same gateway. The main problem can be illustrated if I use something like IRC or SSH. If any of the clients connects using either of the two protocols, after a while (the value increased when I increased the timeouts and set the optimization to conservative) the connection is simply dropped, and I register a "new" connection on my backend servers. For now, the backend servers are simply Linux boxen that do nothing except NAT anything to the internet. Later on, they are expected to shape bandwidth, limit ports, impose session limitations, etc.

Does anyone know why I am having those sudden drops in connections? Is there possibly a better way of doing this?
Perhaps using CARP (although that forces me to eliminate the Linux backends)? Thank you for your time!

Hisham.

--
Hisham Mardam Bey
MSc (Computer Science)
http://hisham.cc/
+9613609386
Codito Ergo Sum (I Code Therefore I Am)
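The following is an added example and not part of Hisham's post. It takes the `set timeout` and `set limit states` lines from the pf.conf above (copied here as embedded sample input) and applies the adaptive-timeout scaling documented in pf.conf(5): once the state table grows past adaptive.start, every timeout is multiplied by (adaptive.end - number of states) / (adaptive.end - adaptive.start), reaching zero at adaptive.end. With a busy network this scaling, not the nominal 86400-second tcp.established, is what decides when an idle SSH or IRC state is expired, so the script reports the effective timeouts at several state-table sizes. The parser is a minimal one written for this illustration (it handles only the `set timeout` / `set limit` forms shown) and the integer rounding mirrors the linear formula rather than any particular pf release's internals.

```python
import re

# Constructed sample input: the tuning lines from the pf.conf in the post.
SAMPLE_PF_CONF = """
set timeout tcp.first 120
set timeout tcp.established 86400
set timeout { adaptive.start 6000, adaptive.end 12000 }
set limit states 20000
set optimization conservative
"""


def parse_tuning(conf: str) -> dict:
    """Collect 'set timeout ...' and 'set limit states N' values into a dict.

    Both the single form ('set timeout tcp.first 120') and the braced list
    form ('set timeout { adaptive.start 6000, adaptive.end 12000 }') are
    accepted; comments after '#' are ignored.
    """
    values = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"set\s+(timeout|limit)\s+(.*)", line)
        if not m:
            continue
        body = m.group(2).strip().strip("{}")
        for item in body.split(","):
            parts = item.split()
            if len(parts) == 2 and parts[1].isdigit():
                values[parts[0]] = int(parts[1])
    return values


def adaptive_factor(states: int, start: int, end: int) -> float:
    """Linear scaling factor pf applies once the state count exceeds adaptive.start."""
    if states <= start:
        return 1.0
    if states >= end:
        return 0.0
    return (end - states) / (end - start)


def effective_timeout(name: str, states: int, tuning: dict) -> int:
    """Seconds an idle state of the given class survives at this table size.

    Integer arithmetic is used so the result is exact (rounded down).
    """
    base = tuning[name]
    start, end = tuning["adaptive.start"], tuning["adaptive.end"]
    if states <= start:
        return base
    if states >= end:
        return 0
    return base * (end - states) // (end - start)


def timeout_table(tuning: dict, sizes) -> list:
    """(states, tcp.first, tcp.established) rows for each state-table size."""
    return [
        (n, effective_timeout("tcp.first", n, tuning),
         effective_timeout("tcp.established", n, tuning))
        for n in sizes
    ]


if __name__ == "__main__":
    tuning = parse_tuning(SAMPLE_PF_CONF)
    print(f"state limit: {tuning['states']}, adaptive window "
          f"{tuning['adaptive.start']}..{tuning['adaptive.end']}")
    print(f"{'states':>7} {'tcp.first':>10} {'tcp.established':>16}")
    for n, first, est in timeout_table(tuning, (1000, 6000, 9000, 11500, 12000)):
        print(f"{n:>7} {first:>10} {est:>16}")
```

Reading the table for this configuration: at 9000 states an idle established TCP state is expired after 43200 seconds instead of 86400, at 11500 states after 7200 seconds, and at adaptive.end (12000 states, well below the 20000-state hard limit) after 0 seconds. Comparing the live state count (`pfctl -si`) against the adaptive window is therefore the first check to make when long-lived connections vanish on a loaded pf gateway.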