Hello folks,

I am setting up a transparent load balancing gateway for one of my
networks. The network expects a lot of traffic with a lot of
customers. So far, I have succeeded in doing so with only one problem.
Persistent connections seem to disconnect after a while (no matter if
they are active or not). I am using pf's route-to with round-robin. My
sample pf.conf for the gateway is like this:

set timeout tcp.first 120
set timeout tcp.established 86400
set timeout { adaptive.start 6000, adaptive.end 12000 }
set limit states 20000
set optimization conservative

# Client internal interface
clients_if = "fxp0"

# Client internal network
clients_net = "{ !172.16.2.1, !172.16.2.2, 172.16.2.0/24 }"

# Backend servers
be_servers = "{ 172.16.2.1, 172.16.2.2 }"

# Our servers
servers = "{ $be_servers, 172.16.2.3 }"

# Load balancer, this machine
load_bal = "172.16.2.3"

# Pass all outgoing packets on internal interface
pass out on $clients_if from any to $clients_net

# Pass in quick any packets destined for the gateway itself
pass in quick on $clients_if from $clients_net to $clients_if

# Load balance incoming connections
pass in on $clients_if route-to \
  { ($clients_if 172.16.2.1), ($clients_if 172.16.2.2) } round-robin \
     from $clients_net to any keep state

pass out on $clients_if from any to any keep state

Before we discuss the problem, others have suggested that the network
be split with several gateways, but this approach will not suffice. We
need to be able to add as many backend gateways behind the load
balancer as required, that is the aim of this.

This setup seems to work really well, with packets from the same
connection going to the same gateway. The main problem can be
illustrated if I use something like IRC or SSH. If any of the clients
connects using either of the two protocols, after a while (the value
increased when I increased the timeouts and set the optimization to
conservative) the connection is simply dropped, and I register a "new"
connection on my backend servers. For now, the backend servers are
simply Linux boxen that do nothing except NAT anything to the
internet. Later on, they are expected to shape bandwidth, limit ports,
impose session limitations, etc.

Does anyone know why I am having those sudden drops in connections? Is
there possibly a better way of doing this? Perhaps using CARP
(although that forces me to eliminate the Linux backends)?

Thank you for your time!
Hisham.

--
Hisham Mardam Bey
MSc (Computer Science)
http://hisham.cc/
+9613609386
Codito Ergo Sum (I Code Therefore I Am)
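An added example (not part of Hisham's post or of pf itself): a small Python script that parses the `set timeout` and `set limit states` lines from the posted pf.conf and applies the adaptive scaling rule documented in pf.conf(5). Once the state table holds more than `adaptive.start` entries, pf multiplies every timeout by `(adaptive.end - states) / (adaptive.end - adaptive.start)`, reaching zero at `adaptive.end`. With the posted values, scaling starts at 6000 states and every timeout, `tcp.established` included, is zero at 12000 states, well below the 20000 state limit; the sample state counts fed to the script are constructed for illustration.

```python
import re

# Constructed input: the `set` lines copied from the pf.conf in the post.
POSTED_PF_CONF = """\
set timeout tcp.first 120
set timeout tcp.established 86400
set timeout { adaptive.start 6000, adaptive.end 12000 }
set limit states 20000
set optimization conservative
"""

SET_TIMEOUT_RE = re.compile(r"^\s*set\s+timeout\s+(.+)$")
SET_LIMIT_RE = re.compile(r"^\s*set\s+limit\s+states\s+(\d+)")
NAME_VALUE_RE = re.compile(r"([a-z]+\.[a-z]+)\s+(\d+)")


def parse_pf_settings(conf):
    """Return ({timeout or adaptive name: value}, states limit or None)."""
    timeouts, limit = {}, None
    for line in conf.splitlines():
        m = SET_LIMIT_RE.match(line)
        if m:
            limit = int(m.group(1))
            continue
        m = SET_TIMEOUT_RE.match(line)
        if m:
            # Handles both `set timeout tcp.first 120` and the braced list form.
            for name, value in NAME_VALUE_RE.findall(m.group(1)):
                timeouts[name] = int(value)
    return timeouts, limit


def adaptive_factor(timeouts, states):
    """Scaling factor from pf.conf(5): 1.0 up to adaptive.start, 0.0 at adaptive.end."""
    start, end = timeouts["adaptive.start"], timeouts["adaptive.end"]
    if states <= start:
        return 1.0
    if states >= end:
        return 0.0
    return (end - states) / (end - start)


def effective_timeout(timeouts, name, states):
    """Seconds a state in the given timeout class survives at this table size."""
    return int(timeouts[name] * adaptive_factor(timeouts, states))


def purge_point(timeouts, limit):
    """State count at which all timeouts reach zero, if that is below the limit."""
    end = timeouts["adaptive.end"]
    return end if limit is None or end < limit else None


if __name__ == "__main__":
    t, limit = parse_pf_settings(POSTED_PF_CONF)
    print(f"states limit: {limit}, all timeouts hit zero at: {purge_point(t, limit)}")
    for states in (3000, 6000, 9000, 11000, 12000, 15000):  # constructed sample sizes
        print(f"{states:>6} states: tcp.established -> "
              f"{effective_timeout(t, 'tcp.established', states):>6}s, "
              f"tcp.first -> {effective_timeout(t, 'tcp.first', states):>4}s")
```

Per pf.conf(5), `adaptive.start` and `adaptive.end` default to 60% and 120% of the states limit; setting them explicitly decouples them from `set limit states`, so when the limit is raised the two adaptive values need raising with it, otherwise a busy table scales idle-but-legitimate sessions down to a zero timeout long before the limit is reached. The same parser reports the effective timeout for any class present in the config, not only the two in the post.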
