Hi to all,

I have a network running under 192.168.10.x and an OpenBSD box with 5 ethernet interfaces:

re0 -> lan
ste0 -> ISP1 : DSL line 1200kbs to 900Kbs download / 600kbs upload -> 12Mb DSL -> 192.168.4.2 (Gateway .1)
ste1 -> ISP2 : DSL line 1200kbs to 900Kbs download / 600kbs upload -> 12Mb DSL -> 192.168.3.2 (Gateway .1)
ste2 -> ISP3 : Cable line 400Kbs download / 400Kbs upload symmetrical 4Mb/4Mb line -> 192.168.2.2 (Gateway .1)
ste3 -> ISP4 : DSL Line 6Mb/300k (Only for the 192.168.11.x network, which I don't use at this moment)

I have a pfSense with:

- Load balance round-robin ste0, ste1, ste2
- Failover ste0, ste2
- Routing HTTP/HTTPS by ste0, ste1 (I want to use this for www surfing)

The problem is that pfSense 1.2 does not work fine with Squid + MultiWAN, and I need to run Squid + SquidGuard. I have used OpenBSD many times as a server and I would like to run it as the firewall/router of my office. Could someone give me an example MultiWAN configuration that does not use round-robin but only routing per interface? The failover is a crontab
running every minute to change the route if a ping fails.

Does someone run a similar config and could give it to me to read/edit?

MultiWAN + LoadBalancer + FailOver + AltQ (I want to give priority to protocols: ssh, http, mysql...) + transparent Squid.

My actual conf:

lan0 = "re0"
wan0 = "ste0"
wan1 = "ste1"
wan2 = "ste2"
wan3 = "ste3"

wan0_ip = "192.168.4.2"
wan0_gw = "192.168.4.1"
wan1_ip = "192.168.3.2"
wan1_gw = "192.168.3.1"
wan2_ip = "192.168.2.2"
wan2_gw = "192.168.2.1"

port_svn = "3690"
port_ldap = "389"
port_jabber = "5222"
port_msn = "1863"


table <rfc1918> const { 192.168.10.0/24 }
table <blocked> persist file "/etc/pf.blocked"
table <unrestricted> persist file "/etc/pf.unrestricted"



set skip on lo0



scrub all no-df random-id fragment reassemble



# note: altq shapes traffic leaving the interface, i.e. the upload side; the DSL lines above
# are listed with 600kbs upload, so a root bandwidth of 1100Kb (here and on $wan1 below) is above
# the real link rate and the queues will never actually throttle anything
altq on $wan0 hfsc bandwidth 1100Kb queue { std0, bulk0, ftp0, www0, smtp0, imap0, pop30, srv0, con0 }
queue con0 bandwidth 5% priority 7 hfsc (realtime 3%)
queue srv0 bandwidth 5% priority 6 hfsc (realtime 3%)
queue smtp0 bandwidth 5% priority 5 hfsc (realtime 2%)
queue imap0 bandwidth 5% priority 4 hfsc (realtime 1%)
queue pop30 bandwidth 5% priority 4 hfsc (realtime 1%)
queue www0 bandwidth 40% priority 3 hfsc (realtime 5% upperlimit 75%)
queue ftp0 bandwidth 20% priority 2 hfsc (realtime 5% upperlimit 75%)
queue bulk0 bandwidth 10% priority 1 hfsc (realtime 5% upperlimit 75%)
queue std0 bandwidth 5% priority 0 hfsc (realtime 1% upperlimit 50% default)

altq on $wan1 hfsc bandwidth 1100Kb queue { std1, bulk1, ftp1, www1, smtp1, imap1, pop31, srv1, con1 }
queue con1 bandwidth 5% priority 7 hfsc (realtime 3%)
queue srv1 bandwidth 5% priority 6 hfsc (realtime 3%)
queue smtp1 bandwidth 5% priority 5 hfsc (realtime 2%)
queue imap1 bandwidth 5% priority 4 hfsc (realtime 1%)
queue pop31 bandwidth 5% priority 4 hfsc (realtime 1%)
queue www1 bandwidth 40% priority 3 hfsc (realtime 5% upperlimit 75%)
queue ftp1 bandwidth 20% priority 2 hfsc (realtime 5% upperlimit 75%)
queue bulk1 bandwidth 10% priority 1 hfsc (realtime 5% upperlimit 75%)
queue std1 bandwidth 5% priority 0 hfsc (realtime 1% upperlimit 50% default)

###
# Nat
###

nat-anchor "ftp-proxy/*"
nat on $wan0 from any to ! <rfc1918> -> $wan0:0
nat on $wan1 from any to ! <rfc1918> -> $wan1:0

rdr-anchor "ftp-proxy/*"
rdr on { $wan0, $wan1 } proto { tcp, udp } from any to any port 3021 -> 192.168.10.200 port 21 # FTP
rdr on { $wan0, $wan1 } proto { tcp, udp } from any to any port 5973 -> 192.168.10.73 port 5900 # VNC
rdr on { $wan0, $wan1 } proto { tcp, udp } from any to any port 5900 -> 192.168.10.251 # VNC
rdr on { $wan0, $wan1 } proto { tcp, udp } from any to any port 3690 -> 192.168.10.253 # SVN
rdr on { $wan0, $wan1 } proto { tcp, udp } from any to any port 38443 -> 192.168.10.200 port 8443 # SVN
rdr on { $wan0, $wan1 } proto { tcp, udp } from any to any port 3080 -> 192.168.10.200 port 80 # HTTP
rdr on { $wan0, $wan1 } proto { tcp, udp } from any to any port 21 -> 192.168.10.119 # FTP
block all
block quick from <blocked>


pass proto icmp all
pass in on $lan0 route-to { ($wan0 $wan0_gw), ($wan1 $wan1_gw) } proto { tcp, udp } from <unrestricted> port >= 1024 to any


## Allow DNS traffic
pass in on $lan0 route-to { ($wan0 $wan0_gw), ($wan1 $wan1_gw) } proto { tcp, udp } from any to any port domain

## Allow NTP traffic
pass in on $lan0 route-to { ($wan0 $wan0_gw), ($wan1 $wan1_gw) } proto { tcp, udp } from any to any port ntp

## Allow WHOIS traffic
pass in on $lan0 route-to { ($wan0 $wan0_gw), ($wan1 $wan1_gw) } proto { tcp, udp } from any to any port whois

## Allow SMTP traffic
pass in on $lan0 route-to { ($wan0 $wan0_gw), ($wan1 $wan1_gw) } proto { tcp, udp } from any to any port smtp

## Allow SMTPS traffic
pass in on $lan0 route-to { ($wan0 $wan0_gw), ($wan1 $wan1_gw) } proto { tcp, udp } from any to any port smtps

## Allow POP3 traffic
pass in on $lan0 route-to { ($wan0 $wan0_gw), ($wan1 $wan1_gw) } proto { tcp, udp } from any to any port pop3

## Allow POP3S traffic
pass in on $lan0 route-to { ($wan0 $wan0_gw), ($wan1 $wan1_gw) } proto { tcp, udp } from any to any port pop3s

## Allow IMAP traffic
pass in on $lan0 route-to { ($wan0 $wan0_gw), ($wan1 $wan1_gw) } proto { tcp, udp } from any to any port imap

## Allow IMAPS traffic
pass in on $lan0 route-to { ($wan0 $wan0_gw), ($wan1 $wan1_gw) } proto { tcp, udp } from any to any port imaps

## Allow FTP traffic
anchor "ftp-proxy/*"
pass in on $lan0 proto { tcp, udp } from any to any port ftp
pass in quick on $lan0 proto { tcp, udp } from any to 127.0.0.1 port 8021
pass out on $wan0 route-to { ($wan0 $wan0_gw), ($wan1 $wan1_gw) } proto { tcp, udp } from any to any port ftp
pass out on $wan1 route-to { ($wan0 $wan0_gw), ($wan1 $wan1_gw) } proto { tcp, udp } from any to any port ftp

## Allow HTTP traffic
pass in on $lan0 proto { tcp, udp } from any to any port www
pass in quick on $lan0 proto { tcp, udp } from any to 127.0.0.1 port 8080
pass out on $wan0 route-to { ($wan0 $wan0_gw), ($wan1 $wan1_gw) } proto { tcp, udp } from any to any port www
pass out on $wan1 route-to { ($wan0 $wan0_gw), ($wan1 $wan1_gw) } proto { tcp, udp } from any to any port www

## Allow HTTPS traffic
pass in on $lan0 route-to { ($wan0 $wan0_gw), ($wan1 $wan1_gw) } proto { tcp, udp } from any to any port https


## Route packets to the appropriate interface. Here the services that would go out via Ono are added
pass out on $wan0 route-to ($wan1 $wan1_gw) from $wan1:0 to any
pass out on $wan1 route-to ($wan0 $wan0_gw) from $wan0:0 to any

## Assign active FTP data transfers to a queue
pass in on $wan0 proto { tcp, udp } from any port ftp-data to any queue (bulk0, ftp0)
pass in on $wan1 proto { tcp, udp } from any port ftp-data to any queue (bulk1, ftp1)

## Allow WAN traffic
pass out on { $wan0, $wan1 } proto { tcp, udp } from any port > 1024 to any

## Assign outbound traffic to queues
pass out on $wan0 proto icmp all queue srv0
pass out on $wan1 proto icmp all queue srv1
pass out on $wan0 proto { tcp, udp } from any to any port { ssh, mysql, $port_svn } queue (bulk0, con0)
pass out on $wan1 proto { tcp, udp } from any to any port { ssh, mysql, $port_svn } queue (bulk1, con1)
pass out on $wan0 proto { tcp, udp } from any port { ssh, mysql, $port_svn } to any queue (bulk0, con0)
pass out on $wan1 proto { tcp, udp } from any port { ssh, mysql, $port_svn } to any queue (bulk1, con1)
pass out on $wan0 proto { tcp, udp } from any to any port { domain, ntp, whois } queue srv0
pass out on $wan1 proto { tcp, udp } from any to any port { domain, ntp, whois } queue srv1
pass out on $wan0 proto { tcp, udp } from any to any port { smtp, smtps } queue (bulk0, smtp0)
pass out on $wan1 proto { tcp, udp } from any to any port { smtp, smtps } queue (bulk1, smtp1)
pass out on $wan0 proto { tcp, udp } from any to any port { pop3, pop3s } queue (bulk0, pop30)
pass out on $wan1 proto { tcp, udp } from any to any port { pop3, pop3s } queue (bulk1, pop31)
pass out on $wan0 proto { tcp, udp } from any to any port { imap, imaps } queue (bulk0, imap0)
pass out on $wan1 proto { tcp, udp } from any to any port { imap, imaps } queue (bulk1, imap1)
pass out on $wan0 proto { tcp, udp } from any to any port ftp queue (bulk0, ftp0)
pass out on $wan1 proto { tcp, udp } from any to any port ftp queue (bulk1, ftp1)
pass out on $wan0 proto { tcp, udp } from any to any port { www, https, $port_jabber, $port_msn } queue (bulk0, www0)
pass out on $wan1 proto { tcp, udp } from any to any port { www, https, $port_jabber, $port_msn } queue (bulk1, www1)

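As an added example (not from the original post, nor pfSense or OpenBSD project code), this is the kind of one-minute crontab failover check the post describes, written for OpenBSD's sh: it probes ISP1 and ISP3 through their own gateways and moves the default route when the primary stops answering. The gateway addresses are the ones listed in the post; the probe hosts, the state file path and the script name are assumptions.

```sh
#!/bin/sh
# wan-failover.sh (added example, not the poster's script): run from root's
# crontab every minute to probe ISP1 (ste0) and ISP3 (ste2), the post's failover
# pair, and move the default route when ISP1 stops answering.  Assumed: the probe
# hosts (TEST-NET-3 placeholders) and the state file; gateways are from the post.
set -u

WAN0_GW=192.168.4.1                  # ste0, ISP1 (primary)
WAN2_GW=192.168.2.1                  # ste2, ISP3 (backup)
PROBE0=${PROBE0:-203.0.113.10}       # assumed host probed through ISP1
PROBE2=${PROBE2:-203.0.113.20}       # assumed host probed through ISP3
STATE=${STATE:-/var/run/wan-failover.gw}

# link_ok GW PROBE: pin a host route to PROBE via GW so the probe really leaves
# on that ISP instead of following the default route, then ping it.
link_ok() {
    route -nq add -host "$2" "$1" 2>/dev/null || route -nq change -host "$2" "$1" 2>/dev/null
    ping -c 3 -w 5 -q "$2" >/dev/null 2>&1
}

# choose_gateway PRIMARY_UP BACKUP_UP: print the gateway to use, "none" if both are down
choose_gateway() {
    if [ "$1" = 1 ]; then echo "$WAN0_GW"
    elif [ "$2" = 1 ]; then echo "$WAN2_GW"
    else echo none
    fi
}

# apply_route GW: touch the routing table only when the choice differs from the
# previous run; prints "changed" or "unchanged" so the caller can see the result.
apply_route() {
    cur=$(cat "$STATE" 2>/dev/null || echo unknown)
    if [ "$1" = "$cur" ]; then echo unchanged; return 0; fi
    if [ "$1" != none ]; then
        route -nq change default "$1" 2>/dev/null || route -nq add default "$1"
    fi
    echo "$1" > "$STATE"
    logger -t wan-failover "default gateway -> $1 (was $cur)" 2>/dev/null || true
    echo changed
}

main() {
    p=0; b=0
    link_ok "$WAN0_GW" "$PROBE0" && p=1
    link_ok "$WAN2_GW" "$PROBE2" && b=1
    apply_route "$(choose_gateway "$p" "$b")"
}
# Act only when invoked as "wan-failover.sh run" (the crontab entry).
if [ "${1:-}" = run ]; then main; fi
```

Note that the route-to rules in the conf above force packets out a given interface regardless of the default route, so when the script switches links the HTTP/HTTPS rules pinned to ste0/ste1 also need reloading (for example pfctl -D with a gateway macro followed by pfctl -f /etc/pf.conf); otherwise only traffic that follows the default route fails over.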