Re: Internal loadbalancing
dane johansen wrote:
> Probably you run into this situation:
>
> client (10.0.5.233) - firewall (10.0.5.200) - rdr - server (10.0.5.81)
>
> Now the server sees that the packet came in from the same subnet and goes directly to the client, which does not expect a reply from 10.0.5.81; it expects a reply from 10.0.5.200.
>
> You may want to read this: http://www.openbsd.org/faq/pf/rdr.html#reflect

I figured out what the problem is/was, and the document you referenced helped me figure it out. Basically my network is something like this:

    Internet -- ext_if -- Machine -- vlan1/carp1 (10.0.1.0/24)
                                  |
                                  vlan50/carp50 (10.0.5.0/24)

I was basically trying to get clients from vlan1 to load balance across machines on vlan50. Initially I had

    rdr pass on vlan50 proto tcp to 10.0.5.200 port $ports_web -> 10.0.5.81

This doesn't work since traffic coming from 10.0.1.0 never hits interface vlan50. I had to put an rdr on the interface the traffic was coming in from, e.g. vlan1, so the correct working configuration is

    rdr pass on vlan1 proto tcp to 10.0.5.200 port $ports_web -> 10.0.5.81

Thanks,
Vladimir
Re: Internal loadbalancing
Hi Vladimir,

You should post your pf.conf from 10.0.5.200. It seems that you block port 80 on 10.0.5.200.

Vladimir wrote:
> dane johansen wrote:
>> Probably you run into this situation:
>>
>> client (10.0.5.233) - firewall (10.0.5.200) - rdr - server (10.0.5.81)
>>
>> Now the server sees that the packet came in from the same subnet and goes directly to the client, which does not expect a reply from 10.0.5.81; it expects a reply from 10.0.5.200.
>>
>> You may want to read this: http://www.openbsd.org/faq/pf/rdr.html#reflect
>
> I obviously omitted the most pertinent information. My apologies. The client's IP is actually 10.0.1.50, coming from a different subnet, so the path is really
>
> client (10.0.1.50) - firewall (10.0.1.1) - firewall (10.0.5.200) - rdr - server (10.0.5.81; gw is 10.0.5.1)
>
> Vladimir
Internal loadbalancing
I have an existing firewall that already load balances our web server traffic from an external IP across two web servers that are on the internal network. I would like to set up internal load balancing since I have web services internally that I would like to provide to the rest of the cluster. These services should not be exposed to the external world. So for such a purpose I added an alias to an existing carp interface for 10.0.5.200:

    carp50: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:5e:00:01:96
            carp: MASTER carpdev vlan50 vhid 150 advbase 1 advskew 100
            groups: carp
            inet6 fe80::200:5eff:fe00:196%carp50 prefixlen 64 scopeid 0x10
            inet 10.0.5.1 netmask 0xff00 broadcast 10.0.5.255
            inet 10.0.5.200 netmask 0xff00 broadcast 10.0.5.255

I would like to load balance that traffic across two other web servers that are on e.g. 10.0.5.81 and 10.0.5.82. For the time being I added the following rdr rule:

    rdr pass on $if_local proto tcp to 10.0.5.200 port $ports_web -> 10.0.5.81

Unfortunately I can't connect to 10.0.5.200. For example, if from another server on the network I do

    $ telnet 10.0.5.81 80
    Trying 10.0.5.81...
    Connected to web1.local (10.0.5.81).
    Escape character is '^]'.

However, if I do

    $ telnet 10.0.5.200 80
    Trying 10.0.5.200...
    telnet: connect to address 10.0.5.200: Connection refused
    telnet: Unable to connect to remote host: Connection refused

Sniffing on carp50 shows no activity. I suppose there may be some routing confusion; however, I even tried setting up another totally different physical interface, created carp10 and IP 10.0.1.200 redirecting to 10.0.5.81, with the same effect.

Any help would be appreciated.

Thanks,
Vladimir
Re: Internal loadbalancing
Probably you run into this situation:

    client (10.0.5.233) - firewall (10.0.5.200) - rdr - server (10.0.5.81)

Now the server sees that the packet came in from the same subnet and goes directly to the client, which does not expect a reply from 10.0.5.81; it expects a reply from 10.0.5.200.

You may want to read this: http://www.openbsd.org/faq/pf/rdr.html#reflect

On 10/16/07, Vladimir [EMAIL PROTECTED] wrote:
> I have an existing firewall that already load balances our web server traffic from an external IP across two web servers that are on the internal network. I would like to set up internal load balancing since I have web services internally that I would like to provide to the rest of the cluster. These services should not be exposed to the external world. So for such a purpose I added an alias to an existing carp interface for 10.0.5.200:
>
>     carp50: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>             lladdr 00:00:5e:00:01:96
>             carp: MASTER carpdev vlan50 vhid 150 advbase 1 advskew 100
>             groups: carp
>             inet6 fe80::200:5eff:fe00:196%carp50 prefixlen 64 scopeid 0x10
>             inet 10.0.5.1 netmask 0xff00 broadcast 10.0.5.255
>             inet 10.0.5.200 netmask 0xff00 broadcast 10.0.5.255
>
> I would like to load balance that traffic across two other web servers that are on e.g. 10.0.5.81 and 10.0.5.82. For the time being I added the following rdr rule:
>
>     rdr pass on $if_local proto tcp to 10.0.5.200 port $ports_web -> 10.0.5.81
>
> Unfortunately I can't connect to 10.0.5.200. For example, if from another server on the network I do
>
>     $ telnet 10.0.5.81 80
>     Trying 10.0.5.81...
>     Connected to web1.local (10.0.5.81).
>     Escape character is '^]'.
>
> However, if I do
>
>     $ telnet 10.0.5.200 80
>     Trying 10.0.5.200...
>     telnet: connect to address 10.0.5.200: Connection refused
>     telnet: Unable to connect to remote host: Connection refused
>
> Sniffing on carp50 shows no activity. I suppose there may be some routing confusion; however, I even tried setting up another totally different physical interface, created carp10 and IP 10.0.1.200 redirecting to 10.0.5.81, with the same effect.
>
> Any help would be appreciated.
>
> Thanks,
> Vladimir
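The two situations discussed in this thread, a client on a different VLAN than the servers (the rdr has to sit on the interface the client's packets enter) and a client on the same subnet as the servers (the reflection case from the FAQ linked above), can be handled in one pf.conf. The fragment below is an added example, not a configuration posted by anyone in the thread; it uses the pre-4.7 rdr/nat syntax that the thread's own rules use, and the interface names, macro names, port list and the second server address (10.0.5.82, which the original post mentions only as a goal) are assumptions.

```pf
# Added example, not from the thread. Interface and macro names are assumed.
ext_if    = "em0"
vlan_cli  = "vlan1"        # clients live here (10.0.1.0/24)
vlan_web  = "vlan50"       # internal web servers live here (10.0.5.0/24)
int_vip   = "10.0.5.200"   # alias on carp50 that internal clients connect to
web_srv   = "{ 10.0.5.81, 10.0.5.82 }"
ports_web = "{ 80, 443 }"
net_web   = "10.0.5.0/24"

# 1. Clients arriving from vlan1.
#    pf evaluates rdr on the interface a packet comes IN on, so a rule
#    "on vlan50" never sees traffic that enters on vlan1. Put the rdr on
#    the client-facing interface and spread connections over both servers;
#    sticky-address keeps one client on the same server for its session.
rdr pass on $vlan_cli proto tcp from any to $int_vip port $ports_web \
    -> $web_srv round-robin sticky-address

# 2. Clients on vlan50 itself (reflection).
#    After the rdr the server sees a SYN from a same-subnet source and
#    answers the client directly; the client never sent a SYN to 10.0.5.81,
#    so it drops or resets that reply. Rewriting the source address to the
#    firewall's own vlan50 address forces the reply back through pf, where
#    the state entry undoes the rdr before the packet reaches the client.
rdr pass on $vlan_web proto tcp from $net_web to $int_vip port $ports_web \
    -> $web_srv round-robin sticky-address
no nat on $vlan_web proto tcp from $vlan_web to $net_web
nat on $vlan_web proto tcp from $net_web to $web_srv port $ports_web \
    -> $vlan_web

# 3. The VIP is internal only. There is no rdr for it on $ext_if, and an
#    explicit block documents the intent in case a later pass rule is broad.
block in quick on $ext_if proto tcp from any to $int_vip
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, list the translation rules that actually loaded with `pfctl -sn`, and watch `pfctl -ss` while a client connects: a working redirect shows a state keyed on the VIP that maps to one of the two server addresses. Two caveats worth knowing before relying on this: the nat rule in part 2 replaces the client's address with the firewall's, so the web servers' access logs will show 10.0.5.1 (or whatever vlan50's address is) for same-subnet clients and the pf state table becomes the only place to tie a request back to the real client; and a plain rdr round-robin has no health checking, so a dead server keeps receiving its share of connections, which is what hoststated (renamed relayd in OpenBSD 4.3) exists to solve.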
Re: Internal loadbalancing
dane johansen wrote:
> Probably you run into this situation:
>
> client (10.0.5.233) - firewall (10.0.5.200) - rdr - server (10.0.5.81)
>
> Now the server sees that the packet came in from the same subnet and goes directly to the client, which does not expect a reply from 10.0.5.81; it expects a reply from 10.0.5.200.
>
> You may want to read this: http://www.openbsd.org/faq/pf/rdr.html#reflect

I obviously omitted the most pertinent information. My apologies. The client's IP is actually 10.0.1.50, coming from a different subnet, so the path is really

    client (10.0.1.50) - firewall (10.0.1.1) - firewall (10.0.5.200) - rdr - server (10.0.5.81; gw is 10.0.5.1)

Vladimir