Re: Relayd with dsr and sticky-address
Hi List, i found a workaround for my sticky problem: increasing the value for timeout interval from 10 to 36000 sec. Now the src.track entries for my route to rules will live til the interval of 10 h. The normal state-table would explode with a interval of 10h, so i clean it with a cron-job. I use pfctl -s state -vv | grep -A3 -e FIN_WAIT_2 -e TIME_WAIT:TIME_WAIT \ -e CLOSING -e CLOSED -e NO_TRAFFIC:SINGLE -e SINGLE:NO_TRAFFIC \ -e ^all icmp .*0:0$ -e ^all udp.*:53.*MULTIPLE:SINGLE$ \ -e ^all ipv6-icmp.*0:0$ to find the relevant states. Do you think this is ok ? states missing or some states to much ? If anybody knows a better solution than this dirty thing above please post it. Martin Sorry, i forgot to mention my version 5.4 Hello, i try to set up a load balancing machine for internal use. We have 2 webservers serving a web-app. This application depends on sticky clients, because it is using sessions w/o session replication. I try to set up a dsr environment, which is working perfectly at first glance. I set the set timeout src.track 3600 in my pf.conf, but the source tracking entries in pf only shows with: 10.66.66.2 route-to 10.243.10.4 ( states 0, connections 0, rate 0.0/0s ) age 00:00:01, expires in 00:00:00, 0 pkts, 0 bytes, rule 0 It expires with the next timeout interval which is 10s (default). This ends in a stickyness of my clients only while their tcp-connection is alive + (max 10s). Is there a way to increase this by relayd.conf or by setting magic timeouts in pf.conf? my pf.conf: set limit states 10 set skip on lo set timeout src.track 3600 anchor relayd/* pass in pass out my relayd.conf: table web { 10.243.10.4 10.243.11.4 } redirect nagios { listen on 10.244.2.199 port 80 sticky-address session timeout 3600 route to web mode least-states check tcp interface vlan243 } This is a loadbalancing only set up. So we do not need the security of pf in this case. We also need the dsr, because the routing from the server to the client is asynchronous or in some cases the clients are on the same local network like the balanced servers. Greets Martin
Relayd with dsr and sticky-address
Hello, i try to set up a load balancing machine for internal use. We have 2 webservers serving a web-app. This application depends on sticky clients, because it is using sessions w/o session replication. I try to set up a dsr environment, which is working perfectly at first glance. I set the set timeout src.track 3600 in my pf.conf, but the source tracking entries in pf only shows with: 10.66.66.2 route-to 10.243.10.4 ( states 0, connections 0, rate 0.0/0s ) age 00:00:01, expires in 00:00:00, 0 pkts, 0 bytes, rule 0 It expires with the next timeout interval which is 10s (default). This ends in a stickyness of my clients only while their tcp-connection is alive + (max 10s). Is there a way to increase this by relayd.conf or by setting magic timeouts in pf.conf? my pf.conf: set limit states 10 set skip on lo set timeout src.track 3600 anchor relayd/* pass in pass out my relayd.conf: table web { 10.243.10.4 10.243.11.4 } redirect nagios { listen on 10.244.2.199 port 80 sticky-address session timeout 3600 route to web mode least-states check tcp interface vlan243 } This is a loadbalancing only set up. So we do not need the security of pf in this case. We also need the dsr, because the routing from the server to the client is asynchronous or in some cases the clients are on the same local network like the balanced servers. Greets Martin
Relayd with dsr and sticky-address
Sorry, i forgot to mention my version 5.4 Hello, i try to set up a load balancing machine for internal use. We have 2 webservers serving a web-app. This application depends on sticky clients, because it is using sessions w/o session replication. I try to set up a dsr environment, which is working perfectly at first glance. I set the set timeout src.track 3600 in my pf.conf, but the source tracking entries in pf only shows with: 10.66.66.2 route-to 10.243.10.4 ( states 0, connections 0, rate 0.0/0s ) age 00:00:01, expires in 00:00:00, 0 pkts, 0 bytes, rule 0 It expires with the next timeout interval which is 10s (default). This ends in a stickyness of my clients only while their tcp-connection is alive + (max 10s). Is there a way to increase this by relayd.conf or by setting magic timeouts in pf.conf? my pf.conf: set limit states 10 set skip on lo set timeout src.track 3600 anchor relayd/* pass in pass out my relayd.conf: table web { 10.243.10.4 10.243.11.4 } redirect nagios { listen on 10.244.2.199 port 80 sticky-address session timeout 3600 route to web mode least-states check tcp interface vlan243 } This is a loadbalancing only set up. So we do not need the security of pf in this case. We also need the dsr, because the routing from the server to the client is asynchronous or in some cases the clients are on the same local network like the balanced servers. Greets Martin