'Load balancing doesn't preserve state'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-pf
Subject:    Load balancing doesn't preserve state
From:       Jaime Vargas <jev () mac ! com>
Date:       2005-06-16 14:19:24
Message-ID: 666B1238-DDA9-4103-994F-DADEC0D190AC () mac ! com
[Download RAW message or body]

Hello all,

I have a situation in which I am load balancing traffics between some
ISP(s), and not for others. My problem is that the inbound connections
are being load-balance when I think they just should be replied to
the ISP where the connection originated for.   (Outgoing loadbalancing
works fine, but incoming connection shouldn't be load balance they
should preserve the state).

#  Farmacity firewall configuration casa central
#  v2.0.0 jvargas 2005-06-01

#  set pf options
set state-policy if-bound

#  internal lan ranges
farmacity = "172.16.0.0/24"

#  intefaces
lan0 = "sis0"
wan0 = "sis1"
isp1 = "sis2"
isp2 = "sis3"
isp3 = "sis4"

#  external gateways for all the ISPs
isp1_gw = "65.208.69.177"
isp2_gw = "200.93.147.73"
isp3_gw = "200.118.117.1"

#  servers
int_casacentral = "172.16.0.1"
ext_casacentral = "200.118.117.187"

int_dondb       = "172.16.0.8"
ext_dondb       = "65.208.69.179"

int_replicator  = "172.16.0.9"
ext_replicator  = "65.208.69.178"

int_pruebas     = "172.16.0.16"
ext_pruebas     = "65.208.69.180"

#  nat outgoing connections between isp2 and isp3 (ETB and Cablenet)
nat on $isp2 from $farmacity to any -> ($isp2) static-port
nat on $isp3 from $farmacity to any -> ($isp3) static-port

#  one-to-one mapping to critical servers
binat on $isp1 from $int_replicator to any -> $ext_replicator
binat on $isp1 from $int_dondb      to any -> $ext_dondb
binat on $isp1 from $int_pruebas    to any -> $ext_pruebas

#  incoming rdr to critical server this addresses are shared with nat
no rdr on $isp2 inet proto tcp to ($isp2) port 22
rdr on $isp2 inet proto tcp to ($isp2) port 2022 -> 172.16.0.140 port 22
rdr on $isp3 from any to $ext_casacentral  -> $int_casacentral

#  default deny
pass out log-all all
block in log-all all

#  pass all internal IPv6 management traffic
pass in log-all quick on $lan0 inet6 proto tcp from any to any port  
ssh keep state
pass in log-all quick on $lan0 inet6 proto icmp6 from any to any keep  
state

#  pass all external IPv4 management traffic
pass in log-all quick on $isp2 inet proto tcp from any to $isp2 port  
ssh keep state
pass in log-all quick on $isp2 inet proto icmp from any to $isp2 keep  
state

#  pass in quick any packets destined for the gateway itself
pass in log-all quick on $lan0 inet proto tcp \
     from $farmacity to ($lan0) modulate state flags S/SA
pass in log-all quick on $lan0 inet proto {udp, icmp, gre} \
     from $farmacity to ($lan0) keep state

#  pass out quick any packets from the gateway itself
pass out log-all quick on $lan0 inet from ($lan0) to any keep state
pass out log-all quick on $lan0 inet6 from ($lan0) to any keep state

#  accept traffic for the servers
#  (remember rules are applied after pkt translation)
pass in log-all on $isp1 proto tcp from any to port www \
     modulate state flags S/SA
pass in log-all on $isp2 reply-to ($isp2 $isp2_gw) proto tcp from any  
to port 22 \
     modulate state flags S/SA
pass in log-all on $isp3 proto tcp from any to port www \
     modulate state flags S/SA

##  load balance outgoing tcp traffic from farmacity lan
pass in log-all on $lan0 route-to { ($isp2 $isp2_gw), ($isp3  
$isp3_gw) } \
     round-robin proto tcp \
     from $farmacity to any modulate state

#  load balance outgoing upd, icmp, gre traffic from farmacity lan
pass in log-all on $lan0 route-to { ($isp2 $isp2_gw), ($isp3  
$isp3_gw) } \
     round-robin proto { udp, icmp, gre } \
     from $farmacity to any keep state

##  general "pass out" rules for external interfaces
#pass out on $wan0 proto tcp from any to any flags S/SA modulate state
#pass out on $wan0 proto { udp, icmp, gre} from any to any keep state
#pass out on $isp1 proto tcp all modulate state flags S/SA
#pass out on $isp1 proto { udp, icmp, gre} all keep state
#pass out on $isp2 proto tcp all modulate state flags S/SA
#pass out on $isp2 proto { udp, icmp, gre} all keep state
#pass out on $isp3 proto tcp all modulate state flags S/SA
#pass out on $isp3 proto { udp, icmp, gre} all keep state

#  route packets from any IPs on $isp2 to $isp_gw2 and same for
#  $isp3 and $isp3_gw
pass out log-all on $isp2 route-to ($isp3 $isp3_gw) from $isp3 to any  
keep state
pass out log-all on $isp3 route-to ($isp2 $isp2_gw) from $isp2 to any  
keep state

##  accept traffic for the servers
##  (remember rules are applied after pkt translation)
##  (somehow the pkts are not marked so that the replies return to  
where they originated)
pass in log-all on $isp2 reply-to ($isp2 $isp2_gw) proto tcp from any  
to port 22 \
     modulate state flags S/SA
  
   
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic