[OpenBSD-BR] Problem with load balancing.
Luis Gatti
luis.gatti at zandex.com
Wed Oct 24 13:52:29 BRST 2007
Greetings friends,
I am having problems configuring my server to use load balancing and fail-safe.
My configuration is the following:
3 DSL connections, 3 Mbps each
/etc/mygate
68.74.34.124
/etc/hostname.re0
inet 10.25.1.2 255.255.255.0 NONE
/etc/hostname.re1
inet 68.74.34.125 255.255.255.248 NONE
/etc/hostname.re2
inet 76.248.141.130 255.255.255.248 NONE
/etc/hostname.re3
inet 76.248.141.135 255.255.255.248 NONE
My first attempt was to use round-robin in pf.conf. pf.conf loads, but only interface re1, which goes out through the gateway specified in mygate, receives traffic, as can be verified with tcpdump -i re1..3.
In another discussion group the use of trunks was suggested to me, but I did not find any documentation about it.
Any help is welcome.
Here is a copy of pf.conf:
# macros
int_if = "re0"
ext_if_1 = "re1"
ext_if_2 = "re2"
ext_if_3 = "re3"
ext_gw_1 = "68.74.34.124"
ext_gw_2 = "76.248.141.129"
ext_gw_3 = "76.248.141.134"
dmz_if = ""
vpn_if = ""
loop = "lo0"
# blocked Attack
blocked = "{ 207.46.1.3/32 }"
# ports
# note: 50 (ESP) is an IP protocol number and 500 (isakmp) is a UDP port; neither is a TCP port
tcp_services = "{ 20, 21, 50, 80, 222, 443, 500 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12 }"
# redirect Computer
comp1 = ""
# options
set block-policy return
# pf keeps counters for a single loginterface; of these three lines only the last one (re3) takes effect
set loginterface $ext_if_1
set loginterface $ext_if_2
set loginterface $ext_if_3
set optimization normal
set skip on $loop
# scrub
scrub in all
# nat
nat on $ext_if_1 from $int_if:network to any -> ($ext_if_1) static-port
nat on $ext_if_2 from $int_if:network to any -> ($ext_if_2) static-port
nat on $ext_if_3 from $int_if:network to any -> ($ext_if_3) static-port
# Proxy
#rdr pass on $int_if proto tcp to port http -> 127.0.0.1 port 3128
rdr pass on $int_if proto tcp to !10.25.1.2/32 port http -> 127.0.0.1 port 3128 round-robin sticky-address
# filter rules
block in log on $ext_if_1 all
block in log on $ext_if_2 all
block in log on $ext_if_3 all
block out log on $ext_if_1 all
block out log on $ext_if_2 all
block out log on $ext_if_3 all
# loopback
pass quick on lo0 all
pass in on $ext_if_1 inet proto icmp from any to $ext_if_1 icmp-type $icmp_types keep state
pass in on $ext_if_2 inet proto icmp from any to $ext_if_2 icmp-type $icmp_types keep state
pass in on $ext_if_3 inet proto icmp from any to $ext_if_3 icmp-type $icmp_types keep state
# Block
block drop in quick on $ext_if_1 from $priv_nets to any
block drop in quick on $ext_if_2 from $priv_nets to any
block drop in quick on $ext_if_3 from $priv_nets to any
block drop in quick on $ext_if_1 from $blocked to any
block drop in quick on $ext_if_2 from $blocked to any
block drop in quick on $ext_if_3 from $blocked to any
block drop out quick on $ext_if_1 from any to $priv_nets
block drop out quick on $ext_if_2 from any to $priv_nets
block drop out quick on $ext_if_3 from any to $priv_nets
# load balance outgoing tcp traffic from internal network.
# note: these rules carry no "quick"; pf is last-match-wins, so the later
# "pass in on $int_if from $int_if:network to any keep state" rule below also
# matches this traffic and wins, and the route-to is never applied
pass in on $int_if route-to \
{ ($ext_if_1 $ext_gw_1), ($ext_if_2 $ext_gw_2), ($ext_if_3 $ext_gw_3) } round-robin \
proto tcp from $int_if:network to any flags S/SA modulate state
# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
{ ($ext_if_1 $ext_gw_1), ($ext_if_2 $ext_gw_2), ($ext_if_3 $ext_gw_3) } round-robin \
proto { udp, icmp } from $int_if:network to any keep state
# general "pass out" rules for external interfaces
pass in on $ext_if_1 inet proto tcp from any to ($ext_if_1) port $tcp_services flags S/SA keep state
pass in on $ext_if_2 inet proto tcp from any to ($ext_if_2) port $tcp_services flags S/SA keep state
pass in on $ext_if_3 inet proto tcp from any to ($ext_if_3) port $tcp_services flags S/SA keep state
pass in on $ext_if_1 inet proto udp from any to ($ext_if_1) port 4500 keep state
pass in on $ext_if_2 inet proto udp from any to ($ext_if_2) port 4500 keep state
pass in on $ext_if_3 inet proto udp from any to ($ext_if_3) port 4500 keep state
pass in on $ext_if_1 inet proto tcp from port 20 to ($ext_if_1) user proxy flags S/SA keep state
pass in on $ext_if_2 inet proto tcp from port 20 to ($ext_if_2) user proxy flags S/SA keep state
pass in on $ext_if_3 inet proto tcp from port 20 to ($ext_if_3) user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
# note: this catch-all matches the same LAN traffic as the route-to rules above and is
# evaluated later, so it is the rule that creates the state (without route-to)
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if_1 proto tcp all modulate state flags S/SA
pass out on $ext_if_2 proto tcp all modulate state flags S/SA
pass out on $ext_if_3 proto tcp all modulate state flags S/SA
pass out on $ext_if_1 proto { udp, icmp } all keep state
pass out on $ext_if_2 proto { udp, icmp } all keep state
pass out on $ext_if_3 proto { udp, icmp } all keep state
# VPN
pass in quick on $ext_if_1 proto esp from any to any
pass in quick on $ext_if_2 proto esp from any to any
pass in quick on $ext_if_3 proto esp from any to any
pass out quick on $ext_if_1 proto esp from any to any
pass out quick on $ext_if_2 proto esp from any to any
pass out quick on $ext_if_3 proto esp from any to any
pass in quick on enc0 proto ipencap all
pass in quick on enc0 from any to any
pass out quick on enc0 from any to any
pass in quick on $ext_if_1 proto udp from any to any port isakmp
pass in quick on $ext_if_2 proto udp from any to any port isakmp
pass in quick on $ext_if_3 proto udp from any to any port isakmp
pass out quick on $ext_if_1 proto udp from any to any port isakmp
pass out quick on $ext_if_2 proto udp from any to any port isakmp
pass out quick on $ext_if_3 proto udp from any to any port isakmp
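Editor's note and example, not part of Luis's post. pf evaluates filter rules last-match-wins unless a rule says quick. In the posted pf.conf the rule "pass in on $int_if from $int_if:network to any keep state" near the end matches every packet the two route-to rules match and comes later, so it is the rule that creates the state; the state carries no route-to, the packet follows the kernel default route from /etc/mygate, and only re1 ever sends traffic. The fragment below is the editor's rework of that part of the ruleset for the three interfaces and gateways in the post. It assumes the macros and the nat rules from the posted file, and it uses the pf syntax of OpenBSD 4.x in 2007 (the nat/rdr syntax changed in 4.7); the placement of the LAN-to-firewall rule before the route-to rules is deliberate, since quick makes the first match win.

```pf
# --- outbound load balancing: replaces the two route-to rules and the later
#     catch-all "pass in on $int_if ... to any" rule of the posted config ---

# Reply path: a packet whose source address belongs to re2 or re3 (for example
# the reply to a connection that came in on that link) must leave through that
# link's own gateway instead of the default route on re1.
pass out on $ext_if_1 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2 to any
pass out on $ext_if_1 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3 to any
pass out on $ext_if_2 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1 to any
pass out on $ext_if_2 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3 to any
pass out on $ext_if_3 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1 to any
pass out on $ext_if_3 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2 to any

# LAN hosts talking to the firewall itself (DNS, ssh, the proxy) must not be
# pushed out of a DSL link: match them first, before the route-to rules.
pass in quick on $int_if from $int_if:network to $int_if keep state

# LAN -> Internet. "quick" ends evaluation here, so no later rule can replace
# the route-to decision. sticky-address keeps every connection of one LAN
# host on the same link, which avoids breaking sites that bind a session to
# the client's public address.
pass in quick on $int_if route-to \
    { ($ext_if_1 $ext_gw_1), ($ext_if_2 $ext_gw_2), ($ext_if_3 $ext_gw_3) } \
    round-robin sticky-address \
    proto tcp from $int_if:network to any flags S/SA modulate state

pass in quick on $int_if route-to \
    { ($ext_if_1 $ext_gw_1), ($ext_if_2 $ext_gw_2), ($ext_if_3 $ext_gw_3) } \
    round-robin sticky-address \
    proto { udp, icmp } from $int_if:network to any keep state
```

Check it with pfctl -nf /etc/pf.conf before loading, then pfctl -s rules to confirm the order, and pfctl -vs state after a few connections from the LAN: states created by the route-to rules print the chosen interface and gateway, and tcpdump -n -i re2 and -i re3 should then show traffic. Two caveats a practitioner would want: round-robin does not test link health, so a dead DSL link keeps receiving a third of new connections until the rule is changed (ifstated(8) is the usual tool for rewriting the pool when a gateway stops answering), and trunk(4) aggregates several ports towards one peer, so it cannot spread traffic across three separate ISP links.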
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://listas.openbsd-br.org/pipermail/openbsd/attachments/20071024/8041ac72/attachment-0001.html