[OpenBSD-BR] RES: Problem with Load Balance.

Luciano M. Mercucci lmercucci at hotmail.com
Sunday October 28 19:46:39 BRST 2007


Hello,

There are two caveats with this configuration. One is the route: in your
case you have 3 default gateways. I have heard of configuring the
speed/virtua routers to talk to OpenBSD through a routing protocol, but I
have never tested it. Another way would be to use mpath; for that
configuration you must leave /etc/mygate blank and use some script at
startup with the routing lines. E.g.:

route add -mpath default 189.x.x.1
route add -mpath default 201.x.x.1
route add -mpath default 200.x.x.1

You can do this and reboot the machine, but if you are connected remotely
through one of the links, you will lose the connection.

Delete the default route:

# route delete default
# route add -mpath default 189.x.x.1
# route add -mpath default 201.x.x.1
# route add -mpath default 200.x.x.1
# route -n show |grep default

All 3 should appear as default:

# route -n show |grep default
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            189.x.x.1          UGS         0    83108      -  xl0
default            201.x.x.1          UGS         1    67014      -  ste0
default            200.x.x.1          UGS         1    68148      -  fxp0

Another thing that was missing from your script, and that can make browsing
very slow, almost nonexistent, is defining the route of each IP with its
interface. This configuration would go at the end of your script:

#  route packets from any IP on $ext_if1 to $ext_gw1 and the same for
#  $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if1 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if2 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if3 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if3 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any

From: openbsd-bounces at openbsd-br.org [mailto:openbsd-bounces at openbsd-br.org]
On behalf of Luis Gatti
Sent: Monday, October 15, 2007 23:41
To: openbsd at openbsd-br.org
Subject: [OpenBSD-BR] Problem with Load Balance.

Greetings friends,
I am having problems configuring my server to use load balance and fail
safe.
My configuration is as follows:
3 DSL connections, 3 Mbs

/etc/mygate
68.74.34.124

/etc/hostname.re0
inet 10.25.1.2 255.255.255.0 NONE

/etc/hostname.re1
inet 68.74.34.125 255.255.255.248 NONE

/etc/hostname.re2
inet 76.248.141.130 255.255.255.248 NONE

/etc/hostname.re3
inet 76.248.141.135 255.255.255.248 NONE


My first attempt was to use round-robin in pf.conf. The pf.conf loads, but
only the re1 interface, which goes out through the gateway specified in
mygate, receives traffic, which can be verified with tcpdump -i re1..3
In another discussion group it was suggested that I use trunks, but I did
not find any documentation about it.
Any help is welcome.
A copy of the pf.conf follows:
# macros
int_if   = "re0"
ext_if_1   = "re1"
ext_if_2   = "re2"
ext_if_3   = "re3"
ext_gw_1    = "68.74.34.124"
ext_gw_2    = "76.248.141.129"
ext_gw_3    = "76.248.141.134"
dmz_if   = ""
vpn_if   = ""
loop     = "lo0"

# blocked Attack
blocked  = "{ 207.46.1.3/32 }"

# ports
tcp_services = "{ 20, 21, 50, 80, 222, 443, 500 }"
icmp_types   = "echoreq"
priv_nets    = "{ 127.0.0.0/8, 172.16.0.0/12 }"

# redirect Computer
comp1 = ""

# options
set block-policy return
set loginterface $ext_if_1
set loginterface $ext_if_2
set loginterface $ext_if_3
set optimization normal
set skip on $loop

# scrub
scrub in all

# nat
nat on $ext_if_1 from $int_if:network to any -> ($ext_if_1) static-port
nat on $ext_if_2 from $int_if:network to any -> ($ext_if_2) static-port
nat on $ext_if_3 from $int_if:network to any -> ($ext_if_3) static-port

# Proxy
#rdr pass on $int_if proto tcp to port http -> 127.0.0.1 port 3128
rdr pass on $int_if proto tcp to !10.25.1.2/32 port http -> 127.0.0.1 port 3128 round-robin sticky-address

# filter rules
block in log on $ext_if_1 all
block in log on $ext_if_2 all
block in log on $ext_if_3 all
block out log on $ext_if_1 all
block out log on $ext_if_2 all
block out log on $ext_if_3 all

# loopback
pass quick on lo0 all
pass in on $ext_if_1 inet proto icmp from any to $ext_if_1 icmp-type $icmp_types keep state
pass in on $ext_if_2 inet proto icmp from any to $ext_if_2 icmp-type $icmp_types keep state
pass in on $ext_if_3 inet proto icmp from any to $ext_if_3 icmp-type $icmp_types keep state

# Block
block drop in quick on $ext_if_1 from $priv_nets to any
block drop in quick on $ext_if_2 from $priv_nets to any
block drop in quick on $ext_if_3 from $priv_nets to any
block drop in quick on $ext_if_1 from $blocked to any
block drop in quick on $ext_if_2 from $blocked to any
block drop in quick on $ext_if_3 from $blocked to any
block drop out quick on $ext_if_1 from any to $priv_nets
block drop out quick on $ext_if_2 from any to $priv_nets
block drop out quick on $ext_if_3 from any to $priv_nets

# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
         { ($ext_if_1 $ext_gw_1), ($ext_if_2 $ext_gw_2), ($ext_if_3 $ext_gw_3) } round-robin \
         proto tcp from $int_if:network to any flags S/SA modulate state

#  load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
         { ($ext_if_1 $ext_gw_1), ($ext_if_2 $ext_gw_2), ($ext_if_3 $ext_gw_3) } round-robin \
         proto { udp, icmp } from $int_if:network to any keep state

# general "pass out" rules for external interfaces
pass in on $ext_if_1 inet proto tcp from any to ($ext_if_1) port $tcp_services flags S/SA keep state
pass in on $ext_if_2 inet proto tcp from any to ($ext_if_2) port $tcp_services flags S/SA keep state
pass in on $ext_if_3 inet proto tcp from any to ($ext_if_3) port $tcp_services flags S/SA keep state
pass in on $ext_if_1 inet proto udp from any to ($ext_if_1) port 4500 keep state
pass in on $ext_if_2 inet proto udp from any to ($ext_if_2) port 4500 keep state
pass in on $ext_if_3 inet proto udp from any to ($ext_if_3) port 4500 keep state
pass in on $ext_if_1 inet proto tcp from port 20 to ($ext_if_1) user proxy flags S/SA keep state
pass in on $ext_if_2 inet proto tcp from port 20 to ($ext_if_2) user proxy flags S/SA keep state
pass in on $ext_if_3 inet proto tcp from port 20 to ($ext_if_3) user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if_1 proto tcp all modulate state flags S/SA
pass out on $ext_if_2 proto tcp all modulate state flags S/SA
pass out on $ext_if_3 proto tcp all modulate state flags S/SA
pass out on $ext_if_1 proto { udp, icmp } all keep state
pass out on $ext_if_2 proto { udp, icmp } all keep state
pass out on $ext_if_3 proto { udp, icmp } all keep state

# VPN
pass in quick on $ext_if_1 proto esp from any to any
pass in quick on $ext_if_2 proto esp from any to any
pass in quick on $ext_if_3 proto esp from any to any
pass out quick on $ext_if_1 proto esp from any to any
pass out quick on $ext_if_2 proto esp from any to any
pass out quick on $ext_if_3 proto esp from any to any
pass in quick on enc0 proto ipencap all
pass in quick on enc0 from any to any
pass out quick on enc0 from any to any
pass in quick on $ext_if_1 proto udp from any to any port isakmp
pass in quick on $ext_if_2 proto udp from any to any port isakmp
pass in quick on $ext_if_3 proto udp from any to any port isakmp
pass out quick on $ext_if_1 proto udp from any to any port isakmp
pass out quick on $ext_if_2 proto udp from any to any port isakmp
pass out quick on $ext_if_3 proto udp from any to any port isakmp

-------------- Next Part ----------
An HTML attachment was scrubbed...
URL: http://listas.openbsd-br.org/pipermail/openbsd/attachments/20071028/0e85aeb1/attachment-0001.html 
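
The procedure in the reply (multipath default routes, one route-to rule per pair of uplinks, then checking that every gateway shows up as default), generalized to any number of links, as an added example that is not part of either message. It uses the interface names and gateways from the quoted pf.conf in place of the reply's $ext_ifN/$ext_gwN macros; LINKS, SAMPLE_ROUTES and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the thread. LINKS is constructed from the
# interface names and gateways in the quoted pf.conf: "interface gateway".
LINKS="re1 68.74.34.124
re2 76.248.141.129
re3 76.248.141.134"

# One multipath default route per uplink; /etc/mygate stays empty.
# OpenBSD balances across them only with sysctl net.inet.ip.multipath=1.
gen_routes() {
    printf '%s\n' "$1" | while read -r ifn gw; do
        echo "route add -mpath default $gw"
    done
}

# For every pair of distinct uplinks: a packet leaving on out_if whose source
# address belongs to src_if is sent out through src_if and its own gateway.
gen_rules() {
    printf '%s\n' "$1" | while read -r out_if rest; do
        printf '%s\n' "$1" | while read -r src_if src_gw; do
            if [ "$out_if" != "$src_if" ]; then
                echo "pass out on $out_if route-to ($src_if $src_gw) from $src_if to any"
            fi
        done
    done
}

# Print each gateway in LINKS ($1) that is not listed as a default route in
# the "route -n show" output given as $2. No output means all are present.
missing_defaults() {
    printf '%s\n' "$1" | while read -r ifn gw; do
        if ! printf '%s\n' "$2" | awk -v g="$gw" \
            '$1 == "default" && $2 == g { found = 1 } END { exit !found }'; then
            echo "$gw"
        fi
    done
}

# Constructed sample output: only two of the three defaults were installed.
SAMPLE_ROUTES="default  68.74.34.124    UGS  0  83108  -  re1
default  76.248.141.129  UGS  1  67014  -  re2"

gen_routes "$LINKS"
gen_rules "$LINKS"
echo "missing default gateways: $(missing_defaults "$LINKS" "$SAMPLE_ROUTES")"
```

On the firewall itself, pass the real output of route -n show as the second argument of missing_defaults instead of SAMPLE_ROUTES.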

