I have been through the FAQs and manuals trying to configure load balancing on my 4 DSL connections. The connections are all the same, from the same ISP; each connection terminates into an ADSL router, which gets the IP from the ISP server. The ADSL routers have the following internal addresses:
1. 172.31.1.1
2. 172.31.2.1
3. 172.31.3.1
4. 172.31.4.1

The routers cannot be configured in bridge mode, so it's not an option to get the IP address on the machine. Behind the 5th card is my internal network 192.168.1.0/24. Now I want to configure the 4 connections to load balance.

 DHCP        ____________________
------R1----|172.31.1.2         |
        rl0 |                   |
            |                   |
 DHCP       |                   |
------R2----|172.31.2.2         |
        rl1 |                   |LAN
            |        192.168.1.3|---------------
 DHCP       |                   |
------R3----|172.31.3.2         |
        rl2 |                   |
            |                   |
 DHCP       |                   |
------R4----|172.31.4.2         |
        rl3 |___________________|

The routers are getting dynamic IPs from the ISP; the firewall also gets dynamic IPs from the ADSL routers (can be changed to static). The local LAN is connected at 192.168.1.3 at rl4.

Here is my pf.conf:

##################################################
#Macros
##################################################
ext_if1="rl0"
ext_if2="rl1"
ext_if3='rl2'
#ext_if4="rl3"
int_if="rl4"
ext_gw1="172.31.1.1"
ext_gw2="172.31.2.1"
ext_gw3="172.31.3.1"
#ext_gw4="172.31.4.1"
lan_ip="192.168.1.3"
lan_net = "192.168.1.0/24"

####################################################
#NAT Rules
####################################################
#Local Lan to Internet
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
nat on $ext_if3 from $lan_net to any -> ($ext_if3)
nat on $ext_if4 from $lan_net to any -> ($ext_if4)

#DMZ To Internet
#nat on $ext_if1 from $dmz_net to any -> ($ext_if1)

#Local Lan to DMZ
#nat on $dmz_if from $lan_net to $dmz_net -> ($dmz_if)

#############################################################
#Redirection Rules
#############################################################
#rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 8080

#############################################################
#Load Balancing
#############################################################
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3), ($ext_if4 $ext_gw4) } round-robin from $lan_net to any keep state

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if1 reply-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if1 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if1 reply-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if1 route-to ($ext_if4 $ext_gw4) from $ext_if4 to any
pass out on $ext_if1 reply-to ($ext_if4 $ext_gw4) from $ext_if4 to any

pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if2 reply-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if2 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if2 reply-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if2 route-to ($ext_if4 $ext_gw4) from $ext_if4 to any
pass out on $ext_if2 reply-to ($ext_if4 $ext_gw4) from $ext_if4 to any

pass out on $ext_if3 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if3 reply-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if3 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if3 reply-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if3 route-to ($ext_if4 $ext_gw4) from $ext_if4 to any
pass out on $ext_if3 reply-to ($ext_if4 $ext_gw4) from $ext_if4 to any

pass out on $ext_if4 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if4 reply-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if4 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if4 reply-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if4 route-to ($ext_if4 $ext_gw3) from $ext_if3 to any
pass out on $ext_if4 reply-to ($ext_if4 $ext_gw3) from $ext_if3 to any

#############################################################
#Firewall Rules
#############################################################
#SSH Rules
pass in on $int_if proto tcp to ($int_if) port ssh keep state
pass in on $ext_if1 proto tcp to ($ext_if1) port ssh keep state
pass in on $ext_if2 proto tcp to ($ext_if2) port ssh keep state
pass in on $ext_if3 proto tcp to ($ext_if3) port ssh keep state
pass out on $int_if proto tcp to ($int_if) port ssh keep state
pass out on $ext_if1 proto tcp to ($ext_if1) port ssh keep state
pass out on $ext_if2 proto tcp to ($ext_if2) port ssh keep state
pass out on $ext_if3 proto tcp to ($ext_if3) port ssh keep state

#ICMP Rules
pass quick on $int_if proto icmp
pass out on $ext_if1 proto icmp
pass out on $ext_if2 proto icmp
pass out on $ext_if3 proto icmp
pass out on $ext_if4 proto icmp

#Allow all
pass in quick on lo0 all
pass in quick on $int_if all
pass in all
pass out all

The problem: All connections still occur from the gateway mentioned in /etc/mygate. I have tried going over the docs a couple of times, can't figure out where I am losing it.

Thanks in advance,
Manpreet
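
Added example, not part of the original post: a simplified Python model of pf's filter evaluation (the last matching rule wins, and a matching quick rule stops the scan), run over the rules from the posted pf.conf that can match on rl4. The Rule and Packet classes, the sample packet and the REORDERED variant are constructed for illustration; ports, addresses and state are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    text: str
    direction: Optional[str] = None   # "in", "out", or None for both
    iface: Optional[str] = None       # None matches any interface
    proto: Optional[str] = None       # None matches any protocol
    to_self: bool = False             # only matches traffic to the firewall itself
    quick: bool = False
    route_to: bool = False            # rule carries a route-to option

@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    to_self: bool = False

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and (pkt.to_self or not rule.to_self))

def evaluate(rules, pkt):
    """pf semantics: last matching rule wins; a matching quick rule ends the scan."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner

# Rules from the posted pf.conf that can match on rl4 ($int_if), in posted order.
BALANCE = Rule("pass in on $int_if route-to {...} round-robin", "in", "rl4", route_to=True)
POSTED = [
    BALANCE,
    Rule("pass in on $int_if proto tcp to ($int_if) port ssh", "in", "rl4", "tcp", to_self=True),
    Rule("pass quick on $int_if proto icmp", None, "rl4", "icmp", quick=True),
    Rule("pass in quick on lo0 all", "in", "lo0", quick=True),
    Rule("pass in quick on $int_if all", "in", "rl4", quick=True),
    Rule("pass in all", "in"),
    Rule("pass out all", "out"),
]
# Constructed variant: "quick" dropped from the $int_if catch-all and the
# load-balancing rule moved to the end, so it is the last rule to match.
REORDERED = [Rule("pass in on $int_if all", "in", "rl4") if r.text == "pass in quick on $int_if all"
             else r for r in POSTED[1:]] + [BALANCE]

LAN_TCP = Packet("in", "rl4", "tcp")  # constructed: LAN client opening an outbound TCP connection
```

In the REORDERED ordering, traffic addressed to the firewall itself would also end on the route-to rule; the model shows rule precedence only.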