On 2019-03-23, Thomas Huber <miracu...@gmail.com> wrote:
> I would like to achieve the following:
> 1. almost even usage of the 4 ADSL-Uplinks
> 2. prefer VoIP-traffic over vlan32-traffic over vlan64 traffic
> 3. ssh should be always available through the static IP on pppoe0
> 4. vlan32 (internal) should not be reachable from vlan64 (hotel-guests)
>
> 1. Sometimes the traffic is not evenly distributed between the uplinks.
> My guess is this is due to the source-hash method which
> - when I understand correctly - distributes traffic per IP and not per
> connection.
> When I use [round-robin | least-state] sticky-address I've problems with my
> VoIP.
> And maybe some guests have problems with "secure" web apps* too.
> Anybody an idea how to do proper loadbalancing with almost only https
> traffic?

The only way you're likely to do better is to tunnel the traffic to
another machine on decent bandwidth using a multilink protocol that
knows how to deal with this - mlvpn comes to mind (it's in packages).

> 2. I tried to customize these rules to also include vlan[3|4] in the
> load-balancing.
> 2.1. use egress-group instead of the pppoe-group for nat-to:
>
> match out on egress from $int_lan nat-to (egress) source-hash
>
> 2.2. add vlan[3|4] to the route-to rule:
>
> pass in on $int_if route-to { (pppoe0 pppoe0:network), (pppoe1 pppoe1:network),\
> (vlan3 vlan3:network), (vlan4 vlan4:network) } source-hash
>
> But it didn't work: No internet connection from vlan32 and vlan64

It's been a long time since I had to do this but at least you'll need to
nat on each pppoe interface individually to the correct address for that
interface. e.g. "match out on pppoe0 from ... nat-to (pppoe0)"

What you are doing now will rewrite the address to *one* of the egress
interface addresses. Which will only be correct if the packet is being
sent out of the interface with that address.

> 3. ping with the -I flag is strange.
> To see if my uplinks are working I used to:
> # ping -I [assigned or static IP] 8.8.8.8
> sometimes it works for an IP and doesn't for another like:
> # ping -I [my static IP] 8.8.8.8 works
> # ping -I [my static IP] 1.1.1.1 doesn't work
> # ping 1.1.1.1 works
>
> # ping -I [dynamic IP] 8.8.8.8 doesn't work
> # ping -I [dynamic IP] 1.1.1.1 works
> # ping 8.8.8.8 works

I never came up with a satisfying way to do this.
Dirty method is to find some specific "always on" addresses and direct
one to one isp, another to another isp, etc, and ping those ..

There's another method of diverting traffic over multiple ISPs, using
multiple route tables + rdomains, but the selector in PF is a bit simpler;
to achieve balancing you can use the "probability" modifier, but there's
no stickiness so you are likely to have the problem with voip and banks etc.
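The per-interface nat-to that the reply recommends, written out as a pf.conf fragment (an added example, not from the thread or from OpenBSD; the uplink names and the route-to pool follow the quoted rules as of the thread's date, while the values of $int_if and $int_lan and the rules covering requirements 3 and 4 from the question are assumptions):

```pf
# Assumed internal interfaces: vlan32 is the internal LAN, vlan64 the guest LAN.
int_if  = "{ vlan32 vlan64 }"
int_lan = "{ vlan32:network vlan64:network }"

# Requirement 4: guests must not reach the internal network. Evaluated before
# the route-to rule below, so guest traffic to vlan32 never gets an uplink.
block in quick on vlan64 from any to vlan32:network

# Requirement 3: ssh only via the static address on pppoe0.
pass in on pppoe0 inet proto tcp from any to (pppoe0) port 22

# Spread outbound connections over the four uplinks (source-hash is sticky per
# client IP, which is what keeps VoIP and banking sessions on one link).
pass in on $int_if from $int_lan route-to \
    { (pppoe0 pppoe0:network), (pppoe1 pppoe1:network), \
      (vlan3 vlan3:network), (vlan4 vlan4:network) } source-hash

# One nat-to rule per uplink, keyed on the interface the packet actually
# leaves on. A single "nat-to (egress)" may pick another uplink's address,
# and the ISP then drops the packet as it does not belong to that link.
match out on pppoe0 from $int_lan nat-to (pppoe0)
match out on pppoe1 from $int_lan nat-to (pppoe1)
match out on vlan3  from $int_lan nat-to (vlan3)
match out on vlan4  from $int_lan nat-to (vlan4)
```

Check the resulting translations with `pfctl -ss` after loading: every state leaving pppoe1, vlan3 or vlan4 should show that interface's own address as the rewritten source.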