Hi,

On 5/29/06, Giancarlo Razzolini <[EMAIL PROTECTED]> wrote:
> But I'm unable to load balance ftp-proxy traffic, and FTP only goes
> through my default gateway on my OpenBSD router.  I can understand
> why this is not working with the pools faq ruleset, but I don't know how
> to make it work.
>
As all traffic is NATed to the firewall address, you can load balance
traffic with the source IP address of the firewall.


I have adopted a different approach.  I'm unable to test for the next 2 days
so this has gone through limited testing on my laptop (vmware + obsd 3.9).
Here it is:

   $ext_if1 holds default gateway

   ifconfig lo0 alias 127.0.0.2

pf.conf
   nat on $ext_if1 from 127.0.0.2 to any -> $ext_if2

   pass all
   pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) \
       from $ext_if2 to any keep state

Note: I'm not NATing from $local_net or any other.


The idea is to NAT on $ext_if1 which holds default gateway, but use $ext_if2
IP during NAT.  The final pass out rule (from the pf pools faq) ensures
packets with source address of $ext_if2 are always routed to $ext_gw2.


If daemons on the firewall bind their sockets to 127.0.0.2 before
calling connect(), that connection should go through $ext_if2/gw2.
The pseudo-code would go like:

   fd = socket(...)
   bind(fd, "127.0.0.2")
   connect(fd, "www.google.com")


This actually works for me (but I don't trust my vmware setup).  I tested
with this perl code:

========== i manually re-typed this so please excuse typos ====
#!/usr/bin/perl
use warnings; use strict;
use Socket;

socket(SOCK, AF_INET, SOCK_STREAM, getprotobyname('tcp')) or die "socket: $!";

bind(SOCK, sockaddr_in(0, inet_aton('127.0.0.2'))) or die "bind: $!";
my ($port, $laddr) = sockaddr_in(getsockname(SOCK));
# $laddr is a packed 4-byte address; convert it back to dotted quad before printing
print "local ip:port = ", inet_ntoa($laddr), ":$port\n";

my $remote = sockaddr_in(25, inet_aton('smtp.mail.yahoo.com'));
connect(SOCK, $remote) or die "connect: $!";

print while defined ($_ = <SOCK>);
# press Ctrl + C to exit
==========


This produces the following output:
==========
local ip:port = 127.0.0.2:26082
220 smtp105.plus.mail.re2.yahoo.com ESMTP
==========

Hooray!


I'm not exactly sure how ftp-proxy can be made to use this.  My
guess is to run multiple instances each with "-a 127.0.0.1 -p 8021",
"-a 127.0.0.2 -p 8022", etc.  This should cause each ftp-proxy
instance to use a different gateway.  pf will need to rdr ftp connections
to the various ftp-proxy-ies on round-robin.


What do you guys think?

- Raja
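The bind-before-connect step in the mail above, as an added example that is not Raja's code and not part of the original thread. It uses Python's standard socket module and runs entirely over loopback: a throwaway listener on 127.0.0.1 reports the source address it sees, so you can confirm that the address passed to bind() is what the peer (and hence a pf nat/route-to rule keyed on source address) observes. It also shows the failure mode a practitioner hits first when the lo0 alias has not been configured: bind() fails with EADDRNOTAVAIL and the connection never gets a chance to match the route-to rule. On the router in the mail the local address would be 127.0.0.2 and the peer a real host; 127.0.0.1 and 192.0.2.1 (a TEST-NET address that is never configured locally) are used here only so the script runs offline.

```python
"""Pick the source address of an outbound TCP connection with bind() before connect().

Added example, not from the original mail. Runs over loopback only.
"""
import errno
import socket
import threading


def connect_from(local_ip, remote_ip, remote_port):
    """Connect to remote_ip:remote_port using local_ip as the source address.

    Returns (local_addr, remote_addr) as reported by the client socket.
    Raises OSError(EADDRNOTAVAIL) if local_ip is not configured on any
    local interface, which is what happens when the lo0 alias is missing.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((local_ip, 0))           # port 0: kernel picks an ephemeral port
        s.connect((remote_ip, remote_port))
        return s.getsockname(), s.getpeername()
    finally:
        s.close()


def bind_error(local_ip):
    """Return the symbolic errno from binding to local_ip, or None on success."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((local_ip, 0))
        return None
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def _accept_once(listener, result):
    """Accept a single connection and record the peer address the server saw."""
    conn, peer = listener.accept()
    conn.close()
    result["peer"] = peer


def demo(local_ip="127.0.0.1"):
    """Return (client-side source IP, source IP seen by the server) for one connection."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))     # constructed local peer standing in for a remote host
    listener.listen(1)
    port = listener.getsockname()[1]

    result = {}
    t = threading.Thread(target=_accept_once, args=(listener, result))
    t.start()
    try:
        local, _remote = connect_from(local_ip, "127.0.0.1", port)
    finally:
        t.join()
        listener.close()
    return local[0], result["peer"][0]


if __name__ == "__main__":
    print("source as seen by both ends:", demo("127.0.0.1"))
    print("bind to unconfigured 192.0.2.1:", bind_error("192.0.2.1"))
```

If bind_error() reports EADDRNOTAVAIL for the alias you intended to use, check ifconfig lo0 before touching pf.conf: the nat and route-to rules can only act on a source address the kernel was willing to assign.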
