Hi,

I have two internet connections connected to my firewall now. Both are from the same ISP, with IP addresses "IP1" and "IP2". Both have the same gateway "GWIP".

$ext_if="IP1"
$ext_if2="IP2"

Now to load balance squid, what I am doing is to tag half of the packets coming to squid using the rules

===================================================================
pass in on $int_if inet proto tcp from $int_if:network to any port 8080 \
    keep state tag squid probability 50% label squid
pass in quick on $int_if inet proto tcp from $int_if:network to any port { 21, 8080 } keep state
pass in on $int_if route-to { ($ext_if $gateway), ($ext_if2 $gateway) } round-robin \
    from $int_if:network to any keep state
===================================================================

This gets half of the traffic that comes to squid tagged and labeled as 'squid'.

Then I have the following NAT rules for the $ext_if, which is the default route, to NAT the tagged packets (i.e. half of squid traffic) to "IP2" on $ext_if2

=================================================
nat on $ext_if from $int_if:network to any tagged squid -> ($ext_if2)
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
=================================================

and finally the filter rules to route the tagged packets through the second interface.

==============================================================
pass out quick on $ext_if route-to ( $ext_if2 $gateway ) inet proto tcp \
    all modulate state flags S/SA tagged squid
pass out on $ext_if route-to ( $ext_if $gateway ) proto tcp \
    all modulate state flags S/SA
pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto tcp \
    all modulate state flags S/SA
pass out on $ext_if route-to ( $ext_if $gateway ) proto { udp, icmp } all keep state
pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto { udp, icmp } all keep state
===============================================================

Derived this idea from http://osdir.com/ml/openbsd.pf/2005-02/msg00124.html after searching the archives.

Just wondering if there is a better way to do it :-)

Thank you so much, especially Danny, for the post :-)))))))

Kind Regards

Siju
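
Added example, not part of the original post: a simplified Python model of how pf walks the three "pass in on $int_if" rules above (the last matching rule decides, "quick" stops evaluation, and a tag stays on the packet even when a later rule decides). The rule labels and the matching on destination port only are assumptions made for the illustration.

```python
import random
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass
class Rule:
    label: str                              # hypothetical name, for this model only
    ports: Optional[FrozenSet[int]] = None  # None matches any destination port
    quick: bool = False
    tag: Optional[str] = None
    probability: float = 1.0

# Constructed model of the three inbound rules from the post, in file order.
RULES = [
    Rule("tag-squid", ports=frozenset({8080}), tag="squid", probability=0.5),
    Rule("quick-pass", ports=frozenset({21, 8080}), quick=True),
    Rule("round-robin"),
]

def evaluate(dst_port, rng):
    """Return (label of the deciding rule, tag) for one new connection."""
    decided, tag = None, None
    for rule in RULES:
        if rule.ports is not None and dst_port not in rule.ports:
            continue
        # "probability" lets the rule match only for that share of packets.
        if rule.probability < 1.0 and rng.random() >= rule.probability:
            continue
        if rule.tag:
            tag = rule.tag        # sticky: kept even if a later rule decides
        decided = rule.label      # last matching rule wins ...
        if rule.quick:
            break                 # ... unless a quick rule ends evaluation
    return decided, tag

def tagged_share(dst_port, connections=10_000, seed=1):
    """Fraction of simulated connections that end up tagged 'squid'."""
    rng = random.Random(seed)
    hits = sum(evaluate(dst_port, rng)[1] == "squid" for _ in range(connections))
    return hits / connections

if __name__ == "__main__":
    print("port 8080 decided by:", evaluate(8080, random.Random(1))[0])
    print("port 8080 tagged share:", tagged_share(8080))
    print("port 80 decided by:", evaluate(80, random.Random(1))[0])
```

In this model, traffic to port 8080 is always decided by the quick rule and so never reaches the round-robin route-to rule; only the tag set by the first rule distinguishes the two halves.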