Hi Siju,
Are you running squid on the same box where the firewall is?
If so, tags will not be preserved on the outgoing connections from squid to the internet.
Regards,
Rosen
Siju George wrote:
Hi,
QUITE UNFORTUNATELY THIS DOES NOT SEEM TO WORK :-(
Could someone please let me see the flaw in logic or implementation?
Thank you so much :-)
Kind Regards
Siju
On Nov 21, 2007 10:46 AM, Siju George <[EMAIL PROTECTED]> wrote:
Hi,
I have two internet connections connected to my firewall now.
Both are from the same ISP, with IP addresses "IP1" and "IP2".
Both have the same gateway "GWIP".
ext_if="IP1"
ext_if2="IP2"
Now, to load balance squid, what I am doing is tagging half of the
packets coming to squid using the rules
===================================================================
pass in on $int_if inet proto tcp from $int_if:network to any port 8080 \
    keep state tag squid probability 50% label squid
pass in quick on $int_if inet proto tcp from $int_if:network to any \
    port { 21, 8080 } keep state
pass in on $int_if route-to { ($ext_if $gateway), ($ext_if2 $gateway) } round-robin \
    from $int_if:network to any keep state
===================================================================
This gets half of the traffic that comes to squid tagged and labeled as 'squid'.
Then I have the following NAT rule for $ext_if, which is the
default route, to NAT the tagged rules (i.e. half of squid traffic)
to "IP2" on $ext_if2:
=================================================
nat on $ext_if from $int_if:network to any tagged squid -> ($ext_if2)
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
=================================================
And finally the filter rules to route the tagged packets through
the second interface:
===============================================================
pass out quick on $ext_if route-to ( $ext_if2 $gateway ) inet proto tcp \
    all modulate state flags S/SA tagged squid
pass out on $ext_if route-to ( $ext_if $gateway ) proto tcp \
    all modulate state flags S/SA
pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto tcp \
    all modulate state flags S/SA
pass out on $ext_if route-to ( $ext_if $gateway ) proto { udp, icmp } \
    all keep state
pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto { udp, icmp } \
    all keep state
===============================================================
I derived this idea from
http://osdir.com/ml/openbsd.pf/2005-02/msg00124.html
after searching the archives.
Just wondering if there is a better way to do it :-)
Thank you so much especially Danny for the post :-)))))))
Kind Regards
Siju
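As an added example (not from the thread, and not Siju's or Rosen's ruleset) of one way around the problem Rosen describes: since a tag set on the client-to-squid connection never reaches the separate connection squid opens itself, let squid bind to both external addresses and have pf route by source address instead of by tag. Interface names, addresses, the LAN split and the squid.conf directives below are assumed placeholders.

```pf
# Added example: load-balance a squid that runs ON the firewall over two
# uplinks with the same gateway, without relying on tags.
#
# Assumptions (constructed placeholders):
#   em0 = LAN, em1/em2 = the two uplinks, 203.0.113.10/.11 = IP1/IP2,
#   203.0.113.1 = the shared gateway, 192.168.1.0/24 = the LAN.
# Squid side (squid.conf, assumed): split clients by address and bind
# each half to one external address, e.g.
#   acl lan_low  src 192.168.1.0/25
#   acl lan_high src 192.168.1.128/25
#   tcp_outgoing_address 203.0.113.10 lan_low
#   tcp_outgoing_address 203.0.113.11 lan_high
int_if  = "em0"
ext_if  = "em1"
ext_if2 = "em2"
ip1     = "203.0.113.10"
ip2     = "203.0.113.11"
gw      = "203.0.113.1"
lan     = "192.168.1.0/24"

# Connections to squid itself terminate on this box: match them first and
# quick, so the round-robin route-to rule below never diverts them.
pass in quick on $int_if inet proto tcp from $lan to any port 8080 keep state

# LAN clients that bypass squid keep the round-robin split and the NAT.
nat on $ext_if  from $lan to any -> ($ext_if)
nat on $ext_if2 from $lan to any -> ($ext_if2)
pass in on $int_if route-to { ($ext_if $gw), ($ext_if2 $gw) } round-robin \
    inet proto tcp from $lan to any keep state

# Squid's own connections leave via the default route (assumed: $ext_if).
# Packets sourced from IP2 are re-routed out the second uplink, and the
# symmetric rule covers the reverse case, so each uplink only carries
# traffic bearing its own address.  Other rules (e.g. out on $int_if,
# udp/icmp) are omitted for brevity.
pass out on $ext_if  route-to ($ext_if2 $gw) from $ip2 to any keep state
pass out on $ext_if2 route-to ($ext_if  $gw) from $ip1 to any keep state
pass out on $ext_if  from $ip1 to any keep state
pass out on $ext_if2 from $ip2 to any keep state
```

Check the split with `pfctl -s state` on the firewall: squid's outbound states should show source IP1 on em1 and IP2 on em2, with no state carrying the "wrong" address on either uplink.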