Fratiman Vladut wrote:
> Everything works well (except ftp), but I see with tcpdump packets that
> are outgoing on $ext_if1 from $ext_if2 and vice versa. Generally these are
> ICMP requests. I don't understand why this is happening, because I have the
> last two rules (from the web explanation) that prevent this situation.
> Even if I try to log packets for these rules, I don't see any packets.
> To be more clear, the rules that prevent packets from going out on the wrong
> interface are:
>
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
> ...

'route-to' needs to be used before the packet is routed, like on the 'pass in' rule. I have not noticed any problems load balancing ICMP.

As for ftp-proxy, the _only_ way I can think of to LB proxied services (squid, ftp-proxy...) is to:

A) Use -mpath (see man route)
B) Run two proxies. Bind each to the different external IPs and different internal ports. Load balance incoming connections to the two different proxies.

-Steve S.
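
A pf.conf sketch of the layout discussed in this thread, added here as an illustration and not taken from either poster: the load-balancing route-to sits on the inbound rule of the internal interface, and the two outbound rules quoted above are kept with logging enabled so their matches can be observed. It uses the same older route-to syntax as the quoted rules; $int_if, $lan_net and all interface names and addresses are assumptions.

```pf
# Added example, not from the thread. Interface names, gateways and the
# LAN prefix are constructed placeholders (documentation address ranges).
int_if  = "em0"
ext_if1 = "em1"
ext_if2 = "em2"
ext_gw1 = "192.0.2.1"
ext_gw2 = "198.51.100.1"
lan_net = "10.0.0.0/24"

# Translation rules precede filter rules in this pf.conf syntax.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Traffic addressed to the firewall itself must not be handed to route-to.
pass in quick on $int_if from $lan_net to $int_if

# The routing decision is made here, on the inbound side, before the
# kernel's normal route lookup picks an outgoing interface.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    from $lan_net to any keep state

# General outbound rules for each uplink.
pass out on $ext_if1 from any to any keep state
pass out on $ext_if2 from any to any keep state

# The two rules quoted in the thread, with 'log' added: a packet sourced
# from one uplink's address but leaving on the other is sent back out the
# matching interface, and each match is recorded on pflog0.
pass out log on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out log on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `tcpdump -n -e -ttt -i pflog0` shows whether the two logged rules ever match.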