I'm in the process of setting up a redundant reverse proxy cluster for
someone.
Currently the setup is working in a single-box, non-redundant setup and
everything is perfect and purring nicely.
What I want it to ultimately do:
I want to load balance the 2 boxes with carp and each box in their own
right is a separate load balancer (PF) to separate services residing
locally on the 2 boxes.
Something like this (super basic illustration)
TRAFFIC=> CARP0 VIP HOSTA => PF-round robin=>{ HOST A XYY , HOST B XYZ }
=> CARP0 VIP HOSTB => PF-round robin=>{ HOST B ABC , HOST A ABC }
Back to reality:
BEFORE:
This box is configured to accept SMTP (smarthosting), HTTP and HTTPS
(pound SSL termination) on multiple alias addresses.
AFTER:
I have now added a second physical box and have converted all the IP
aliases into carp interfaces in ip-stealth balancing mode, i.e. carp0,
carp1, carp2, etc.
The two boxes are linked with X-over cable using pfsync0 and all is dandy.
NB: I must add that these 2X OpenBSD boxes are behind 2X PIX firewalls in
fail-over, which in turn are behind (inline) 2X Nokia FW-1 firewalls in
fail-over (I know it's a bad setup, but I cannot control that bit of the
equation).
Question => What is the best way to load balance incoming services into
these OpenBSD boxes? Do I do carp balancing and PF round robin? Also, how
do I handle my source address (return traffic) through these other crappy
firewalls?
Because if I NAT my source as carp0, then which MAC is the return traffic
going to go to? Or does each OpenBSD host need its own SRC IP that in
turn has rules in the PIXes and Nokias to allow the traffic to flow,
instead of one NAT'd carp VIP address?
Hope all this makes sense.
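The two-box layout described in the post (one carp VIP shared in ip-stealth balancing mode, each box then round-robining behind it with PF, states synced over pfsync0), as an added configuration example that is not part of the original post or any reply to it. Interface names, addresses and the carp password are placeholders; the PF rules use the pre-4.7 "rdr" syntax that matches the era of the post (pound, PIX), and the source-address question raised in the post is not addressed here, only the balancing and state-sync side.

```conf
# --- host A: /etc/hostname.carp0 (assumed name; example, not from the post) ---
# Both hosts share VIP 192.0.2.100 on one carp interface.  "balancing ip-stealth"
# makes the VIP answer ARP with the physical MAC of whichever node is master for
# the vhid that a given source hashes to.  carpnodes lists two vhids; this host
# is master (advskew 0) for vhid 1 and backup (advskew 100) for vhid 2.
inet 192.0.2.100 255.255.255.0 192.0.2.255 carpdev em0 \
    balancing ip-stealth carpnodes 1:0,2:100 pass carp-secret-placeholder

# --- host B: /etc/hostname.carp0 --- identical except the skews are swapped,
# so B is master for vhid 2 and backup for vhid 1:
# inet 192.0.2.100 255.255.255.0 192.0.2.255 carpdev em0 \
#     balancing ip-stealth carpnodes 1:100,2:0 pass carp-secret-placeholder

# --- both hosts: /etc/hostname.pfsync0 --- state table sync over the crossover
# cable (em1 assumed), so a state created on A survives failover to B.
up syncdev em1

# --- both hosts: /etc/pf.conf (fragment) ---
ext_if  = "em0"
sync_if = "em1"
vip_web = "192.0.2.100"
# constructed backend addresses: the service as it listens on host A and host B
web_a   = "10.0.0.11"
web_b   = "10.0.0.12"

# Every connection hitting the VIP on port 80 is spread over both hosts'
# local services; sticky-address keeps one client on the same backend so
# a multi-request session is not split between A and B.
rdr on $ext_if proto tcp from any to $vip_web port 80 \
    -> { $web_a, $web_b } round-robin sticky-address

# Let carp advertisements and pfsync traffic through; pfsync is unauthenticated,
# so keep it confined to the dedicated crossover link rather than the
# upstream-facing interface.
pass quick on $sync_if proto pfsync
pass quick on $ext_if proto carp keep state

# Allow the redirected traffic to reach the backends.
pass in on $ext_if proto tcp from any to { $web_a, $web_b } port 80 keep state
```

On OpenBSD 4.7 and later the rdr line is written as a pass rule with "rdr-to { $web_a $web_b } round-robin sticky-address" instead; the carp and pfsync pieces are unchanged. With "balancing ip-stealth" each box only answers for the sources that hash to the vhid it is master for, so the PF round-robin on each box is what actually spreads the load across both hosts' services, as the post's diagram shows.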