[SDBUG] Load Balancing with PF (bridged)

Dave Smith dsmith at n2.net
Mon Oct 17 09:36:17 PDT 2005


Mike,

Yeah, duplicate IP won't work.  But, since you have checked
the packet DST is being rewritten, then that is not the
problem.

I was not suggesting putting 183 on both.  Redirect 183 to
159 and 189 instead of using 189 as the public known address.

I agree it probably is a layer 2 problem.  When it tries to
ARP for the MAC address of 159, it is probably finding 189's
MAC address and forwarding the packet to 189 with a destination
IP of 159 so 189 just throws the packet away.

Dave


On Mon, Oct 17, 2005 at 07:25:30AM -0700, Michael J McCafferty wrote:
> Dave,
>          Using tcpdump I see the packet at the internal interface of 
> the firewall, headed to 159. The packet is dst to 159 and src my 
> house. No problems there. But, I do not see the packet arrive at the 
> host 159.... which is on the same LAN.
>          If I put an alias address then host 159 would arp for the 
> 189 address too, and then, there would be duplicate IPs on the 
> network. If I used a third address (say host 183) as the aliased 
> address and put it on both 159 and 189, then I'd also have duplicate 
> IPs on the network.
>          I get a funny feeling this whole thing is a layer 2 
> problem.... but it's only a hunch.
> 
>          Any other thoughts ?
> 
> Thanks !
> Mike
> 
> At 09:17 PM 10/16/2005, you wrote:
> 
> >Mike,
> >
> >Does the redirected packet still have the IP address of 189
> >in the destination address?  If it does, then 159 may not
> >recognize it as a packet for it to process.  You might have
> >to add an alias address to the incoming interface to get it
> >to receive packets for the alternate address.
> >
> >Maybe you should try using another address that is not the actual
> >address of one of the servers as the public address to be redirected.
> >This might shed some light on the confusion.
> >
> >Dave
> >
> >
> >
> >On Sun, Oct 16, 2005 at 06:45:58PM -0700, Michael J McCafferty wrote:
> > >
> > > Help !
> > >
> > >       I am trying to load-balance two web servers using a bridging
> > > firewall using PF.
> > >
> > > Relevant Rules:
> > > table <webservers> { 172.16.30.159, 172.16.30.189 }
> > > rdr on $public proto tcp from any to 172.16.30.189 port 8080 ->
> > > <webservers> port 80 round-robin sticky-address
> > >
> > >       Interestingly, when I tried to redirect another address that is not
> > > in use at all (172.16.30.183 for example), the redirects did not
> > > work. So, I just redirected one of the two web servers.
> > >       The above works the first time. It redirects the request to host 189
> > > on port 8080 to host 189 on port 80. I can see the state in PF, which
> > > shows the translation. I can see the packets in the network and I get
> > > the web page. This is kind of curious because host 159 is listed
> > > first in the table, but no matter it works.
> > >       Once the state disappears from the state table in PF, and I try
> > > again, it does NOT work. This time I can see the state, it shows the
> > > redirect from host 189 port 8080 to host 159 on port 80. I even see
> > > the SYN packets coming out of the internal interface of the PF
> > > bridge. A tcpdump on host 159 shows those SYN packets never make it
> > > there. Obviously, since host 159 doesn't see the SYN packets, it
> > > never ACKs and doesn't deliver the web page.
> > >       If I point my browser at host 159 from a system on the outside of
> > > the firewall, no problem, I get the web pages. I can surf the web
> > > pages on host 159 from the PF firewall system.
> > >
> > >
> > > Any thoughts on how to load balance two web servers on the inside of
> > > a bridging PF firewall or what I am doing wrong ?
> > >
> > > Thanks,
> > > Mike
> > >
> > > _______________________________________________
> > > SDBUG mailing list
> > > SDBUG at sdbug.org
> > > http://lists.sdbug.org/mailman/listinfo/sdbug
> > >
> >
> 

-- 
----------------------------------------------------
Dave Smith            Voice:  858-271-1557
dsmith at n2.net      Cell:   858-229-3662
----------------------------------------------------
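One way to test Dave's layer 2 hypothesis, as an added example that is not part of this thread: a small Python script that parses `tcpdump -e -n` style output (modern tcpdump output, with link-level headers) captured on the bridge's inside interface and flags any frame whose destination IP is one web server while its Ethernet destination MAC belongs to the other host. The capture lines, the MAC addresses and the ARP table below are constructed for illustration (the MACs are from the RFC 7042 documentation range), not taken from the original messages; on a real firewall the ARP table would come from `arp -an`.

```python
import re

# Constructed ARP table for the inside LAN (assumed values, not from the
# thread): which MAC address each web server is expected to answer on.
ARP_TABLE = {
    "172.16.30.159": "00:00:5e:00:53:59",
    "172.16.30.189": "00:00:5e:00:53:89",
}

# Constructed tcpdump -e -n output for the inside bridge interface.
# The second frame is the failure case Dave describes: the destination IP
# has been rewritten to 159, but the Ethernet destination is still 189's
# MAC, so 189 receives a packet for an IP it does not own and drops it.
SAMPLE_CAPTURE = """\
09:36:17.000001 00:00:5e:00:53:01 > 00:00:5e:00:53:59, ethertype IPv4 (0x0800), length 74: 198.51.100.7.51234 > 172.16.30.159.80: Flags [S], seq 1, win 65535, length 0
09:36:18.000002 00:00:5e:00:53:01 > 00:00:5e:00:53:89, ethertype IPv4 (0x0800), length 74: 198.51.100.7.51235 > 172.16.30.159.80: Flags [S], seq 2, win 65535, length 0
09:36:19.000003 00:00:5e:00:53:01 > 00:00:5e:00:53:89, ethertype IPv4 (0x0800), length 74: 198.51.100.7.51236 > 172.16.30.189.80: Flags [S], seq 3, win 65535, length 0
"""

# Timestamp, source/destination MAC, then the first "a.b.c.d.port > a.b.c.d.port:"
# pair on the line (the IP header after the link-level header).
FRAME_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}),"
    r".*?\s(?P<src_ip>\d+\.\d+\.\d+\.\d+)\.(?P<src_port>\d+) > "
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\.(?P<dst_port>\d+):"
)


def parse_frames(capture):
    """Return one dict per parsable tcpdump -e line; other lines are skipped."""
    frames = []
    for line in capture.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(m.groupdict())
    return frames


def find_l2_mismatches(capture, arp_table):
    """Frames whose destination IP is a known host but whose destination MAC
    is not that host's MAC. Returns (timestamp, dst_ip, dst_mac, expected_mac)."""
    mismatches = []
    for f in parse_frames(capture):
        expected = arp_table.get(f["dst_ip"])
        if expected is not None and f["dst_mac"].lower() != expected.lower():
            mismatches.append((f["ts"], f["dst_ip"], f["dst_mac"], expected))
    return mismatches


if __name__ == "__main__":
    for ts, ip, mac, want in find_l2_mismatches(SAMPLE_CAPTURE, ARP_TABLE):
        print(f"{ts}: packet for {ip} sent to MAC {mac}, expected {want}")
```

Run against a live capture with `tcpdump -e -n -i <inside_if> tcp port 80` and an ARP table built from `arp -an`; a non-empty result for frames redirected to 159 confirms that the rewritten packets are leaving the bridge addressed to 189's MAC, which is exactly the case where 159 never sees the SYN.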

