Help: Load Balancing 2 external connections
LD
ldsift-applels at yahoo.com.au
Mon Nov 8 10:45:13 PST 2004
Hi there,
I'm setting up a FreeBSD gateway at work to replace 2 [RH9] gateways
that serve 2 separate external connections through 2 different ISPs.
Only the cable is currently utilised by most - and there's no
redundancy in place without fiddling with individual machines. The 2nd
gateway, however, does currently allow VPN connectivity for external
users.
The external connections:
1) Cable (dynamic IP);
2) ADSL 512/512 (static IP).
I'm fairly new to FreeBSD/ipfw/dummynet and so I'm hoping that people
here might be able to point me in the right direction. i.e., things to
bear in mind include: <list>
My questions are:
a) Do I need any specific kernel options? i.e., features that aren't
available otherwise through dynamic loading.
b) I'd like to make the whole thing transparent to the internal
network. i.e., internal computers' nameserver references are to the
gateway (rather than the ISP) which then translates such requests to the
appropriate nameserver(s) of the relevant ISP according to which pipe
the request is sent through :-)
c) I'm assuming that for the most part 'prob 0.5' will balance the load
between two pipes to the external interfaces...but is there a better
scheme? Also guaranteeing that a complete conversation, once initiated
via an interface, would continue through that interface...
d) How would you set it up to automatically place all traffic out via
one of the external interfaces should the other connection not be
available? i.e., auto-redundancy.
e) Any other tricks of the trade?
I've based my 'draft' script (below - which has various problems for
the problem at hand) off the last example on...
freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
...adjusting for pipes. Any pointers in the right direction would be
much appreciated.
Thanks.
#!/bin/sh
# <..>   (interface and address variables elided in the original post)
cmd="ipfw -q add"
skip="skipto 800"
ipfw -q -f flush
$cmd 005 allow all from any to any via $iif
$cmd 010 allow all from any to any via lo0
$cmd 014 divert natd ip from any to any via $pif1
$cmd 014 divert natd ip from any to any via $pif2
$cmd 015 check-state
# Public Interface
# resolv.conf fields are blank-separated, so awk's default splitting is enough
# (the shell strips the backslash from "-F\t", which would split on the letter t)
for DNS in `grep nameserver /etc/resolv.conf | awk '{print $2}'`; do
    $cmd 020 $skip tcp from any to $DNS 53 out setup keep-state
done
# access isp dhcp server for cable
$cmd 021 $skip udp from any to $ISP_DHCPs 67 out via $pif1 keep-state
# outgoing traffic
$cmd 030 $skip tcp from any to any $tcpports out
# <...>
# deny various incoming
# <...>
# allow cable dhcp
$cmd 360 allow udp from $ISP_DHCPs to any 68 in keep-state
# <...>
# reject/log
$cmd 400 deny log all from any to any in
$cmd 400 deny log all from any to any out
# SKIPTO Section
# coin flip per packet, evaluated after routing has already chosen the interface
$cmd 800 prob 0.5 pipe 1 ip from any to any out via $pif1
$cmd 800 prob 0.5 pipe 2 ip from any to any out via $pif2
# pipe configuration takes no rule number
ipfw -q pipe 1 config bw <suggestions?>
ipfw -q pipe 2 config bw <suggestions?>
# Natd
# with net.inet.ip.fw.one_pass=1 (the default) a packet accepted by a pipe
# above is not re-injected here, so this divert is never reached
$cmd 801 divert natd ip from any to any out
$cmd 802 allow ip from any to any
# deny/log all else
$cmd 999 deny log all from any to any
with regards,
--
LD
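An added example for the 'prob 0.5', per-conversation and auto-redundancy questions, written for this archive page rather than taken from the post or the handbook: the uplink is chosen once per flow with prob/skipto and fwd, recorded with keep-state so later packets of that conversation stay on the same link, and a cron-driven probe drops to a single uplink when a gateway stops answering. Interface names (rl0, xl0, xl1), gateway addresses, natd ports and the FreeBSD ping -S/-t flags are assumptions, and the fwd action relies on the IPFIREWALL_FORWARD kernel option of that era.

```shell
#!/bin/sh
# Added example (not the poster's draft): choose an uplink once per flow on its
# first packet, keep that choice with keep-state, and fall back to one uplink
# when the other gateway stops answering. Names and addresses are constructed.
IPFW="${IPFW:-ipfw -q add}"     # IPFW=echo prints the rules instead of loading
iif=rl0;  lan=192.168.1.0/24
pif1=xl0; gw1=10.0.0.1          # cable
pif2=xl1; gw2=10.0.1.1          # ADSL
# emit_rules UP1 UP2 : each argument is 1 when that uplink's gateway answered
emit_rules() {
    up1=$1; up2=$2
    # one natd per uplink (natd -p PORT -n IFACE), so each public address is
    # used only on its own link and replies are translated before state lookup
    $IPFW 50 divert 8668 ip from any to any via $pif1
    $IPFW 60 divert 8669 ip from any to any via $pif2
    # later packets of a known flow match here and keep the parent rule's
    # uplink; ipfw does not apply the parent's fwd to a flow's reply packets
    $IPFW 100 check-state
    if [ "$up1" = 1 ] && [ "$up2" = 1 ]; then
        # coin flip per new flow, not per packet: only a flow's first packet
        # gets this far, the rest are handled by check-state above
        $IPFW 200 prob 0.5 skipto 300 ip from $lan to any in via $iif
        $IPFW 210 skipto 400 ip from $lan to any in via $iif
    elif [ "$up1" = 1 ]; then
        $IPFW 200 skipto 300 ip from $lan to any in via $iif
    elif [ "$up2" = 1 ]; then
        $IPFW 200 skipto 400 ip from $lan to any in via $iif
    else
        $IPFW 200 deny log ip from $lan to any in via $iif
    fi
    # fwd overrides the routing table for the chosen flow; on FreeBSD 4.x/5.x
    # it needs the IPFIREWALL_FORWARD kernel option
    $IPFW 300 fwd $gw1 ip from $lan to any in via $iif keep-state
    $IPFW 400 fwd $gw2 ip from $lan to any in via $iif keep-state
    $IPFW 500 allow ip from any to any
}
# link_up IFACE GW : 1 if the directly connected gateway answers a ping sent
# from IFACE's current address (so the dynamic cable address is fine)
link_up() {
    src=$(ifconfig "$1" | awk '/inet /{print $2; exit}')
    if [ -n "$src" ] && ping -q -c 2 -t 3 -S "$src" "$2" >/dev/null 2>&1
    then echo 1; else echo 0; fi
}
# from cron every minute: probe both links and reload the ruleset
if [ "${1:-}" = run ]; then
    ipfw -q -f flush
    emit_rules "$(link_up "$pif1" "$gw1")" "$(link_up "$pif2" "$gw2")"
fi
```

Only the balancing section is shown; the draft's filtering rules still belong between check-state and the allow. Flushing on failover also discards the dynamic rules, so every active flow is re-homed on the next reload.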