[ previous ] [ next ] [ threads ]
 
 From:  Jean Everson Martina <everson at inf dot ufsc dot br>
 To:  pmok at optushome dot com dot au, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 2 wans one m0n0wall
 Date:  Wed, 27 Oct 2004 12:36:11 -0300 
HI,

pmok at optushome dot com dot au wrote:
> Yeah, load-balancing and failover isn't possible as it
> hasn't been implemented. I'm not sure it ever will be.
> Its quite hard to implement with minimal issues.
> Someone has to take the time to properly implement
> it.

I had some experience doing this stuff using BSDs. First I implemented a 
policy routing that a friend told me, using IPFW, it is very easy to do, 
but it is not load balancing, it is just routing by source.

the basis are:

build a kernel with whis flags:

options IPFIREWALL
options IPFIREWALL_FORWARD
options IPDIVERT

and using this network scheme:

xl0 (LAN):
IP: 192.168.0.1
REDE: 192.168.0.0 / 255.255.255.0

xl1 (ISP1):
IP: 100.100.100.100
Gateway: 100.100.100.1

xl2 (ISP2):
IP: 200.200.200.200
Gateway: 200.200.200.1


what you nedd is two natd running, like this:

natd -s -n xl1 -p 8668
natd -s -n xl2 -p 8669

Have default route poiting to one of the ISPs

route add default 100.100.100.1


and the ipfw rules:

00010 divert 8669 ip from any to 200.200.200.200 in recv xl2
00020 divert 8669 ip from 192.168.0.8 to any out xmit xl1
00030 fwd 200.200.200.1 ip from 200.200.200.200 to any
00040 divert 8668 ip from any to 100.100.100.100 in recv xl1
00050 divert 8668 ip from 192.168.0.5 to any out xmit xl1
00060 allow ip from any to any
65535 deny ip from any to any

the trick is on rules 20 and 30. On rule 20 we send the packet to NATD 
on xl2 for a packet going out on xl1. On rule 30 we forward all packets 
comming from xl2 ip to next-hop of ISP2

in this example the machine IP 192.168.0.8 will go out using ISP2 and 
the IP 192.168.0.5 will use ISP1. You can also play with packets by 
protocol and port, not just machines...

The hole article is at
http://www.gamk.com.br/index.php?type=1&file=sourcert.txt, but it is in 
portuguese. But everything needed is stated on this e-mail. If people 
really whant to have it, I can talk with Diego to translate it.

A better solution should be when upgrading m0n0 to 5.x plattaform, use 
the pf from OpenBSD. With pf we can really do load ballancing, but this 
is another problem :)


Jean
smime.p7s (5.8 KB, application/x-pkcs7-signature)