Agreed, however this would be a good first step and really requires only
minimal changes to the web interface and no new software. As far as
http, anything other than static pages can be difficult depending on how
the site maintains its sessions..
I don't think you could really expect a system to perform both stateful
packet inspection with over 100 rules AND be an effective load balancer
at the same time.
No but basic round robin load balancing is really no different than
single nat.. In fact I have more than 400+ machines behind a PIII600
openbsd firewall doing exactly that.
On a final note, that's actually mrtg, using rrdtools log files, Its
actually converting qmail log files, no time to convert it to rrdtool,
but I do use rrdtool for bandwidth monitoring.
From: Eric Shorkey [mailto:eshorkey at commonpointservices dot com]
Sent: Friday, May 28, 2004 8:36 PM
To: David Rodgers; Mark Spieth
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Load Balancing Again...
Seems like a nice idea, but I don't think you realize how much work it
to make a truly useful load balancer. You want more of a proxy than a
ipf rule. The reason being, load balancing is nice, but load balancing
high availability is much more useful. If one of your pop3 daemons dies
is no longer accepting connections on port 110, then you'd want your
balancer to notice this when a new guest tries to connect, and
try another server. Guests that are already connected are out of luck.
bad, so sad.) But new SYNs shouldn't be allowed to come back with an
unless all of the servers are down. To implement this, you'll want a
sofisticated traffic proxy. Something that holds the connection's hand
it finds a live host, and then it can fall back on the simple ipf
keep the packets going to the same host.
Even then, this is still a pretty basic load balancer. When you stop
about pop3 and start talking about http, things gets different. Real
different. For example, a lot of web providers like to have image
separate from the script running servers, purely to keep the load down
the busy scripting servers. This means you have to start examining the
application layer (ie truly proxying) to see what object the browser is
trying to retrieve, and then redirect it to a server within a server
that is responsible for serving that object. I would really love to see
m0n0wall style load balancer, but I believe that this is a whole new
all together. You'd be surprised how much of a beating load balancers
when you bring http to the table. I don't think you could really expect
system to perform both stateful packet inspection with over 100 rules
an effective load balancer at the same time.
Oh, and since you use mrtg, I highly suggest looking into rrdtool if you
haven't already done so. Same purpose as mrtg, but you don't have to
the data store to prevent it from growing too large. I use rrdtool here,
haven't looked back to mrtg yet.
----- Original Message -----
From: "David Rodgers" <david dot rodgers at kdsi dot net>
To: "Mark Spieth" <mspieth at neod dot net>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Friday, May 28, 2004 7:47 PM
Subject: Re: [m0n0wall] Load Balancing Again...
> After my little incident last week it's pretty much a no brainer that
> think this is a great idea as well. Especially if it's that simple.
> On Fri, 2004-05-28 at 17:23, Mark Spieth wrote:
> > The subject of load balancing inbound nat connections to several
> > eg. 1 external IP that round robins traffic to 2 internal hosts...
> > Has been brought up quite a few times.. Now, I am a openbsd and
> > person, and my monowall development box is current;y down so I had
> > way to look into this, However it seems to me that freebsd (ipf)
> > for the round-robin flag which allows you to setup 2 or more rules
> > round robin inbound connections to various machines.. See Below from
> > openbsd box
> > rdr ng0 0.0.0.0/0 port 110 -> 192.168.2.29 port 110 tcp round-robin
> > rdr ng0 0.0.0.0/0 port 110 -> 192.168.2.30 port 110 tcp round-robin
> > rdr ng0 0.0.0.0/0 port 110 -> 192.168.2.31 port 110 tcp round-robin
> > This seems to balance things out fairly well. In may case if you
> > my mrtg stats on the site below for pop3 it does a decient job of
> > balancing traffic between the servers.
> > http://sm1.neod.net/
> > Of course this does not take into consideration individual server
> > of if the server is even up, But it should be an easy thing to
> > into monowall.
> > Just my .02
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch