load balancing outgoing web traffic ( http , https ) with failover


Indunil Jayasooriya
Hi List,

I am trying to load balance outgoing web traffic (http, https) with a
failover feature using PF.

i.e. load balance port 80 and 443 web traffic from our LAN between both
ISPs. If one ISP goes down, the other will take on 100% of the web traffic.


My PF firewall (OpenBSD 5 - 64 bit) has 4 network cards.

They are as follows:

#dmz interface
dmz_if="ne0"

#wan interface
wan_if="ne1"

#adsl interface
adsl_if="ne2"

#internal interface - LAN interface
int_if="pcn0"


Squid is running as a transparent proxy, so all LAN PCs access the internet
(port 80 traffic) via the Squid proxy.

Currently, the default route has been set to the ADSL router. The IP of the
ADSL router is in the /etc/mygate file.

Without changing the /etc/mygate file (i.e. without removing /etc/mygate),
I want to load balance outgoing web traffic (http and https) with
failover.

I think it is possible. I am trying with the route-to option, but I still
cannot achieve it.


Here are a few sites I am studying.

http://www.openbsd.org/faq/pf/pools.html#outgoing

Anyway, in the above URL, Squid is NOT included.


Here's another. (Squid is NOT included there either.)

https://calomel.org/pf_config.html
The example is: Two external ISP connections using route-to and round-robin

I do need Squid for port 80 traffic (http).


How can I achieve it?


Here are a few rules in pf.conf:


# options
set block-policy return
set loginterface $adsl_if
set skip on lo

# match rules
match out on $adsl_if from $lan_net nat-to ($adsl_if)
match out on $wan_if from $lan_net nat-to ($wan_if)


# filter rules
block in log
#block out log
pass out quick log

antispoof quick for { lo $int_if }


# for squid
pass in log on $int_if proto tcp from $lan_net to any port 80 \
    rdr-to 127.0.0.1 port 3128


Could you please help me to solve it? If you need more info, I would like to
provide it.

--
Thank you
Indunil Jayasooriya