route-to round-robin using single interface?

julf
Hi!

I have a small network, connected by 2 ADSL connections, and
want to load-share the connections. All examples of route-to
round-robin that I have seen have used 2 separate interfaces,
but as both my ADSL modems are on the same "no-mans-land"
network, I have been (so far unsuccessfully) trying to do
something like this:

pass in on $int_if from $int_net \
      route-to { ($ext_if $isp1_gw), ($ext_if $isp2_gw) } \
      round-robin sticky-address

Is that supposed to work, or does route-to round-robin only
work with 2 separate interfaces?

Appreciate any input...

        Julf

Re: route-to round-robin using single interface?

Stuart Henderson
On 2013/01/14 15:30, Johan Helsingius wrote:

> Hi!
>
> I have a small network, connected by 2 ADSL connections, and
> want to load-share the connections. All examples of route-to
> round-robin that I have seen have used 2 separate interfaces,
> but as both my ADSL modems are on the same "no-mans-land"
> network, I have been (so far unsuccessfully) trying to do
> something like this:
>
> pass in on $int_if from $int_net \
>       route-to { ($ext_if $isp1_gw), ($ext_if $isp2_gw) } \
>       round-robin sticky-address
>
> Is that supposed to work, or does route-to round-robin only
> work with 2 separate interfaces?
>
> Appreciate any input...
>
> Julf

I haven't checked, but that *should* be okay. Are you certain your
packets are hitting this rule? You can check the 'state creation'
counter in pfctl -sr -vv.

Re: route-to round-robin using single interface?

Daniel Hartmeier
On Mon, Jan 14, 2013 at 03:30:21PM +0100, Johan Helsingius wrote:

> I have a small network, connected by 2 ADSL connections, and
> want to load-share the connections. All examples of route-to
> round-robin that I have seen have used 2 separate interfaces,
> but as both my ADSL modems are on the same "no-mans-land"
> network, I have been (so far unsuccessfully) trying to do
> something like this:
>
> pass in on $int_if from $int_net \
>       route-to { ($ext_if $isp1_gw), ($ext_if $isp2_gw) } \
>       round-robin sticky-address
>
> Is that supposed to work, or does route-to round-robin only
> work with 2 separate interfaces?

AFAIK, it should work.

tcpdump with -e on $ext_if and check the destination MAC addresses.

Can you ping $isp1_gw and $isp2_gw and arp -sn is showing two
different entries for them?

What is the problem? All packets always go to $isp1_gw's MAC?
Or the sticky-address source tracking isn't working?

Are you using multiple clients on $int_net? If not, what do you expect
the sticky-address to do?

Have you tried adding "keep state(source-track global)" and
"set timeout source-track" and checked with pfctl -sS?

Daniel
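
The check suggested above (tcpdump with -e on $ext_if, then compare destination MAC addresses), as an added example that is not part of the original thread. The function names, MAC addresses and IP addresses are constructed for illustration, and the parser assumes only that the source MAC precedes the destination MAC on each tcpdump -e line.

```shell
#!/bin/sh
# Added example: tally next-hop (destination) MACs in `tcpdump -e` text output.
# Possible use on the firewall (the MAC is a placeholder for $ext_if's own MAC):
#   tcpdump -e -n -c 200 -i "$ext_if" | count_dst_macs 00:11:22:33:44:55

# count_dst_macs FW_MAC
# Reads tcpdump -e lines on stdin and prints "<frames> <dst-mac>" for frames
# whose source MAC is FW_MAC, i.e. traffic the firewall itself sent out.
count_dst_macs() {
    awk -v fw="$1" '
    # A MAC is six colon-separated groups of one or two hex digits.
    function is_mac(s,   p, k) {
        if (split(s, p, ":") != 6) return 0
        for (k = 1; k <= 6; k++)
            if (p[k] !~ /^[0-9a-f][0-9a-f]?$/) return 0
        return 1
    }
    BEGIN { fw = tolower(fw) }
    {
        src = ""
        for (i = 1; i <= NF; i++) {
            tok = tolower($i)
            sub(/,$/, "", tok)          # some builds print "dst," with a comma
            if (!is_mac(tok)) continue  # skips timestamps, ">" and IP addresses
            if (src == "") { src = tok; continue }
            if (src == fw) dst[tok]++   # second MAC on the line is the next hop
            break
        }
    }
    END { for (m in dst) print dst[m], m }
    ' | sort -k2
}

# Number of distinct gateways (by MAC) the firewall actually sent frames to.
distinct_next_hops() { count_dst_macs "$1" | wc -l | tr -d ' '; }

# Constructed sample capture: three outbound frames (two output styles)
# and one reply from a gateway, which must not be counted.
sample_capture() {
    cat <<'EOF'
15:30:21.000001 00:11:22:33:44:55 02:00:00:00:00:01 0800 98: 192.168.1.10 > 198.51.100.7: icmp: echo request
15:30:21.000002 00:11:22:33:44:55 02:00:00:00:00:02 0800 98: 192.168.1.11 > 198.51.100.7: icmp: echo request
15:30:21.000003 02:00:00:00:00:01 00:11:22:33:44:55 0800 98: 198.51.100.7 > 192.168.1.10: icmp: echo reply
15:30:22.000004 00:11:22:33:44:55 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: 192.168.1.10 > 198.51.100.7: ICMP echo request
EOF
}
```

With round-robin taking effect, outbound frames are spread over two destination MACs; a single MAC in the tally means every connection is leaving via one gateway.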

Re: route-to round-robin using single interface?

julf
Thanks for the reply, Daniel!

> AFAIK, it should work.

Good to have that confirmed, thanks!

> Can you ping $isp1_gw and $isp2_gw and arp -sn is showing two
> different entries for them?

From the firewall machine, yes, but not from machines on
the internal network.

> What is the problem? All packets always go to $isp1_gw's MAC?

Seems packets just disappear. Might be that the return
packets don't make it back - will have to set up a
separate test system, as I can't fiddle with the
firewall during daytime.

> Are you using multiple clients on $int_net?

Yes.

> Have you tried adding "keep state(source-track global)" and
> "set timeout source-track" and checked with pfctl -sS?

No, hadn't thought about that. Thanks - will have to try.

        Julf

Re: route-to round-robin using single interface?

julf
> AFAIK, it should work.

And it does :)

Turns out the problem had nothing to do with pf.

For some reason one of the DSM routers (ZyXEL P-2601HN-F1)
needed an explicit static return route, while the other,
(FRITZ!Box Fon WLAN 7360) didn't.

Everything works fine after adding the return route.

        Julf