pf outbound load balancing
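# Macros: internal network, internal interface, and the two uplinks with
# their next-hop gateways.
lan_net = "192.168.0.0/24"
int_if = "dc0"
ext_if1 = "fxp0"
ext_if2 = "fxp1"
ext_gw1 = "68.146.224.1"
ext_gw2 = "142.59.76.1"

# Do not filter loopback: the default-deny rules below would otherwise also
# drop traffic the gateway sends to itself.
set skip on lo

# nat outgoing connections on each internet interface; the parenthesized
# interface name makes pf pick up that interface's address dynamically
match out on $ext_if1 from $lan_net nat-to ($ext_if1)
match out on $ext_if2 from $lan_net nat-to ($ext_if2)

# default deny, logged so dropped packets are visible on pflog0
block in log
block out log

# pass all outgoing packets on internal interface
pass out on $int_if to $lan_net

# pass in quick any packets destined for the gateway itself, so they are
# matched before the route-to rule below can push them out an uplink
pass in quick on $int_if from $lan_net to $int_if

# load balance outgoing traffic from internal network. Each new state is
# assigned to the next gateway in turn, so a client's later connections may
# leave through the other uplink.
# NOTE(review): the "(interface gateway)" route-to form is the one this
# example's era used; the syntax has changed across pf releases, so check
# pf.conf(5) for the deployed version.
pass in on $int_if from $lan_net \
    route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin

# keep https traffic on a single connection; some web applications,
# especially "secure" ones, don't allow it to change mid-session.
# Pinning to $ext_if1 means https has no failover when that link is down;
# "round-robin sticky-address" (see pf.conf(5)) is an alternative that keeps
# each client on one gateway while still using both links.
pass in on $int_if proto tcp from $lan_net to port https \
    route-to ($ext_if1 $ext_gw1)

# general "pass out" rules for external interfaces
pass out on $ext_if1
pass out on $ext_if2

# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2: packets sourced from one uplink's address must
# leave via that uplink's gateway rather than the default route
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)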