Load Balancing NAT pf & carp

Hi,

I'd like to implement load-balancing NAT between 2 NAT servers using pf and carp (FreeBSD 9.2 release). Basically I've got a lot of subscribers on private IPs that I want to NAT with 4-5 public IPs.

Scheme:



LBNAT1 LAN (bge0): 192.168.1.1
LBNAT1 SYNC (bge2): 10.10.10.1
LBNAT1 WAN (bge1): 192.168.2.1

LBNAT2 LAN (bge0): 192.168.1.2
LBNAT2 SYNC (bge2): 10.10.10.2
LBNAT2 WAN (bge1): 192.168.2.2

LBNAT CARP0 LAN: 192.168.1.3
LBNAT CARP1 WAN: 192.168.2.3 (and alias 2.4, 2.5, 2.6, 2.7)

For the WAN side: I'm actually using a public IP range, but for the description here I've replaced the public range with private IPs.
For the LAN side: I've put a /24 here for the description, but in reality it's a /18.

So my purpose is to perform load-balancing NAT. However I'm not sure about what rules I should implement:

LBNAT1 and LBNAT2: pf.conf (I'm only including the rules and interface definitions concerning NAT and CARP here)
Code:
# interface macros
extcarp_if = "carp1"   # CARP virtual interface on the WAN side
int_if = "bge0"        # physical LAN interface
ext_if = "bge1"        # physical WAN interface
syn_if = "bge2"        # dedicated pfsync link between the two nodes

# subscriber networks to be translated
table <POOL_SUBS1> { 192.168.1.0/24 }

# NAT subscribers to the CARP address, one fixed address per source
nat pass log on $ext_if from <POOL_SUBS1> to any -> $extcarp_if source-hash

#CARP SYNCHRO
# pfsync traffic on the sync link must not itself be synced
pass quick on { $syn_if } proto pfsync keep state (no-sync)
pass on { $int_if $ext_if } proto carp keep state

Is anyone trying to implement something like this? And will pf use the IP alias of carp1 to perform NAT too, or only the main IP on carp1?

Let me know your thoughts about it, thanks guys :)
Attachments: NAT scheme.jpg
Use the carp(4) interfaces in your ruleset, not the actual interfaces. So your NAT happens on carp1 not bge1. The same applies for any pass or block rules.
 
Thanks for your feedback. Ok, so if I change the code like below:

Code:
# interface macros
extcarp_if = "carp1"   # CARP virtual interface on the WAN side
int_if = "bge0"        # physical LAN interface
ext_if = "bge1"        # physical WAN interface
syn_if = "bge2"        # dedicated pfsync link between the two nodes

# subscriber networks to be translated
table <POOL_SUBS1> { 192.168.1.0/24 }

# NAT on the CARP interface, spreading sources over the four alias addresses .4-.7
nat pass log on $extcarp_if from <POOL_SUBS1> to any -> 192.168.2.4/30 source-hash

#CARP SYNCHRO
# pfsync traffic on the sync link must not itself be synced
pass quick on { $syn_if } proto pfsync keep state (no-sync)
pass on { $int_if $ext_if } proto carp keep state

In that case, if I use the same pool to perform NAT (192.168.2.4/30) on both servers, will it be ok? Will the servers be able to load-balance the NAT translations as they should?
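To see what the two rule variants above (translating to `$extcarp_if` versus to the explicit pool `192.168.2.4/30`) mean for address selection, here is a small model of how a pf `source-hash` pool chooses the translation address. This is an added example written for this thread, not code from the post or from pf itself. It assumes only what pf.conf(5) documents for `source-hash`: the packet's source address is hashed together with a ruleset key and the hash selects one address within the pool network. SHA-256 stands in for pf's internal hash (an assumption; a real pf will pick different members), so the point is the properties, not the exact addresses: the choice is fixed per source, sources spread across all members of the pool, a one-address pool always yields that one address, and two nodes agree only when they hash with the same key. The addresses and the two keys are constructed from the thread's scheme.

```python
"""Model of pf's ``source-hash`` translation-address selection.

Added example for this thread; not code from the post or from pf.
Assumes pf.conf(5)'s description of ``source-hash``: hash(source, key)
picks one address inside the pool network. SHA-256 replaces pf's own
hash, so only the properties (determinism, spread, key dependence)
carry over to a real ruleset.
"""
import hashlib
import ipaddress
from collections import Counter

# Constructed sample values following the thread's addressing scheme.
SUBSCRIBER_NET = "192.168.1.0/24"   # <POOL_SUBS1>
WAN_POOL = "192.168.2.4/30"         # 192.168.2.4 - .7, the carp1 aliases
WAN_SINGLE = "192.168.2.3/32"       # a pool that holds a single address

# pfctl generates a random key at every ruleset load unless one is given
# after ``source-hash``; these constructed keys model two nodes that did
# not set one explicitly and therefore hash with different keys.
KEY_NODE1 = b"constructed-key-lbnat1"
KEY_NODE2 = b"constructed-key-lbnat2"


def source_hash_pick(src_ip: str, pool_cidr: str, key: bytes) -> str:
    """Return the pool address that ``src_ip`` is translated to."""
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    src = ipaddress.ip_address(src_ip)
    if src.version != pool.version:
        raise ValueError("source and pool address families differ")
    digest = hashlib.sha256(key + src.packed).digest()
    hash_value = int.from_bytes(digest[:4], "big")
    # Keep the pool's network bits and fill the host bits from the hash,
    # which is how a pool mask turns a hash into a member address.
    host_bits = pool.max_prefixlen - pool.prefixlen
    offset = hash_value & ((1 << host_bits) - 1)
    return str(pool.network_address + offset)


def mapping_table(src_ips, pool_cidr, key):
    """Map every subscriber address to its translation address."""
    return {ip: source_hash_pick(ip, pool_cidr, key) for ip in src_ips}


def pool_distribution(src_ips, pool_cidr, key):
    """Count how many subscribers land on each pool address."""
    return Counter(mapping_table(src_ips, pool_cidr, key).values())


def nodes_agree(src_ips, pool_cidr, key1, key2):
    """True when two nodes translate every source to the same address."""
    return (mapping_table(src_ips, pool_cidr, key1)
            == mapping_table(src_ips, pool_cidr, key2))


def subscriber_hosts(net_cidr):
    """All host addresses of a subscriber network as strings."""
    return [str(h) for h in ipaddress.ip_network(net_cidr).hosts()]


if __name__ == "__main__":
    hosts = subscriber_hosts(SUBSCRIBER_NET)
    print(WAN_POOL, "spread:", dict(pool_distribution(hosts, WAN_POOL, KEY_NODE1)))
    print(WAN_SINGLE, "spread:", dict(pool_distribution(hosts, WAN_SINGLE, KEY_NODE1)))
    print("same key on both nodes:", nodes_agree(hosts, WAN_POOL, KEY_NODE1, KEY_NODE1))
    print("different keys:", nodes_agree(hosts, WAN_POOL, KEY_NODE1, KEY_NODE2))
```

The last two lines of the run illustrate the caveat that matters for a two-node setup: pf.conf(5) states that pfctl generates a random `source-hash` key every time the ruleset is reloaded unless a key is given after the keyword, so two nodes with byte-identical rulesets still hash with different keys. Existing states survive a failover because pfsync carries them over, but a new connection from the same subscriber on the other node can come out of a different pool address. Giving the same explicit key after `source-hash` in both pf.conf files removes that difference.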
 
With carp(4) only one interface is active, but both sides must be configured the same. So your pf.conf will be the same on both machines. The pfsync(4) will make sure state information is exchanged. Keep in mind that carp(4) usually isn't used to load-balance. Its main purpose is to provide fault tolerance in case one of the two machines dies or is otherwise unavailable. The second machine is more or less a "hot standby".
 
Thanks, yes, I got that CARP is mainly used for failover, but what about load-balancing? From what I've read in the manual, the only CARP load-balancing available on FreeBSD is load-balancing by ARP. Is there a way to perform load-balancing by IP?
 