PF: address pool and load balancing

Source: Internet
Author: User

Introduction

An address pool is a supply of two or more addresses whose use is shared by a group of users. An address pool can be used as the redirection address in rdr rules, as the translation address in nat rules, and as the target address of the route-to, reply-to, and dup-to filter options.

There are four methods to use the address pool:

  • bitmask - grafts the network portion of the pool address onto the address being modified (the source address for nat rules, the destination address for rdr rules). For example, if the address pool is 192.0.2.1/24 and the address being modified is 10.0.0.50, the resulting address is 192.0.2.50. If the address pool is 192.0.2.1/25 and the address being modified is 10.0.0.130, the resulting address is 192.0.2.2.
  • random - randomly selects an address from the pool.
  • source-hash - uses a hash of the source address to determine which pool address to use. This method ensures that a given source address is always mapped to the same pool address. The key fed to the hash algorithm can optionally be specified after the source-hash keyword, in hexadecimal format or as a string. By default, pfctl(8) generates a random key each time the rule set is loaded.
  • round-robin - loops through the addresses in the pool in sequence. This is the default method, and the only method allowed when the address pool is specified using a table.

Except for the round-robin method, the address pool must be expressed as a CIDR network block. The round-robin method also accepts multiple individual addresses given in a list or a table.

The sticky-address option can be used with the random and round-robin pool types to ensure that a particular source address is always mapped to the same redirection address.
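The bitmask, source-hash and round-robin (with sticky-address) selection methods described above, simulated in Python. This is an added example, not code from the original page or from pf itself; the keyed hash uses SHA-256 as a stand-in for pf's own hash function (an assumption), and the pool addresses, source addresses and key are constructed for the demonstration.

```python
import hashlib
import ipaddress

def _merge(net, host_bits):
    """Network bits come from the pool CIDR, host bits from host_bits."""
    return str(net.network_address + (host_bits & int(net.hostmask)))

def bitmask_select(pool_cidr, modified_addr):
    """bitmask: graft the pool's network part onto the address being modified."""
    net = ipaddress.ip_network(pool_cidr, strict=False)
    return _merge(net, int(ipaddress.ip_address(modified_addr)))

def source_hash_select(pool_cidr, src_addr, key):
    """source-hash: host bits come from a keyed hash of the source address.
    SHA-256 stands in for pf's own hash (assumption), so the address picked
    differs from pf's; the property is the same: one source, one pool address."""
    net = ipaddress.ip_network(pool_cidr, strict=False)
    digest = hashlib.sha256(key + ipaddress.ip_address(src_addr).packed).digest()
    return _merge(net, int.from_bytes(digest[:4], "big"))

class RoundRobinPool:
    """round-robin, optionally sticky-address: a source keeps its mapping while
    a state exists and gets the next pool member once the state is gone."""

    def __init__(self, addrs, sticky=False):
        self.addrs, self.sticky = list(addrs), sticky
        self.counter = 0
        self.sticky_map = {}  # src -> pool address, kept while a state exists

    def select(self, src):
        if self.sticky and src in self.sticky_map:
            return self.sticky_map[src]
        addr = self.addrs[self.counter % len(self.addrs)]
        self.counter += 1
        if self.sticky:
            self.sticky_map[src] = addr
        return addr

    def state_expired(self, src):
        """Called when the last state for src is gone: the sticky mapping ends."""
        self.sticky_map.pop(src, None)

if __name__ == "__main__":
    print(bitmask_select("192.0.2.1/24", "10.0.0.50"))   # 192.0.2.50
    print(bitmask_select("192.0.2.1/25", "10.0.0.130"))  # 192.0.2.2
    key = b"constructed-demo-key"  # constructed for the demo, not a real key
    print(source_hash_select("192.0.2.4/31", "192.168.0.7", key))
    pool = RoundRobinPool(["10.0.0.10", "10.0.0.11", "10.0.0.13"], sticky=True)
    print([pool.select(s) for s in ("192.168.0.7", "192.168.0.8", "192.168.0.7")])
```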

Nat address pool

An address pool can be used as the translation address in nat rules. The source addresses of connections are translated to an address from the pool according to the selected method. This is useful when pf performs NAT for a very large network: because the number of NATed connections per translation address is limited, adding translation addresses lets the NAT gateway scale to serve more users.

In this example, an address pool containing two addresses is used to translate outgoing packets. PF uses the round-robin method to cycle through the translation addresses for each outbound connection.

nat on $ext_if inet from any to any -> { 192.0.2.5, 192.0.2.10 }

One drawback of this method is that successive connections from the same internal address are not always translated to the same translation address. This can cause problems, for example with web sites that track logged-in users by IP address. The alternative is to use the source-hash method, so that each internal address is always translated to the same translation address. For this, the address pool must be a CIDR network block.

nat on $ext_if inet from any to any -> 192.0.2.4/31 source-hash

This rule uses the address pool 192.0.2.4/31 (192.0.2.4 - 192.0.2.5) as the translation address for outgoing packets. Because of the source-hash keyword, each internal address is always translated to the same translation address.

Inbound server load balancing

Address pools can also be used to load balance inbound connections. For example, inbound web server connections can be distributed across a group of servers:

web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13 }"
rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
    round-robin sticky-address

Successive connections are redirected to the servers in round-robin order, and connections from the same source address are always sent to the same server. This "sticky connection" exists as long as there are states that refer to it. Once those states expire, so does the sticky connection, and further connections from that host are redirected to the next server in the round robin.

Load balancing for outbound communication

When a proper multi-path routing protocol (such as BGP4) is unavailable, address pools can be combined with the route-to filter option to load balance two or more Internet connections. By using route-to with a round-robin address pool, outbound connections can be evenly distributed across multiple outbound paths.

One additional piece of information needed is the IP address of the adjacent router on each Internet connection. This is fed to the route-to option to control the destination of outgoing packets.

The following example balances outbound communication between two Internet connections:

lan_net = "192.168.0.0/24"
int_if  = "dc0"
ext_if1 = "fxp0"
ext_if2 = "fxp1"
ext_gw1 = "68.146.224.1"
ext_gw2 = "142.59.76.1"

pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    from $lan_net to any keep state

The route-to option is applied to traffic from the internal network ($lan_net) arriving on the internal interface ($int_if): it balances that traffic (round-robin) across the gateways (ext_gw1 and ext_gw2) and names the outgoing network interface for each (ext_if1 and ext_if2). Note that the route-to option must be present on each filter rule whose traffic is to be balanced. Return packets are routed back to the same external interface they left from (this is done by the ISPs) and are then routed back to the internal network normally.

To ensure that packets with a source address belonging to $ext_if1 are always routed to $ext_gw1 (and likewise for $ext_if2 and $ext_gw2), the following two lines should be included in the rule set:

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
    to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
    to any

Finally, NAT can also be used on each outgoing interface:

nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

A complete example of outbound load balancing might look like this:

lan_net = "192.168.0.0/24"
int_if  = "dc0"
ext_if1 = "fxp0"
ext_if2 = "fxp1"
ext_gw1 = "68.146.224.1"
ext_gw2 = "142.59.76.1"

# nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# default deny
block in from any to any
block out from any to any

# pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net
# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if
# load balance outgoing tcp traffic from internal network
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state
# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

# general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# route packets from any IPs on $ext_if1 to $ext_gw1 and the same
# for $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
