* Load Balance
From: Usuário do Sistema @ 2011-04-17 23:22 UTC
To: netfilter
Hello everyone, I'm deploying a test environment with load balancing on my
firewall using equalize, as follows below.
I have two ISPs and one Inside network.
Creating the load balance:
ip route add default scope global equalize \
    nexthop via 200.247.209.65 weight 1 \
    nexthop via 201.72.12.1 weight 1
Zeroing rp_filter:
for eee in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 0 > "$eee"
done
Creating one more table:
ip route add default via 201.72.12.1 table telemar
It's working in my environment, but I haven't made it available in my
production environment.
My question is: are there more parameters which I have to set? For
example, timers.
Thanks
* Re: Load Balance
From: Andrew Beverley @ 2011-05-15 17:23 UTC
To: Usuário do Sistema; +Cc: netfilter
On Sun, 2011-04-17 at 20:22 -0300, Usuário do Sistema wrote:
> Hello everyone, I'm deploying a test environment with load balancing on my
> firewall using equalize, as follows below.
>
> I have two ISPs and one inside network.
>
> Creating the load balance:
>
> ip route add default scope global equalize \
>     nexthop via 200.247.209.65 weight 1 \
>     nexthop via 201.72.12.1 weight 1
>
> Zeroing rp_filter:
>
> for eee in /proc/sys/net/ipv4/conf/*/rp_filter; do
>     echo 0 > "$eee"
> done
>
> Creating one more table:
>
> ip route add default via 201.72.12.1 table telemar
>
> It's working in my environment, but I haven't made it available in my
> production environment.
>
Do you mean it doesn't work in your production environment?
> My question is: are there more parameters which I have to set? For
> example, timers.
>
If you are using 2 completely separate ISPs, then you will need to do
more than just provide equal-weighted gateways. You will need to send
the packets for each connection over the same ISP. The website below
gives more information:
http://www.sysresccd.org/Sysresccd-networking_en_Iptables-and-netfilter-load-balancing-using-connmark
Andy
* Re: Load Balance
From: Usuário do Sistema @ 2011-05-16 20:24 UTC
To: Andrew Beverley; +Cc: netfilter
Thank you Andy for your reply.
I haven't made it available in my production environment yet.
Well.... the link you made available shows how to do load balancing
with the connmark and statistic match modules, and it doesn't concern
global equalize.
So... I wonder, is there a difference between them?
With global equalize it's very easy: I only insert one line in the
script and it all works! At least in my test environment it's
working.
I want to do a test following your how-to, but I'm using CentOS 5.6 and
it doesn't have the libxt_statistic.so module because the iptables
version is 1.3.x.
Thanks
* Re: Load Balance
From: Andrew Beverley @ 2011-05-16 21:38 UTC
To: Usuário do Sistema; +Cc: netfilter
On Mon, 2011-05-16 at 17:24 -0300, Usuário do Sistema wrote:
> >> Hello everyone, I'm deploying a test environment with load balancing on my
> >> firewall using equalize, as follows below.
> >>
> >> Creating the load balance:
> >>
> >> ip route add default scope global equalize \
> >>     nexthop via 200.247.209.65 weight 1 \
> >>     nexthop via 201.72.12.1 weight 1
> >>
> >
> > If you are using 2 completely separate ISPs, then you will need to do
> > more than just provide equal-weighted gateways. You will need to send
> > the packets for each connection over the same ISP. The website below
> > gives more information:
> >
> > http://www.sysresccd.org/Sysresccd-networking_en_Iptables-and-netfilter-load-balancing-using-connmark
> >
<top posting fixed>
> Well.... the link you made available shows how to do load balancing
> with the connmark and statistic match modules, and it doesn't concern
> global equalize.
>
> So... I wonder, is there a difference between them?
Yes. The example at the link ensures that packets from the *same*
connection stream are always routed through the same ISP (hence the
reason for asking the question). If you don't do this, then each gateway
will only see half the packets for a connection stream, which although I
am not an expert, I guess is not a good thing.
> With global equalize it's very easy: I only insert one line in the
> script and it all works! At least in my test environment it's
> working.
But is your test environment using one gateway with two routes?
> I want to do a test following your how-to, but I'm using CentOS 5.6 and
> it doesn't have the libxt_statistic.so module because the iptables
> version is 1.3.x.
Use a different distro...
Andy
* Re: Load Balance
From: Usuário do Sistema @ 2011-05-16 22:42 UTC
To: Andrew Beverley; +Cc: netfilter
> But is your test environment using one gateway with two routes?
No.
I have two gateways for my firewall. I put the routes in the table with
the line below:
ip route add default scope global equalize \
    nexthop via 201.72.12.17 weight 2 \
    nexthop via 200.247.209.6 weight 1
Sometimes the data flow goes out on gateway 201.72.12.17 and sometimes it
goes out on 200.247.209.6.
The two links are from the same ISP.
Thanks.
* Re: Load Balance
From: Grant Taylor @ 2011-05-17 0:45 UTC
To: Mail List - Netfilter
On 5/16/2011 16:38, Andrew Beverley wrote:
> If you don't do this, then each gateway will only see half the
> packets for a connection stream, which although I am not an expert, I
> guess is not a good thing.
The problem has to do with the fact that most connections are using NAT
at the edge, not a globally routable IP behind the load balancer with
multiple routes back in.
So what happens is that some of the traffic for a session is sent out
one gateway and being NATed to one external IP and the other traffic for
the same session is being sent out the other gateway and being NATed to
a different external IP. Thus, the server sees weird traffic, coming
from two different IPs. One connection exhibits drops and the other
exhibits incorrect sequence (think TCP 3-way handshake). The server
will abort the out of order / incorrect state traffic, which really
causes the client to abort the entire connection. You end up with a
mess. Thus you need to use something like conntrack to make connections
be persistent when NAT is involved like that.
Grant. . . .
* Re: Load Balance
From: Usuário do Sistema @ 2011-05-17 17:00 UTC
To: Grant Taylor; +Cc: Mail List - Netfilter
Well.... I've just done a test with the CONNTRACK and CONNMARK modules as
in the link indicated by Andrew, and the load balancing works.
But I still wonder what metric is used to do the load balancing. I
guess that the point is in the lines below:
iptables -t mangle -A PREROUTING -p tcp -m state --state NEW \
    -m statistic --mode nth --every 2 --packet 0 -j CONNMARK1
iptables -t mangle -A PREROUTING -p tcp -m state --state NEW \
    -m statistic --mode nth --every 2 --packet 1 -j CONNMARK2
I understand that for every two new connections, the third goes out to
the next link, making the load balance.
Right??
Thanks!
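The approach Andrew linked and the two "statistic --mode nth" lines above are the core of per-connection multi-WAN marking; what the thread never shows in one place is the rest of the arrangement that makes them work (the per-link routing tables selected by fwmark, the restore/mark/save sequence in mangle PREROUTING, and per-interface SNAT). The script below is an added example written for this thread, not the poster's script and not the sysresccd page's code. It uses MARK and CONNMARK directly instead of the CONNMARK1/CONNMARK2 user chains in the poster's rules, and it assumes an iptables with the conntrack, mark, statistic and CONNMARK extensions (newer than the 1.3.x the poster mentions). Interface names, the addresses (RFC 5737 documentation ranges) and the table numbers 101/102 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the original poster's script nor the sysresccd page's
# code): per-connection multi-WAN marking with CONNMARK plus policy routing.
# Interface names, addresses (RFC 5737 documentation ranges) and routing
# table numbers 101/102 are constructed placeholders for this example.

LAN_IF=eth0
WAN1_IF=eth1; WAN1_IP=192.0.2.10;    WAN1_GW=192.0.2.1
WAN2_IF=eth2; WAN2_IP=198.51.100.10; WAN2_GW=198.51.100.1

# run: print the command when DRY_RUN is set, otherwise execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Policy routing: one table per link, chosen by fwmark; the "from" rules make
# replies to connections that arrived on a link leave via that same link.
# Strict rp_filter would drop such asymmetric traffic, so the poster's loop
# that zeroes rp_filter is still needed alongside these rules.
setup_routes() {
    run ip route add default via "$WAN1_GW" dev "$WAN1_IF" table 101
    run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table 102
    run ip rule add fwmark 1 table 101
    run ip rule add fwmark 2 table 102
    run ip rule add from "$WAN1_IP" table 101
    run ip rule add from "$WAN2_IP" table 102
}

# Marking: restore the connection mark first so established flows stay on the
# link they started on (the property plain "equalize" lacks), distribute only
# still-unmarked NEW connections round-robin, then save the mark to conntrack.
setup_marks() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack --ctstate NEW \
        -m mark --mark 0 -m statistic --mode nth --every 2 --packet 0 \
        -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack --ctstate NEW \
        -m mark --mark 0 -j MARK --set-mark 2
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --save-mark
    # SNAT per egress interface: a pinned connection is always translated to
    # the same external address, which is what Grant's NAT point requires.
    run iptables -t nat -A POSTROUTING -o "$WAN1_IF" -j SNAT --to-source "$WAN1_IP"
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -j SNAT --to-source "$WAN2_IP"
}

# Usage: "sh multiwan.sh show" prints the rules; "sh multiwan.sh apply" runs
# them (as root). With no argument the functions are only defined.
case "${1:-}" in
    show)  DRY_RUN=1; setup_routes; setup_marks ;;
    apply) setup_routes; setup_marks ;;
esac
```

The second MARK rule needs no statistic match of its own: the first rule takes every even-numbered unmarked NEW packet, and whatever it leaves unmarked falls through to mark 2, so the two rules cannot drift apart the way two independent nth counters could.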
* Re: Load Balance
From: Grant Taylor @ 2011-05-17 18:07 UTC
To: Mail List - Netfilter
On 05/17/11 12:00, Usuário do Sistema wrote:
> But I still wonder what metric is used to do the load balancing. I
> guess that the point is in the lines below:
(I'd have to go back and re-read to know for sure what the "metric" is
that you are referring to and how it affects things.)
> iptables -t mangle -A PREROUTING -p tcp -m state --state NEW \
>     -m statistic --mode nth --every 2 --packet 0 -j CONNMARK1
> iptables -t mangle -A PREROUTING -p tcp -m state --state NEW \
>     -m statistic --mode nth --every 2 --packet 1 -j CONNMARK2
>
> I understand that for every two new connections, the third goes out to
> the next link, making the load balance.
>
> Right??
In (basic) theory, yes.
If we limit the scope to be just new connections (that will match the
above rules), yes, they will alternate between the connections (via
marks) thus hypothetically equalizing the load on the connections.
The thing that this does not take into account is what type of traffic
a given connection is, nor how long-lived and active it is.
Let's say that I have the following (new) connections in the following
sequence.
1) Simple SMTP test email.
2) HTTP download of kernel source.
3) Simple DNS query.
4) VPN connection.
You will find that connections #1 and #3 are marked with CONNMARK1 and
that connections #2 and #4 are marked with CONNMARK2. So what you end
up with is two very "light" connections on CONNMARK1 and two much
heavier connections on CONNMARK2.
The connections did end up "load balanced" (in a manner of speaking), or
"distributed" (is probably a better way to describe it) across the
multiple CONNMARKs. However, if you look at the utilization of the two
CONNMARKs or the physical connections they represent, you will find that
one is way under utilized and the other is probably saturated.
However, without doing some relatively nasty things (i.e. spoofing,
which requires support upstream) there is little that you can do about this.
So, you do end up distributing the connections, but not necessarily load
balancing.
> thank!
You are welcome.
Grant. . . .
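Grant's point is that alternating marks equalizes connection counts, not bytes, and the way to see that on a running firewall is to total the conntrack table by mark. The check below is an added example for this thread, not code from Grant or from the thread: it reads conntrack-style entries (the format of "conntrack -L" or /proc/net/nf_conntrack) and prints connections and bytes per mark. The four sample entries are constructed to mirror his SMTP/HTTP/DNS/VPN sequence with alternating marks and illustrative sizes; the packets= and bytes= fields only appear when conntrack accounting is enabled on the box (the net.netfilter.nf_conntrack_acct sysctl on kernels that have it).

```shell
#!/bin/sh
# Added example (not from the thread): aggregate a conntrack table by mark to
# compare connection counts with actual bytes per link.
# Input is conntrack-style lines ("conntrack -L" or /proc/net/nf_conntrack);
# the bytes= fields appear only when conntrack accounting is enabled.

# summarize_by_mark: read conntrack lines on stdin; for each entry take the
# mark= field (0 if absent) and add both directions' bytes= fields, then print
# one "mark=M connections=N bytes=B" line per mark, sorted by mark.
summarize_by_mark() {
    awk '
        {
            mark = 0; total = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^mark=/)  { split($i, kv, "="); mark = kv[2] + 0 }
                if ($i ~ /^bytes=/) { split($i, kv, "="); total += kv[2] }
            }
            conns[mark]++
            bytes[mark] += total
        }
        END {
            for (m in conns)
                printf "mark=%d connections=%d bytes=%d\n", m, conns[m], bytes[m]
        }' | sort
}

# Constructed sample table: Grant's four connections in his order, marked
# alternately (1,2,1,2) the way the nth rules would, with illustrative sizes.
# Addresses are RFC 5737/1918 placeholders, not real hosts.
sample_conntrack() {
    cat <<'EOF'
tcp      6 118 ESTABLISHED src=192.168.0.10 dst=198.51.100.25 sport=40001 dport=25 packets=9 bytes=4000 src=198.51.100.25 dst=192.0.2.10 sport=25 dport=40001 packets=8 bytes=3000 [ASSURED] mark=1 use=1
tcp      6 431999 ESTABLISHED src=192.168.0.11 dst=198.51.100.40 sport=40002 dport=80 packets=4000 bytes=220000 src=198.51.100.40 dst=203.0.113.10 sport=80 dport=40002 packets=60000 bytes=90000000 [ASSURED] mark=2 use=1
udp      17 29 src=192.168.0.12 dst=198.51.100.53 sport=40003 dport=53 packets=1 bytes=60 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=40003 packets=1 bytes=240 mark=1 use=1
udp      17 170 src=192.168.0.13 dst=198.51.100.77 sport=40004 dport=1194 packets=300000 bytes=400000000 src=198.51.100.77 dst=203.0.113.10 sport=1194 dport=40004 packets=250000 bytes=100000000 [ASSURED] mark=2 use=1
EOF
}

# Usage on a live box (as root): conntrack -L 2>/dev/null | summarize_by_mark
# Usage with the constructed sample: sample_conntrack | summarize_by_mark
```

On the sample, both marks hold two connections, but mark 1 carries 7300 bytes while mark 2 carries 590220000: the distribution Grant describes, with the count balanced and the load not.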
* Re: Load Balance
From: Usuário do Sistema @ 2011-05-17 20:06 UTC
To: Grant Taylor; +Cc: Mail List - Netfilter
Thanks everyone!!
Until the next issue