Thread: pf (+ relayd?) as lvs replacement




pf (+ relayd?) as lvs replacement
2008-04-25 01:38:28
Our setup:

                    +--------------------+
                    |        Client      |
                    +----------+---------+
                               |
                               |
                               |
+------------------------------+-------------------------------+
|                     The World Wide Web (TM)                  |
+------------+-----------------+------------------+------------+
             |                 | Ext              |
             |          +------+------+           |
             |          |  Gentoo/LVS |           |
             |          +------+------+           |
             | Ext             |                  | Ext
             |                 |                  |
             |      +----------+-----------+      |
             |      |         Int          |      |
           +-+------+-+                 +--+------+-+
           |  FBSD1   |                 |   FBSD2   |
           +----------+                 +-----------+

GentExtif XXX.XXX.XXX.10
GentIntif 10.0.0.10

FBSD1Extif XXX.XXX.XXX.11
FBSD1lo0alias XXX.XXX.XXX.10
FBSD1Intif 10.0.0.11

FBSD2Extif XXX.XXX.XXX.12
FBSD2lo0alias XXX.XXX.XXX.10
FBSD2Intif 10.0.0.12

Gentoo/LVS
manipulates the package from a client and sends it to FBSD(1|2)
FBSD(1|2) then returns data directly to the client


As you can see, all of our machines have external IPs.
This diagram is a scaled down version of our setup. The Gentoo/LVS
machine handles more 'clusters' of (more than two) machines.
These machines are sending a lot more traffic than they are
receiving. It's therefore not feasible to route the traffic out
through one single machine as it would quickly become the bottleneck.

This setup is transparent to our users and is working quite well.

Motivation:
All our 'back-end' machines are now running *BSD. The company's only
Linux guy/defender/admin has left us.
We would therefore like to completely lose Linux in our setup.
We have seen that IPVS has been ported to FreeBSD but have not had any
luck finding people that use it on a larger scale. Furthermore we would
like to make this solution more clean (if possible) using pf.



Question:
 Is this possible with pf (maybe with relayd)?


Thanks in advance for any information (positive or negative) that might
help us on our way.

/mgb
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Re: pf (+ relayd?) as lvs replacement
2008-04-25 02:27:06
Hello,

A somewhat similar can be achieved using relayd, but this kind of load balancing
shouldn't be done on L2/L3 level. This kind of load balancing should be done on
Layer7 with some application level load balancers. That way you can also do
more than this (like sanitizing the requests before they get to the actual
servers).

Some projects exist out there to do this, like pound[1], or also nginx has
some features for this purpose, and even apache2.2 is being extended into this
direction.

[1] http://www.apsis.ch/pound/

On Fri, 25 Apr 2008 08:38:28 +0200
"Morten Grunnet Buhl" <mortengbgmail.com> wrote:

> Our setup:
>
>                     +--------------------+
>                     |        Client      |
>                     +----------+---------+
>                                |
>                                |
>                                |
> +------------------------------+-------------------------------+
> |                     The World Wide Web (TM)                  |
> +------------+-----------------+------------------+------------+
>              |                 | Ext              |
>              |          +------+------+           |
>              |          |  Gentoo/LVS |           |
>              |          +------+------+           |
>              | Ext             |                  | Ext
>              |                 |                  |
>              |      +----------+-----------+      |
>              |      |         Int          |      |
>            +-+------+-+                 +--+------+-+
>            |  FBSD1   |                 |   FBSD2   |
>            +----------+                 +-----------+
>
> GentExtif XXX.XXX.XXX.10
> GentIntif 10.0.0.10
>
> FBSD1Extif XXX.XXX.XXX.11
> FBSD1lo0alias XXX.XXX.XXX.10
> FBSD1Intif 10.0.0.11
>
> FBSD2Extif XXX.XXX.XXX.12
> FBSD2lo0alias XXX.XXX.XXX.10
> FBSD2Intif 10.0.0.12
>
> Gentoo/LVS
> manipulates the package from a client and sends it to FBSD(1|2)
> FBSD(1|2) then returns data directly to the client
>
>
> As you can see, all of our machines have external IPs.
> This diagram is a scaled down version of our setup. The Gentoo/LVS
> machine handles more 'clusters' of (more than two) machines.
> These machines are sending a lot more traffic than they are
> receiving. It's therefore not feasible to route the traffic out
> through one single machine as it would quickly become the bottleneck.
>
> This setup is transparent to our users and is working quite well.
>
> Motivation:
> All our 'back-end' machines are now running *BSD. The company's only
> Linux guy/defender/admin has left us.
> We would therefore like to completely lose Linux in our setup.
> We have seen that IPVS has been ported to FreeBSD but have not had any
> luck finding people that use it on a larger scale. Furthermore we would
> like to make this solution more clean (if possible) using pf.
>
>
>
> Question:
>  Is this possible with pf (maybe with relayd)?
>
>
> Thanks in advance for any information (positive or negative) that might
> help us on our way.
>
> /mgb


-- 
Best regards,

Czuczy Gergely
Harmless Digital Bt
mailto: gergely.czuczyharmless.hu
Tel: +36-30-9702963

Re: pf (+ relayd?) as lvs replacement
2008-04-25 10:06:21


On Fri, 25 Apr 2008, CZUCZY Gergely wrote:

> Hello,
>
> A somewhat similar can be achieved using relayd, but this kind of load
> balancing shouldn't be done on L2/L3 level. This kind of load balancing
> should be done on Layer7 with some application level load balancers.
> That way you can also do more than this (like sanitizing the requests
> before they get to the actual servers).
>
> Some projects exist out there to do this, like pound[1], or also nginx has
> some features for this purpose, and even apache2.2 is being extended into this
> direction.

Most of these projects don't have IPv6 support, while pf has IPv6 support
built in. We have been using pf for load balancing HTTP for more than a year
now, successfully.

Best Regards,


Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F  4300 6F64 7B00 70EF 9882


Re: pf (+ relayd?) as lvs replacement
2008-04-25 11:02:05
Adding IPv6 support to a project like this is usually a trivial thing
to do, nothing special. IMHO the cause of the lack of this feature in
many projects is the lack of requirement. Nobody tells the developers
that IPv6 support is needed. So, not a big deal.

On Fri, 25 Apr 2008 17:06:21 +0200 (CEST)
Mohacsi Janos <mohacsiniif.hu> wrote:

> On Fri, 25 Apr 2008, CZUCZY Gergely wrote:
>
> > Hello,
> >
> > A somewhat similar can be achieved using relayd, but this kind of
> > load balancing shouldn't be done on L2/L3 level. This kind of load
> > balancing should be done on Layer7 with some application level load
> > balancers. That way you can also do more than this (like sanitizing
> > the requests before they get to the actual servers).
> >
> > Some projects exist out there to do this, like pound[1], or also
> > nginx has some features for this purpose, and even apache2.2 is
> > being extended into this direction.
>
> Most of these projects don't have IPv6 support, while pf has IPv6
> support built in. We have been using pf for load balancing HTTP for more
> than a year now, successfully.
>
> Best Regards,
>
>
> Janos Mohacsi
> Network Engineer, Research Associate, Head of Network Planning and
> Projects NIIF/HUNGARNET, HUNGARY
> Key 70EF9882: DEC2 C685 1ED4 C95A 145F  4300 6F64 7B00 70EF 9882
>


-- 

Sincerely,

Gergely CZUCZY,
Harmless Digital
mailto: gergely.czuczyharmless.hu

Legacy software is software that works.
Re: pf (+ relayd?) as lvs replacement
2008-04-25 11:46:37


On Fri, 25 Apr 2008, CZUCZY Gergely wrote:

> Adding IPv6 support to a project like this is usually a trivial thing
> to do, nothing special. IMHO the cause of the lack of this feature in
> many projects is the lack of requirement. Nobody tells the developers
> that IPv6 support is needed. So, not a big deal.

<offtopic>
I am not quite sure that adding IPv6 is trivial:
- A few years ago I had a look at squid about IPv6 support - difficult.
- Adding IPv6 support to LVS - extremely complex.
- Adding IPv6 support to snort - took almost 2 years!

If the networking code is unreadable, or using int as a storage for IP
address, then you are out of luck - better to change other software...
</offtopic>

Best Regards,
Janos Mohacsi



>
> On Fri, 25 Apr 2008 17:06:21 +0200 (CEST)
> Mohacsi Janos <mohacsiniif.hu> wrote:
>
>> On Fri, 25 Apr 2008, CZUCZY Gergely wrote:
>>
>>> Hello,
>>>
>>> A somewhat similar can be achieved using relayd, but this kind of
>>> load balancing shouldn't be done on L2/L3 level. This kind of load
>>> balancing should be done on Layer7 with some application level load
>>> balancers. That way you can also do more than this (like sanitizing
>>> the requests before they get to the actual servers).
>>>
>>> Some projects exist out there to do this, like pound[1], or also
>>> nginx has some features for this purpose, and even apache2.2 is
>>> being extended into this direction.
>>
>> Most of these projects don't have IPv6 support, while pf has IPv6
>> support built in. We have been using pf for load balancing HTTP for more
>> than a year now, successfully.
>>
>> Best Regards,
>>
>>
>> Janos Mohacsi
>> Network Engineer, Research Associate, Head of Network Planning and
>> Projects NIIF/HUNGARNET, HUNGARY
>> Key 70EF9882: DEC2 C685 1ED4 C95A 145F  4300 6F64 7B00 70EF 9882
>>
>
>
> --
>
> Sincerely,
>
> Gergely CZUCZY,
> Harmless Digital
> mailto: gergely.czuczyharmless.hu
>
> Legacy software is software that works.
>
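
The remark in the last message about software that uses an int as storage for an IP address, illustrated with an added example that is not code from the thread or from any project named in it: a 32-bit field can only ever hold IPv4, while a family-tagged byte array lets the same parse and prefix-match (ACL) logic serve both families. The struct and function names are hypothetical and the addresses are constructed.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Legacy layout: the address is one 32-bit integer, so only IPv4 fits. */
struct legacy_addr { uint32_t ip; };

/* Family-agnostic layout: address family plus up to 16 raw bytes. */
struct ip_addr {
    int family;               /* AF_INET or AF_INET6 */
    int len;                  /* 4 or 16 */
    unsigned char bytes[16];  /* network byte order */
};

/* Returns 0 on success, -1 if the text is not an IPv4 literal. */
int legacy_parse(const char *text, struct legacy_addr *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1) return -1;
    out->ip = a.s_addr;
    return 0;
}

/* Returns 0 for an IPv4 or IPv6 literal, -1 otherwise. */
int ip_parse(const char *text, struct ip_addr *out)
{
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, text, out->bytes) == 1) {
        out->family = AF_INET; out->len = 4; return 0;
    }
    if (inet_pton(AF_INET6, text, out->bytes) == 1) {
        out->family = AF_INET6; out->len = 16; return 0;
    }
    return -1;
}

/* 1 if addr lies inside net/prefix_len, 0 otherwise; families must match. */
int ip_in_prefix(const struct ip_addr *addr, const struct ip_addr *net, int prefix_len)
{
    if (addr->family != net->family) return 0;
    if (prefix_len < 0 || prefix_len > addr->len * 8) return 0;
    int full = prefix_len / 8, rest = prefix_len % 8;
    if (memcmp(addr->bytes, net->bytes, (size_t)full) != 0) return 0;
    if (rest == 0) return 1;
    unsigned char mask = (unsigned char)(0xFF << (8 - rest));
    return (addr->bytes[full] & mask) == (net->bytes[full] & mask);
}
```

Code built around `legacy_addr` has to change every structure, comparison and log format that touches the integer before it can accept an IPv6 peer, which is where the porting effort goes.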