LARTC - Mar 2001 - Tricking routes to load balance + transparent proxying?

Hi.

 Finally I have a linux machine acting as a router doing
load-balancing using multipaths and tos hacking (with iptables)

 I''ve set up the same machine as a transparent proxy with squid.
Traffic not going through proxy is correctly balanced. But the
problems arise with proxied traffic because squid use its own ip (the
one of the linux machine) to make connections to the outside. As my
load balancing is done depending on (source address, dst address) pair
all http (=proxied) connections are always made through the same
gateway and no balancing is performed :-(.

 I''ve been having a look at squid''s mailing-lists and I
haven''t seen
any solution (the only "semi"-solution would imply to setup two or
three squid''s and balance between them; I want only one squid).

 Would it be possible some trick with routes to obtain the result I''m
looking for? (i.e. balancing squid traffic).

 TIA

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-    ** RoMaN SoFt / LLFB **  
       roman@madrid.com
   http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hi,
> one of the linux machine) to make connections to the outside. As my
> load balancing is done depending on (source address, dst address) pair
> all http (=proxied) connections are always made through the same
> gateway and no balancing is performed :-(.
Why not? If it is based on _both_ source and destination address? Or maybe you
have a parrent cache your squid always talks to?


Christian

Squid isn''t a ftp proxy. Squid can connect to ftp sites as a client,
but
cannot proxy ftp protocol.

Do not intend to redirect ftp sessions to squid, leave it to pass through
your gateway, as any other protocol.

    If you need to control ftp sessions, install a socks proxy, and use an
ftp client that has support for it.

    Regards.

    -Jorge

=============================================================Jorge Boncompte -
Técnico de sistemas
DTI2 - Desarrollo de la Tecnología de las Comunicaciones
--------------------------------------------------------------
C/ Abogado Enriquez Barrios, 5   14004 CORDOBA (SPAIN)
Tlf: +34 957 761395 / FAX: +34 957 450380
--------------------------------------------------------------
jorge@dti2.net _-_-_-_-_-_-_-_-_-_-_-_-_-_ http://www.dti2.net
=============================================================Without wicker a
basket cannot be done.
=============================================================
----- Original Message -----
From: "Christian Worm Mortensen" <worm@dkik.dk>
To: "RoMaN SoFt / LLFB!!" <roman@madrid.com>;
<lartc@mailman.ds9a.nl>
Sent: Wednesday, March 21, 2001 8:10 PM
Subject: Re: [LARTC] Tricking routes to load balance + transparent proxying?


Hi,
> one of the linux machine) to make connections to the outside. As my
> load balancing is done depending on (source address, dst address) pair
> all http (=proxied) connections are always made through the same
> gateway and no balancing is performed :-(.
Why not? If it is based on _both_ source and destination address? Or maybe
you have a parrent cache your squid always talks to?


Christian


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO:
http://ds9a.nl/2.4Routing/

Sorry I replied the wrong message... Anyway... What are your ip rule
settings, etc...??

    -Jorge

P.D. Roman?¿? Llevo un par de días intentando responderte a tu mensaje pero
me los devuelve el servidor de correo.
=============================================================Jorge Boncompte -
Técnico de sistemas
DTI2 - Desarrollo de la Tecnología de las Comunicaciones
--------------------------------------------------------------
C/ Abogado Enriquez Barrios, 5   14004 CORDOBA (SPAIN)
Tlf: +34 957 761395 / FAX: +34 957 450380
--------------------------------------------------------------
jorge@dti2.net _-_-_-_-_-_-_-_-_-_-_-_-_-_ http://www.dti2.net
=============================================================Without wicker a
basket cannot be done.
=============================================================
----- Original Message -----
From: "Christian Worm Mortensen" <worm@dkik.dk>
To: "RoMaN SoFt / LLFB!!" <roman@madrid.com>;
<lartc@mailman.ds9a.nl>
Sent: Wednesday, March 21, 2001 8:10 PM
Subject: Re: [LARTC] Tricking routes to load balance + transparent proxying?


Hi,
> one of the linux machine) to make connections to the outside. As my
> load balancing is done depending on (source address, dst address) pair
> all http (=proxied) connections are always made through the same
> gateway and no balancing is performed :-(.
Why not? If it is based on _both_ source and destination address? Or maybe
you have a parrent cache your squid always talks to?


Christian


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO:
http://ds9a.nl/2.4Routing/

On Wed, 21 Mar 2001 21:31:28 +0100, you wrote:
>    Sorry I replied the wrong message... Anyway... What are your ip rule
>settings, etc...??
 My settings are simple:

1) Setting up the multipath route:

/usr/sbin/ip route add default \
                nexthop dev eth0 via 192.168.0.229 onlink \
                nexthop dev eth0 via 192.168.0.230 onlink

 Note I''ve removed the "equalize" option. Anyway I think this
option
does NOTHING if you don''t patch your kernel so it should be the same
having it or not.

2) TOS hacking:

        /usr/local/sbin/iptables -t mangle -A PREROUTING -j TOS
--set-tos 0x00
        /usr/local/sbin/iptables -t mangle -A OUTPUT -j TOS --set-tos
0x00


 As I said this converts my machine in a load balancer based on (src
ip, dst ip) pair.

 The problem is squid which always use the same IP for ALL
connections. This breaks my balance :-(

 Right now?

 
PS: Mail.com (the company madrid.com domain belongs to) has had
problems and has rejected all mail during last day aprox. If all is ok
now, I''ll start to receive all delayed mail. At least I hope so :)
>P.D. Roman?¿? Llevo un par de días intentando responderte a tu mensaje pero
>me los devuelve el servidor de correo.
 Lo dicho, problemas con madrid.com. Puedes intentar mi direccion
"directa" (madrid.com es un forwarder) si alguna vez tienes pbas:
roman@batmap.com


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-    ** RoMaN SoFt / LLFB **  
       roman@madrid.com
   http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Wed, 21 Mar 2001 20:10:19 +0100, you wrote:
>Hi,
>
>> one of the linux machine) to make connections to the outside. As my
>> load balancing is done depending on (source address, dst address) pair
>> all http (=proxied) connections are always made through the same
>> gateway and no balancing is performed :-(.
>
>Why not? If it is based on _both_ source and destination address? Or maybe
you have a parrent cache your squid always talks to?
 No, no parent cache. You''re right, it should balance traffic because
while src address keeps "static", destination address is changing
depending on the URL being requested. I''ll keep on watching sniffer
activity and making some tests.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-    ** RoMaN SoFt / LLFB **  
       roman@madrid.com
   http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Thu, 22 Mar 2001 09:24:18 +0100, you wrote:
>On Wed, 21 Mar 2001 21:31:28 +0100, you wrote:
>/usr/sbin/ip route add default \
>                nexthop dev eth0 via 192.168.0.229 onlink \
>                nexthop dev eth0 via 192.168.0.230 onlink
>
> Note I''ve removed the "equalize" option. Anyway I think
this option
>does NOTHING if you don''t patch your kernel so it should be the
same
>having it or not.
 I''ve left the "onlink" option because I don''t know
which really does.
> As I said this converts my machine in a load balancer based on (src
>ip, dst ip) pair.
>
> The problem is squid which always use the same IP for ALL
>connections. This breaks my balance :-(
 Well, thinking more deeply, it shoudn''t break balance because dst ip
changes with each connection (to a different site, of course). But
anyway I''m not getting the expected results. Sometimes during a
period (2-3 mins, eg) all connections (different dst sites included)
are routed via gateway1, and the other periodod all again are routed
via gateway2. It''s strange. In other times when I''ve made 5
pings to 5
differents sites they are routed alternatively via the two gateways,
which is the expected behaviour. It''s strange. It seems to work or
don''t work randomly... That''s the reason I though squid was
the
guilty, but I realized that the balance should work...

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-    ** RoMaN SoFt / LLFB **  
       roman@madrid.com
   http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~