Subject: Re: ipnat & load-balancing outgoing traffic (resent without attachment)
To: None <tech-net@NetBSD.org>
From: Michael Hertrick <m.hertrick@neovera.com>
List: tech-net
Date: 12/11/2003 04:47:50
Daniel,

Your network description is a little confusing to me.  I drew up a
diagram that shows how I think your network looks based on the provided
information, but I could easily be wrong.  Would you mind providing a
better description, or looking at the attached .png graphic and correcting
it where necessary?  (Note that the diagram reflects the current state, not
the recommended state.)

I have compiled some information that may be helpful to you.

----------------------------
Method 1:  (In my opinion, the best method)

Based on how I think your network really looks, I suggest you coordinate
with your service providers to use a dynamic routing protocol (as if no
one saw that coming ;-) ).  OSPF ECMP (Equal Cost Multiple Paths) may be
just what you're looking for.

Check out Zebra, which is available as a NetBSD package.  Or the
commercial package gated.  Check out
http://einstein.seas.upenn.edu/mnlab/softwares/zebra/zebra.html for
modifications to zebra that allow more granular load-balancing (I have
not tested these modifications/methods, only read about them).

Keep in mind that your assigned public IP addresses will only be
routable over the ISP that assigned the IP addresses to you.  In other
words, while outbound traffic may go through any ISP, return traffic
will always come in on the ISP that "owns" your IP addresses.  One way to
fix that is to get yourself a sizable block of portable IP addresses (if
you don't have some already) and peer with your ISPs using BGP.
Depending on your needs, this is probably more trouble than it's worth.

Another way to fix the "different return-path" problem would be to
configure NAT so that outgoing sessions use any one of 3 addresses, each
one belonging to a different ISP.  I know of a few commercial firewall
products that allow this type of configuration, but haven't tested/tried
it with ipfilter.

-----------------------------
Method 2:  (ipfilter hack or pf)

Now, as far as meddling with ipfilter to do this... someone claims they
have used "pass" rules to direct traffic to desired interfaces. Maybe
you could use it to your advantage... Perhaps break up your IP network
into logical chunks and send each chunk to a particular gateway.  In
this case, each chunk would have its own global IP address based on the
ISP you're routing that chunk over or else it may not work due to the
differing return path.  See
http://mail-index.netbsd.org/port-i386/2001/10/22/0014.html for details
on using "pass" like this.

I have yet to figure out how to do true multiple-gateway load-sharing
with ipfilter either.  It may be possible, though I'm sorry I cannot
help there.  It's worth noting that ipfilter's round-robin command only
supports 2 IP addresses per line.  So before you'll ever figure out a
way to do this with ipfilter, you'll have to enter at least 2, if not 3
lines to deal with more than 2 addresses.  (See the ipfilter FAQ)

While ipfilter's load-balancing wasn't intended for this purpose, pf has
features built in specifically for this purpose.  See "route-to",
"reply-to", and "round-robin" in
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=i386&apropos=0&manpath=OpenBSD+Current

I'd hate to see OpenBSD win over NetBSD simply because of pf, but they
have the feature you want.  However, I do not know if it supports more
than two gateways.  The pf.conf line would look like this:

    pass in on $int_if route-to { ($ext_if1 $gw1_ip), ($ext_if2 $gw2_ip) } \
        round-robin from $lan keep state

(taken from http://www.openbsd.de/flyer/pf.ps)

You may also need "reply-to" lines in the config so that the session
state is applied to all the interfaces that may see traffic for those
load-balanced sessions after they've been created.

--------------------------------

I hope you find a solution to your problem.

Regards,

Michael Hertrick
Neovera, Inc.
http://www.neovera.com



Daniel Tams wrote:

> Hi,
>
> I have the following setup:
>
> Internet ---- ext_if1 - [                   ]
> Internet ---- ext_if2 - [ NetBSD NAT router ] - int_if ---- Intranet
> Internet ---- ext_if3 - [                   ]
>
> ext_if1: 123.456.789.1/24
> ext_if2: 123.456.789.2/24
> ext_if3: 123.456.789.3/24
> int_if:  10.0.0.1/24
>
> My /etc/ipnat.conf looks like this:
> ----begin-quote----
> map ext_if1 10.0.0.0/24 -> 123.456.789.1/32 proxy port ftp ftp/tcp
> map ext_if1 10.0.0.0/24 -> 123.456.789.1/32 portmap tcp/udp 1025:65000
> map ext_if1 10.0.0.0/24 -> 123.456.789.1/32
> ----end-quote----
>
> I.e. I am only using Internet line #1.  I would however like to
> load-balance all outgoing traffic over all 3 Internet lines.  How would I
> do this?  I thought maybe I could simply add a
> ----begin-quote----
> rdr ext_if1 123.456.789.1/32 -> 123.456.789.1,123.456.789.2,123.456.789.3 round-robin
> ----end-quote----
> after the aforementioned 3 lines, but I was told on the ipf mailing 
> list that that would not work.  Do you have any ideas?  By the way, 
> the NetBSD version I use is fdgw.
>
> TIA,
> - Daniel
>
>
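Added example, not taken from either message in this thread: a pf.conf
fragment for the three-link layout Daniel sketches, putting the
route-to/round-robin rule together with the per-link NAT and the reply-to
rules that make the return path line up.  Interface names, gateway
addresses and the public prefixes are assumed (RFC 5737 documentation
ranges).  The gateway pool is not limited to two entries, so three are
shown.  Note what each piece does: the NAT rule on each external interface
gives a session the address of the link it actually leaves on, so the
reply comes back over that link; route-to with keep state pins the whole
session to the gateway chosen for its first packet; reply-to is for
connections that arrive from outside on a non-default link, so the answer
goes back out that link instead of following the default route.

```pf
# Added example: pf.conf fragment for a router with three ISP links and
# one LAN.  Interface names, gateway addresses and public prefixes are
# assumed (RFC 5737 documentation ranges), not taken from the thread.
int_if  = "fxp0"
ext_if1 = "fxp1"
ext_if2 = "fxp2"
ext_if3 = "fxp3"
gw1 = "192.0.2.1"        # next hop on ISP 1 (kernel default route points here)
gw2 = "198.51.100.1"     # next hop on ISP 2
gw3 = "203.0.113.1"      # next hop on ISP 3
lan = "10.0.0.0/24"

# Translation has to happen per link: a session pushed out ext_if2 gets
# ext_if2's address, so the reply returns over ISP 2 and matches state.
# (nat/rdr rules must precede filter rules in pf.conf.)
nat on $ext_if1 from $lan to any -> ($ext_if1)
nat on $ext_if2 from $lan to any -> ($ext_if2)
nat on $ext_if3 from $lan to any -> ($ext_if3)

# Keep LAN-to-router and LAN-to-LAN traffic out of the gateway pool;
# 'quick' stops evaluation so the route-to rule below never sees it.
pass in quick on $int_if from $lan to $int_if:network keep state

# New sessions from the LAN are handed to the three gateways in turn.
# 'keep state' pins each session to the gateway chosen for its first packet.
pass in on $int_if route-to \
    { ($ext_if1 $gw1), ($ext_if2 $gw2), ($ext_if3 $gw3) } round-robin \
    from $lan to any keep state

# Packets sourced from a non-default link's own address (the router's
# services, or a redirected flow) would otherwise follow the default route
# out ext_if1; steer them back to the link that owns the source address.
pass out on $ext_if1 route-to ($ext_if2 $gw2) from ($ext_if2) to any
pass out on $ext_if1 route-to ($ext_if3 $gw3) from ($ext_if3) to any
pass out on $ext_if2 route-to ($ext_if1 $gw1) from ($ext_if1) to any
pass out on $ext_if2 route-to ($ext_if3 $gw3) from ($ext_if3) to any
pass out on $ext_if3 route-to ($ext_if1 $gw1) from ($ext_if1) to any
pass out on $ext_if3 route-to ($ext_if2 $gw2) from ($ext_if2) to any

# Inbound connections that arrive on a non-default link (here: ssh to the
# router) must be answered over that same link; otherwise the reply leaves
# via the default route and the remote side sees it come from the wrong
# address, or not at all if ISP 1 filters it.
pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp \
    from any to ($ext_if2) port ssh keep state
pass in on $ext_if3 reply-to ($ext_if3 $gw3) proto tcp \
    from any to ($ext_if3) port ssh keep state

# Let the translated sessions out.  The rest of the policy (block by
# default, what may enter on each link) belongs to the surrounding ruleset.
pass out on { $ext_if1, $ext_if2, $ext_if3 } keep state
```

Load it with `pfctl -f /etc/pf.conf` and check the pool with `pfctl -sr`.
Two caveats a practitioner should expect: pf does not detect a dead link,
so a gateway that stops forwarding keeps receiving its share of new
sessions until the rule is reloaded without it; and because each new
session may leave over a different ISP, a remote site that ties a login to
one client address will see up to three different source addresses from
the same user.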