We migrated our load balancing configuration from pf to iptables.
pf:
rdr on $ext_int proto tcp from any to 85.114.2.170 port 25 -> $smtp_servers round-robin
iptables:
iptables -A PREROUTING -t nat -p tcp -d IPADDRESS --dport PORT -j DNAT --to-destination SERVER_1:PORT -m statistic --mode random --probability 0.33
iptables -A PREROUTING -t nat -p tcp -d IPADDRESS --dport PORT -j DNAT --to-destination SERVER_2:PORT -m statistic --mode random --probability 0.5
iptables -A PREROUTING -t nat -p tcp -d IPADDRESS --dport PORT -j DNAT --to-destination SERVER_3:PORT -m statistic --mode random --probability 1
Though this works, the configuration process is clumsy: we have to define custom rules in /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script, and then we must be very careful when changing the firewall via the VyOS CLI.
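As an added illustration (not part of the original report), the following POSIX shell helper generalises the three-server rules above to any number of backends: rule k of N must match 1/(N-k+1) of the traffic that earlier rules let through, which is exactly the 0.33 / 0.5 / 1 sequence, and effective_share confirms each backend ends up with 1/N. It only prints the iptables commands; the VIP and backend addresses are constructed examples.

```shell
#!/bin/sh
# Added example: generate evenly weighted DNAT rules for N backends.
# Rules are evaluated in order, so rule k only sees traffic that the
# k-1 rules before it did not match. To give every backend 1/N of the
# total, rule k must match 1/(N-k+1) of what reaches it.

# Probability to put on rule k (1-based) of n rules, e.g. 1 of 3 -> 0.333333
dnat_probability() {
    awk -v k="$1" -v n="$2" 'BEGIN { printf "%.6f", 1 / (n - k + 1) }'
}

# Share of total traffic that actually lands on backend k of n:
# p_k * product over j<k of (1 - p_j). Should always be 1/n.
effective_share() {
    awk -v k="$1" -v n="$2" 'BEGIN {
        rest = 1.0
        for (j = 1; j < k; j++) rest *= 1 - 1 / (n - j + 1)
        printf "%.6f", rest / (n - k + 1)
    }'
}

# Print one PREROUTING DNAT rule per backend (does not run iptables).
# Usage: dnat_rules VIP PORT SERVER1 [SERVER2 ...]
dnat_rules() {
    vip=$1; port=$2; shift 2
    n=$#; k=1
    for server in "$@"; do
        p=$(dnat_probability "$k" "$n")
        printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -m statistic --mode random --probability %s -j DNAT --to-destination %s:%s\n' \
            "$vip" "$port" "$p" "$server" "$port"
        k=$((k + 1))
    done
}

# Constructed sample: an SMTP VIP in front of three backends.
dnat_rules 203.0.113.10 25 192.0.2.11 192.0.2.12 192.0.2.13
```

The output for three backends reproduces the 1/3, 1/2, 1 pattern from the rules above with exact fractions instead of the rounded 0.33.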
It would be awesome to have the ability to do something along these lines:
set firewall group address-group SERVERS address SERVER_1
set firewall group address-group SERVERS address SERVER_2
set firewall group address-group SERVERS address SERVER_3
set nat destination rule 10 destination port 'PORT'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address SERVERS round-robin # round-robin the redirects across the group