From: Julian Elischer <julian@freebsd.org>
To: Poul-Henning Kamp
Cc: hackers@freebsd.org
Subject: Re: A dual-ISP hack with jail/vnet and ipfw
Date: Sat, 04 Feb 2012 23:27:00 -0800
Message-ID: <4F2E2F44.6040007@freebsd.org>
In-Reply-To: <12192.1328375145@critter.freebsd.dk>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

On 2/4/12 9:05 AM, Poul-Henning Kamp wrote:
> Natd(8) knows how to deal with multiple NAT instances for different
> interfaces, which is useful when you have multiple ISPs.
>
> The problem with it, is that it becomes incredibly hairy to configure
> your IPFW rules, in particular if you have other policy to implement
> too.

This is sort of what I did when I switched ISPs recently, and had a transition period.
I had a jail/vnet for each ISP, and just switched at the top level.

An unexpected advantage was that sessions from the main machine were 'one hop' away from the disruption when I screwed things, so instead of getting terminated when the rules/routes were screwed, they just 'hung' until I fixed things. Much like they do when there is internet disruption between sites.

I've meant to do something cleaner like this for a while.. good move.

> I spent some quality time with a 9.0-Stable nanobsd image today,
> and the script below is my proof of concept of a simpler way to
> do that.
>
> The idea is to let a jail deal with the two ISPs and use an epair
> to deliver a "normal default route interface" to the rest of the
> firewall, making its configuration simpler and easier to understand.
>
[...]
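The plumbing PHK describes (one vnet jail that owns both uplinks and NATs behind each, with an epair handing the host a single plain default-route interface), as an added example written for this archive page; it is not PHK's script, which is not quoted here. It assumes em0/em1 are the ISP NICs, RFC 5737 documentation addresses for the ISP gateways, a 10.255.0.0/30 link on the epair, and that ipfw and ipfw_nat are already loaded on the firewall.

```shell
#!/bin/sh
# Constructed example (not PHK's script): a vnet jail owns both ISP uplinks
# and runs one ipfw nat instance per uplink; the host only ever sees the
# "a" end of an epair and points its default route at the jail.
# Assumed names/addresses: em0/em1 are the ISP NICs, 198.51.100.1 and
# 203.0.113.1 their gateways (documentation ranges), 10.255.0.0/30 the epair.
# ipfw and ipfw_nat are assumed to be loaded already (it is a firewall).
set -eu

J=${J:-dualisp}
ISP_A=${ISP_A:-em0}; ISP_A_GW=${ISP_A_GW:-198.51.100.1}
ISP_B=${ISP_B:-em1}; ISP_B_GW=${ISP_B_GW:-203.0.113.1}
LINK_JAIL=10.255.0.1; LINK_HOST=10.255.0.2

# Echo every privileged command; skip execution when DRY_RUN is set, so the
# plan can be reviewed on a box that lacks the interfaces.
run() { printf '+ %s\n' "$*"; [ -n "${DRY_RUN:-}" ] || "$@"; }

setup_dual_isp() {
    if [ -n "${DRY_RUN:-}" ]; then
        EPAIR_A=epair0a                    # placeholder name for the dry run
    else
        EPAIR_A=$(ifconfig epair create)   # prints the "a" end, e.g. epair0a
    fi
    EPAIR_B="${EPAIR_A%a}b"

    run jail -c name="$J" vnet persist host.hostname="$J"
    # Move both uplinks and the jail end of the epair into the jail's vnet.
    run ifconfig "$ISP_A" vnet "$J"
    run ifconfig "$ISP_B" vnet "$J"
    run ifconfig "$EPAIR_B" vnet "$J"

    # Inside the jail: link address, forwarding, default via ISP A, and a
    # NAT instance per uplink (ISP addressing is left to the jail's own rc).
    run jexec "$J" ifconfig "$EPAIR_B" inet "$LINK_JAIL/30" up
    run jexec "$J" sysctl net.inet.ip.forwarding=1
    run jexec "$J" route add default "$ISP_A_GW"
    run jexec "$J" ipfw nat 1 config if "$ISP_A" same_ports reset
    run jexec "$J" ipfw nat 2 config if "$ISP_B" same_ports reset
    run jexec "$J" ipfw add 100 nat 1 ip from any to any via "$ISP_A"
    run jexec "$J" ipfw add 200 nat 2 ip from any to any via "$ISP_B"
    run jexec "$J" ipfw add 65000 allow ip from any to any

    # Host side: the "a" end is now the one default-route interface to manage.
    run ifconfig "$EPAIR_A" inet "$LINK_HOST/30" up
    run route add default "$LINK_JAIL"
}

case "${1:-}" in apply) setup_dual_isp ;; esac
```

Run it with `apply` on the firewall, or with `DRY_RUN=1` to print the plan first; the per-policy choice between the two uplinks (the "hairy" part the thread is about) is deliberately left out and belongs in the jail's ruleset.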