From: "no@spam@mgedv.net"
To: freebsd-questions@freebsd.org
Subject: BSD as routing device for 2 ISPs
Date: Sat, 14 Jun 2014 17:25:41 +0200
Message-ID: <539C6975.3040404@mgedv.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
List-Id: User questions <freebsd-questions@freebsd.org>

hi,

although I had a look at pfSense, OpenBGPD, setfib(1) ideas and such, googled around and discussed with network admins for hours, I still don't really see a clear path to setting up a proper solution which is not sort of "tinkering" but is still based on free OSes.

situation: we have 2 independent ISPs, each running its own router/external IP block.
e.g. ISP A: IP 1.1.1.10-1.1.1.20, ISP B: IP 2.2.2.50-2.2.2.60.

goal 1: inside->outside:
- NAT and spread traffic load-based across ISPs to use both wires
- switch to the "living" ISP in case the other goes down (losing active connections is ok and will of course happen)
- have 1 smart default gateway for all internal devices (no "use gw A for boxes A...N" solutions, as they need to switch)

goal 2: outside->inside:
- NAT different external IPs to the SAME service inside (e.g. smtp: NAT 1.1.1.11:25 and 2.2.2.51:25 to 192.168.10.10:25)
- allow connecting to the same service via different routes simultaneously, e.g.: ssh from 8.8.8.8->1.1.1.12:22 while ssh from 9.9.9.9->2.2.2.12:22, both end up NAT'd at 192.168.10.20:22.

goal 3: firewalling: either this box is the firewall, or any other idea is welcome. (currently, there's a separate hw firewall running which does NAT, too)

NOT a goal:
- switch over ("HA") of external services; this of course will only work out if we have our own ASNs, which is (& will be) not the case.

oh, and the box will be run as a virtual machine's guest OS.

any preferences on what to end up with?
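The three goals above map fairly directly onto FreeBSD's pf(4): per-interface nat for outbound, rdr on each ISP's address for inbound, route-to with round-robin to spread new LAN connections over both uplinks, and reply-to so that answers to inbound connections leave through the ISP they arrived on. The pf.conf below is an added example for that layout, not code from the original post or from the FreeBSD project. Interface names (em0/em1/em2), the two upstream gateway addresses (1.1.1.1, 2.2.2.1), the LAN prefix 192.168.10.0/24 and the 2.2.2.52 ssh address are assumptions (the post's 2.2.2.12 lies outside the block it gives for ISP B); the other addresses are the placeholders the post uses.

```conf
# Added example pf.conf for a FreeBSD box fronting two ISPs (not from the
# original post). Interface names, upstream gateways and the LAN prefix are
# assumptions; the public addresses are the post's placeholders.
ext_a  = "em0"              # ISP A, 1.1.1.10-1.1.1.20
ext_b  = "em1"              # ISP B, 2.2.2.50-2.2.2.60
int_if = "em2"              # LAN
gw_a   = "1.1.1.1"          # assumed next hop at ISP A
gw_b   = "2.2.2.1"          # assumed next hop at ISP B
lan    = "192.168.10.0/24"  # assumed internal prefix
mta    = "192.168.10.10"
sshbox = "192.168.10.20"

set skip on lo0
scrub in all

# goal 1 (translation half): outbound NAT to the address of whichever
# uplink the packet actually leaves on; route-to below decides which.
nat on $ext_a from $lan to any -> ($ext_a)
nat on $ext_b from $lan to any -> ($ext_b)

# goal 2: one internal service reachable via an address at each ISP.
# rdr runs before filtering, so the pass rules below match the internal host.
rdr on $ext_a proto tcp from any to 1.1.1.11 port 25 -> $mta    port 25
rdr on $ext_b proto tcp from any to 2.2.2.51 port 25 -> $mta    port 25
rdr on $ext_a proto tcp from any to 1.1.1.12 port 22 -> $sshbox port 22
rdr on $ext_b proto tcp from any to 2.2.2.52 port 22 -> $sshbox port 22

# goal 3: default deny in both directions, log what is dropped.
block in  log all
block out log all

# Replies to inbound connections must go back out the uplink they came in
# on; without reply-to they would follow the default route and ISP B's
# router would see packets sourced from ISP A's block (and vice versa).
pass in on $ext_a reply-to ($ext_a $gw_a) proto tcp from any to $mta    port 25 flags S/SA keep state
pass in on $ext_b reply-to ($ext_b $gw_b) proto tcp from any to $mta    port 25 flags S/SA keep state
pass in on $ext_a reply-to ($ext_a $gw_a) proto tcp from any to $sshbox port 22 flags S/SA keep state
pass in on $ext_b reply-to ($ext_b $gw_b) proto tcp from any to $sshbox port 22 flags S/SA keep state

# LAN traffic for the router itself or for the directly attached ISP
# networks must not be pushed through route-to; quick makes these win.
pass in quick on $int_if from $lan to self keep state
pass in quick on $int_if from $lan to { 1.1.1.0/24, 2.2.2.0/24 } keep state

# goal 1 (routing half): every new LAN connection is assigned to one of the
# two uplinks in turn, so the BSD box is the single default gateway for the
# LAN. Balancing is per connection, not per byte; add "sticky-address"
# after round-robin if a client must keep one public address.
pass in on $int_if route-to { ($ext_a $gw_a), ($ext_b $gw_b) } round-robin \
    from $lan to any keep state

pass out on { $ext_a, $ext_b } keep state
pass out on $int_if keep state
```

Two caveats a practitioner would want alongside this. First, the box still needs a normal default route (to one of the two gateways) for its own traffic and IP forwarding enabled (`gateway_enable="YES"` in rc.conf, or `sysctl net.inet.ip.forwarding=1`); route-to only overrides the routing table for the forwarded LAN traffic that matches that rule. Second, pf does not detect a dead upstream by itself: if ISP A's link stays up but its router stops forwarding, round-robin keeps sending every other new connection into the hole. Failover needs an external health check, for example a periodic script that pings each ISP's gateway (or a host beyond it) and reloads pf with the route-to rule reduced to the surviving uplink; the stated acceptance of losing active connections during a switch is exactly what that approach costs.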