Date: Sat, 04 Feb 2012 23:27:00 -0800
From: Julian Elischer <julian@freebsd.org>
To: Poul-Henning Kamp <phk@freebsd.org>
Cc: hackers@freebsd.org
Subject: Re: A dual-ISP hack with jail/vnet and ipfw
Message-ID: <4F2E2F44.6040007@freebsd.org>
In-Reply-To: <12192.1328375145@critter.freebsd.dk>
References: <12192.1328375145@critter.freebsd.dk>
On 2/4/12 9:05 AM, Poul-Henning Kamp wrote:
> Natd(8) knows how to deal with multiple NAT instances for different
> interfaces, which is useful when you have multiple ISPs.
>
> The problem with it, is that it becomes incredibly hairy to configure
> your IPFW rules, in particular if you have other policy to implement
> too.

This is sort of what I did when I switched ISPs recently and had a
transition period.. I had a jail/vnet for each ISP and just switched at
the top level.

An unexpected advantage was that sessions from the main machine were
'one hop' away from the disruption when I screwed things up, so instead
of getting terminated when the rules/routes were screwed, they just
'hung' until I fixed things, much like they do when there is internet
disruption between sites.

I've meant to do something cleaner like this for a while.. good move.

> I spent some quality time with a 9.0-Stable nanobsd image today,
> and the script below is my proof of concept of a simpler way to
> do that.
>
> The idea is to let a jail deal with the two ISPs and use an epair
> to deliver a "normal default route interface" to the rest of the
> firewall, making its configuration simpler and easier to understand.
> [...]
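The layout the two messages describe, as an added example that is not Poul-Henning Kamp's proof-of-concept script (which is elided above) and not Julian's setup: a vnet jail owns both ISP interfaces and one NAT instance per interface, and the rest of the firewall sees a single epair as its only default-route interface. It uses ipfw's in-kernel `nat` where the thread talks about natd(8); the per-interface structure is the same. The interface names (em1, em2), the TEST-NET addresses, the 10.250.0.0/30 link and the jail name are constructed placeholders. With `APPLY=0` (the default) every command is printed rather than executed, so it can be reviewed anywhere; `APPLY=1` runs it as root on FreeBSD with ipfw and ipfw_nat in the kernel.

```shell
#!/bin/sh
# Added example, not the thread's own script: build an "uplink" vnet jail
# that owns both ISP interfaces and their NAT, and hand the firewall one
# epair as its only default-route interface. All names and addresses
# below are constructed placeholders.
# APPLY=0 prints each command instead of running it; APPLY=1 executes.

APPLY=${APPLY:-0}
JAIL=${JAIL:-uplink}
ISP_A_IF=${ISP_A_IF:-em1}
ISP_A_ADDR=192.0.2.10/24        # constructed, TEST-NET-1
ISP_A_GW=192.0.2.1
ISP_B_IF=${ISP_B_IF:-em2}
ISP_B_ADDR=198.51.100.10/24     # constructed, TEST-NET-2
ISP_B_GW=198.51.100.1
EPAIR=epair0                    # epair0a stays on the firewall, epair0b goes to the jail
FW_ADDR=10.250.0.1/30           # firewall end of the epair
JAIL_ADDR=10.250.0.2            # jail end: the firewall's new default gateway

run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Host side: create the epair and point the firewall's default route at the
# jail (replace any existing default route first). Every other ipfw rule on
# the host can now refer to ${EPAIR}a and nothing else.
host_side() {
    run ifconfig "$EPAIR" create
    run ifconfig "${EPAIR}a" inet "$FW_ADDR" up
    run route add default "$JAIL_ADDR"
}

# Jail side: a persistent vnet jail that takes the epair's other end and both
# ISP interfaces out of the host's network stack.
jail_side() {
    run jail -c name="$JAIL" persist vnet \
        vnet.interface="${EPAIR}b,$ISP_A_IF,$ISP_B_IF"
    run jexec "$JAIL" ifconfig "${EPAIR}b" inet "$JAIL_ADDR/30" up
    run jexec "$JAIL" ifconfig "$ISP_A_IF" inet "$ISP_A_ADDR" up
    run jexec "$JAIL" ifconfig "$ISP_B_IF" inet "$ISP_B_ADDR" up
    run jexec "$JAIL" sysctl net.inet.ip.forwarding=1
}

# One NAT instance per ISP interface, inside the jail. In-kernel ipfw nat is
# used here; natd(8) would be one daemon per interface plus one divert rule
# per interface in place of each nat rule.
nat_rules() {
    run jexec "$JAIL" ipfw nat 1 config if "$ISP_A_IF" reset
    run jexec "$JAIL" ipfw nat 2 config if "$ISP_B_IF" reset
    run jexec "$JAIL" ipfw add 100 nat 1 ip from any to any via "$ISP_A_IF"
    run jexec "$JAIL" ipfw add 200 nat 2 ip from any to any via "$ISP_B_IF"
    run jexec "$JAIL" ipfw add 65000 allow ip from any to any
    run jexec "$JAIL" route add default "$ISP_A_GW"
}

build_all() {
    host_side
    jail_side
    nat_rules
}

# Switching ISPs touches only the jail's default route. The firewall side,
# which still has its one default route through the epair, is not touched,
# so its sessions stall during the switch rather than being torn down.
switch_isp() {
    case $1 in
        a) gw=$ISP_A_GW ;;
        b) gw=$ISP_B_GW ;;
        *) echo "usage: switch_isp a|b" >&2; return 2 ;;
    esac
    run jexec "$JAIL" route change default "$gw"
}

case ${1:-build} in
    build)  build_all ;;
    switch) switch_isp "$2" ;;
esac
```

Run with no arguments to print (or, with `APPLY=1`, apply) the full build; `switch b` moves the jail's default route to the second ISP without changing anything on the firewall side of the epair.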