Date: Thu, 18 Mar 2004 05:40:46 -0800
From: "J.T. Davies" <jtd@hostthecoast.org>
To: <freebsd-ipfw@freebsd.org>
Subject: Re: Internal routing to different gateway
Message-ID: <003601c40cee$9decfb40$3301020a@hostthecaost.org>
References: <1078597745.1981.15.camel@w1-par1-fr.corp.ndsoftware.com> <20040317021928.GA26065@scylla.towardex.com> <002701c40be5$43298f70$3301020a@hostthecaost.org> <20040318103200.GA49704@marvin.home.local>
> Hi there,
>
> On Tue, Mar 16, 2004 at 10:01:17PM -0800, J.T. Davies wrote:
> > I have an internal mail server running qmail on FreeBSD (IP of 10.2.1.52).
> >
> > I have two gateway/routers:
> > Internal IPs of 10.2.1.1 and 10.2.1.2, each has its own external IP.
> >
> > The mail server (10.2.1.52) has a default_router set as 10.2.1.1.
> >
> > However, traffic coming in from 10.2.1.2 is answered via 10.2.1.1 (and not
> > going back out the original route of 10.2.1.2).
> >
> > Of course this doesn't work because the NAT tables don't sync up between the
> > two, so 10.2.1.1 doesn't know where to route the reply traffic.
> >
> > Incoming traffic on 10.2.1.1 works very well.
> >
> > Here's my potential solution...please tell me if there's a better way
> > (through another port) or if I'm on a good track.
> >
> > ==========
> > I create an IP alias on the mail server (10.2.1.53) and create routes in
> > natd on 10.2.1.2 to route SMTP and POP3 traffic to the new alias IP.
> >
> > I enable IPFW on the mail server (defaults to allow connections because it's
> > internal).
> >
> > I'll add two rules:
> > ipfw add fwd 10.2.1.2 ip from 10.2.1.53 to any out via vr0
> > ipfw add fwd 10.2.1.1 ip from 10.2.1.52 to any out via vr0
> > (I think the syntax of the rules is right...if not, I'll experiment to
> > perfect them)
> > ==========
> >
> > Thoughts?
>
> I just (last week or so) posted a reply (on -net or -isp I think) that did
> this kind of thing for a webserver setup with alternate upstream sources.
> The setup was a bit different to what you describe in that there was one
> 'router' with two uplinks rather than two separate routers.
> In that case I needed to use the natd redirection feature to proxy traffic
> to the alias address.
> Your routers will need to be able to rewrite the traffic in some way to do this
> (i.e. change the destination IP to 10.2.1.53).
> As it is application layer, a regular IP route is probably not sufficient.
>
> Another option is to 'reverse NAT' on the routers so the traffic to 10.2.1.52
> appears to originate from 10.2.1.1 or 10.2.1.2.
> Then your server will reply to the appropriate address and the NAT on the router
> should send the result to the original client.
> I guess this will depend a little on the application and how well it can handle
> NAT; SMTP and POP3 should be fine as long as you're not trying to do source-IP
> based filtering (unless you do that on the routers before they NAT/proxy the
> traffic).
>
> Hope it helps,
>
> Tony

Hi Tony,

I saw your post (and a few people forwarded it to me). I did try to implement it, but for some reason could not get it to work.

Instead, I did this (which may not be the best option, but it works).

Create an alias on the mail server (10.2.1.53). Configure IPFW and create a rule to forward any traffic coming from 10.2.1.53 to the gateway at 10.2.1.2.

Voila! It amazingly worked!

Although, I'm not too keen on having firewall rules on an internal box (the default is to accept, so any traffic coming in from internal networked machines would be able to communicate with it).

Thanks!

J.T.
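A small Python model of the two-NAT-router return-path problem this thread is about, added here as an example; it is not code from the thread or from FreeBSD. The external client address 198.51.100.7 and the per-router flow table are constructed assumptions; the inside addresses and the fwd-rule semantics follow the thread.

```python
# Added example, not from the thread: a minimal model of the asymmetric
# return-path problem J.T. describes, using the thread's addresses. The two
# NAT routers keep separate translation tables and the server's default
# route is 10.2.1.1, so a reply to a flow that entered via 10.2.1.2 reaches
# a router with no matching state. A host-side fwd rule keyed on the alias
# source address (10.2.1.53) restores a symmetric path.
SERVER, ALIAS = "10.2.1.52", "10.2.1.53"
GW1, GW2 = "10.2.1.1", "10.2.1.2"
DEFAULT_ROUTER = GW1         # the mail server's default_router
CLIENT = "198.51.100.7"      # constructed external client address

class NatRouter:
    """A NAT gateway that only holds state for flows it forwarded itself."""
    def __init__(self):
        self.flows = set()

    def deliver_inbound(self, client, dst):
        # natd creates translation state as the connection passes inbound.
        self.flows.add((dst, client))
        return {"src": client, "dst": dst}

    def forward_reply(self, pkt):
        # The reply can be un-NATed only by the router that holds its state.
        return (pkt["src"], pkt["dst"]) in self.flows

def next_hop(pkt, fwd_rules):
    """Model of 'ipfw add fwd <gw> ip from <src> to any out via vr0':
    the first rule whose source matches wins, else the default router."""
    for src, gw in fwd_rules:
        if pkt["src"] == src:
            return gw
    return DEFAULT_ROUTER

def reply_delivered(entry_gw, server_ip, fwd_rules):
    """True if the server's reply reaches the router that NATed the flow."""
    routers = {GW1: NatRouter(), GW2: NatRouter()}
    inbound = routers[entry_gw].deliver_inbound(CLIENT, server_ip)
    reply = {"src": inbound["dst"], "dst": inbound["src"]}
    return routers[next_hop(reply, fwd_rules)].forward_reply(reply)

# The three situations discussed in the thread.
FWD_RULES = [(ALIAS, GW2), (SERVER, GW1)]
def via_gw1_no_rules():    # works today: entered and replied via 10.2.1.1
    return reply_delivered(GW1, SERVER, [])

def via_gw2_no_rules():    # the bug: entered via 10.2.1.2, reply sent to 10.2.1.1
    return reply_delivered(GW2, SERVER, [])

def via_gw2_with_alias():  # the fix: natd redirect to the alias plus fwd rule
    return reply_delivered(GW2, ALIAS, FWD_RULES)
```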