Date: Sat, 14 Jun 2014 14:25:39 -0300
From: Mario Lobo
To: freebsd-questions@freebsd.org
Subject: Re: BSD as routing device for 2 ISPs
Message-ID: <20140614142539.7dc1aa97@Papi>
In-Reply-To: <539C6975.3040404@mgedv.net>

Hi;

I have a FreeBSD 8 STABLE doing just that!

On Sat, 14 Jun 2014 17:25:41 +0200
"no@spam@mgedv.net" wrote:

> hi,
>
> although i had a look on pfsense, openbgpd, setfib(1) ideas and such,
> googlin' around and discussing with nw-admins for hours, i still don't
> really see a clear path for setting up a proper solution which is not
> sort of "tinkering" but still based on free OS's.

Not possible! You will have to tinker it, starting by recompiling the
kernel with options ROUTETABLES=whatever.

> situation:
> we have 2 independent ISPs, each running its own router/ext-ip-block.
> e.g. ISP A: IP 1.1.1.10-1.1.1.20, ISP B: IP 2.2.2.50-2.2.2.60.

Almost exactly my situation.

> goal 1: inside->outside:
> - NAT and spread traffic load-based across ISPs to use both wires

I've done it like this:

    nat on $ext_if1 from ! ($ext_if1) to any -> ($ext_if1) port 1024:65535
    nat on $ext_if2 from ! ($ext_if2) to any -> ($ext_if2) port 1024:65535

    [snip..]

    pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
        round-robin sticky-address inet proto { tcp, udp } \
        from any to ! $int_if:network

This balances the traffic beautifully between both ISPs.

> - switch to "living" ISP in case the other goes down
> (losing active connections is ok and will of course happen)

Ahh! Heavy tinkering here. I've developed a daemon that keeps testing
both links for connectivity, that acts together with a series of
scripts, that re-writes/reapplies the whole pf.conf, directing
everything to the link that is working.

I also have two squids running, one for each ISP. Traffic is
round-robin redirected from the inside to them.

> goal 2: outside->inside:
> - NAT different external IPs to the SAME service inside
> (eg. smtp: NAT 1.1.1.11:25 and 2.2.2.51:25 to 192.168.10.10:25)
> - allow connecting to the same service via different routes
> simultaneously eg: ssh from 8.8.8.8->1.1.1.12:22
> while ssh from 9.9.9.9->2.2.2.12:22,
> both end up NAT'd at 192.168.10.20:22.

That's even simpler. Redirect the traffic on each ext_if to the ssh
daemon:

    rdr pass on $ext_if1 inet proto tcp to port 22 -> 192.168.10.20 port 22
    rdr pass on $ext_if2 inet proto tcp to port 22 -> 192.168.10.20 port 22

You will know your external IPs so you choose the link.

> goal 3: firewalling:
> either this box is the firewall, or any other idea welcome.
> (currently, there's a separate hw-firewall running which does NAT,
> too)

In my case, it is THE firewall.

> oh, and the box will be run as virtual machine's guest OS.

That shouldn't be a problem but test, test and test. Depending on the
hypervisor, results could be different. In my case, it is a physical
machine.

I hope this helps.

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
(99% winblows FREE)

"UNIX was not designed to stop you from doing stupid things,
because that would also stop you from doing clever things."
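The rules Mario quotes are fragments. Below is an added, complete pf.conf (FreeBSD 8/9-era pf syntax) that ties the three goals of the thread together; it is an example written for this page, not the poster's own configuration. Interface names (em0/em1/em2), the two gateway addresses, and the public addresses picked for the inbound services are assumptions; the ISP blocks and internal hosts reuse the placeholder numbers from the thread, and 2.2.2.52 stands in for the ssh address on ISP B because 2.2.2.12 in the original question lies outside ISP B's stated block. Two things the quoted fragments leave out are made explicit: the pass rules for redirected inbound sessions carry reply-to, so a connection that arrived via ISP B is answered via ISP B instead of the single default route, and outbound packets already carrying one ISP's source address are forced out that ISP's link.

```pf
# Added example, not the list poster's pf.conf. Interface names, gateway
# addresses and the public addresses chosen for the inbound services are
# assumptions; the ISP blocks (1.1.1.x, 2.2.2.x) and internal hosts
# (192.168.10.x) follow the placeholder numbers used in the thread.

ext_if1 = "em0"            # uplink to ISP A (assumed)
ext_if2 = "em1"            # uplink to ISP B (assumed)
int_if  = "em2"            # LAN
ext_gw1 = "1.1.1.1"        # ISP A gateway (assumed)
ext_gw2 = "2.2.2.1"        # ISP B gateway (assumed)
smtp_srv = "192.168.10.10"
ssh_srv  = "192.168.10.20"

set skip on lo0
set block-policy drop
scrub in all

# ---- translation (must precede filter rules in this pf generation) ----

# Goal 1, part one: source-NAT each packet to the address of the interface
# it actually leaves on, so ISP A never sees 2.2.2.x sources and vice versa.
nat on $ext_if1 from ! ($ext_if1) to any -> ($ext_if1) port 1024:65535
nat on $ext_if2 from ! ($ext_if2) to any -> ($ext_if2) port 1024:65535

# Goal 2: one internal service behind one public address on each ISP.
# Matching a specific public address instead of "any" keeps the rest of
# each block from being forwarded by accident.
rdr on $ext_if1 inet proto tcp from any to 1.1.1.11 port 25 -> $smtp_srv port 25
rdr on $ext_if2 inet proto tcp from any to 2.2.2.51 port 25 -> $smtp_srv port 25
rdr on $ext_if1 inet proto tcp from any to 1.1.1.12 port 22 -> $ssh_srv port 22
rdr on $ext_if2 inet proto tcp from any to 2.2.2.52 port 22 -> $ssh_srv port 22

# ---- filtering: last matching rule wins unless "quick" ----

block in log all
antispoof quick for { $ext_if1, $ext_if2, $int_if }
pass out keep state            # the gateway itself may talk to anyone

# Goal 1, part two: new connections from the LAN are spread across both
# uplinks. sticky-address pins a given client to one ISP, so a session that
# relies on a constant source address does not flap between the two blocks.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin sticky-address inet proto { tcp, udp } \
    from $int_if:network to ! $int_if:network keep state
pass in on $int_if inet proto icmp from $int_if:network keep state

# Packets already carrying one ISP's source address must leave via that
# ISP, even though the kernel's single default route would send them the
# other way.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any

# Goal 2, continued: accept the redirected inbound sessions and, with
# reply-to, answer them through the ISP they arrived on. Without this the
# replies of a session that came in on ISP B would be routed out ISP A,
# where an ingress filter drops the 2.2.2.x source.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) inet proto tcp \
    from any to $smtp_srv port 25 flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp \
    from any to $smtp_srv port 25 flags S/SA keep state
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) inet proto tcp \
    from any to $ssh_srv port 22 flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp \
    from any to $ssh_srv port 22 flags S/SA keep state
```

Check it with `pfctl -n -f /etc/pf.conf` before loading; a syntax error in a file loaded with `pfctl -f` leaves the previous ruleset active, but an accepted ruleset with a wrong gateway or interface name silently blackholes one uplink. The `rdr` rules here deliberately do not use `rdr pass`: the implicit pass created by `rdr pass` cannot carry `reply-to`, so the return path for the second ISP would depend on the routing table instead.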
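Mario describes the failover part as a daemon that tests both links and rewrites pf.conf so everything goes to the working link. The script below is an added example of that idea, written for this page and not the poster's daemon: it probes each ISP gateway from the matching uplink address, derives the `route-to` pool the LAN rule should use, substitutes it into a template and reloads pf only when the pool actually changes and the new file passes `pfctl -n`. Interface names, gateway addresses, the template path and the `@ROUTE_POOL@` token are assumptions.

```shell
#!/bin/sh
# Added example (not the list poster's daemon): a minimal uplink monitor
# for a two-ISP pf gateway. Interface names, gateway addresses and paths
# are assumptions; the template /etc/pf.conf.in is expected to contain the
# literal token @ROUTE_POOL@ where the LAN rule's route-to pool belongs.

EXT_IF1=em0;  EXT_GW1=1.1.1.1      # ISP A (assumed)
EXT_IF2=em1;  EXT_GW2=2.2.2.1      # ISP B (assumed)
PF_TEMPLATE=/etc/pf.conf.in        # pf.conf with @ROUTE_POOL@ placeholder
PF_CONF=/etc/pf.conf
STATE=/var/run/uplinkd.pool        # last pool that was loaded
INTERVAL=10                        # seconds between probe rounds

# link_up IF GW: succeed if GW answers a ping sourced from IF's address.
# Three probes with a 1 s wait, so one lost packet does not flag a link
# as dead. (FreeBSD ping: -c count, -W wait in ms, -S source address.)
link_up() {
    src=$(ifconfig "$1" inet 2>/dev/null | awk '/inet /{print $2; exit}')
    [ -n "$src" ] || return 1
    ping -q -c 3 -W 1000 -S "$src" "$2" >/dev/null 2>&1
}

# choose_pool A_STATUS B_STATUS: print the route-to pool for the LAN rule.
#   up/up     balance across both uplinks, one ISP per client
#   up/down   everything via ISP A (sessions on ISP B are lost, as the
#   down/up   thread accepts); everything via ISP B
#   down/down nothing better is available: print nothing, keep last pool
choose_pool() {
    case "$1/$2" in
        up/up)   echo "{ ($EXT_IF1 $EXT_GW1), ($EXT_IF2 $EXT_GW2) } round-robin sticky-address" ;;
        up/down) echo "($EXT_IF1 $EXT_GW1)" ;;
        down/up) echo "($EXT_IF2 $EXT_GW2)" ;;
        *)       echo "" ;;
    esac
}

# render_conf POOL: print the template with the pool substituted in.
render_conf() {
    sed "s|@ROUTE_POOL@|$1|" "$PF_TEMPLATE"
}

# apply_pool POOL: rewrite pf.conf and reload it, but only when the pool
# differs from the one already loaded and the new file parses cleanly.
apply_pool() {
    [ -n "$1" ] || return 0
    if [ -f "$STATE" ] && [ "$(cat "$STATE")" = "$1" ]; then
        return 0
    fi
    render_conf "$1" > "$PF_CONF.new"
    if ! pfctl -n -f "$PF_CONF.new" >/dev/null 2>&1; then
        logger -t uplinkd "generated pf.conf failed syntax check, keeping old ruleset"
        rm -f "$PF_CONF.new"
        return 1
    fi
    mv "$PF_CONF.new" "$PF_CONF"
    pfctl -f "$PF_CONF"
    echo "$1" > "$STATE"
    logger -t uplinkd "route-to pool is now: $1"
}

# monitor: probe both uplinks forever and re-apply the pool on changes.
monitor() {
    while :; do
        a=down; link_up "$EXT_IF1" "$EXT_GW1" && a=up
        b=down; link_up "$EXT_IF2" "$EXT_GW2" && b=up
        apply_pool "$(choose_pool "$a" "$b")"
        sleep "$INTERVAL"
    done
}

# Start the loop only when asked, so the file can also be sourced for
# its functions.
if [ "${1:-}" = "run" ]; then
    monitor
fi
```

Run it as `sh uplinkd.sh run` from an rc script or a supervisor. Pinging only the next-hop gateway detects a dead local link but not an ISP whose upstream is down; probing a host beyond each ISP (sourced from that ISP's address, so the probe really leaves through that link) is the usual refinement.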