From: Julian Elischer
Date: Thu, 16 Dec 2010 23:15:15 -0800
To: Jayster
Cc: freebsd-net@freebsd.org
Subject: Re: Web Server supporting up to 4 WANs/Interfaces
Message-ID: <4D0B0E03.2020707@freebsd.org>

On 12/16/10 10:32 PM, Jayster wrote:
> I am in need of immediate help and while I rarely post on boards or lists (I promise I'll start sharing more of my own wisdom in the future), this issue has me stumped like no other. First of all, I need multiple gateways. Yes, I understand there is no such thing as multiple "default" gateways and I have a solid grasp of networking in general... I also have a reasonable grasp of FreeBSD, though I am nowhere near the expert that many are. I actually come from the world of programming and I've only used Linux and Windows in the past.
>
> I am currently working on a big project that involves many sites and a custom appliance with multiple applications designed in-house. In fact, I might be the ONLY person in snowy Michigan hiring right now... After an exhaustive investigation, I chose FreeBSD over all other OSs. It was not a light choice, but I've been very pleased despite having zero knowledge at the start of it. The main reasons were flexibility, licensing and, most importantly, I'm still shocked how open the community is to answering questions in posts, instead of putting people down for having less knowledge than a rude poster. I have found an answer to the most obscure questions through very quick Google searches... until now. Kudos to those who take the time... FreeBSD far outnumbers other OS communities. Please help me avoid this issue being the big letdown, possibly forcing us to leave FreeBSD. I like the OS way too much already.
>
> Now the issue. Without too much detail, my device has 4 GigE ports on it. Each will be attached to a routed network. There is NO routing required between networks inside the box (not a router or firewall) and in fact, it CANNOT be allowed to happen because of security. Instead, each WAN port needs access to this box, but nothing beyond. The access consists of a Web Server, though several other Ports are required, such as SNMP Traps, Syslog, etc. Getting to the box is easy; routers do all the work. The issue is getting traffic back through the same interface it came in on and through the same router gateway. As we all know, only 1 gateway can be assigned in FreeBSD, unlike other flavors of Linux. Even the ones which don't offer single-line gateway support can use IPTables to accomplish this task. But IPTables is not supported in FreeBSD. Not a bad thing as long as comparable solutions exist.
>
> Setting up static routes is not the solution. The problem with it is that multiple sites which will have this box will not have access to the next-hop info from the gateway (the next-hop gateway and subnet on the other side of the router). So I cannot use static routes.
>
> PFSense appears to support this (though not tested by me). I REALLY do not want to go that route. We have invested 3 months into adding many apps to the FreeBSD we have. PFSense is a custom FreeBSD kernel with many changes. Many message boards claim it breaks many Ports and changes other behaviors. Even if it didn't, we are under deadline and moving everything over to a new FreeBSD Version and then extensively testing everything repeatedly again would be a nightmare. I am interested in experiences with it if it becomes the last resort, though.
>
> I have tried both PF and IPFW. Different posts around the web claim Multiple Gateway solutions using both of them. I have tried each of the recommended setups, but had no luck. If you read the last responses to each of those posts, others also state they could not duplicate what is claimed, as well. PF looks the most promising. It has "if-bound", which is supposed to keep interface traffic on the same interface. That is a good first step. But pointing it to the gateway on that interface is still an issue. Please HELP!!! I haven't slept in days and I've been stuck for a week now!!! This is our last showstopper.
>

If you are running on FreeBSD 8 or newer you have two solutions open to you (maybe 3).

* Firstly, you can assign a completely different routing table to each socket, so that packets from one socket only see things through the perspective of one routing table but packets from another socket behave according to the rules of a completely different routing table. Alternatively you can assign a different routing table to a process and its descendants.
  You can also use ipfw fwd to remap ports and addresses, in conjunction with the different routing tables.
  Routing tables are sometimes called FIBs (Forwarding Information Bases).
  man setfib(1) and setfib(2) for more details. Also see the setfib socket option in setsockopt(2).
  There are details that are still open for development (like IPv6 support) but it sounds like it will do what you want.

* The second option is the new jail support.
  While setfib and friends can easily allow a single process to act differently on a socket-by-socket basis, the new jail facilities allow you to take multiple interfaces and assign them to different jails, and each jail can be given a completely different routing table or in fact a completely different SET of routing tables.
  man jail and man ifconfig (ifconfig vnet)

* As a poor third contender you can do really funky things with the ipfw 'fwd' command.

julian

(let me know offline a bit more about what you want and maybe I can be a bit more specific about how to do it.)

> Jay
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"