From: Milan Obuch
To: freebsd-net@freebsd.org
Cc: Jayster
Date: Fri, 17 Dec 2010 08:11:29 +0100
Subject: Re: Web Server supporting up to 4 WANs/Interfaces

On Friday 17 December 2010 07:32:49 Jayster wrote:

[ fine comments on our OS trimmed ]

> Now the issue. Without too much detail, my device has 4 GigE ports on it.
> Each will be attached to a routed network. There is NO routing required
> between networks inside the box (not a router or firewall) and in fact, it
> CANNOT be allowed to happen because of security. Instead, each WAN port
> needs access to this box, but nothing beyond. The access consists of a Web
> Server, though several other Ports are required, such as SNMP Traps,
> Syslog, etc. Getting to the box is easy, routers do all the work. The
> issue is getting traffic back through the same interface it came in on and
> through the same router gateway. As we all know, only 1 gateway can be
> assigned in FreeBSD, unlike other flavors of Linux. Even the ones who
> don't offer single line gateway support can use IPTables to accomplish
> this task. But IPTables is not supported in FreeBSD. Not a bad thing as
> long as comparable solutions exist.
>

From this short description it looks like you are using standard internet
apps. The question is whether you need one instance of the web server to serve
requests from all four ports (or, in better words IMHO, four networks, if they
should not communicate here on the box) or whether you could use four separate
instances. For the former you can use PF (I tested something similar with two
networks in the past), while for the latter either multiple FIBs or a vimage
solution is available.

[ snip ]

> I have tried both PF and IPFW. Different posts around the web claim
> Multiple Gateway solutions using both of them. I have tried each of the
> recommended setups, but had no luck. If you read the last responses to
> each of those posts, others also state they could not duplicate what is
> claimed, as well. PF looks the most promising. It has "if-bound", which is
> supposed to keep interface traffic on the same interface. That is a good
> first step. But pointing it to the gateway on that interface is still an
> issue. Please HELP!!! I haven't slept in days and I've been stuck for a
> week now!!! This is our last showstopper.
>

There are some guides on the net, but you should be able to find the basics in
'man pf.conf' - look for route-to and reply-to. I am not going to give you
more details now, sorry - writing just what I remember now could be misleading;
I probably did forget some details, but the manual page has all the basic info
necessary. This way you could do some 'source routing policy', which could be
a solution to your problem.

Hope this helps a bit, at least.

Regards,
Milan
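A pf.conf sketch of the reply-to/route-to policy routing the reply points at, added here as an illustration and not part of the thread; interface names, addresses, gateways and port lists are placeholder assumptions, and the outbound route-to rules go one step beyond the question by also covering traffic the box itself originates.

```pf
# Constructed example: four routed WAN ports, each with its own upstream
# gateway; interface names, addresses and gateways are placeholders.
wan1 = "em0"
wan2 = "em1"
wan3 = "em2"
wan4 = "em3"
gw1 = "192.0.2.1"
gw2 = "198.51.100.1"
gw3 = "203.0.113.1"
gw4 = "192.0.2.129"
tcp_services = "{ 80, 443 }"   # web server
udp_services = "{ 162, 514 }"  # SNMP trap receiver, syslog

set skip on lo0

# Default deny. Nothing is forwarded between the four networks: no rule
# below passes traffic that is not addressed to this host, and the kernel
# should also have IP forwarding off (gateway_enable="NO" in rc.conf).
block all

# Inbound to the host: reply-to pins each state's return path to the
# interface the request arrived on and that interface's gateway, so the
# single default route in the routing table is never consulted for replies.
pass in on $wan1 reply-to ($wan1 $gw1) proto tcp from any to ($wan1) port $tcp_services keep state
pass in on $wan1 reply-to ($wan1 $gw1) proto udp from any to ($wan1) port $udp_services keep state
pass in on $wan2 reply-to ($wan2 $gw2) proto tcp from any to ($wan2) port $tcp_services keep state
pass in on $wan2 reply-to ($wan2 $gw2) proto udp from any to ($wan2) port $udp_services keep state
pass in on $wan3 reply-to ($wan3 $gw3) proto tcp from any to ($wan3) port $tcp_services keep state
pass in on $wan3 reply-to ($wan3 $gw3) proto udp from any to ($wan3) port $udp_services keep state
pass in on $wan4 reply-to ($wan4 $gw4) proto tcp from any to ($wan4) port $tcp_services keep state
pass in on $wan4 reply-to ($wan4 $gw4) proto udp from any to ($wan4) port $udp_services keep state

# Traffic the host itself originates (e.g. a syslog message forwarded to a
# collector on one of the networks): reply-to only applies to replies within
# an existing state, so pick the exit interface and gateway from the source
# address the application bound to.
pass out route-to ($wan1 $gw1) from ($wan1) to any keep state
pass out route-to ($wan2 $gw2) from ($wan2) to any keep state
pass out route-to ($wan3 $gw3) from ($wan3) to any keep state
pass out route-to ($wan4 $gw4) from ($wan4) to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -ss` then shows the per-state route-to/reply-to interface so the return path can be verified for a test connection on each port.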