Date: Wed, 12 May 2004 18:20:59 -0700 (PDT)
From: Ken Bolingbroke
To: "Eli K. Breen"
Cc: freebsd-stable@freebsd.org
Subject: Re: Multiple Internet feeds to a single machine.
In-Reply-To: <40A2A5C7.4030801@gopostal.ca>
Message-ID: <20040512180711.X67683@saruman.bolingbroke.com>
List-Id: Production branch of FreeBSD source code

On Wed, 12 May 2004, Eli K. Breen wrote:

> Has anyone successfully used two different Internet connections to feed
> a single BSD machine, without BGP?

Yes, I've done this.

> Also, is it possible to have two copies of natd running on different
> ports in order to accomplish this (each with their own config file)?
> natd-a : 8668,
> natd-b: 8669 and have the following rules in ipfw:

Yes, this works, and this is almost just what I did myself. I have a DSL line and a cable connection.
I wanted to be able to easily switch my default route from one to the other as needed (they go offline occasionally), and I also wanted to be able to access my server from outside via either connection.

I used 'ipfw' to sort things out correctly. The main key for me was to apply a 'fwd' rule to make sure things went out the right line. That is, the main problem was that if my default route pointed at DSL, if a connection came in on cable, then the response would try to go out on the default route through DSL. But the DSL provider would reject anything not coming from my DSL IP. And I couldn't NAT it as coming from my DSL IP, because then the original client wouldn't recognize my response. So 'fwd' would set the next-hop to the correct gateway.

That created a new problem, though... a match on a 'fwd' rule aborts further processing of the ruleset, and this broke my rules, including NAT. I could have perhaps worked around that by replacing all my 'accept' rules with 'fwd' rules, but that was just too ugly. Instead, I hacked the ipfw.c source code to make any 'fwd' matches continue with the rest of the rules. That way the next-hop would be set as I wanted it, but I could still apply all my firewall and NAT rules.

This worked beautifully for quite a long time and I was able to easily access either Internet connection from both inside and outside.

Recently though, the gateway machine burned out and I lost both hard disks on it, including the copies of the source code modification and my rule sets. I haven't yet recreated it, and I'm hoping to find a better solution that doesn't require hacking ipfw.c. But if you come up short on any other solution, modifying the 'fwd' behavior can do the trick decently.

Ken Bolingbroke
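The ruleset below is an added example, not Ken's lost configuration and not Eli's. It takes the unpatched route Ken mentions and rejects as ugly: because a 'fwd' match is terminal, the two 'fwd' rules are placed last and serve as the accept rules for all outbound traffic, so no earlier 'allow' can swallow a reply before it is pinned to the right gateway. Two natd instances listen on the divert ports from the thread (8668 and 8669), one per uplink, started with -u so only the private LAN prefix is aliased and the gateway's own public-sourced replies are never rewritten. Interface names, addresses (TEST-NET and RFC 1918 space), gateways and the SSH/DNS services are all constructed assumptions; the script only prints the commands, so it can be reviewed offline and piped into sh on the gateway to apply.

```shell
#!/bin/sh
# Dry-run generator for a dual-WAN ipfw ruleset with one natd per uplink.
# Added example; every interface, address and gateway below is constructed.

WAN_A_IF=xl0; WAN_A_IP=192.0.2.10;    WAN_A_GW=192.0.2.1      # DSL, default route
WAN_B_IF=xl1; WAN_B_IP=198.51.100.20; WAN_B_GW=198.51.100.1   # cable
LAN_IF=xl2;   LAN_NET=10.0.0.0/24
NATD_A_PORT=8668; NATD_B_PORT=8669   # divert ports from the thread

# Emit the commands without executing them.
gen_rules() {
  cat <<EOF
# One natd per uplink. -u aliases only unregistered (private) sources, so the
# gateway's own replies, which carry a public source address, pass untouched.
natd -n $WAN_A_IF -p $NATD_A_PORT -u
natd -n $WAN_B_IF -p $NATD_B_PORT -u

ipfw -f flush

# 1. Inbound translation: each uplink's packets go to its own natd. A diverted
#    packet re-enters the ruleset at the next rule once natd reinjects it.
ipfw add 100 divert $NATD_A_PORT ip from any to any in via $WAN_A_IF
ipfw add 110 divert $NATD_B_PORT ip from any to any in via $WAN_B_IF

# 2. Anti-spoofing: the LAN prefix never arrives from an uplink.
ipfw add 200 deny ip from $LAN_NET to any in via $WAN_A_IF
ipfw add 210 deny ip from $LAN_NET to any in via $WAN_B_IF

# 3. Inbound services reachable on either uplink, plus translated replies
#    for LAN-originated sessions (stateless: no keep-state, because a
#    terminal check-state match would bypass the fwd rules below).
ipfw add 300 allow tcp from any to $WAN_A_IP 22 in via $WAN_A_IF
ipfw add 310 allow tcp from any to $WAN_B_IP 22 in via $WAN_B_IF
ipfw add 320 allow tcp from any to $LAN_NET in via $WAN_A_IF established
ipfw add 330 allow tcp from any to $LAN_NET in via $WAN_B_IF established
ipfw add 340 allow udp from any 53 to $LAN_NET in via $WAN_A_IF
ipfw add 350 allow udp from any 53 to $LAN_NET in via $WAN_B_IF

# 4. LAN traffic entering the gateway, then outbound translation per uplink.
ipfw add 400 allow ip from $LAN_NET to any in via $LAN_IF
ipfw add 410 divert $NATD_A_PORT ip from $LAN_NET to any out via $WAN_A_IF
ipfw add 420 divert $NATD_B_PORT ip from $LAN_NET to any out via $WAN_B_IF

# 5. Egress pinning. fwd is terminal, so these double as the accept rules for
#    outbound traffic: after NAT every outbound packet carries one of the two
#    public addresses, and a reply to a connection that arrived on the cable
#    line leaves via the cable gateway instead of the default route.
ipfw add 500 fwd $WAN_A_GW ip from $WAN_A_IP to any out
ipfw add 510 fwd $WAN_B_GW ip from $WAN_B_IP to any out

# 6. Delivery to the LAN stays explicit; everything else is logged and dropped.
ipfw add 600 allow ip from any to $LAN_NET out via $LAN_IF
ipfw add 65000 deny log ip from any to any
EOF
}

# Helpers for checking the generated ruleset offline (action name as argument).
count_rules() { gen_rules | grep -c "^ipfw add [0-9]* $1 "; }
first_rule_number() { gen_rules | awk -v act="$1" '$1=="ipfw" && $4==act {print $3; exit}'; }

gen_rules
```

Review the printed output before applying it: the order of sections 4 and 5 is the whole point, since an outbound packet must be translated by the divert rule for its interface before the terminal 'fwd' picks its gateway.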