Date: Fri, 7 Nov 2003 06:51:56 -0800
From: "Drew Tomlinson" <drew@mykitchentable.net>
To: "Milan Obuch" <milan.obuch@bluegrass.sk>
Cc: freebsd-net@freebsd.org
Subject: Re: Routing With Two ISPs?
Message-ID: <011601c3a53e$b0d3c5d0$0301a8c0@bigdaddy>
References: <022501c3a491$e46bf780$6e2a6ba5@lc.ca.gov> <200311070833.36482.milan.obuch@bluegrass.sk>
----- Original Message -----
From: "Milan Obuch" <milan.obuch@bluegrass.sk>
Sent: Thursday, November 06, 2003 11:33 PM

> On Thursday 06 November 2003 19:14, Drew Tomlinson wrote:
> > I have a 4.8 box serving as a gateway with two connections to the
> > Internet. Is there some way to set the box up so that packets are
> > routed out through the same interface from which they arrived? For
> > example, if a connection is initiated on port 80 from a packet arriving
> > on one interface, is there a way to make the outgoing packets from my
> > web server use that same interface as a gateway instead of the default
> > interface?
>
> Hi, Drew,
> there is no standard way to do this, however, if your box is just a multihomed
> host, then it is possible with ipfw. Anyway, one connection is preferred
> being default gateway, the second one could be routed with
>
> ipfw add fwd <ip of the other side> ip from <ip of my side> to any
>
> which works this way:
> My second connection is from world to my ip, and if packet is locally
> generated with my ip, send it to the other side regardless whether routing
> table shows there or not.

Thank you for your reply. I have tried using the 'fwd' option of ipfw but it
doesn't work in my situation. I suspect it has something to do with NAT.
Maybe you can see what I'm missing or a better way to do it?

My situation is this: I have a DSL connection to my home and my neighbor has
a cable connection in his. His cable modem is connected to a Linksys Wireless
AP/Router and he has graciously allowed me to use his link. So here is a
diagram of our networks:

                     Internet
                        |
                    Public IP
                        |
               ADSL Modem/Router
                  192.168.10.1
                        |
                       dc0
                  192.168.10.2
                     FBSD 4.8 --------- rl0
                        |                |
         192.168.100.2 dc1          192.168.1.2
                        |                |
                  192.168.100.1     Internal LAN
                  Neighbor's AP
                        |
                    Public IP
                        |
                     Internet

A limitation of the Linksys AP NAT implementation is that it will only
forward packets to nodes on its own subnet. So in this case it will only
forward packets from the Internet to 192.168.100.0/24. However I would like
to have packets forwarded to nodes on 192.168.1.0/24, specifically traffic
on port 8080 forwarded to 192.168.1.3. So I tell the Linksys AP to forward
to 192.168.100.2.

At first I tried a 'ipfw fwd' rule to then forward that traffic to
192.168.1.3. The rule worked but the traffic arrived with a destination
address of 192.168.100.2 and thus the 192.168.1.3 node ignored the traffic.

Next, I started natd with a 'redirect' rule on 192.168.100.2. This rewrites
the destination address to 192.168.1.3 and initiates the connection.
However, the connection doesn't complete because the default route on the
FBSD gateway is 192.168.10.1 (my DSL connection) so the acks never reached
the client. To solve this, I tried adding a 'ipfw fwd' rule to send the
traffic out 192.168.100.1 but that didn't work. I could see the packets
going out 192.168.100.2 but I have no way to know what the Linksys did with
them. I suspect this has to do with NAT being performed twice, once on my
gateway and again on the Linksys? I tried forwarding the packet to
192.168.100.2 but that didn't work either.

As a further test, if I define the IP address (1.2.3.4 for example) of the
machine requesting service on port 8080 to the route table (route add
1.2.3.4 192.168.100.1), then the connection gets established and traffic
flows between the machines. Unfortunately it is not practical to make
static routes for each machine that may connect, especially with dynamic
IPs.

> But I know no way how to distinguish packets coming from internal net if they
> should go one way or the other, if requests can come from both links. If you
> know exactly netblocks which could send request one or the other side, then
> you can just use routing entries, but I feel this to be cumbersome to
> maintain if possible ever to track changes...

Agreed. So do you have any ideas on how I could get things working the way
I'd like?
Thanks,

Drew
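A small model of the packet path described in this message, added here as an illustration and not code from the thread or from FreeBSD's ipfw/natd: it replays natd's port redirect on the cable side and then makes the reply's next-hop decision either from the routing table alone or from the interface the request arrived on. The Gateway class, its ingress table and the client address 1.2.3.4 are assumptions of the model; the addresses, ports and interfaces are the ones in the diagram above.

```python
# Model (not the thread's or FreeBSD's code) of the reply path Drew describes:
# natd redirects 192.168.100.2:8080 to 192.168.1.3:8080, and the reply's next
# hop must be chosen from where the request came in, not from the default route.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

DEFAULT_GW = ("dc0", "192.168.10.1")    # ADSL modem, the routing table's default
CABLE_GW = ("dc1", "192.168.100.1")     # neighbour's Linksys AP
# natd 'redirect_port' on dc1: 192.168.100.2:8080 -> 192.168.1.3:8080
REDIRECT = {("192.168.100.2", 8080): ("192.168.1.3", 8080)}

class Gateway:
    def __init__(self, ingress_aware: bool):
        self.ingress_aware = ingress_aware
        self.nat = {}       # conn key -> address natd must restore on replies
        self.ingress = {}   # conn key -> interface the first packet arrived on

    def inbound(self, iface: str, p: Pkt) -> Pkt:
        """Packet from the Internet arriving on iface, before delivery via rl0."""
        if (p.dst, p.dport) in REDIRECT:
            new_dst, new_dport = REDIRECT[(p.dst, p.dport)]
            self.nat[(new_dst, new_dport, p.src, p.sport)] = (p.dst, p.dport)
            p = Pkt(p.src, p.sport, new_dst, new_dport)
        self.ingress[(p.dst, p.dport, p.src, p.sport)] = iface
        return p

    def outbound(self, p: Pkt):
        """Reply from the LAN: undo the redirect, then choose the next hop."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.nat:
            p = Pkt(*self.nat[key], p.dst, p.dport)
        if self.ingress_aware and self.ingress.get(key) == "dc1":
            return CABLE_GW, p          # send it back the way the request came
        return DEFAULT_GW, p            # plain routing table lookup: default route

def reply_path(ingress_aware: bool):
    """Constructed exchange: client 1.2.3.4 reaches the cable side's redirect."""
    gw = Gateway(ingress_aware)
    request = Pkt("1.2.3.4", 40000, "192.168.100.2", 8080)
    delivered = gw.inbound("dc1", request)
    reply = Pkt(delivered.dst, delivered.dport, delivered.src, delivered.sport)
    return gw.outbound(reply)

if __name__ == "__main__":
    for mode in (False, True):
        (iface, nexthop), pkt = reply_path(mode)
        print(f"ingress_aware={mode}: reply leaves {iface} via {nexthop} as {pkt}")
```

With the routing table alone the reply leaves dc0 with the private source 192.168.100.2, which is the symptom reported above; recording the ingress interface per connection is what the per-client static route was standing in for.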