Date:      Wed, 14 Mar 2001 02:51:02 -0800
From:      Julian Elischer <julian@elischer.org>
To:        Mike Nowlin <mike@argos.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: questions re: multiple internet conn routing
Message-ID:  <3AAF4D16.6AEFD026@elischer.org>
References:  <20010304025518.A1844@argos.org>

Mike Nowlin wrote:
> 
> (Looking for some general pointers to solutions here...)
> 
> Just had a second DSL connection installed, and have several questions
> regarding how to map it into the FBSD router we use...

I assume this is DSL without PPPoE..

> 
> The basic setup here (with just the single DSL line, 32 IPs on that line) is

the ISP allocated you 32 addresses? (a /27 or something?)

> DSL->Router->hosts, where DSL->Router is on dc0, and Router->hosts is on
> fxp0.  Basically, I added dc1 for the 2nd DSL connection.  Local traffic is
> split between fxp0 and dc2, depending on the subnet it's for.  (10.193.x.x
> or 10.98.x.x, and those subnets go to a pair of BSD routers that break
> things down further, going to several ethernet segs and Cisco 804s for various
> ISDN links, plus another router that has a cable connection on it for outgoing
> FTP/HTTP requests from certain machines, not to mention the 200+ "ppp -auto"
> links - kinda fun to figure out how a packet gets from point A to point
> B..:) )  Ah, the joys of having a network supporting a lot of physical
> locations that has to be cost-effective..

so you really need the equivalent of two 'default' routes with some sort of load
sharing..

You are correct in that you will need two natds running.
I would use a random bit (say bit23) of the destination IP address
to decide which to send the packet to (a simple ipfw rule)

basically the simpler the better.
# exempt lo0 from any further processing. We trust it.
ipfw add 50 accept ip from any to any via lo0

# separate the incoming from the outgoing packets on the machine.
# (outgoing packets continue at the EXIT processing rules, 900 onwards)
ipfw add 100 skipto 900 ip from any to any out

# Send any incoming packets from the outside world to be examined by natd
ipfw add 100 skipto 150 ip from any to any in recv dc0
ipfw add 100 skipto 150 ip from any to any in recv dc1

# do no more processing on other incoming packets on the internal side.
# we'll get them on the outgoing side.
ipfw add 105 deny ip from any to 127.0.0.0/8
ipfw add 110 accept ip from any to any in


# Incoming packets that need to be nat'd should be sent to the right natd.
# Replies carry the remote address as their SOURCE, so the same bit that
# picked the natd on the way out (tested on the destination, see 1500)
# is tested on the source here; that way both directions hit one natd.
# Every rule is numbered explicitly so that rule 150 lands on rule 300
# and not on an auto-numbered skipto.
ipfw add 150 skipto 300 ip from 0.0.1.0:0.0.1.0 to any
ipfw add 200 divert 8998 ip from any to any
ipfw add 250 skipto 350 ip from any to any
ipfw add 300 divert 8999 ip from any to any

# Any incoming packets that get here have been translated
# NATD will have culled any bad packets but you might add your own
# local further rules here if you don't trust it.
# Addresses are now 10.x.x.x  on the local end. (destination)
# e.g. here I only allow outgoing session startups (natd duplicates this but...)
ipfw add 350 reject tcp from any to any setup
ipfw add 350 accept ip from any to any

##################### EXIT processing ##############
# Only packets leaving the machine get here.
# Only stuff destined to the outside world should be translated.
# others are just passed to further processing
ipfw add 900 skipto 7000 ip from any to any out xmit fxp0
ipfw add 900 skipto 7000 ip from any to any out xmit dc2

# Anything coming here should be translated.
# One bit of the destination address (mask 0.0.1.0) picks the natd.
ipfw add 1500 skipto 2500 ip from any to 0.0.1.0:0.0.1.0
ipfw add 2000 divert 8998 ip from any to any
ipfw add 2200 skipto 3000 ip from any to any
ipfw add 2500 divert 8999 ip from any to any

# put any general outgoing filters here
ipfw add 3000 .......(next rule)
ipfw add 3500 accept ip from any to any

# filters for internal routing go here.
ipfw add 7000 


this will need tweaking to handle services on the gateway properly.
You probably want to keep them through one or the other of your
interfaces.


> 
> All of our machines are assigned a 10.x.x.x address, and I use ipfw and natd
> to do translation between the DSL1 and net-10 addresses - works beautifully.
> 
> First question: after playing with this a bit, I've come to the decision
> that I probably need to send NAT packets to two different divert sockets -
> one for each DSL IP block.  With /etc/natd.conf holding the NAT rules, is it
> possible to have two "port" or "alias_address" lines:
> 
>    alias_address 1.2.3.4
>    port 8668
>    redirect_address 10.1.1.7 1.2.3.7
>    redirect_address 10.1.1.8 1.2.3.8
>    alias_address 5.6.7.1
>    port 8669
>    redirect_address 10.1.1.7 5.6.7.7
>    redirect_address 10.1.1.8 5.6.7.8
> 
> ...or do I need to run two copies of natd for this to work correctly?
> 
> Second question: I could probably do this blindfolded on a Cisco router, but
> is there some way to accomplish the Cisco idea of "policy-based routing" on
> a FBSD box?  I basically need to look at the source address of a packet and
> send it to the appropriate ethernet interface for the DSL IP block that
> matches that source address.  I'm guessing that netgraph might be involved,
> but I haven't ever looked at it much more than the examples provided...  (If
> netgraph is involved, I may need a little more help than "Yes, it can be
> done."  :)  )
> 
> Third question: I vaguely remember that netgraph packets don't go through
> ipfw, possibly under certain circumstances.  True?
> 
> Thanks - Mike
> 

-- 
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000-2001
---> X_.---._/  
            v
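As an added illustration (not part of the mail above), this POSIX sh script reproduces the `to ADDR:MASK` test that the ipfw skipto rules use to split destinations between the two natd processes on divert ports 8998 and 8999, and prints the two natd command lines that go with them. The divert ports come from the reply, the alias addresses 1.2.3.4 and 5.6.7.1 are the ones from Mike's sample natd.conf, and the sample destinations are constructed.

```shell
#!/bin/sh
# Added example, not code from the original mail.
# The ipfw rules in the mail test "0.0.1.0:0.0.1.0": mask 0.0.1.0 is
# bit 2^8 of the address (the mail mentions "bit23", which would be
# mask 0.128.0.0 instead; the rules as written test 2^8).
SPLIT_ADDR=0.0.1.0   # value the masked address must equal
SPLIT_MASK=0.0.1.0   # a single bit of the address

# Dotted quad -> 32-bit integer, using only POSIX sh arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Same decision as "skipto ... ip from any to 0.0.1.0:0.0.1.0":
# (addr & MASK) == (SPLIT_ADDR & MASK) -> second natd, else the first.
natd_port_for() {
    ip=$(ip2int "$1")
    want=$(ip2int "$SPLIT_ADDR")
    mask=$(ip2int "$SPLIT_MASK")
    if [ $(( ip & mask )) -eq $(( want & mask )) ]; then
        echo 8999
    else
        echo 8998
    fi
}

# One natd process per divert port, each aliasing to its own DSL
# address (alias addresses are the placeholders from Mike's config).
natd_cmd() {
    case "$1" in
        8998) echo "natd -p 8998 -a 1.2.3.4" ;;
        8999) echo "natd -p 8999 -a 5.6.7.1" ;;
        *)    return 1 ;;
    esac
}

# Dry run over a few constructed destinations to show the split.
for dst in 1.2.2.9 1.2.3.9 10.193.0.1 192.168.5.7; do
    port=$(natd_port_for "$dst")
    echo "$dst -> divert $port  ($(natd_cmd "$port"))"
done
```

The outgoing rule tests this bit on the destination and the incoming rule on the source, so a reply from the same remote host always reaches the natd that translated the request.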

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3AAF4D16.6AEFD026>