From owner-freebsd-net@FreeBSD.ORG Mon Jan 30 08:37:49 2006
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 81D3616A420 for ; Mon, 30 Jan 2006 08:37:49 +0000 (GMT) (envelope-from b.candler@pobox.com)
Received: from proof.pobox.com (proof.pobox.com [207.106.133.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id DE95A43D49 for ; Mon, 30 Jan 2006 08:37:48 +0000 (GMT) (envelope-from b.candler@pobox.com)
Received: from proof (localhost [127.0.0.1]) by proof.pobox.com (Postfix) with ESMTP id EDDEB41B3D; Mon, 30 Jan 2006 03:37:47 -0500 (EST)
Received: from mappit.local.linnet.org (212-74-113-67.static.dsl.as9105.com [212.74.113.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by proof.sasl.smtp.pobox.com (Postfix) with ESMTP id ADAF612E7D; Mon, 30 Jan 2006 03:37:46 -0500 (EST)
Received: from lists by mappit.local.linnet.org with local (Exim 4.60 (FreeBSD)) (envelope-from ) id 1F3UXg-000IMG-J4; Mon, 30 Jan 2006 08:37:44 +0000
Date: Mon, 30 Jan 2006 08:37:44 +0000
From: Brian Candler
To: Unix-Solutions - Steven
Message-ID: <20060130083744.GA70515@uk.tiscali.com>
References: <001501c62402$a1bd4c70$05000100@cloe>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <001501c62402$a1bd4c70$05000100@cloe>
User-Agent: Mutt/1.4.2.1i
Cc: freebsd-net@freebsd.org
Subject: Re: multiple natd + ipfw, with 2 internal ip's
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 30 Jan 2006 08:37:49 -0000

On Sat, Jan 28, 2006 at 01:01:53PM +0100, Unix-Solutions - Steven wrote:
> Hi you guys,
>
> I have a little problem with my natd or ipfw configuration.
This may not be what you want to hear, but in my experience if you have a
configuration with multiple external interfaces and multiple NAT instances,
ipfw + natd becomes almost impossible to configure correctly. You need
multiple running instances of natd, which isn't a problem, but making a set
of ipfw rules which correctly passes the right packets to the right natd
instances, both inbound and outbound, is pretty hard.

If I were you, I'd switch to pf. Having two NAT interfaces in pf.conf is
trivial. So then the only thing you need to do is to swing your default
route from ISP1 to ISP2, to change the traffic flow.

> Now I want to add 192.168.2.253 as alias on the FXP0
> and when a PC on my internal network sets his gateway to 192.168.2.253
> I want that this PC takes the versatel route.
> How is this possible ?

Unfortunately, it's not possible at all.

When your PC sends a packet from X.X.X.X to Y.Y.Y.Y, and decides that
192.168.2.254 is the next hop router, it uses ARP to find the MAC address
of this router. It then encapsulates the IP datagram in an ethernet frame
using this as the destination MAC address.

If it decided to use 192.168.2.253 as the next hop, and this is an alias on
the same machine, then it would still get the same MAC address. So when the
packet arrives at the router, it would be impossible to tell whether the
originator had used 192.168.2.254 or 192.168.2.253 as the next-hop address.

(That's unless you do something very nasty, like assigning multiple MAC
addresses to the same interface and writing your own ARP daemon to respond
with different MAC addresses, but even then you would still have to somehow
make a forwarding decision based on the MAC address of the incoming frame.
You could put two different NICs on the same LAN segment, which would
automatically give you two MAC addresses and let you forward based on the
source interface, but I think that FreeBSD still has a problem when running
two NICs on the same LAN segment, because it mixes the ARP table into the
forwarding table)

If you want to selectively have some clients using ISP1 and other clients
using ISP2, then I think you could implement that using pf 'route-to' or
ipfw 'fwd' rules, matching the source IP address, which is a lot simpler.

In any case, if all you're concerned about is failover, then you probably
don't want to reconfigure every client PC when ISP1 goes down in order to
point to ISP2. Rather, you could run a script on the gateway PC which
monitors the link status, and changes its own default route to point to the
other ISP.

HTH,

Brian.