From: "John Telford"
To: freebsd-net@freebsd.org
Subject: Multihomed natd, nics and default gateways continued.
Date: Thu, 26 Oct 2000 19:37:07 -0400
Sender: owner-freebsd-net@FreeBSD.ORG

Nick,

You are wise in the ways of FreeBSD and routing. Could you take a moment and provide some tips on how I could expand on your help to John Prince?

I have a similar setup but would like it to behave slightly differently. My setup:

1 internal interface.
1 external interface doing natd, default gateway routing for the internal to an ISP.

We have now brought in a second ISP and put a 3rd interface into the FreeBSD box. I'd like to have a setup like this:

ISPA-----------interface A_fxp0
                                fxp2_NATD--interface C---------internal network 10.130.x.x
ISPB-----------interface B_fxp1

I would like to have all internal -> external traffic route through ISPA. In the event that ISPA goes down, the ISPB connection should take over automatically without the users noticing, except that things are slower because ISPB is a slower connection. This means the default gateway would have to change on the fly, and I can't seem to locate much information on how this can work.

Thanks in advance,
John

Nick wrote:
DATE: 10/25/2000 19:58:00
SUBJECT: RE: Multipath natd

On Wed, 25 Oct 2000, John Prince wrote:

> Hello..
> Is it possible (I have been trying)....
> I have noticed other requests, however there does not seem to be any answers..
>
> I have a firewall setup, IPFW and Natd, with 2 external interfaces, and a
> single internal.
> Each external interface is connected to a provider.
> Setup is as follows..
>       External                        Internal
> bbb.bbb.bbb.bbb ---------------
>                                |--------------- ccc.ccc.ccc.ccc
> aaa.aaa.aaa.aaa ---------------
> The internal network consists of 2 nets, 10.0.1.0 and 10.0.2.0
> What I want to do is route any traffic from the 10.0.1.0 network to the
> (bbb) external
> interface, and traffic from the 10.0.2.0 to the (aaa) interface..
> Ipfw and Natd appear to function, as long as I specify a default route..
> I would like to do this all on a single machine, if possible..
> Any help would be greatly appreciated..

It's possible. Run 2 different natd's. Set up ipfw like so:

#Don't divert local traffic
ipfw add 50 allow ip from 10.0.1.0/24 to 10.0.2.0/24
ipfw add 51 allow ip from 10.0.2.0/24 to 10.0.1.0/24

#Divert traffic from 1.0/24 out and in interface B
ipfw add 100 divert natd ip from 10.0.1.0/24 to any
ipfw add 101 divert natd ip from any to any in via $INTERFACE_B

#Divert traffic from 2.0/24 network in and out interface A
ipfw add 200 divert natd2 ip from 10.0.2.0/24 to any
ipfw add 201 divert natd2 ip from any to any in via $INTERFACE_A

#Add routing for these natd'd addresses
ipfw add 1000 fwd $INTERFACE_B_NEXT_HOP ip from $INTERFACE_B_ADDRESS to any
ipfw add 2000 fwd $INTERFACE_A_NEXT_HOP ip from $INTERFACE_A_ADDRESS to any

#Leave on for testing until it works
ipfw add 3000 allow ip from any to any

Then after you do that, set up the 2 different natd's to listen on different ports (default 8668) and add another entry in /etc/services:

natd2           8669/divert # Network Address Translation

Then run the natd's separately:

root# natd -p 8668 -a $INTERFACE_B_ADDRESS
root# natd -p 8669 -a $INTERFACE_A_ADDRESS

Nick Rogness
- Drive defensively.  Buy a tank.
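Added example, not code from either John's or Nick's post. It turns Nick's rule set into a script with numeric divert ports (so no /etc/services edit is needed), adds the interface-keyed variant a single-internal-net box like John Telford's would use, and sketches one approach to his default-gateway failover question: probe both next hops and move the default route only when ISPA stops answering. Interface names, the 192.0.2.x / 198.51.100.x addresses and the next hops are placeholders; it assumes FreeBSD ipfw/natd with a kernel built with IPFIREWALL and IPFIREWALL_FORWARD (the fwd rules need the latter), and uses natd's -n option to take the alias address from the interface rather than a fixed -a address.

```shell
#!/bin/sh
# Added example, not from the thread.  Placeholder interfaces, addresses and
# next hops; change them to match the box.  Assumes FreeBSD ipfw/natd and a
# kernel with options IPFIREWALL and IPFIREWALL_FORWARD (needed for fwd).

IF_A=fxp0;  ADDR_A=192.0.2.10;    GW_A=192.0.2.1        # ISPA (primary)
IF_B=fxp1;  ADDR_B=198.51.100.10; GW_B=198.51.100.1     # ISPB (backup)
NET1=10.0.1.0/24                                        # goes out via ISPB
NET2=10.0.2.0/24                                        # goes out via ISPA
PORT_A=8669; PORT_B=8668                                # one natd per ISP

# Nick's per-source-net policy routing, with numeric divert ports.
# Apply with:  ipfw_rules | sh
ipfw_rules() {
    cat <<EOF
ipfw -f flush
# internal <-> internal is never translated
ipfw add 50  allow ip from $NET1 to $NET2
ipfw add 51  allow ip from $NET2 to $NET1
# $NET1: translate to $ADDR_B on the way out, untranslate replies arriving on $IF_B
ipfw add 100 divert $PORT_B ip from $NET1 to any
ipfw add 101 divert $PORT_B ip from any to any in via $IF_B
# $NET2: same for ISPA
ipfw add 200 divert $PORT_A ip from $NET2 to any
ipfw add 201 divert $PORT_A ip from any to any in via $IF_A
# after translation, steer by source address to the matching next hop
ipfw add 1000 fwd $GW_B ip from $ADDR_B to any
ipfw add 2000 fwd $GW_A ip from $ADDR_A to any
# testing only (Nick's rule 3000): replace with a real filtering policy
ipfw add 3000 allow ip from any to any
EOF
}

# Variant for a single internal net with a moving default route: key the
# divert on the egress interface, so whichever link currently holds the
# default route gets the matching translation and no fwd rules are needed.
ipfw_rules_failover() {
    cat <<EOF
ipfw -f flush
ipfw add 100 divert $PORT_A ip from any to any via $IF_A
ipfw add 200 divert $PORT_B ip from any to any via $IF_B
ipfw add 3000 allow ip from any to any
EOF
}

# The two natd instances.  -n <if> reads the alias address from the
# interface, so an address change does not leave natd aliasing a stale one.
natd_cmds() {
    printf 'natd -p %s -n %s\n' "$PORT_B" "$IF_B"
    printf 'natd -p %s -n %s\n' "$PORT_A" "$IF_A"
}

# Probe a next hop.  PROBE is overridable so the decision logic can be
# exercised without network access.
gateway_up() {
    ${PROBE:-ping -c 3} "$1" >/dev/null 2>&1
}

# Pick the default gateway from the two link states (up|down).  ISPA wins
# whenever it answers; if both are dead, stay on ISPA so a flapping backup
# does not churn the routing table for nothing.
choose_gateway() {
    case "$1:$2" in
        down:up) echo "$GW_B" ;;
        *)       echo "$GW_A" ;;
    esac
}

# Change the default route only when it differs from the wanted gateway.
# DRY_RUN=1 prints the command instead of touching the routing table.
set_default() {
    want=$1
    cur=$(route -n get default 2>/dev/null | awk '/gateway:/ {print $2}')
    [ "$cur" = "$want" ] && return 0
    if [ -n "${DRY_RUN:-}" ]; then
        echo "would run: route change default $want"
    else
        route change default "$want" || route add default "$want"
    fi
}

# One monitoring pass; run it from cron or from a loop with sleep.
failover_once() {
    if gateway_up "$GW_A"; then a=up; else a=down; fi
    if gateway_up "$GW_B"; then b=up; else b=down; fi
    set_default "$(choose_gateway "$a" "$b")"
}

case "${1:-}" in
    rules)    ipfw_rules; natd_cmds ;;
    failover) failover_once ;;
esac
```

Two caveats a practitioner will hit. First, a flip of the default route does not preserve existing connections: flows that were translated to ISPA's address die when their replies stop arriving on fxp0, which is the part of "without the users noticing" this approach cannot deliver. Second, rule 3000 is Nick's testing allow-all; once the translation works, replace it with the real filtering policy, since as written the box forwards anything in either direction.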