From owner-freebsd-net@freebsd.org Mon Sep 21 06:59:29 2020
Subject: Re: sshd on two fibs
From: Eugene Grosbein <eugen@grosbein.net>
To: Grzegorz Junka, freebsd-net@freebsd.org
Date: Mon, 21 Sep 2020 13:58:41 +0700
Message-ID: <4d78a442-147f-db32-72ae-487d3e0197cc@grosbein.net>
In-Reply-To: <48e3aa5d-3123-45f2-5c46-6851ad90110a@gjunka.com>
21.09.2020 6:20, Grzegorz Junka wrote:

> I have two WANs and a server with two interfaces, each interface reaching a different WAN. The server is configured with two routing tables, fib0 and fib1, one per corresponding interface.
>
> I would like sshd to listen on both interfaces but on different fibs, so that returning packets are sent to the proper gateway. Can I do it with one sshd? Do I need to run two separate sshd's? Can I run two separate sshd's on the same box?

sshd listens on all IPs by default.
Also, sshd runs over TCP, and this guarantees that it responds from the same IP address that was used by the initial client's request, too. You need not worry about that.

Also, you already have a static link between the source IP address of the sshd response, the corresponding WAN interface, and the gateway IP address of that WAN interface. All you need is to tell the kernel to use the right gateway based on the source IP address despite the default route. This is called policy-based routing, and you can achieve that with a single ipfw rule:

ipfw add 2000 fwd $gateway2 ip from $wan2ip to any out xmit $wan1

That is: redirect IP packets with the source address of the second WAN interface ($wan2ip) to the right gateway of that WAN ($gateway2) if they are going out using the (wrong) route to WAN1. That's all.
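A small sh sketch of the rule above, added here as an example and not taken from the thread: it builds the fwd rule from variables and first checks that the gateway lies in the same subnet as the second WAN address, as a directly connected gateway should. The interface names, addresses and prefix length are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): emit the policy-based-routing
# rule for a two-WAN host after checking that the gateway is on-link.
# All interface names, addresses and the prefix length are constructed.

# Convert a dotted-quad IPv4 address to an unsigned integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeed (return 0) if $1 and $2 fall in the same /$3 network.
same_subnet() {
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Print the ipfw rule from the post: packets sourced from the second WAN
# address that are about to leave via the first WAN interface are handed
# to the second WAN's gateway instead of the default route.
pbr_rule() {
    rulenum=$1; gateway2=$2; wan2ip=$3; wan1=$4
    echo "ipfw add $rulenum fwd $gateway2 ip from $wan2ip to any out xmit $wan1"
}

# Constructed sample values (placeholders, not real hosts).
wan1=em0
wan2ip=203.0.113.10
wan2prefix=24
gateway2=203.0.113.1

if same_subnet "$wan2ip" "$gateway2" "$wan2prefix"; then
    pbr_rule 2000 "$gateway2" "$wan2ip" "$wan1"
else
    echo "gateway $gateway2 is not on-link with $wan2ip/$wan2prefix" >&2
fi
```

The script only prints the rule; pipe it to sh on the router once the output looks right.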