From owner-freebsd-net@freebsd.org Mon Sep 21 07:21:05 2020
From: Grzegorz Junka
To: freebsd-net@freebsd.org
Subject: Re: sshd on two fibs
Date: Mon, 21 Sep 2020 07:21:02 +0000
Message-ID: <9ff48087-b24e-263c-b1c2-030318722ec1@gjunka.com>
In-Reply-To: <4d78a442-147f-db32-72ae-487d3e0197cc@grosbein.net>
References: <48e3aa5d-3123-45f2-5c46-6851ad90110a@gjunka.com> <4d78a442-147f-db32-72ae-487d3e0197cc@grosbein.net>
List-Id: Networking and TCP/IP with FreeBSD

On 21/09/2020 06:58, Eugene Grosbein wrote:
> 21.09.2020 6:20, Grzegorz Junka wrote:
>
>> I have two WANs and a server with two interfaces, each interface reaching a different WAN. The server is configured with two routing tables, fib0 and fib1, one per corresponding interface.
>>
>> I would like sshd to listen on both interfaces but on different fibs, so that returning packets are sent to the proper gateway. Can I do it with one sshd? Do I need to run two separate sshd's? Can I run two separate sshd's on the same box?
>
> sshd listens on all IPs by default. Also, sshd runs over TCP and this guarantees that it responds
> from the same IP address which was used by the initial client's request, too. You need not worry about that.
>
> Also, you already have a static link between the source IP address of the sshd response,
> the corresponding WAN interface and the gateway IP address of that WAN interface.
>
> All you need is telling the kernel to use the right gateway based on the source IP address despite the default route;
> this is called policy-based routing and you can achieve that with a single ipfw rule:
>
> ipfw add 2000 fwd $gateway2 ip from $wan2ip to any out xmit $wan1
>
> That is: redirect IP packets with the source of the second WAN interface ($wan2ip) to the right gateway of that WAN ($gateway2)
> if they are going out using the (wrong) route to WAN1. That's all.

Thanks Eugene. I am reluctant to add firewall rules because the second interface is configured as being in fib 1. This is so that jails, which are also started with fib 1, can use the proper routing table. I don't want to add complexity where it isn't necessary, unless there is no other option. Is it possible to somehow configure sshd to use the proper routing table?
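As an added illustration of the policy-based-routing rule Eugene quotes (example code, not from either poster), the script below builds that rule and its mirror image for the other WAN, so a reply sourced from either WAN address is always handed to that WAN's own gateway regardless of the default route. The interface names and addresses are constructed placeholders, and the script only prints the rules for review instead of loading them.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the ipfw policy-based-routing
# rules Eugene describes, one per WAN, so a reply sourced from a WAN address is
# handed to that WAN's own gateway even when the default route points elsewhere.
# The script prints the rules instead of running ipfw, so they can be reviewed
# (e.g. compared against "ipfw list") before being loaded.

# valid_ipv4 ADDR: accept only a dotted quad with each octet in 0..255.
valid_ipv4() {
    case $1 in *[!0-9.]*|'') return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
}

# pbr_rules RULENO WAN1_IF WAN1_IP GATEWAY1 WAN2_IF WAN2_IP GATEWAY2
# Prints two "ipfw add" lines. The first is exactly the rule from the thread;
# the second is its mirror image for traffic sourced from the WAN1 address.
pbr_rules() {
    ruleno=$1
    wan1=$2 wan1ip=$3 gateway1=$4
    wan2=$5 wan2ip=$6 gateway2=$7
    for addr in "$wan1ip" "$gateway1" "$wan2ip" "$gateway2"; do
        valid_ipv4 "$addr" || { echo "pbr_rules: bad IPv4 address: $addr" >&2; return 1; }
    done
    # Packets sourced from $wan2ip that the routing table would emit on $wan1
    # are forwarded to $gateway2 instead (the rule quoted in the thread).
    echo "ipfw add $ruleno fwd $gateway2 ip from $wan2ip to any out xmit $wan1"
    # Mirror rule: packets sourced from $wan1ip that would wrongly leave on $wan2.
    echo "ipfw add $((ruleno + 10)) fwd $gateway1 ip from $wan1ip to any out xmit $wan2"
}

# Constructed placeholder values (RFC 5737 documentation ranges), not the
# poster's real interfaces or addresses.
pbr_rules 2000 em0 203.0.113.10 203.0.113.1 em1 198.51.100.10 198.51.100.1
```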