From: Eric F Crist
Date: Thu, 12 Jul 2007 06:01:21 -0500
To: Andrea Venturoli
Cc: freebsd-net@freebsd.org
Subject: Re: Again two ADSL lines, routing problems
In-Reply-To: <4695FEF4.4030708@netfence.it>
References: <4695FEF4.4030708@netfence.it>
List-Id: Networking and TCP/IP with FreeBSD

On Jul 12, 2007, at 5:14 AM, Andrea Venturoli wrote:

> Hello.
> I have a setup where a FreeBSD box is connected to two ADSL routers: default gateway is set to the first and, in case of failure, is moved to the other one. This works perfectly for outgoing connections: in the event of the switch, I'll have to reconnect, but that's acceptable.
>
> The problem is in the incoming connections: if I get one on the "backup" router, this will reach the server, which will however answer through its "default" router. Thus the remote client will see packets coming back from a different host and things won't work.
> Just to be clear, the packets travel as follows (with source and dest IP in brackets):
>
> Client (x.x.x.x) -> Backup router (y.y.y.y)
> Backup router (x.x.x.x) -> Server (z.z.z.z)
> Server (z.z.z.z) -> Default router (x.x.x.x)
> Default router (v.v.v.v) -> Client (x.x.x.x)
>
> So the client (x.x.x.x) connects to y.y.y.y (the backup ADSL public IP), but gets answers from v.v.v.v (the master ADSL public IP).
>
> AFAIK there is no solution to this, but I thought I'd ask before giving my official opinion to my customer.
> Perhaps there's some sort of hack we could use, that through ipfw/natd/other diverting daemon/whatever delivers answers based on the MAC address of the incoming connections (if the MAC address belongs to the backup router, use that for answers)... does anyone know?
>
> bye & Thanks
> av.

The biggest problem one would have with this sort of setup is the upstream provider support. I don't know of any ISPs that are going to be willing or even able to propagate routes for your static IPs through their DSL systems. If you want that sort of redundancy and support, you'll probably have to go to a higher-end business class solution, such as a T1 or even possibly an ISDN line.

HTH
-----
Eric F Crist
Secure Computing Networks
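An added model of the return-path problem Andrea describes, not code from either poster: it traces the four-hop packet flow with the post's placeholder addresses and shows why a client that connected to y.y.y.y rejects a reply arriving from v.v.v.v, then models the "remember which router's MAC the request came in on" idea as a per-flow ingress table. The router MACs are constructed sample values, and the tracker is a conceptual model, not an ipfw or natd configuration.

```python
# Model of the two-ADSL return-path problem. Placeholder IPs follow the post;
# the router MACs are constructed sample values.
from dataclasses import dataclass

CLIENT, BACKUP_PUBLIC, DEFAULT_PUBLIC, SERVER = "x.x.x.x", "y.y.y.y", "v.v.v.v", "z.z.z.z"

# LAN-side MAC of each ADSL router -> public IP seen behind it (constructed MACs)
ROUTERS = {
    "00:00:5e:00:53:01": DEFAULT_PUBLIC,
    "00:00:5e:00:53:02": BACKUP_PUBLIC,
}
DEFAULT_GW_MAC = "00:00:5e:00:53:01"
MAC_FOR_PUBLIC = {ip: mac for mac, ip in ROUTERS.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    via_mac: str  # MAC of the LAN router that handed this packet to the server


class IngressTracker:
    """Remembers which router delivered each flow so the reply can leave the same way."""

    def __init__(self):
        self.flows = {}

    def note_inbound(self, pkt):
        self.flows[(pkt.src, pkt.dst)] = pkt.via_mac

    def reply_gateway_mac(self, reply):
        # A reply reverses src/dst; flows never seen inbound use the default gateway.
        return self.flows.get((reply.dst, reply.src), DEFAULT_GW_MAC)


def simulate(connected_to, track_ingress):
    """Return (public IP the reply appears to come from, whether the client accepts it)."""
    # The router rewrites the destination to the server but keeps the client's source.
    request = Packet(src=CLIENT, dst=SERVER, via_mac=MAC_FOR_PUBLIC[connected_to])
    tracker = IngressTracker()
    tracker.note_inbound(request)
    reply = Packet(src=SERVER, dst=request.src, via_mac="")
    # Plain routing always picks the default gateway; the tracker picks the ingress router.
    gw_mac = tracker.reply_gateway_mac(reply) if track_ingress else DEFAULT_GW_MAC
    reply_from = ROUTERS[gw_mac]  # public IP after that router's outbound NAT
    # The client only accepts a reply from the address it connected to.
    return reply_from, reply_from == connected_to
```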