From owner-freebsd-net@FreeBSD.ORG Thu Jul 12 11:55:32 2007 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E9CE416A46D for ; Thu, 12 Jul 2007 11:55:32 +0000 (UTC) (envelope-from artem@aws-net.org.ua) Received: from alf.aws-net.org.ua (alf.aws-net.org.ua [85.90.196.192]) by mx1.freebsd.org (Postfix) with ESMTP id 16F8413C4CB for ; Thu, 12 Jul 2007 11:55:31 +0000 (UTC) (envelope-from artem@aws-net.org.ua) Received: from [10.100.0.23] (vl-office.vl.net.ua [194.44.81.189]) by alf.aws-net.org.ua (8.13.8/8.13.8) with ESMTP id l6CBtRLX029743 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 12 Jul 2007 14:55:28 +0300 (EEST) (envelope-from artem@aws-net.org.ua) Message-ID: <469616B2.2020803@aws-net.org.ua> Date: Thu, 12 Jul 2007 14:55:30 +0300 From: Artyom Viklenko Organization: Art&Co. User-Agent: Thunderbird 2.0.0.4 (Windows/20070604) MIME-Version: 1.0 To: Andrea Venturoli References: <4695FEF4.4030708@netfence.it> In-Reply-To: <4695FEF4.4030708@netfence.it> Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded STARTTLS authentication, not delayed by milter-greylist-3.0 (alf.aws-net.org.ua [192.168.32.253]); Thu, 12 Jul 2007 14:55:29 +0300 (EEST) X-Virus-Scanned: ClamAV version 0.90.3, clamav-milter version 0.90.3 on localhost X-Virus-Status: Clean Cc: freebsd-net@freebsd.org Subject: Re: Again two ADSL lines, routing problems X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Jul 2007 11:55:33 -0000 Andrea Venturoli wrote: > Hello. > I have a setup where a FreeBSD box is connected to two ADSL routers: > default gateway is set to the first and, in case of failure, is moved to > the other one. This works perfectly for outgoing connections: in the > event of the switch, I'll have to reconnect, but that's acceptable. > > The problem is in the incoming connections: if I get one on the "backup" > router, this will reach the server, which will however answer through > its "default" router. Thus the remote client will see packets coming > back from a different host and things won't work. > Just to be clear, the packets travel as follows (with source and dest IP > in brackets): > Client (x.x.x.x) -> Backup router (y.y.y.y) > Backup router (x.x.x.x) -> Server (z.z.z.z) > Server (z.z.z.z) -> Default router (x.x.x.x) > Default router (v.v.v.v) -> Client (x.x.x.x) > > So the client (x.x.x.x) connects to y.y.y.y (the backup ADSL public IP), > but gets answers from v.v.v.v (the master ADSL public IP). > > > AFAIK there is no solution to this, but I tought I'd ask before giving > my official opinion to my customer. > Perhaps there's some sort of hack we could use, that through > ipfw/natd/other diverting daemon/whatever delivers answers based on the > MAC address of the incoming connections (if the MAC address belongs to > the backup router, use that for answers)... does anyone know? You have to enforce simmetrical routing on your FreeBSD box. You can use, for example, PF firewall Using such options and features as labels and route-to/reply-to statemens. Also it is possible with ipfw, but I prefer PF. :) -- Sincerely yours, Artyom Viklenko. ------------------------------------------------------- artem@aws-net.org.ua | http://www.aws-net.org.ua/~artem FreeBSD: The Power to Serve - http://www.freebsd.org