From owner-freebsd-hackers@FreeBSD.ORG Sun Oct 5 13:43:05 2003 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0F08016A4B3; Sun, 5 Oct 2003 13:43:05 -0700 (PDT) Received: from smtp.omnis.com (smtp.omnis.com [216.239.128.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9DD7D43FDD; Sun, 5 Oct 2003 13:43:03 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from foogate.softweyr.com (66-91-236-204.san.rr.com [66.91.236.204]) by smtp-relay.omnis.com (Postfix) with ESMTP id 2417B5B6AB; Sun, 5 Oct 2003 13:41:37 -0700 (PDT) From: Wes Peters Organization: Softweyr LLC To: Nick Rogness , Leo Bicknell Date: Sun, 5 Oct 2003 13:43:01 -0700 User-Agent: KMail/1.5.2 References: <20031005014620.H45148-100000@skywalker.rogness.net> In-Reply-To: <20031005014620.H45148-100000@skywalker.rogness.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200310051343.01251.wes@softweyr.com> cc: darrenr@freebsd.org cc: freebsd-hackers@freebsd.org Subject: Re: Changing the NAT IP on demand? X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 05 Oct 2003 20:43:05 -0000 On Sunday 05 October 2003 01:02 am, Nick Rogness wrote: > On Sat, 4 Oct 2003, Leo Bicknell wrote: > > I'm considering options for a new project, and I think I've > > discovered what I think is the best idea, but I don't think current > > software supports the config. I'd like to get some confirmation, > > and comments on if it would be hard to implement. > > > > Consider: > > > > > > ISP #1-------\ > > \ > > FreeBSD Box----LAN > > / > > ISP #2-------/ > > > > In this case the LAN would be 1918 space, the two ISP's would each > > provide a public IP for the FreeBSD box. > > > > Now, NAT would be required. What I want to do is write an external > > application to decide the performance of ISP #1 and ISP#2, and > > somehow tell NAT which outside address to use. > > > > That, by itself, is not hard. Here's the trick. I want the switch > > to be seamless. That is, if NAT is translating to ISP #1 and the > > application says switch to #2 the existing translations to #1 > > (until they go away naturally) should be kept, while new ones go to > > #2. > > > > The only ways I know to change the outside address seem to tear > > down all existing connections. > > > > Is it possible to make this work today? Would it be hard to fix if > > it doesn't work today? > > This can simply not work without resetting connections. The > socket pair on the "outside" would break as your outside traffic > switches from one to the other (src/dst would change). There is > no fix, as this breaks basic IP principals. That's not at all what Leo was asking. Leo, you may be able to do this with ipfilter's ipnat. Nat rules are traditionally processed with 'ipnat -CF', the -C clears the rules and the -F option clears the currently active NAT mappings. You should experiment with rewriting the rules and instantiating them with -C only. This should leave the existing stateful mappings to the formerly preferred interface while creating all new mappings on the newly preferred interface. This might tend to confuse UDP-based services, which might see the next request as a different 'session', but I doubt those are much a problem across the internet. Good luck. If you run into bugs, I've always found Darren Reed to be helpful and interested in improving ipfilter/ipnat. This might even be a feature that intriques him enough to pique his interest in making it a feature of ipnat. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/