From owner-freebsd-net@FreeBSD.ORG Mon Apr 28 09:16:31 2014
Message-ID: <535E1C66.6090004@talk2dom.com>
Date: Mon, 28 Apr 2014 10:16:22 +0100
From: Dominic Froud
To: freebsd-net@freebsd.org
Subject: Re: Server with multiple public IP
References: <535E1842.20905@netfence.it>
In-Reply-To: <535E1842.20905@netfence.it>
List-Id: Networking and TCP/IP with FreeBSD
On 28/04/2014 09:58, Andrea Venturoli wrote:
> I've got a server which has two (or more) interfaces with public IPs.
>
> Let's say, as an example (with fictional IPs):
> ifconfig_vlan1="inet 1.0.0.2 netmask 255.255.255.248..."
> ifconfig_vlan2="inet 2.0.0.2 netmask 255.255.255.248..."
>
> Of course, I can only have a default route, let's say 1.0.0.1.
> This is fine for outgoing traffic and for incoming connections on vlan1.
> However, when someone from the outside connects to 2.0.0.2, reply
> packets still go out through 1.0.0.1 (on vlan1), but they should go
> through vlan2 to 2.0.0.1.

You want source-based routing. I have this situation and I used pf(4) to do it with a rule like:

pass out quick route-to ( vlan2 ) from 2.0.0.0/29 to any no state

As a variation you can give an optional next-hop address if you have a static router for that vlan, e.g. if your router is 2.0.0.1:

pass out quick route-to ( vlan2 2.0.0.1 ) from 2.0.0.0/29 to any no state

Also, you can run pf and ipfw at the same time!

Hope this helps,
Dominic
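For readers who want to see Dominic's rule in a complete ruleset, the following /etc/pf.conf is an added example and not part of the original thread. It reuses the fictional prefixes and the 2.0.0.1 router from the thread; the service ports 22 and 443 are constructed, and the reply-to rule is a second technique (pf's per-state return routing) that the post itself does not mention.

```pf
# Added example (not from the thread): source-based routing for a host with
# two public prefixes on vlan1 and vlan2, default route via 1.0.0.1 (vlan1).
ext1_if  = "vlan1"
ext2_if  = "vlan2"
ext2_net = "2.0.0.0/29"
ext2_gw  = "2.0.0.1"          # fictional router for the vlan2 prefix

set skip on lo0

# 1. The rule from the thread: stateless source-based routing.
#    Because it creates no state, pf consults it for every outgoing packet
#    sourced from the vlan2 prefix (locally originated traffic included) and
#    hands the packet to vlan2's router instead of following the default route.
pass out quick route-to ( $ext2_if $ext2_gw ) from $ext2_net to any no state

# 2. Stateful inbound rules need reply-to instead.
#    Once a connection is tracked, pf routes its reply packets from the state
#    entry and does not re-evaluate the ruleset, so rule 1 would never see
#    them. reply-to stores the vlan2 router in the state at creation time.
pass in on $ext2_if reply-to ( $ext2_if $ext2_gw ) proto tcp \
    to 2.0.0.2 port { 22 443 }

# vlan1 is already served by the default route and needs no routing option.
pass in on $ext1_if proto tcp to 1.0.0.2 port { 22 443 }
pass out on $ext1_if

# Deliberately no "block" default: return traffic for connections that rule 1
# sent out statelessly has no state to match and relies on pf's implicit pass.
# Syntax-check before loading:  pfctl -nf /etc/pf.conf
```

Checking with `pfctl -sr` after loading shows the macros expanded, which is the quickest way to confirm that route-to and reply-to ended up on the intended interface and next hop.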