From owner-freebsd-net@FreeBSD.ORG Mon Apr 28 09:18:51 2014
From: Andreas Nilsson
To: Dominic Froud
Cc: FreeBSD Net
Date: Mon, 28 Apr 2014 11:18:50 +0200
Subject: Re: Server with multiple public IP
In-Reply-To: <535E1C66.6090004@talk2dom.com>
References: <535E1842.20905@netfence.it> <535E1C66.6090004@talk2dom.com>
List-Id: Networking and TCP/IP with FreeBSD

On Mon, Apr 28, 2014 at 11:16 AM, Dominic Froud wrote:

> On 28/04/2014 09:58, Andrea Venturoli wrote:
>
>> I've got a server which has two (or more) interfaces with public IPs.
>>
>> Let's say, as an example (with fictional IPs):
>> ifconfig_vlan1="inet 1.0.0.2 netmask 255.255.255.248..."
>> ifconfig_vlan2="inet 2.0.0.2 netmask 255.255.255.248..."
>>
>> Of course, I can only have a default route, let's say 1.0.0.1.
>> This is fine for outgoing traffic and for incoming connections on vlan1.
>> However, when someone from the outside connects to 2.0.0.2, reply packets
>> still go out through 1.0.0.1 (on vlan1), but they should go through vlan2
>> to 2.0.0.1
>
> You want source-based routing.
>
> I have this situation and I used pf(4) to do it with a rule like:
>
> pass out quick route-to ( vlan2 ) from 2.0.0.0/29 to any no state
>
> As a variation you can give an optional next-hop address if you have a
> static router for that vlan, e.g. if your router is 2.0.0.1:
>
> pass out quick route-to ( vlan2 2.0.0.1 ) from 2.0.0.0/29 to any no state
>
> Also, you can run pf and ipfw at the same time!
>
> Hope this helps,
>
> Dominic

You could put all the services which are on 2.0.0.2 in a separate FIB and have another default route there.

Best regards
Andreas
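The FIB approach Andreas suggests, written out as an added example (not code from the thread): a second routing table gets its own default route via 2.0.0.1, and the daemon that listens on 2.0.0.2 is started inside that table with setfib(1), so its replies leave through vlan2. It assumes a FreeBSD host already booted with net.fibs=2 (set in /boot/loader.conf); the helper names and the DRY_RUN switch are this script's own.

```shell
#!/bin/sh
# Added example: per-service FIB so replies from 2.0.0.2 exit via vlan2.
# Assumes FreeBSD with net.fibs >= 2 (loader.conf tunable, reboot needed).
# DRY_RUN=1 prints each privileged command instead of executing it, so the
# sequence can be reviewed before it is applied as root.

# run CMD...: execute, or only echo when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# fib_default_route FIB GATEWAY: default route in routing table FIB only;
# FIB 0 (the main table, default via 1.0.0.1) is left untouched.
fib_default_route() {
    run setfib "$1" route add default "$2"
}

# fib_exec FIB COMMAND...: every socket the daemon opens is looked up in FIB,
# so connections it accepts on 2.0.0.2 are answered through that table.
# The daemon must still be configured to bind 2.0.0.2, not 0.0.0.0.
fib_exec() {
    fib=$1; shift
    run setfib "$fib" "$@"
}

# setup_secondary_fib FIB GATEWAY DAEMON...: whole procedure for one extra
# public address. Fails (returns 1) if the kernel has fewer than FIB+1 tables,
# which would otherwise make setfib refuse to run.
setup_secondary_fib() {
    fib=$1; gw=$2; shift 2
    if [ "${DRY_RUN:-0}" != 1 ]; then
        nfibs=$(sysctl -n net.fibs 2>/dev/null || echo 1)
        if [ "$nfibs" -le "$fib" ]; then
            echo "net.fibs=$nfibs: FIB $fib not available" >&2
            return 1
        fi
    fi
    fib_default_route "$fib" "$gw"
    fib_exec "$fib" "$@"
}

# Thread's example: 2.0.0.2/29 on vlan2, router 2.0.0.1, hypothetical daemon.
#   DRY_RUN=1 . ./fib.sh; setup_secondary_fib 1 2.0.0.1 /usr/local/sbin/mydaemon
```

Putting the daemon in its own FIB also keeps the reply path symmetric with the inbound one, which matters when the upstream router drops packets whose source address arrives on an unexpected link.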