From owner-freebsd-net@FreeBSD.ORG Mon Apr 28 11:06:32 2014
From: Dominic Froud
To: freebsd-net@freebsd.org
Subject: Re: Server with multiple public IP
Date: Mon, 28 Apr 2014 12:06:21 +0100
Message-ID: <535E362D.1050408@talk2dom.com>
In-Reply-To: <535E2A2F.3030505@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On 28/04/2014 11:15, Julian Elischer wrote:
> replying to myself..
>
> On 4/28/14, 6:11 PM, Julian Elischer wrote:
>> On 4/28/14, 5:44 PM, Andrea Venturoli wrote:
>>> On 04/28/14 11:18, Andreas Nilsson wrote:
>>>
>>>> You could put all the services which are on 2.0.0.2 in a separate
>>>> fib and there have another default-route.
>>>
>>> Thanks, but unfortunately I can't, since some services must be able
>>> to answer on both addresses.
>>
>> the answer is to use the ipfw setfib rule for incoming packets on the
>> second interface.
>>
>> setfib 1 ip from any to any in recv em0
>>
>> In new freebsd kernels you can do this with ifconfig em0 fib 1 (I
>> think that's the syntax) without involving ipfw.
>>
>> then the session will inherit that fib. Outgoing packets from that
>> session will use fib 1 while other outgoing packets will use fib0.
>
> from the ifconfig man page. (FreeBSD 11 but I think it's in 10 too.)
>
>     fib fib_number
>             Specify interface FIB. A FIB fib_number is assigned to all
>             frames or packets received on that interface. The FIB is not
>             inherited, e.g., vlans or other sub-interfaces will use the
>             default FIB (0) irrespective of the parent interface's FIB. The
>             kernel needs to be tuned to support more than the default FIB
>             using the ROUTETABLES kernel configuration option, or the
>             net.fibs tunable.
>
> this can be simulated using ipfw setfib should you not have it in the
> release you are running.
>

"Outgoing packets from that session will use fib 1 while other outgoing
packets will use fib0."

I haven't tried this but outgoing packets not associated with any existing
fib1 session (e.g. new TCP connections, UDP, etc.) could also be attached
to fib1 with a rule like this?

setfib 1 ip from 2.0.0.0/29 to any out xmit vlan2

Keeping all the rules in ipfw is one advantage but then you have to
maintain 2 sets of routing tables - one for each fib. Doing
source-routing with pf means two firewalls to manage but just one
routing table. You could argue that the routing table is obscured by
rules in pf though so doing "netstat -rnf inet" wouldn't be
authoritative.

I'd like to do something like this:

route add -srcnet 2.0.0.0/29 2.0.0.1

(kernel uses arp to translate 2.0.0.1 to an interface address like vlan2)

Dom
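The pieces discussed in this thread (net.fibs, ifconfig fib, a per-fib default route, the inbound ipfw setfib rule and an outbound one for the second address block) collected into one sh script, as an added example that is not from any of the posters. The interface vlan2, the block 2.0.0.0/29 and the gateway 2.0.0.1 come from the thread; the rule numbers, the function names and the DRY_RUN switch (default on, so the script only prints the commands) are assumptions.

```sh
#!/bin/sh
# Two-FIB setup for a FreeBSD host with public addresses from two uplinks.
# Assumed: first uplink stays in fib 0; second uplink is vlan2, addressed
# out of 2.0.0.0/29 with gateway 2.0.0.1, and is moved to fib 1.
DRY_RUN=${DRY_RUN:-1}
IF2=vlan2; NET2=2.0.0.0/29; GW2=2.0.0.1; FIB2=1

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Kernel side: more than one FIB needs net.fibs=2 in /boot/loader.conf
#    (or options ROUTETABLES); the sysctl is read-only once booted.
fib_requirements() {
    run sysctl -n net.fibs
}

# 2. Tag everything received on vlan2 with fib 1 (ifconfig fib, FreeBSD
#    10/11) and give fib 1 its own default route. Connected routes are
#    present in every fib while net.add_addr_allfibs=1 (the default).
fib_routes() {
    run ifconfig "$IF2" fib "$FIB2"
    run setfib "$FIB2" route add default "$GW2"
}

# 3. ipfw equivalent of the inbound tagging for kernels without
#    "ifconfig fib", plus an outbound rule so new flows sourced from the
#    second block (no existing fib 1 session) are also routed via fib 1.
#    The outbound rule matches on source only: the egress interface is
#    whatever fib 1's default route selects after the setfib action.
fib_ipfw() {
    run ipfw add 100 setfib "$FIB2" ip from any to any in recv "$IF2"
    run ipfw add 110 setfib "$FIB2" ip from "$NET2" to any out
}

# 4. Both tables have to be checked separately: netstat only shows the
#    fib it runs in.
fib_show() {
    run netstat -rnf inet
    run setfib "$FIB2" netstat -rnf inet
}

fib_requirements
fib_routes
fib_ipfw
fib_show
```

Run with DRY_RUN=0 as root on the FreeBSD host once the loader tunable is in place; the default invocation only lists the commands for review.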