From: Josh Paetzel
To: freebsd-net@freebsd.org
Cc: Eric F Crist, Artyom Viklenko
Date: Thu, 12 Jul 2007 07:44:59 -0500
Subject: Re: Again two ADSL lines, routing problems
Message-Id: <200707120745.03102.josh@tcbug.org>
In-Reply-To: <46961C0B.6060004@netfence.it>
List-Id: Networking and TCP/IP with FreeBSD

On Thursday 12 July 2007, Andrea Venturoli wrote:
> Artyom Viklenko wrote:
> > You have to enforce symmetrical routing on your FreeBSD box.
> > You can use, for example, PF firewall using such options and
> > features as labels and route-to/reply-to statements.
> >
> > Also it is possible with ipfw, but I prefer PF. :)
>
> Thanks, this is interesting. However I failed to understand what
> you mean exactly.
> Do you have any pointer to a document that explains this?
> I searched in PF's and ipfw's manual, but found nothing that I
> could relate to this.
>
> Also, I'm right now using ipfw...
>
> bye & Thanks
> av.

errrm, in pf I can give you a concrete example of how to deal with
this.

Since you haven't given a concrete example I'll make one up. Say you
have a FBSD box with em0 connected to one DSL connection on
192.168.1.2 and the default route set to 192.168.1.1, and em1 on the
other DSL connection with IP 192.168.2.2 and the router for that
connection on 192.168.2.1.

Your question seemed to imply that you don't want to load-balance or
really even do round-robin NAT and you're fine with manually cutting
over the default route in case a link fails, but the problem you are
having is that the responses to incoming connections go out the
default route, which doesn't work.

Here's the fix to that in PF:

    pass out route-to (em1 192.168.2.1) from 192.168.2.2 to any

This will not do load-balancing, fail-over, or round-robin NAT, but it
will make replies to incoming connections on the 'other' DSL
connection go out the same interface the incoming connection came in
on with the proper source address.

HTH

-- 
Thanks,
Josh Paetzel
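As an added illustration (not part of Josh's post or the FreeBSD project's own configuration), here is a minimal pf.conf that puts his one-line fix together with the reply-to rule Artyom mentioned, using the made-up addresses from the example above; the em0/em1 names, the /24 gateways and the exposed service ports are assumptions for the sake of the example.

```pf
# Added example: two DSL uplinks, no load balancing, default route via gw1.
# Assumed layout (from the example in the thread):
#   em0 = 192.168.1.2, gateway 192.168.1.1 (carries the default route)
#   em1 = 192.168.2.2, gateway 192.168.2.1 (the "other" link)
ext_if1 = "em0"
ext_if2 = "em1"
gw1     = "192.168.1.1"
gw2     = "192.168.2.1"
# Assumed: the services this box exposes on both links.
services = "{ 22, 443 }"

set skip on lo0

# Default-deny inbound; anything the box itself starts may leave.
block in all
pass out keep state

# Services reachable on the primary link; replies follow the default
# route, which already points at gw1, so no route-to is needed here.
pass in on $ext_if1 proto tcp from any to $ext_if1 port $services keep state

# Connections arriving on the second link: reply-to pins the state so the
# return packets leave through em1 toward gw2 instead of the default route.
pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp \
    from any to $ext_if2 port $services keep state

# Josh's rule: traffic the box originates from em1's own address (a daemon
# bound to 192.168.2.2, or a reply not already covered by a state) must
# also go out the second link. pf is last-match, so this overrides the
# generic "pass out" above for that source address only.
pass out route-to ($ext_if2 $gw2) from 192.168.2.2 to any keep state
```

Run `pfctl -nf /etc/pf.conf` to syntax-check the file before loading it, and watch `pfctl -ss` afterwards to confirm that states for connections arriving on em1 carry the em1 gateway rather than the default route.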