Date:      Sat, 17 Mar 2001 13:59:19 -0600 (CST)
From:      Nick Rogness <nick@rogness.net>
To:        Julian Elischer <julian@elischer.org>
Cc:        Alex Pilosov <alex@acecape.com>, freebsd-net@FreeBSD.ORG, Jeroen Ruigrok/Asmodai <asmodai@wxs.nl>
Subject:   Re: same interface Route Cache
Message-ID:  <Pine.BSF.4.21.0103171329150.16998-100000@cody.jharris.com>
In-Reply-To: <3AB3B171.C89A0177@elischer.org>

On Sat, 17 Mar 2001, Julian Elischer wrote:

> Alex Pilosov wrote:
> > 
> > On Sat, 17 Mar 2001, Nick Rogness wrote:
> > 
> > > There is no way to tell your packet to go back out to ISP #2.  That is the
> > > point I'm trying to get across.  Unless you're running a routing
> > > daemon.  But is that really practical with cable modems, dsl, etc?...I
> > > don't think so.
> > <flame>
> > Is the clue really gone from this list?
> > </flame>
> > 
> >
> > 
> > With policy routing, you indeed will be able to multihome, without any
> > cooperation of your upstream (assuming strict filters on their ingress
> > interfaces) and have things work.
> 
> it should be possible to use IPFW and natd to do this:
> IPFW could use Luigi's probability feature to select an interface to 
> use for each initiating session and ipfw could use a stateful rule
> to 'remember the choice made'

	I would be interested to see what you are talking about with
	probability.  I'll play with it this afternoon.  

	Just to be clear to everyone, the problem I'm seeing is this:

	1) Packet comes in with src A.A.A.A dest B.B.B.B in interface A
	(in from ISP #2)

	2) natd-2 (listening on interface A from ISP #2) changes the
	destination from B.B.B.B to machine X.X.X.X (internal)

	3) Packet gets sent to machine X.X.X.X on the internal network.

	4) Machine X.X.X.X responds to B.B.B.B, sending the packet
	back to the BSD machine.

	5) The BSD machine looks up in the routing table how to get to 
	B.B.B.B.  Oh no!  Go out interface B connected to ISP#1...the
	default gateway.

	6) This triggers natd-1 to change the source to C.C.C.C and sends
	the packet out to B.B.B.B on the default interface B because of
	the default gateway.

	7)  Machine B.B.B.B is expecting a response from A.A.A.A, but
	instead, it is seeing a response from C.C.C.C

	And Alex, you can't fwd based on source because of the 2 natds
	on 2 different interfaces.  The firewall does not keep track of
	INCOMING packets. So the firewall does not know the right
	interface to forward the packet to, so the wrong natd gets
	triggered.

> 
> The final step is to select to which divert rule the packets eventually get
> sent.
> Each divert rule goes to a different natd, each of which is attached to a 
> different outgoing interface.

	I am going to look at what you suggested this afternoon to see if
	it works.


Nick Rogness <nick@rogness.net>
- Keep on routing in a Free World...  
  "FreeBSD: The Power to Serve!"
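The seven steps above, reduced to a small model so the asymmetry is visible: the reply is routed by destination only, so the natd on the default interface rewrites the source, whereas remembering the ingress interface per flow (the stateful idea suggested in the reply) sends it back through the natd it came in on. This is an added illustration written for this archive page, not code or configuration from the thread; the addresses A.A.A.A, B.B.B.B, C.C.C.C and X.X.X.X are the placeholders the mail uses, and the interface names and flow table are constructed for the model, not real ipfw/natd state.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str


# Placeholder addresses from the mail (constructed, not real hosts)
ISP2_PUBLIC = "A.A.A.A"   # our address on interface A (ISP #2)
ISP1_PUBLIC = "C.C.C.C"   # our address on interface B (ISP #1, default gateway)
REMOTE = "B.B.B.B"        # the outside host talking to us
INTERNAL = "X.X.X.X"      # the internal machine natd forwards to

# One natd per external interface; each rewrites the source to its own public address
NATD = {"A": ISP2_PUBLIC, "B": ISP1_PUBLIC}


def route_lookup(dst: str) -> str:
    """Stateless routing table: every non-local destination goes out the default interface B."""
    return "B"


def inbound(pkt: Packet, iface: str, flows: dict) -> Packet:
    """Steps 1-3: packet arrives on iface, that interface's natd maps it to the internal host.
    The flow table (constructed for this model) records which interface the flow entered on."""
    assert pkt.dst == NATD[iface], "natd only translates traffic for its own interface"
    translated = Packet(src=pkt.src, dst=INTERNAL)
    flows[(translated.dst, translated.src)] = iface
    return translated


def outbound(pkt: Packet, flows: dict, stateful: bool) -> tuple:
    """Steps 5-6: choose the egress interface, then the natd on that interface rewrites the source.
    With stateful=True the remembered ingress interface wins over the routing table."""
    iface = flows.get((pkt.src, pkt.dst)) if stateful else None
    if iface is None:
        iface = route_lookup(pkt.dst)
    return iface, Packet(src=NATD[iface], dst=pkt.dst)


def simulate(stateful: bool) -> tuple:
    """Run the whole exchange; returns (egress iface, reply source, whether B.B.B.B accepts it)."""
    flows: dict = {}
    inbound(Packet(src=REMOTE, dst=ISP2_PUBLIC), "A", flows)      # steps 1-3
    iface, reply = outbound(Packet(src=INTERNAL, dst=REMOTE), flows, stateful)  # steps 4-6
    # Step 7: the remote expects the reply from the address it contacted, A.A.A.A
    return iface, reply.src, reply.src == ISP2_PUBLIC


if __name__ == "__main__":
    print("stateless:", simulate(False))   # reply leaves via B as C.C.C.C and is rejected
    print("stateful: ", simulate(True))    # reply leaves via A as A.A.A.A and is accepted
```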