From owner-freebsd-net Sat Mar 17 11:54:59 2001
Delivered-To: freebsd-net@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83])
	by hub.freebsd.org (Postfix) with ESMTP id 8609E37B718
	for ; Sat, 17 Mar 2001 11:54:54 -0800 (PST)
	(envelope-from nick@rogness.net)
Received: from localhost (nick@localhost)
	by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f2HJxJj17689;
	Sat, 17 Mar 2001 13:59:19 -0600 (CST)
	(envelope-from nick@rogness.net)
Date: Sat, 17 Mar 2001 13:59:19 -0600 (CST)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: Julian Elischer
Cc: Alex Pilosov, freebsd-net@FreeBSD.ORG, Jeroen Ruigrok/Asmodai
Subject: Re: same interface Route Cache
In-Reply-To: <3AB3B171.C89A0177@elischer.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 17 Mar 2001, Julian Elischer wrote:

> Alex Pilosov wrote:
> >
> > On Sat, 17 Mar 2001, Nick Rogness wrote:
> >
> > > There is no way to tell your packet to go back out to ISP #2. That is the
> > > point I'm trying to get across. Unless you're running a routing
> > > daemon. But is that really practical with cable modems, dsl, etc?...I
> > > don't think so.
> >
> > Is the clue really gone from this list?
> >
> > With policy routing, you indeed will be able to multihome, without any
> > cooperation of your upstream (assuming strict filters on their ingress
> > interfaces) and have things work.
>
> it should be possible to use IPFW and natd to do this:
> IPFW could use Luigi's probability feature to select an interface to
> use for each initiating session and ipfw could use a stateful rule
> to 'remember the choice made'

	I would be interested to see what you are talking about with
	probability. I'll play with it this afternoon.

	Just to be clear to everyone, the problem I'm seeing is this:

	1) Packet comes in with src A.A.A.A dest B.B.B.B in interface A
	   (in from ISP #2)

	2) natd-2 (listening on interface A from ISP #2) changes the
	   destination from B.B.B.B to machine X.X.X.X (internal)

	3) Packet gets sent to machine X.X.X.X on the internal network.

	4) Machine X.X.X.X responds to B.B.B.B, sending the packet back to
	   the BSD machine.

	5) The BSD machine looks up in the routing table how to get to
	   B.B.B.B. Oh no! Go out interface B connected to ISP#1...the
	   default gateway.

	6) This triggers natd-1 to change the source to C.C.C.C and sends
	   the packet out to B.B.B.B on the default interface B because of
	   the default gateway.

	7) Machine B.B.B.B is expecting a response from A.A.A.A, but
	   instead, it is seeing a response from C.C.C.C

	And Alex, you can't fwd based on source because of the 2 natd
	processes on 2 different interfaces. The firewall does not keep
	track of INCOMING packets. So the firewall does not know the right
	interface to forward the packet to, so the wrong natd gets
	triggered.

> The final step is to select to which divert rule the packets eventually get
> sent.
> Each divert rule goes to a different natd, each of which is attached to a
> different outgoing interface.

	I am going to look at what you suggested this afternoon to see if
	it works.

Nick Rogness - Keep on routing in a Free World...
	"FreeBSD: The Power to Serve!"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
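A small model of the seven steps Nick lists and of the "remember the choice made" idea Julian raises, written as an added example for this archive page and not code from the thread or from FreeBSD: it models the egress decision in Python rather than as ipfw rules, the addresses are the message's placeholder labels, the interface names `ifA`/`ifC`, the flow key and the 50% weight are assumptions, and the remote host B.B.B.B is taken to be addressing A.A.A.A on the ISP #2 side.

```python
"""Constructed model of the return-path problem in this thread: a dual-homed
box with one natd per upstream, where a flow that entered via ISP #2 gets
answered via the default route (ISP #1) and the wrong natd rewrites it.
Addresses follow the message's labels and are placeholders."""
import random

# Interface -> public address its natd uses.  ifA faces ISP #2, ifC faces
# ISP #1 and carries the default route (assumed names).
NATD_ADDR = {"ifA": "A.A.A.A", "ifC": "C.C.C.C"}
DEFAULT_IF = "ifC"
INTERNAL = "X.X.X.X"          # internal host that natd-2 redirects inbound to
WEIGHT_IFA = 0.5              # assumed share of new outbound flows sent via ifA

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a flow share one entry."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def egress_for(pkt, state):
    """Egress decision: a remembered flow entry wins; otherwise a plain route
    lookup, which for any non-local destination yields the default interface."""
    return state.get(flow_key(*pkt), DEFAULT_IF)

def inbound_reply_path(stateful):
    """Steps 1-7 of the message: remote B.B.B.B reaches A.A.A.A via ifA."""
    state = {}
    # 1-2: packet arrives on ifA, natd-2 rewrites the destination to X.X.X.X
    src, sport, dst, dport = "B.B.B.B", 40000, INTERNAL, 80
    if stateful:          # stateful rule: remember the interface the flow entered on
        state[flow_key(src, sport, dst, dport)] = "ifA"
    # 4: X.X.X.X answers; 5: the box picks an egress for destination B.B.B.B
    reply = (dst, dport, src, sport)
    egress = egress_for(reply, state)
    # 6: the natd attached to that interface rewrites the source address
    return egress, NATD_ADDR[egress]

def outbound_new_flow(state, seed=0):
    """Flows the inside initiates: pick an upstream probabilistically once,
    record it, then keep using it for the rest of the session."""
    pkt = ("X.X.X.X", 5000, "B.B.B.B", 443)
    key = flow_key(*pkt)
    if key not in state:
        rng = random.Random(seed)
        state[key] = "ifA" if rng.random() < WEIGHT_IFA else "ifC"
    return state[key]
```

Without the remembered entry the reply leaves via ifC with source C.C.C.C, which is exactly the mismatch step 7 describes; with it the reply goes back out ifA as A.A.A.A.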