From: Leo Bicknell
To: freebsd-hackers@freebsd.org
Date: Sun, 5 Oct 2003 20:45:22 -0400
Subject: Re: Changing the NAT IP on demand?
Message-ID: <20031006004522.GA62232@ussenterprise.ufp.org>
In-Reply-To: <20031005145431.GA42245@torment.storming.org> <3F801CA7.60201@iconoplex.co.uk> <200310051343.01251.wes@softweyr.com>
Organization: United Federation of Planets
X-PGP-Key: http://www.ufp.org/~bicknell/
List-Id: Technical Discussions relating to FreeBSD

In a message written on Sun, Oct 05, 2003 at 01:43:01PM -0700, Wes Peters wrote:
> Leo, you may be able to do this with ipfilter's ipnat. NAT rules are
> traditionally processed with 'ipnat -CF'; the -C clears the rules and
> the -F option clears the currently active NAT mappings. You should
> experiment with rewriting the rules and instantiating them with -C
> only. This should leave the existing stateful mappings on the formerly
> preferred interface while creating all new mappings on the newly
> preferred interface.

That's interesting. I've never used ipnat before with ipfilter, but from
some quick man page reads that looks good. Save a second problem I just
noticed...see below.

> This might tend to confuse UDP-based services, which might see the next
> request as a different 'session', but I doubt those are much of a problem
> across the internet.

TCP only is good for my application.

In a message written on Sun, Oct 05, 2003 at 02:29:11PM +0100, Paul Robinson wrote:
> Depends on how much money you have, but had you considered getting your
> own address range and BGP peering with your ISPs? I'd consider talking
> to them about it. It'll take some time to set up, but it means your
> "switching" is done at the router, not at the NAT box, which is the
> wrong place to do it anyway.

This application is for cheap + fast redundancy. Think getting 2xDSL
lines, or DSL + cable modem for a quick conference / classroom deal and
wanting some redundancy.

In a message written on Sun, Oct 05, 2003 at 11:54:31AM -0300, Fred Souza wrote:
> If I understood what Leo asked correctly, what's needed is to change
> the default route on the FreeBSD gateway whenever an event tells it
> to (in this case, the increase/decrease in performance for the ISPs).
> The concern here is to keep currently-established connections alive, so
> the process is carried out seamlessly.

Actually, no, not exactly, but this brings up a new problem.

If you have a box with link A and IP a.a.a.a, and link B and IP b.b.b.b,
I want a packet with source address b.b.b.b to have a "default route" out
link B, and a packet with source a.a.a.a to route out link A. I then
want NAT to be able to switch, on the fly, from using a.a.a.a to b.b.b.b.

So, in network speak I want to "policy route", and then do NAT to two
different IPs, with only one active at a time. I'd then do some external
monitoring to decide which IP to use.

Again, think like 2xDSL lines, 1 (possibly dynamic) IP from each. Do the
policy route thing (eg if you wrote an application on the box to bind to
a.a.a.a or b.b.b.b it would use only that link), and then have NAT pick an
IP on the fly. The key is, when NAT switches, not to dump the existing
connections so it appears to be a "seamless" switch over.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
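The behaviour the thread is after, reloading NAT rules without flushing the state table ('ipnat -C') versus reloading and flushing ('ipnat -CF'), and policy-routing each flow out the link that owns its translated source address, can be modelled in a few dozen lines. The following is an added example written for this page; it is not Leo's code, not part of ipfilter, and does not touch the kernel. It uses a hypothetical `NatTable` class with constructed documentation-range addresses standing in for a.a.a.a/link A and b.b.b.b/link B, and shows why an established TCP flow survives a preference switch only when the existing mappings are kept.

```python
"""Toy source-NAT table with a switchable preferred uplink (added example).

Constructed scenario: private hosts behind a gateway with two uplinks.
New flows are translated to the address of the currently preferred
uplink; existing flows keep the address they were created with, so
replies for them keep arriving on the old link. Flushing the table on
switch (the 'ipnat -CF' behaviour) drops those mappings and breaks
established TCP sessions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# A flow is the private 4-tuple (src_ip, src_port, dst_ip, dst_port); TCP only.
FlowKey = Tuple[str, int, str, int]
# What a flow was given: (public_ip, public_port, uplink_name).
Mapping = Tuple[str, int, str]

# Constructed uplinks: linkA owns a.a.a.a, linkB owns b.b.b.b (hypothetical values).
UPLINKS: Dict[str, str] = {
    "linkA": "198.51.100.10",
    "linkB": "203.0.113.20",
}


@dataclass
class NatTable:
    uplinks: Dict[str, str]           # uplink name -> public IP it owns
    active: str                       # uplink used for NEW flows only
    mappings: Dict[FlowKey, Mapping] = field(default_factory=dict)
    reverse: Dict[Tuple[str, int], FlowKey] = field(default_factory=dict)
    next_port: int = 40000            # next public port to hand out

    def translate_out(self, key: FlowKey) -> Mapping:
        """Outbound packet: reuse an existing mapping, else allocate one on the active uplink."""
        m = self.mappings.get(key)
        if m is None:
            pub_ip = self.uplinks[self.active]
            m = (pub_ip, self.next_port, self.active)
            self.next_port += 1
            self.mappings[key] = m
            self.reverse[(pub_ip, m[1])] = key
        return m

    def translate_in(self, public_ip: str, public_port: int) -> Optional[FlowKey]:
        """Inbound reply: find the private flow, or None if its mapping was dumped."""
        return self.reverse.get((public_ip, public_port))

    def egress(self, public_ip: str) -> str:
        """Policy route: the translated source address picks the link, not a default route."""
        for name, ip in self.uplinks.items():
            if ip == public_ip:
                return name
        raise ValueError(f"no uplink owns {public_ip}")

    def switch(self, uplink: str, flush: bool = False) -> None:
        """Change the preferred uplink.

        flush=False keeps existing mappings (reload rules only, like 'ipnat -C');
        flush=True also clears the state table (like 'ipnat -CF').
        """
        if uplink not in self.uplinks:
            raise KeyError(uplink)
        self.active = uplink
        if flush:
            self.mappings.clear()
            self.reverse.clear()


def run_scenario(flush: bool) -> Dict[str, object]:
    """Open a flow while linkA is preferred, switch to linkB, open a second flow,
    then check whether a reply for the first flow still reaches its private host."""
    nat = NatTable(uplinks=dict(UPLINKS), active="linkA")
    flow1: FlowKey = ("192.168.1.50", 51000, "192.0.2.80", 443)   # constructed
    flow2: FlowKey = ("192.168.1.51", 51001, "192.0.2.80", 443)   # constructed

    pub_ip1, pub_port1, _ = nat.translate_out(flow1)
    nat.switch("linkB", flush=flush)          # external monitor now prefers link B
    pub_ip2, _, _ = nat.translate_out(flow2)

    return {
        "flow1_link": nat.egress(pub_ip1),
        "flow2_link": nat.egress(pub_ip2),
        "flow1_reply_delivered": nat.translate_in(pub_ip1, pub_port1) == flow1,
    }


if __name__ == "__main__":
    print("keep mappings :", run_scenario(flush=False))
    print("flush mappings:", run_scenario(flush=True))
```

In the keep-mappings run the first flow stays on linkA and its reply is still delivered, while the second flow goes out linkB; in the flush run the second flow is identical but the reply for the first flow no longer matches any mapping, which is what the remote peer would experience as a dropped connection. The model deliberately makes the egress decision from the translated source address alone, which is the policy-routing half of Leo's requirement: whatever address NAT picked is what decides the link, so a switch of preference never reroutes packets that were already translated.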