From: Julian Elischer <julian@elischer.org>
Date: Sat, 17 Mar 2001 22:45:43 -0800
To: Nick Rogness
Cc: Alex Pilosov, freebsd-net@FreeBSD.ORG, Jeroen Ruigrok/Asmodai
Subject: Re: same interface Route Cache
Message-ID: <3AB45997.D82A43B9@elischer.org>

Nick Rogness wrote:
>
> On Sat, 17 Mar 2001, Julian Elischer wrote:
>
> > Alex Pilosov wrote:
> > >
> > > On Sat, 17 Mar 2001, Nick Rogness wrote:
> > >
> > > > There is no way to tell your packet to go back out to ISP #2. That is the
> > > > point I'm trying to get across. Unless you're running a routing
> > > > daemon. But is that really practical with cable modems, dsl, etc?...I
> > > > don't think so.
> > >
> > > Is the clue really gone from this list?
> > >
> > > With policy routing, you indeed will be able to multihome, without any
> > > cooperation of your upstream (assuming strict filters on their ingress
> > > interfaces) and have things work.
> >
> > it should be possible to use IPFW and natd to do this:
> > IPFW could use Luigi's probability feature to select an interface to
> > use for each initiating session and ipfw could use a stateful rule
> > to 'remember the choice made'
>
> I would be interested to see what you are talking about with
> probability. I'll play with it this afternoon.

you could make the selection of interface based upon a single bit in the
remote address but if you were talking to one machine they would all go
across the same interface. it may be more 'fair' to use Luigi's random
selection and make interface independent of destination AND source.

> Just to be clear to everyone, the problem I'm seeing is this:
>
> 1) Packet comes in with src A.A.A.A dest B.B.B.B in interface A
> (in from ISP #2)
>
> 2) natd-2 (listening on interface A from ISP #2) changes the
> destination from B.B.B.B to machine X.X.X.X (internal)
>
> 3) Packet gets sent to machine X.X.X.X on the internal network.
>
> 4) Machine X.X.X.X responds to B.B.B.B, sending the packet
> back to the BSD machine.
>
> 5) The BSD machine looks up in the routing table how to get to
> B.B.B.B. Oh no! Go out interface B connected to ISP#1...the
> default gateway.
>
> 6) This triggers natd-1 to change the source to C.C.C.C and sends
> the packet out to B.B.B.B on the default interface B because of
> the default gateway.

you should have used a 'dynamic rule' to capture the state of the session.
I've never done this, only read the code.

> 7) Machine B.B.B.B is expecting a response from A.A.A.A, but
> instead, it is seeing a response from C.C.C.C
>
> And Alex, you can't fwd based on source because of the 2 natd's
> on 2 different interfaces. The firewall does not keep track of
> INCOMING packets. So the firewall does not know the right
> interface to forward the packet to, so the wrong natd gets
> triggered.

it's up to the remote machine to decide who it talks to. you just have
two DNS entries.
Once an interface has been selected you use dynamic rules to 'lock it in'.

> >
> > The final step is to select to which divert rule the packets eventually get
> > sent.
> > Each divert rule goes to a different natd, each of which is attached to a
> > different outgoing interface.
>
> I am going to look at what you suggested this afternoon to see if
> it works.
>
> Nick Rogness
> - Keep on routing in a Free World...
> "FreeBSD: The Power to Serve!"

--
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000-2001
---> X_.---._/
            v
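The seven steps Nick lists, and the 'dynamic rule' fix Julian suggests, as an added toy model written for this archive page. It is not code from the thread, from FreeBSD, or from ipfw itself; it simulates in Python what ipfw's check-state / keep-state dynamic rules and its prob keyword do for a box with one natd per upstream interface. The address letters follow Nick's step 7 (remote host B.B.B.B, our ISP #2 address A.A.A.A, our ISP #1 address C.C.C.C); interface names, the 0.5 split and the internal host X.X.X.X are constructed.

```python
"""Toy model of two-natd multihoming with and without ipfw dynamic rules.

Added example, not part of the mailing-list post and not ipfw code.
It models a FreeBSD box with two upstream interfaces ("A" to ISP #2,
"B" to ISP #1, which holds the default route), each with its own natd,
and shows why a reply to an inbound session leaves on the wrong
interface unless the session is pinned to the interface it arrived on.
"""
import random
from dataclasses import dataclass, field

# Constructed addresses, following the letters in step 7 of the thread.
INTERNAL_HOST = "X.X.X.X"   # machine on the internal network
REMOTE_HOST = "B.B.B.B"     # remote peer on the Internet
PUBLIC_ISP2 = "A.A.A.A"     # our address at ISP #2, interface "A", natd-2
PUBLIC_ISP1 = "C.C.C.C"     # our address at ISP #1, interface "B", natd-1

# Each interface has its own natd, translating to its own public address.
NATD = {"A": PUBLIC_ISP2, "B": PUBLIC_ISP1}
DEFAULT_IFACE = "B"         # the routing table's default gateway is at ISP #1


@dataclass
class Firewall:
    stateful: bool            # True: dynamic rules (ipfw keep-state/check-state)
    split_prob: float = 0.5   # ipfw-style 'prob' for new outbound sessions
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    # dynamic rules: (internal addr, remote addr) -> interface to use
    dyn: dict = field(default_factory=dict)

    def inbound(self, src, dst_public, iface):
        """Packet from the Internet arrives on `iface` (steps 1-3).
        That interface's natd maps our public address to the internal host.
        With keep-state, the session is remembered together with its
        interface, which is the piece Nick's setup lacks."""
        assert NATD[iface] == dst_public, "packet arrived on the wrong interface"
        if self.stateful:
            self.dyn[(INTERNAL_HOST, src)] = iface
        return (src, INTERNAL_HOST)   # packet as delivered to the LAN

    def outbound(self, src_internal, dst):
        """Internal host sends a packet (steps 4-6).
        Returns (outgoing interface, source address after natd)."""
        key = (src_internal, dst)
        if not self.stateful:
            # Nick's setup: plain routing table lookup -> default gateway.
            iface = DEFAULT_IFACE
        elif key in self.dyn:
            # check-state hit: the session is locked to its interface.
            iface = self.dyn[key]
        else:
            # New session: probability rule picks an interface regardless
            # of source or destination, then keep-state records the choice.
            iface = "A" if self.rng.random() < self.split_prob else DEFAULT_IFACE
            self.dyn[key] = iface
        return iface, NATD[iface]


def reply_path(stateful):
    """Run steps 1-6 and report where the reply leaves and as whom."""
    fw = Firewall(stateful=stateful)
    fw.inbound(REMOTE_HOST, PUBLIC_ISP2, "A")          # came in from ISP #2
    return fw.outbound(INTERNAL_HOST, REMOTE_HOST)     # the reply


def session_interfaces(n_packets=5):
    """An internally initiated session: with dynamic rules every packet
    of the session leaves on the interface the first packet chose."""
    fw = Firewall(stateful=True)
    return [fw.outbound(INTERNAL_HOST, "D.D.D.D")[0] for _ in range(n_packets)]


def session_spread(n_sessions=100):
    """Many sessions to different remotes: the probability rule spreads
    them over both interfaces independent of source and destination."""
    fw = Firewall(stateful=True)
    return {fw.outbound(INTERNAL_HOST, f"R.{i}")[0] for i in range(n_sessions)}


if __name__ == "__main__":
    print("without dynamic rules, reply leaves via", reply_path(False))  # B.B.B.B sees C.C.C.C
    print("with dynamic rules, reply leaves via   ", reply_path(True))   # B.B.B.B sees A.A.A.A
    print("one session, per-packet interface:", session_interfaces())
    print("interfaces used across sessions:", session_spread())
```

The stateless case reproduces step 7 (the remote expects A.A.A.A and sees C.C.C.C); the stateful case returns the reply through interface A and natd-2. In real ipfw the same idea is a check-state rule ahead of the divert rules, and keep-state on the rules that choose an interface; whether divert itself can carry the dynamic state, or needs a skipto in front of it, depends on the ipfw version and is not something this model settles.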