Date:      Thu, 12 Jul 2007 22:01:38 +0200
From:      Andrea Venturoli <ml@netfence.it>
To:        Artyom Viklenko <artem@aws-net.org.ua>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Again two ADSL lines, routing problems
Message-ID:  <469688A2.3000708@netfence.it>
In-Reply-To: <4696387F.4080404@aws-net.org.ua>
References:  <4695FEF4.4030708@netfence.it> <469616B2.2020803@aws-net.org.ua> <46961C0B.6060004@netfence.it> <4696387F.4080404@aws-net.org.ua>

Artyom Viklenko ha scritto:

> Very brief example (just to show main idea).
> Assume you have three interfaces in router fxp0 - lan, fxp1 - adsl1, fxp2 - adsl2.
> fxp0 - 192.168.0.1, fxp1 - 192.168.1.2, fxp2 - 192.168.2.2
> adsl1 - 192.168.1.1, adsl2 - 192.168.2.1
> 
> 
> 
> $server="192.168.0.2"
> $adsl1="192.168.1.1"
> $adsl2="192.168.2.1"
> 
> pass in on fxp1 inet from any to $server keep state tag ADSL1
> pass in on fxp2 inet from any to $server keep state tag ADSL2
> 
> pass out on fxp0 reply-to (fxp1 $adsl1) from any to $server tagged ADSL1 keep state
> pass out on fxp0 reply-to (fxp2 $adsl2) from any to $server tagged ADSL2 keep state
> 
> This is just part of whole rulebase regarding your problem.
> Packets coming in via adsl1 will pass and get tagged with the ADSL1 tag. Also,
> state will be created. Then the packet will pass out to the server, state will be
> created, and all replies from the server will be forwarded back via adsl1.
> 
> Same for traffic from adsl2.

Thank you very much, this might do the trick.
However, in your example the two ADSL routers are on separate 
interfaces, while in the setup I have there's only one external 
interface (and a switch).
Would this work the same, by tagging based on MAC address?
Even if the machine is not acting as a bridge?
Should I create a bridge0 interface, even if it would actually not 
bridge anything?

Besides, I don't really understand what fxp0 has to do with this: the 
box which is connected to the two ADSL is running the server, so in the 
above example $server would be 192.168.0.1 itself.
If I understand correctly I should do something along the lines of:


$adsl1="192.168.0.1"
$adsl1mac="aa:bb:cc:dd:ee:ff"
$adsl2="192.168.0.2"
$adsl2mac="gg:hh:ii:jj:kk:ll"
# Tag based on MAC address
pass in on fxp0 reply-to (fxp0 $adsl1) inet from any to $server tagged ADSL1 keep state
pass in on fxp0 reply-to (fxp0 $adsl2) inet from any to $server tagged ADSL2 keep state



One last question: could I use this, while still filtering with ipfw as 
I do now? Can the two firewalls cooperate?
Would this be too much trouble (even if I have a non trivial ruleset 
working)?



Can someone suggest a way with ipfw?
I found this: http://archive.netbsd.se/?ml=dfbsd-users&a=2005-10&t=1361976
(the last message).
It would involve creating a second net on the same ethernet segment, but 
I can live with that (although it is going to be slightly more 
complicated since I'm also using CARP).
Any opinion on this?



  bye & Thanks
	av.

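An added pf.conf example for the single-interface case discussed in this thread; it is not configuration from either poster. It follows the second-network idea mentioned above instead of MAC tagging: the server (which runs pf itself) gets one alias address per ADSL router, each router forwards inbound connections to its own alias, and the destination address then identifies which router delivered the packet. Interface name fxp0, the 192.168.0.0/24 segment, the gateway addresses 192.168.0.1/.2, the alias addresses 192.168.0.11/.12 and port 80 are all assumed. Because the server is the pf host, reply-to on the pass in rule is enough; the tag/tagged pair from the quoted example is only needed when the ingress decision has to be carried to a pass out rule on a second interface.

```pf
# Added example, not from the thread. Assumptions: pf runs on the server,
# which has a single interface fxp0 on 192.168.0.0/24 together with both
# ADSL routers; adsl1 forwards inbound connections to 192.168.0.11 and
# adsl2 to 192.168.0.12 (port forwards on the routers, not shown here), and
# the routers do not rewrite the client source address.
ext_if        = "fxp0"
lan_net       = "192.168.0.0/24"
adsl1_gw      = "192.168.0.1"
adsl2_gw      = "192.168.0.2"
srv_via_adsl1 = "192.168.0.11"   # alias on fxp0, reachable through adsl1
srv_via_adsl2 = "192.168.0.12"   # alias on fxp0, reachable through adsl2

# Default deny inbound; be explicit about what is accepted.
block in on $ext_if

# Hosts on the local segment are reached directly and need no gateway,
# so match them first and stop evaluation with quick.
pass quick on $ext_if inet from $lan_net to $lan_net keep state

# Inbound connections: the destination alias tells which router delivered
# the packet. reply-to on a pass in rule records (interface, gateway) in the
# state entry, and every reply of that state is sent to that gateway
# regardless of the kernel routing table.
pass in on $ext_if reply-to ($ext_if $adsl1_gw) inet proto tcp \
    from any to $srv_via_adsl1 port 80 keep state
pass in on $ext_if reply-to ($ext_if $adsl2_gw) inet proto tcp \
    from any to $srv_via_adsl2 port 80 keep state

# Connections the server opens itself still follow the default route.
pass out on $ext_if inet keep state
```

Before loading, add the aliases with `ifconfig fxp0 inet 192.168.0.11 netmask 255.255.255.255 alias` (and likewise for .12), then syntax-check the ruleset with `pfctl -nf /etc/pf.conf`. After loading, `pfctl -ss` lists the state entries; each entry created by one of the reply-to rules is what makes the reply leave through the right router, so a connection arriving via adsl1 must show up with destination 192.168.0.11 and never with .12.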
