From: Andrea Venturoli
To: Artyom Viklenko
Cc: freebsd-net@freebsd.org
Subject: Re: Again two ADSL lines, routing problems
Date: Thu, 12 Jul 2007 22:01:38 +0200
Message-ID: <469688A2.3000708@netfence.it>
In-Reply-To: <4696387F.4080404@aws-net.org.ua>
References: <4695FEF4.4030708@netfence.it> <469616B2.2020803@aws-net.org.ua> <46961C0B.6060004@netfence.it> <4696387F.4080404@aws-net.org.ua>

Artyom Viklenko wrote:
> Very brief example (just to show main idea).
> Assume you have three interfaces in router: fxp0 - lan, fxp1 - adsl1, fxp2 - adsl2.
> fxp0 - 192.168.0.1, fxp1 - 192.168.1.2, fxp2 - 192.168.2.2
> adsl1 - 192.168.1.1, adsl2 - 192.168.2.1
>
> $server="192.168.0.2"
> $adsl1="192.168.1.1"
> $adsl2="192.168.2.1"
>
> pass in on fxp1 inet from any to $server keep state tag ADSL1
> pass in on fxp2 inet from any to $server keep state tag ADSL2
>
> pass out on fxp0 reply-to (fxp1 $adsl1) from any to $server tagged ADSL1 keep state
> pass out on fxp0 reply-to (fxp2 $adsl2) from any to $server tagged ADSL2 keep state
>
> This is just part of the whole rulebase regarding your problem.
> Packets coming in via adsl1 will pass and get tagged with the ADSL1 tag. Also, state will be created.
> Then the packet will pass out to the server, state will be created,
> and all replies from the server will be forwarded back via adsl1.
>
> Same for traffic from adsl2.

Thank you very much, this might do the trick.

However, in your example the two ADSL routers are on separate interfaces, while in the setup I have there's only one external interface (and a switch).
Would this work the same, by tagging based on MAC address? Even if the machine is not acting as a bridge? Should I create a bridge0 interface, even if it would actually not bridge anything?

Besides, I don't really understand what fxp0 has to do with this: the box which is connected to the two ADSL lines is running the server, so in the above example $server would be 192.168.0.1 itself.

If I understand correctly I should do something along the lines of:

$adsl1="192.168.0.1"
$adsl1mac="aa:bb:cc:dd:ee:ff"
$adsl2="192.168.0.2"
$adsl2mac="gg:hh:ii:jj:kk:ll"

# Tag based on MAC address
pass in on fxp0 reply-to (fxp0 $adsl1) inet from any to $server tagged ADSL1 keep state
pass in on fxp0 reply-to (fxp0 $adsl2) inet from any to $server tagged ADSL2 keep state

One last question: could I use this while still filtering with ipfw as I do now? Can the two firewalls cooperate?
Would this be too much trouble (even if I have a non-trivial ruleset working)? Can someone suggest a way with ipfw?

I found this: http://archive.netbsd.se/?ml=dfbsd-users&a=2005-10&t=1361976 (the last message). It would involve creating a second net on the same ethernet segment, but I can live with that (although it is going to be slightly more complicated since I'm also using CARP). Any opinion on this?

bye & Thanks
av.
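The "second net on the same Ethernet segment" idea from the linked thread, written out as a pf.conf fragment; this is an added illustration, not a rule set posted by anyone in the thread. It assumes the server runs on the pf box itself (so the inbound reply-to alone steers the replies and no tag/tagged pair is needed), that fxp0 carries a primary address plus an alias in a second subnet, and that each ADSL router forwards to one of those two addresses; all addresses and the port list are made up.

```pf
# Added example (not from the thread): two ADSL routers on one Ethernet
# segment, server running on the pf box itself. Each router forwards to
# a different local address on fxp0, so the destination address (not the
# MAC address, which pf cannot match on) tells the rules which link a
# connection arrived on. All addresses below are assumed; the alias is
# set up beforehand with e.g.
#   ifconfig fxp0 alias 192.168.1.10 netmask 255.255.255.0
ext_if    = "fxp0"           # single interface facing the switch
adsl1_gw  = "192.168.0.1"    # ADSL router 1, first net
adsl2_gw  = "192.168.1.1"    # ADSL router 2, second net on the same wire
srv_adsl1 = "192.168.0.10"   # fxp0 primary address, target of adsl1 port forwarding
srv_adsl2 = "192.168.1.10"   # fxp0 alias, target of adsl2 port forwarding
srv_ports = "{ 25, 80, 443 }"

# Replies belonging to a state created by these rules are sent to the
# gateway named in reply-to, whatever the routing table's default route
# says, so each ADSL link sees the return traffic for its own connections.
pass in on $ext_if reply-to ($ext_if $adsl1_gw) inet proto tcp \
    from any to $srv_adsl1 port $srv_ports flags S/SA keep state
pass in on $ext_if reply-to ($ext_if $adsl2_gw) inet proto tcp \
    from any to $srv_adsl2 port $srv_ports flags S/SA keep state

# Syntax-check without loading, then load and watch the states being
# created for each of the two addresses:
#   pfctl -nf /etc/pf.conf
#   pfctl -f /etc/pf.conf
#   pfctl -ss | grep -e 192.168.0.10 -e 192.168.1.10
```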