Date:      Tue, 18 Jul 2017 01:19:00 +0700
From:      Eugene Grosbein <eugen@grosbein.net>
To:        Alan Somers <asomers@freebsd.org>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>, freebsd-jail@freebsd.org, Grzegorz Junka <list1@gjunka.com>
Subject:   Re: A web server behind two gateways?
Message-ID:  <596CFF94.2090506@grosbein.net>
In-Reply-To: <CAOtMX2g6cwDCWJNabqp8AxX_ojSD9T8M9Ga3%2BcX7aUysmzLjSg@mail.gmail.com>
References:  <a35370da-531d-6678-4a60-95304bdd919b@gjunka.com> <596CA093.6020508@grosbein.net> <CAOtMX2h6zBi4aVDSdUP_Po_JwOLbxynanZ624530mGLk16fWbg@mail.gmail.com> <596CF1BA.8050104@grosbein.net> <CAOtMX2g6cwDCWJNabqp8AxX_ojSD9T8M9Ga3%2BcX7aUysmzLjSg@mail.gmail.com>

18.07.2017 0:48, Alan Somers wrote:

> I think what you meant to say is "this will work for a server directly
> connected to two external gateways (whether or not NAT is involved),
> but won't work if the server is not on the same subnet as the
> gateways".  That's true.  But judging by the OP, I think they're all
> on the same subnet.

Yes. Anyway, as long as there is NAT involved, one already has a stateful engine,
and the simplest and universal solution for this situation is PBR after NAT for outgoing packets.

It works no matter whether the gateways are directly connected or not
and does not require multiple routing tables nor complex FIB or VNET configurations:

# remove "default" NAT rule
ipfw delete 50

# translate incoming traffic and create NAT states
ipfw add 40 nat 123 ip from any to any in recv $iface1
ipfw add 50 nat 124 ip from any to any in recv $iface2

# insert normal filtering here
...
# translate outgoing replies using existing NAT states
ipfw add 50020 nat global ip from $LAN to any out xmit $iface1
ipfw add 50030 nat global ip from $LAN to any out xmit $iface2

# translate new outgoing connections not having a state yet
ipfw add 50040 nat 123 ip from any to any out xmit $iface1
ipfw add 50050 nat 124 ip from any to any out xmit $iface2

# perform Policy Based Routing for packets going to "wrong" route
ipfw add 50140 fwd $gateway2 ip from $extip2 to any out xmit $iface1
ipfw add 50150 fwd $gateway1 ip from $extip1 to any out xmit $iface2

# that's all, folks!

This works no matter where default route points to ($gateway1 or $gateway2).
All you need is a working default route and net.inet.ip.fw.one_pass=0.

This can be extended to any number of external channels/interfaces
and optimized with ipfw tables, but for two channels I prefer to write it so
for readability. I use this for many installations and it just works.
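The two-uplink ruleset above, generalized to any number of uplinks as an added example that is not part of the original message: a POSIX sh dry-run generator that prints the ipfw commands (nat instance config, inbound and outbound NAT, and one fwd rule per pair of uplinks) for a constructed set of interfaces and addresses. The `ipfw nat N config if` lines are my assumption about how the instances are configured, and the normal filtering rules are left out as in the message.

```shell
#!/bin/sh
# Added example, not code from the original message: emit the ipfw ruleset
# described above for N uplinks as a dry run (prints the commands, does not
# run them). Interface names, addresses and nat instance numbers are
# constructed; adjust them before feeding the output to a root shell.
LAN=192.168.0.0/24
# Flat list of uplinks, four words each: nat-instance iface extip gateway
UPLINKS="123 em0 203.0.113.10 203.0.113.1  124 em1 198.51.100.10 198.51.100.1"

rule() { echo "ipfw add $1 $2"; }

# PBR rules for uplink index $1 (interface $2): a packet sourced from another
# uplink's external address but leaving this interface is handed to that
# uplink's gateway. Emits N-1 rules numbered from 50140 upwards (50140 and
# 50150 for the two-uplink case, as in the message).
pbr_rules() {
    pi=$1; piface=$2; pn=$3
    set -- $4
    j=0; k=0
    while [ $# -ge 4 ]; do
        if [ "$j" -ne "$pi" ]; then
            rule $((50140 + 10 * (pi * (pn - 1) + k))) "fwd $4 ip from $3 to any out xmit $piface"
            k=$((k + 1))
        fi
        j=$((j + 1)); shift 4
    done
}

# Rule numbers, not the order of the commands, decide matching order, so the
# rules are emitted per uplink rather than per phase as in the message.
gen_ruleset() {
    lan=$1; list=$2
    set -- $list
    n=$(($# / 4))                               # number of uplinks
    echo "sysctl net.inet.ip.fw.one_pass=0"     # packets continue after nat/fwd
    i=0
    while [ $# -ge 4 ]; do
        nat=$1; iface=$2; shift 4
        echo "ipfw nat $nat config if $iface"   # assumed instance setup
        # translate incoming traffic and create NAT states
        rule $((40 + 10 * i)) "nat $nat ip from any to any in recv $iface"
        # translate outgoing replies using existing states of any instance
        rule $((50020 + 10 * i)) "nat global ip from $lan to any out xmit $iface"
        # translate new outgoing connections via this uplink's own instance
        rule $((50040 + 10 * i)) "nat $nat ip from any to any out xmit $iface"
        pbr_rules "$i" "$iface" "$n" "$list"
        i=$((i + 1))
    done
    echo "# insert normal filtering between rule 50 and rule 50020"
}

gen_ruleset "$LAN" "$UPLINKS"
```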
