From owner-freebsd-jail@freebsd.org Mon Jul 17 18:19:19 2017 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E6465D9CE31; Mon, 17 Jul 2017 18:19:19 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from hz.grosbein.net (hz.grosbein.net [78.47.246.247]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 7BE706AF37; Mon, 17 Jul 2017 18:19:18 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from eg.sd.rdtc.ru (root@eg.sd.rdtc.ru [62.231.161.221]) by hz.grosbein.net (8.15.2/8.15.2) with ESMTPS id v6HIJ9XR080790 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 17 Jul 2017 20:19:10 +0200 (CEST) (envelope-from eugen@grosbein.net) X-Envelope-From: eugen@grosbein.net X-Envelope-To: asomers@freebsd.org Received: from [10.58.0.4] ([10.58.0.4]) by eg.sd.rdtc.ru (8.15.2/8.15.2) with ESMTPS id v6HIJ56N073335 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 18 Jul 2017 01:19:05 +0700 (+07) (envelope-from eugen@grosbein.net) Subject: Re: A web server behind two gateways? To: Alan Somers References: <596CA093.6020508@grosbein.net> <596CF1BA.8050104@grosbein.net> Cc: FreeBSD Net , freebsd-jail@freebsd.org, Grzegorz Junka From: Eugene Grosbein Message-ID: <596CFF94.2090506@grosbein.net> Date: Tue, 18 Jul 2017 01:19:00 +0700 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=0.3 required=5.0 tests=BAYES_00,LOCAL_FROM autolearn=no autolearn_force=no version=3.4.1 X-Spam-Report: * -2.3 BAYES_00 BODY: Bayes spam probability is 0 to 1% * [score: 0.0000] * 2.6 LOCAL_FROM From my domains X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on hz.grosbein.net X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jul 2017 18:19:20 -0000 18.07.2017 0:48, Alan Somers wrote: > I think what you meant to say is "this will work for a server directly > connected to two external gateways (whether or not NAT is involved), > but won't work if the server is not on the same subnet as the > gateways". That's true. But judging by the OP, I think they're all > on the same subnet. Yes. Anyway, as long as there is NAT involved, one already has stateful engine and simpliest and universal solution for this situation is PBR after NAT for outgoing packets. It works no matter whether gateways are directly connecter or not and does not require multiple routing tables nor complex FIB or VNET configurations: # remove "default" NAT rule ipfw delete 50 # translate incoming traffic and create NAT states ipfw add 40 nat 123 ip from any to any in recv $iface1 ipfw add 50 nat 124 ip from any to any in recv $iface2 # insert normal filtering here ... # translate outgoing replies using existing NAT states ipfw add 50020 nat global ip from $LAN to any out xmit $iface1 ipfw add 50030 nat global ip from $LAN to any out xmit $iface2 # translate new outgoing connections not having a state yet ipfw add 50040 nat 123 ip from any to any out xmit $iface1 ipfw add 50050 nat 124 ip from any to any out xmit $iface2 # perform Policy Based Routing for packets going to "wrong" route ipfw add 50140 fwd $gateway2 ip from $extip2 to any out xmit $iface1 ipfw add 50150 fwd $gateway1 ip from $extip1 to any out xmit $iface2 # that's all, folks! This works no matter where default route points to ($gateway1 or $gateway2). All you need is working default route and net.inet.ip.fw.one_pass=0. This can be extended to any number of external channels/interfaces and optimized with ipfw tables but for two channels I prefer write it so for readability. I use this for many installations and it just works.