From: Andrea Venturoli <ml@netfence.it>
Date: Wed, 14 May 2014 12:05:26 +0200
To: freebsd-net@freebsd.org
Cc: dom@talk2dom.com
Subject: Re: Server with multiple public IP
Message-ID: <53733FE6.4060605@netfence.it>
References: <535E1842.20905@netfence.it> <535E1C66.6090004@talk2dom.com>
In-Reply-To: <535E1C66.6090004@talk2dom.com>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>

On 04/28/14 11:16, Dominic Froud wrote:
> On 28/04/2014 09:58, Andrea Venturoli wrote:
>> I've got a server which has two (or more) interfaces with public IPs.
>>
>> Let's say, as an example (with fictional IPs):
>> ifconfig_vlan1="inet 1.0.0.2 netmask 255.255.255.248..."
>> ifconfig_vlan2="inet 2.0.0.2 netmask 255.255.255.248..."
>>
>> Of course, I can only have a default route, let's say 1.0.0.1.
>> This is fine for outgoing traffic and for incoming connections on vlan1.
>> However, when someone from the outside connects to 2.0.0.2, reply
>> packets still go out through 1.0.0.1 (on vlan1), but they should go
>> through vlan2 to 2.0.0.1.
>
> You want source-based routing.
>
> I have this situation and I used pf(4) to do it with a rule like:
>
> pass out quick route-to ( vlan2 ) from 2.0.0.0/29 to any no state
>
> As a variation you can give an optional next-hop address if you have a
> static router for that vlan, e.g. if your router is 2.0.0.1:
>
> pass out quick route-to ( vlan2 2.0.0.1 ) from 2.0.0.0/29 to any no state
>
> Also, you can run pf and ipfw at the same time!
>
> Hope this helps,

I ended up using this solution... so far so good (and so easy).

Thanks a lot.

 bye
	av.
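The following is an added example, not code from the thread or from FreeBSD. It generates the `route-to` rule shown above for every non-default link of a multi-homed host and models the egress decision for a reply packet, so the difference between plain default routing and pf source-based routing can be checked before touching a live box. The interface names, subnets and gateways are the fictional values from the thread; the functions and the simplified longest-prefix lookup are assumptions of this example.

```python
"""Added example: pf route-to rules for a multi-homed host, plus a model
of which gateway a reply packet leaves through (not from the original thread)."""
import ipaddress

# Constructed from the thread: (interface, local subnet, upstream router).
LINKS = [
    ("vlan1", "1.0.0.0/29", "1.0.0.1"),   # carries the kernel default route
    ("vlan2", "2.0.0.0/29", "2.0.0.1"),   # replies from here need route-to
]
DEFAULT_GW = ("vlan1", "1.0.0.1")         # the single default route


def route_to_rules(links, default_if):
    """Emit one 'pass out quick route-to' rule per non-default link, in the
    next-hop form used in the thread.  The default link needs no rule: the
    kernel routing table already sends its traffic to the right router."""
    rules = []
    for ifname, subnet, gw in links:
        if ifname == default_if:
            continue
        rules.append(
            f"pass out quick route-to ( {ifname} {gw} ) from {subnet} to any no state"
        )
    return rules


def egress(src_ip, links, default_gw, source_routing=True):
    """Return (interface, next-hop) used by a packet sourced from src_ip.

    Without source-based routing the kernel consults only the destination
    table, so every outbound packet to the Internet follows the default
    route, regardless of which local address it carries.  With the route-to
    rules pf selects the link whose subnet contains the source address
    (longest-prefix match, a simplification of pf's first/last-match order)."""
    if source_routing:
        src = ipaddress.ip_address(src_ip)
        best = None
        for ifname, subnet, gw in links:
            net = ipaddress.ip_network(subnet)
            if src in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, ifname, gw)
        if best is not None:
            return best[1], best[2]
    return default_gw


if __name__ == "__main__":
    print("\n".join(route_to_rules(LINKS, "vlan1")))
    for mode in (False, True):
        print(f"source_routing={mode}: reply from 2.0.0.2 leaves via",
              egress("2.0.0.2", LINKS, DEFAULT_GW, source_routing=mode))
```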