From owner-freebsd-hackers@FreeBSD.ORG  Sun Oct  5 19:05:33 2003
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 6107716A4B3; Sun,  5 Oct 2003 19:05:33 -0700 (PDT)
Received: from skywalker.rogness.net (skywalker.rogness.net [64.251.173.102])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 4C97643FB1; Sun,  5 Oct 2003 19:05:32 -0700 (PDT)
	(envelope-from nick@rogness.net)
Received: from skywalker.rogness.net (localhost [127.0.0.1])
	by skywalker.rogness.net (8.12.5/8.12.5) with ESMTP id h962B8Vs047326;
	Sun, 5 Oct 2003 20:11:08 -0600 (MDT)
	(envelope-from nick@rogness.net)
Received: from localhost (nick@localhost)h962B7ru047323;
	Sun, 5 Oct 2003 20:11:07 -0600 (MDT)
X-Authentication-Warning: skywalker.rogness.net: nick owned process doing -bs
Date: Sun, 5 Oct 2003 20:11:05 -0600 (MDT)
From: Nick Rogness <nick@rogness.net>
To: Wes Peters <wes@softweyr.com>
In-Reply-To: <200310051343.01251.wes@softweyr.com>
Message-ID: <20031005193343.F47183-100000@skywalker.rogness.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: darrenr@freebsd.org
cc: freebsd-hackers@freebsd.org
Subject: Re: Changing the NAT IP on demand?
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Oct 2003 02:05:33 -0000

On Sun, 5 Oct 2003, Wes Peters wrote:

> On Sunday 05 October 2003 01:02 am, Nick Rogness wrote:
> > On Sat, 4 Oct 2003, Leo Bicknell wrote:
> > > I'm considering options for a new project, and I think I've
> > > discovered what I think is the best idea, but I don't think current
> > > software supports the config.  I'd like to get some confirmation,
> > > and comments on if it would be hard to implement.
> > >
> > > Consider:
> > >
> > >
> > > ISP #1-------\
> > >               \
> > >               FreeBSD Box----LAN
> > >               /
> > > ISP #2-------/
> > >
> > > In this case the LAN would be 1918 space, the two ISP's would each
> > > provide a public IP for the FreeBSD box.
> > >
> > > Now, NAT would be required.  What I want to do is write an external
> > > application to decide the performance of ISP #1 and ISP#2, and
> > > somehow tell NAT which outside address to use.
> > >
> > > That, by itself, is not hard.  Here's the trick.  I want the switch
> > > to be seamless.  That is, if NAT is translating to ISP #1 and the
> > > application says switch to #2 the existing translations to #1 (until
> > > they go away naturally) should be kept, while new ones go to #2.
> > >
> > > The only ways I know to change the outside address seem to tear
> > > down all existing connections.
> > >
> > > Is it possible to make this work today?  Would it be hard to fix if
> > > it doesn't work today?
> >
> > 	This can simply not work without resetting connections.  The
> > 	socket pair on the "outside" would break as your outside traffic
> > 	switches from one to the other (src/dst would change).  There is
> > 	no fix, as this breaks basic IP principals.
>
> That's not at all what Leo was asking.

	Sorry bout that, didn't read carefully enough.  I understand the
	question now after more careful reading.

>
> Leo, you may be able to do this with ipfilter's ipnat.  Nat rules are
> traditionally processed with 'ipnat -CF', the -C clears the rules and
> the -F option clears the currently active NAT mappings.  You should
> experiment with rewriting the rules and instantiating them with -C only.
> This should leave the existing stateful mappings to the formerly
> preferred interface while creating all new mappings on the newly
> preferred interface.

	In addition to keeping your NAT translations (as suggested by
	Wes), you need to also keep routes for those entries as well, so
	that preserved traffic remains to route out the right ISP even if
	a switch occurs.

	The reason for this is simple.
	When you switch the route(s) to the other ISP (which you would
	have to do), your existing translations would get routed out to
	the wrong ISP.  You would need to keep routes for existing
	translations to make sure they leave the proper 'old' interface.
	This would not be necessary if each ISP allowed you to use either
	public IP on each others network (not likely).

	Nat (AFAIK) does not determine which interface to leave.  You can
	change the source address in the packet to anything you want, this
	will not tell it to leave 'interace_to_ISP#1' or
	'interface_to_ISP#2'. That is a decision made using the routing
	table.  Your app would have to keep track of these NAT things and
	also add and remove routes from the routing table.

	That is, if everything is going out ISP#1 and you decide to switch
	to ISP#2 you would need to:

		1) Keep exisiting NAT translation(s) like suggested by
		   Wes.
		2) Add routing table entry for each of the NAT
		   translations you want to preserve to ISP#1
		3) Switch default routing to ISP#2
		4) When sessions are finsihed and NAT translations
		   removed to ISP#1, the route(s) that pertain to those
		   NAT translations would need to be removed.


Nick Rogness <nick@rogness.net>
-
  How many people here have telekenetic powers? Raise my hand.
  				-Emo Philips