Subject: Re: A web server behind two gateways?
From: Eugene Grosbein
To: Alan Somers
Cc: FreeBSD Net, freebsd-jail@freebsd.org, Grzegorz Junka
Date: Tue, 18 Jul 2017 01:22:00 +0700
Message-ID: <596D0048.7040100@grosbein.net>
In-Reply-To: <596CFF94.2090506@grosbein.net>
References: <596CA093.6020508@grosbein.net> <596CF1BA.8050104@grosbein.net> <596CFF94.2090506@grosbein.net>
List-Id: "Discussion about FreeBSD jail(8)"

18.07.2017 1:19, Eugene Grosbein wrote:
> 18.07.2017 0:48, Alan Somers wrote:
>
>> I think what you meant to say is "this will work for a server directly
>> connected to two external gateways (whether or not NAT is involved),
>> but won't work if the server is not on the same subnet as the
>> gateways". That's true. But judging by the OP, I think they're all
>> on the same subnet.
>
> Yes. Anyway, as long as there is NAT involved, one already has a stateful engine,
> and the simplest and universal solution for this situation is PBR after NAT for outgoing packets.
>
> It works no matter whether gateways are directly connected or not
> and does not require multiple routing tables nor complex FIB or VNET configurations:
>
> # remove "default" NAT rule
> ipfw delete 50
>
> # translate incoming traffic and create NAT states
> ipfw add 40 nat 123 ip from any to any in recv $iface1
> ipfw add 50 nat 124 ip from any to any in recv $iface2
>
> # insert normal filtering here
> ...
> # translate outgoing replies using existing NAT states
> ipfw add 50020 nat global ip from $LAN to any out xmit $iface1
> ipfw add 50030 nat global ip from $LAN to any out xmit $iface2
>
> # translate new outgoing connections not having a state yet
> ipfw add 50040 nat 123 ip from any to any out xmit $iface1
> ipfw add 50050 nat 124 ip from any to any out xmit $iface2

bugfix:

ipfw add 50040 nat 123 ip from $LAN to any out xmit $iface1
ipfw add 50050 nat 124 ip from $LAN to any out xmit $iface2

> # perform Policy Based Routing for packets going to "wrong" route
> ipfw add 50140 fwd $gateway2 ip from $extip2 to any out xmit $iface1
> ipfw add 50150 fwd $gateway1 ip from $extip1 to any out xmit $iface2
>
> # that's all, folks!
>
> This works no matter where the default route points to ($gateway1 or $gateway2).
> All you need is a working default route and net.inet.ip.fw.one_pass=0.
>
> This can be extended to any number of external channels/interfaces
> and optimized with ipfw tables, but for two channels I prefer to write it so
> for readability. I use this for many installations and it just works.
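As an added example (not code from the thread), a small POSIX sh generator that expands the ruleset above, with the bugfix applied, to any number of external links, keeping the ordering the pattern depends on: inbound NAT first, `nat global` for replies, per-instance NAT for new LAN connections, then the PBR `fwd`. The NAT instance numbers (101, 102, ...), rule numbers, the `nat ... config if` line and the `not xmit` form of the PBR match are my choices, and the addresses are constructed RFC 5737 documentation values.

```shell
#!/bin/sh
# Emit an ipfw ruleset generalizing the thread's two-link NAT-then-PBR pattern
# to N external links. Example code written for this note, not from the thread;
# instance numbers, rule numbers and "same_ports" are assumptions of this example.
# Usage: gen_rules LAN_CIDR iface:extip:gateway [iface:extip:gateway ...]
gen_rules() {
    lan=$1; shift
    echo "sysctl net.inet.ip.fw.one_pass=0"   # packets keep matching after nat/fwd
    n=0
    for link in "$@"; do                     # one NAT instance per external interface
        n=$((n + 1)); iface=${link%%:*}
        echo "ipfw nat $((100 + n)) config if $iface same_ports"
    done
    n=0
    for link in "$@"; do                     # inbound: translate and create NAT states
        n=$((n + 1)); iface=${link%%:*}
        echo "ipfw add $((100 + n)) nat $((100 + n)) ip from any to any in recv $iface"
    done
    echo "# insert normal filtering rules here"
    n=0
    for link in "$@"; do                     # replies: reuse whichever instance holds the state
        n=$((n + 1)); iface=${link%%:*}
        echo "ipfw add $((50100 + n)) nat global ip from $lan to any out xmit $iface"
    done
    n=0
    for link in "$@"; do                     # new outbound connections: LAN sources only (the bugfix)
        n=$((n + 1)); iface=${link%%:*}
        echo "ipfw add $((50200 + n)) nat $((100 + n)) ip from $lan to any out xmit $iface"
    done
    n=0
    for link in "$@"; do                     # PBR: a packet carrying link i's address leaves via gateway i
        n=$((n + 1)); iface=${link%%:*}
        rest=${link#*:}; extip=${rest%%:*}; gw=${rest#*:}
        echo "ipfw add $((50300 + n)) fwd $gw ip from $extip to any out not xmit $iface"
    done
}

# Constructed sample: two uplinks with RFC 5737 documentation addresses
gen_rules 192.168.1.0/24 em0:203.0.113.10:203.0.113.1 em1:198.51.100.10:198.51.100.1
```

The output is meant to be reviewed, then applied after the existing "default" NAT rule has been deleted as in the thread.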