Date: Tue, 22 Sep 2020 08:07:00 +0000
From: Grzegorz Junka <list1@gjunka.com>
To: freebsd-net@freebsd.org
Subject: Re: sshd on two fibs
Message-ID: <08ecc039-99eb-721c-40f5-28b75be392d3@gjunka.com>
In-Reply-To: <c7af254d-e27b-9834-8b9f-6d62cf9a4f89@grosbein.net>
References: <48e3aa5d-3123-45f2-5c46-6851ad90110a@gjunka.com> <4d78a442-147f-db32-72ae-487d3e0197cc@grosbein.net> <9ff48087-b24e-263c-b1c2-030318722ec1@gjunka.com> <c7af254d-e27b-9834-8b9f-6d62cf9a4f89@grosbein.net>
On 21/09/2020 07:35, Eugene Grosbein wrote:
> 21.09.2020 14:21, Grzegorz Junka wrote:
>
>>> All you need is telling the kernel to use the right gateway based on source IP address despite the default route;
>>> this is called policy-based routing and you can achieve that with a single ipfw rule:
>>>
>>> ipfw add 2000 fwd $gateway2 ip from $wan2ip to any out xmit $wan1
>>>
>>> That is: redirect IP packets with the source of the second WAN interface ($wan2ip) to the right gateway of that WAN ($gateway2)
>>> if they are going out using the (wrong) route to WAN1. That's all.
>> Thanks Eugene. I am reluctant to add firewall rules because the second interface is configured as being in fib 1.
> Existence of the fib 1 does not matter for your case, at all.
>
>> This is so that jails, which are also started with fib 1, can use the proper routing table.
> Exactly.
>
>> I don't want to add complexity where it isn't necessary, unless there is no other option.
> Me too. And a single ipfw rule is the minimal possible addition; all other solutions are more complex.
>
>> Is it possible to somehow configure sshd to use the proper routing table?
> It is possible but it won't help you because every routing table contains routes that do NOT depend
> on the source IP address of the packet and you need such policy-based routing. Standard routing tables
> do not offer policy-based routing, so they are useless for you.
>
> You could read the rc.conf(5) manual page to learn about the <name>_fib knob (f.e. sshd_fib="1")
> but it won't solve your problem. You could also add your own startup script to run a second copy of sshd
> with its own PID file and listening IP address and FIB but that would be a much more complex solution.
>
> Just tell the kernel you need policy-based routing with ipfw. This just works.
> No need to utilize the second FIB just because you already have it.

OK, yeah, sounds reasonable. Thanks for explaining!

GrzegorzJ
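As an added example (not part of this thread), a POSIX sh helper that assembles the single policy-based-routing rule Eugene describes and sanity-checks its inputs before the rule is handed to ipfw; the interface name and addresses in it are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: build and sanity-check the one ipfw
# "fwd" rule that sends WAN2-sourced packets to WAN2's gateway when the
# default route would otherwise push them out through WAN1.

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0..255.
is_ipv4() {
    addr=$1
    case $addr in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] && [ "$1.$2.$3.$4" = "$addr" ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# pbr_rule RULENUM GATEWAY2 WAN2IP WAN1IF
# Prints the ipfw command; fails (non-zero) on any malformed input so a
# typo never turns into a silently wrong forwarding rule.
pbr_rule() {
    num=$1 gw=$2 src=$3 oif=$4
    case $num in ''|*[!0-9]*) echo "bad rule number: $num" >&2; return 1 ;; esac
    [ "$num" -ge 1 ] && [ "$num" -le 65534 ] || { echo "rule number out of range" >&2; return 1; }
    is_ipv4 "$gw"  || { echo "bad gateway address: $gw" >&2; return 1; }
    is_ipv4 "$src" || { echo "bad source address: $src" >&2; return 1; }
    [ -n "$oif" ]  || { echo "missing WAN1 interface name" >&2; return 1; }
    printf 'ipfw add %s fwd %s ip from %s to any out xmit %s\n' "$num" "$gw" "$src" "$oif"
}

# Constructed sample values for the two-WAN host discussed in the thread.
wan1="em0"; wan2ip="203.0.113.10"; gateway2="203.0.113.1"
rule=$(pbr_rule 2000 "$gateway2" "$wan2ip" "$wan1") || exit 1
echo "$rule"
# On the FreeBSD host: sh -c "$rule", then "ipfw show 2000" to confirm the
# rule's packet counter increases when traffic sourced from $wan2ip leaves.
```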