Date: Mon, 30 Jan 2006 10:49:13 -0800
From: Julian Elischer
To: Brian Candler
Cc: freebsd-net@freebsd.org, Unix-Solutions - Steven
Subject: Re: multiple natd + ipfw, with 2 internal ip's
Message-ID: <43DE5FA9.1070107@elischer.org>
In-Reply-To: <20060130083744.GA70515@uk.tiscali.com>
References: <001501c62402$a1bd4c70$05000100@cloe> <20060130083744.GA70515@uk.tiscali.com>

Brian Candler wrote:

> On Sat, Jan 28, 2006 at 01:01:53PM +0100, Unix-Solutions - Steven wrote:
>
>> Hi you guys,
>>
>> I have a little problem with my natd or ipfw configuration.
>
> This may not be what you want to hear, but in my experience if you have a
> configuration with multiple external interfaces and multiple NAT instances,
> ipfw + natd becomes almost impossible to configure correctly. You need
> multiple running instances of natd, which isn't a problem, but making a set
> of ipfw rules which correctly passes the right packets to the right natd
> instances, both inbound and outbound, is pretty hard.

Actually it's pretty easy.
make a separate natd.conf file for each daemon, and specify it to each daemon
on the command line.
then separate out the dataflow using ipfw.
e.g.

add 100 skipto 300 ip from any to any in recv fxp0
add 101 skipto 400 ip from any to any in recv fxp1
add 102 skipto 500 ip from any to any out xmit fxp0
add 103 skipto 600 ip from any to any out xmit fxp1

now in each section 300,400,500,600 you can have a different set of filters etc.
you can also use different divert sockets for the two interfaces, sending the
data to the two different natds which you have listening on different divert
sockets.

> If I were you, I'd switch to pf. Having two NAT interfaces in pf.conf is
> trivial. So then the only thing you need to do is to swing your defaultroute
> from ISP1 to ISP2, to change the traffic flow.
>
>> Now I want to add 192.168.2.253 as alias on the FXP0
>> and when a PC on my internal network sets his gateway to 192.168.2.253
>> I want that this PC takes the versatel route.
>> How is this possible ?
>
> Unfortunately, it's not possible at all.

Well you could if you set your internal interface to be in promiscuous mode
and set proxy arp for that address using a different MAC address. Then using
ipfw at the ethernet layer you could tell which address it had been aimed at..
A different approach would be to run two different subnets on the wire.
192.168.1.x and 192.168.2.x for example. each by default could be made to go
out through a different egress interface using an ipfw FWD rule.

> When your PC sends a packet from X.X.X.X to Y.Y.Y.Y, and decides that
> 192.168.2.254 is the next hop router, it uses ARP to find the MAC address of
> this router. It then encapsulates the IP datagram in an ethernet frame using
> this as the destination MAC address.
>
> If it decided to use 192.168.2.253 as the next hop, and this is an alias on
> the same machine, then it would still get the same MAC address. So when the
> packet arrives at the router, it would be impossible to tell whether the
> originator had used 192.168.2.254 or 192.168.2.253 as the next-hop address.
>
> (That's unless you do something very nasty, like assigning multiple MAC
> addresses to the same interface and writing your own ARP daemon to respond
> with different MAC addresses, but even then you would still have to somehow
> make a forwarding decision based on the MAC address of the incoming frame.
> You could put two different NICs on the same LAN segment, which would
> automatically give you two MAC addresses and let you forward based on the
> source interface, but I think that FreeBSD still has a problem when running
> two NICs on the same LAN segment, because it mixes the ARP table into the
> forwarding table)
>
> If you want to selectively have some clients using ISP1 and other clients
> using ISP2, then I think you could implement that using pf 'route-to' or
> ipfw 'fwd' rules, matching the source IP address, which is a lot simpler.
>
> In any case, if all you're concerned about is failover, then you probably
> don't want to reconfigure every client PC when ISP1 goes down in order to
> point to ISP2. Rather, you could run a script on the gateway PC which
> monitors the link status, and changes its own defaultroute to point to the
> other ISP.
>
> HTH,
>
> Brian.
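The per-interface skipto dispatch and the two natd instances on separate divert sockets, worked through as an added example (not code from the thread): a script that writes one natd.conf per uplink and emits a complete ipfw ruleset with its four numbered sections, plus a check that every skipto target exists. Interface names, divert ports, the LAN prefix and the per-section filters are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a two-uplink ipfw ruleset in the skipto
# layout described above, with one natd per external interface on its own
# divert port. Interface names, divert ports and the LAN prefix are assumptions.
EXT1=fxp0; EXT2=fxp1          # assumed external interfaces (ISP1, ISP2)
DIVERT1=8668; DIVERT2=8669    # assumed divert ports, one per natd instance
LAN=192.168.2.0/24            # assumed internal network

# One natd.conf per daemon: start each with "natd -f <file>" so the daemon
# for ISP1 listens on $DIVERT1 and the daemon for ISP2 on $DIVERT2.
gen_natd_conf() {             # usage: gen_natd_conf <ext_iface> <divert_port>
    printf 'interface %s\nport %s\nuse_sockets yes\nsame_ports yes\n' "$1" "$2"
}

# Emit the ruleset as text so it can be reviewed before loading
# (e.g. gen_rules > /etc/ipfw.rules && ipfw -q /etc/ipfw.rules).
gen_rules() {
cat <<EOF
# dispatch by interface into numbered sections; traffic that never crosses
# an uplink (LAN-to-LAN, loopback) falls through to rule 200
add 100 skipto 300 ip from any to any in recv $EXT1
add 101 skipto 400 ip from any to any in recv $EXT2
add 102 skipto 500 ip from any to any out xmit $EXT1
add 103 skipto 600 ip from any to any out xmit $EXT2
add 200 allow ip from any to any
# 300: inbound on ISP1. Un-NAT first, so the filters see the real LAN target.
add 300 divert $DIVERT1 ip from any to any in recv $EXT1
add 310 allow tcp from any to any established
add 311 allow icmp from any to any
add 399 deny ip from any to any
# 400: inbound on ISP2, same shape but handed to the second natd.
add 400 divert $DIVERT2 ip from any to any in recv $EXT2
add 410 allow tcp from any to any established
add 411 allow icmp from any to any
add 499 deny ip from any to any
# 500: outbound on ISP1. Filter on the untranslated LAN source, then NAT.
add 500 divert $DIVERT1 ip from $LAN to any out xmit $EXT1
add 599 allow ip from any to any
# 600: outbound on ISP2. Section-specific policy: no outbound SMTP here.
add 600 deny tcp from $LAN to any 25
add 610 divert $DIVERT2 ip from $LAN to any out xmit $EXT2
add 699 allow ip from any to any
EOF
}
# Sanity check: every skipto target must exist as a rule number in the set.
check_skipto_targets() {      # returns 0 when all targets resolve
    rules=$(gen_rules)
    for t in $(printf '%s\n' "$rules" | sed -n 's/^add [0-9]* skipto \([0-9]*\).*/\1/p'); do
        printf '%s\n' "$rules" | grep -q "^add $t " || return 1
    done
}
```

The inbound sections divert before filtering and the outbound sections filter before diverting; swapping that order makes the filters match translated addresses instead of the LAN hosts.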