Date: Tue, 18 Jul 2017 01:22:00 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: Alan Somers <asomers@freebsd.org>
Cc: FreeBSD Net <freebsd-net@freebsd.org>, freebsd-jail@freebsd.org, Grzegorz Junka <list1@gjunka.com>
Subject: Re: A web server behind two gateways?
Message-ID: <596D0048.7040100@grosbein.net>
In-Reply-To: <596CFF94.2090506@grosbein.net>
References: <a35370da-531d-6678-4a60-95304bdd919b@gjunka.com> <596CA093.6020508@grosbein.net> <CAOtMX2h6zBi4aVDSdUP_Po_JwOLbxynanZ624530mGLk16fWbg@mail.gmail.com> <596CF1BA.8050104@grosbein.net> <CAOtMX2g6cwDCWJNabqp8AxX_ojSD9T8M9Ga3+cX7aUysmzLjSg@mail.gmail.com> <596CFF94.2090506@grosbein.net>
18.07.2017 1:19, Eugene Grosbein wrote:
> 18.07.2017 0:48, Alan Somers wrote:
>
>> I think what you meant to say is "this will work for a server directly
>> connected to two external gateways (whether or not NAT is involved),
>> but won't work if the server is not on the same subnet as the
>> gateways". That's true. But judging by the OP, I think they're all
>> on the same subnet.
>
> Yes. Anyway, as long as there is NAT involved, one already has a stateful engine,
> and the simplest and universal solution for this situation is PBR after NAT for outgoing packets.
>
> It works no matter whether the gateways are directly connected or not
> and does not require multiple routing tables nor complex FIB or VNET configurations:
>
> # remove "default" NAT rule
> ipfw delete 50
>
> # translate incoming traffic and create NAT states
> ipfw add 40 nat 123 ip from any to any in recv $iface1
> ipfw add 50 nat 124 ip from any to any in recv $iface2
>
> # insert normal filtering here
> ...
> # translate outgoing replies using existing NAT states
> ipfw add 50020 nat global ip from $LAN to any out xmit $iface1
> ipfw add 50030 nat global ip from $LAN to any out xmit $iface2
>
> # translate new outgoing connections not having a state yet
> ipfw add 50040 nat 123 ip from any to any out xmit $iface1
> ipfw add 50050 nat 124 ip from any to any out xmit $iface2

bugfix:

ipfw add 50040 nat 123 ip from $LAN to any out xmit $iface1
ipfw add 50050 nat 124 ip from $LAN to any out xmit $iface2

> # perform Policy Based Routing for packets going to "wrong" route
> ipfw add 50140 fwd $gateway2 ip from $extip2 to any out xmit $iface1
> ipfw add 50150 fwd $gateway1 ip from $extip1 to any out xmit $iface2
>
> # that's all, folks!
>
> This works no matter where the default route points to ($gateway1 or $gateway2).
> All you need is a working default route and net.inet.ip.fw.one_pass=0.
>
> This can be extended to any number of external channels/interfaces
> and optimized with ipfw tables, but for two channels I prefer to write it so
> for readability. I use this for many installations and it just works.
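As an added example (not code from the message or its author), the following POSIX sh function prints the "PBR after NAT" ruleset above, with the $LAN bugfix applied, for any number of external channels, which the message says the scheme extends to. The NAT instance numbers and the rule-number blocks for the outgoing groups are my own choice, and the interface names and addresses in the usage call are constructed.

```shell
# Added example, not from the message: print the "PBR after NAT" ipfw
# ruleset for N external channels, with the bugfix ($LAN source) applied.
# Each channel is given as IFACE:EXTIP:GATEWAY (IPv4, so no colons inside).
# NAT instances 123,124,... and the rule-number blocks are my own choice;
# the set still assumes a working default route and net.inet.ip.fw.one_pass=0.
gen_pbr_rules() {
    lan=$1; shift
    echo '# remove "default" NAT rule'
    echo 'ipfw delete 50'
    i=0
    for ch in "$@"; do
        iface=${ch%%:*}
        # translate incoming traffic and create NAT states (one instance per channel)
        echo "ipfw add $((40 + i * 10)) nat $((123 + i)) ip from any to any in recv $iface"
        i=$((i + 1))
    done
    echo '# insert normal filtering here'
    i=0
    for ch in "$@"; do
        iface=${ch%%:*}
        # translate outgoing replies using existing NAT states
        echo "ipfw add $((50000 + i * 10)) nat global ip from $lan to any out xmit $iface"
        i=$((i + 1))
    done
    i=0
    for ch in "$@"; do
        iface=${ch%%:*}
        # translate new outgoing connections not having a state yet ($LAN only)
        echo "ipfw add $((51000 + i * 10)) nat $((123 + i)) ip from $lan to any out xmit $iface"
        i=$((i + 1))
    done
    k=0
    for ch in "$@"; do
        iface=${ch%%:*}; rest=${ch#*:}; extip=${rest%%:*}; gw=${rest#*:}
        for other in "$@"; do
            oiface=${other%%:*}
            if [ "$oiface" = "$iface" ]; then continue; fi
            # policy route packets sourced from this channel's address but
            # leaving via another interface back to this channel's gateway
            echo "ipfw add $((52000 + k * 10)) fwd $gw ip from $extip to any out xmit $oiface"
            k=$((k + 1))
        done
    done
}

# constructed sample: two channels, as in the message
gen_pbr_rules 192.168.0.0/24 em0:203.0.113.10:203.0.113.1 em1:198.51.100.10:198.51.100.1
```

For N channels the function emits N*(N-1) fwd rules, one per (source channel, other interface) pair, which is where ipfw tables start to pay off.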