From: Tony Frank <tfrank@optushome.com.au>
To: "J.T. Davies"
cc: freebsd-ipfw@freebsd.org
Subject: Re: Internal routing to different gateway
Date: Thu, 18 Mar 2004 21:32:00 +1100
Message-ID: <20040318103200.GA49704@marvin.home.local>
In-Reply-To: <002701c40be5$43298f70$3301020a@hostthecaost.org>
List-Id: IPFW Technical Discussions

Hi there,

On Tue, Mar 16, 2004 at 10:01:17PM -0800, J.T. Davies wrote:
> I have an internal mail server running qmail on FreeBSD (IP of 10.2.1.52).
>
> I have two gateway/routers:
> Internal IPs of 10.2.1.1 and 10.2.1.2, each has their own external IPs.
>
> The mail server (10.2.1.52) has a default_router set as 10.2.1.1.
>
> However, traffic coming in from 10.2.1.2 is answered via 10.2.1.1 (and not
> going back out the original route of 10.2.1.2).
>
> Of course this doesn't work because the NAT tables don't sync up between the
> two, so 10.2.1.1 doesn't know where to route the reply traffic.
>
> Incoming traffic on 10.2.1.1 works very well.
>
> Here's my potential solution... please tell me if there's a better way
> (through another port) or if I'm on a good track.
>
> ==========
> I create an IP alias on the mail server (10.2.1.53) and create routes in
> natd on 10.2.1.2 to route SMTP and POP3 traffic to the new alias IP.
>
> I enable IPFW on the mail server (defaults to allow connections because it's
> internal).
>
> I'll add two rules:
> ipfw add fwd 10.2.1.2 ip from 10.2.1.53 to any out via vr0
> ipfw add fwd 10.2.1.1 ip from 10.2.1.52 to any out via vr0
> (I think the syntax of the rules is right... if not, I'll experiment to
> perfect them)
> ==========
>
> Thoughts?

I just (last week or so) posted a reply (on -net or -isp I think) that did
this kind of thing for a webserver setup with alternate upstream sources.

The setup was a bit different to what you describe in that there was one
'router' with two uplinks rather than two separate routers. In that case I
needed to use the natd redirection feature to proxy traffic to the alias
address.

Your routers will need to be able to rewrite the traffic in some way to do
this (i.e. change the destination IP to 10.2.1.53). As it is application
layer, a regular IP route is probably not sufficient.

Another option is to 'reverse NAT' on the routers so the traffic to
10.2.1.52 appears to originate from 10.2.1.1 or 10.2.1.2. Then your server
will reply to the appropriate address and the NAT on the router should send
the result to the original client.

I guess this will depend a little on the application and how well it can
handle NAT; SMTP and POP3 should be fine as long as you're not trying to do
source-IP based filtering (unless you do that on the routers before they
NAT/proxy the traffic).

Hope it helps,

Tony
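The alias-plus-fwd setup from the thread, written out as an added example (not code from either poster). The addresses and the vr0 interface are the ones J.T. gave; the rule numbers, the /32 alias netmask, the DRY_RUN switch and the natd redirect flags for the second router are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses and vr0 are J.T.'s; rule
# numbers, the /32 alias netmask and DRY_RUN are assumptions.
# DRY_RUN=1 (the default) prints the commands instead of running them.
IFACE=vr0
PRIMARY_IP=10.2.1.52; PRIMARY_GW=10.2.1.1
ALIAS_IP=10.2.1.53;   ALIAS_GW=10.2.1.2

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Mail server: add the alias, then one fwd rule per source address.
# fwd needs a protocol keyword (here "ip"); the rules as quoted in the
# thread omit it and ipfw rejects them. "out xmit vr0" restricts the match
# to packets the server itself sends on vr0, i.e. its replies, so inbound
# traffic is routed normally. fwd also needs a kernel built with
# options IPFIREWALL_FORWARD.
mailserver_rules() {
    run ifconfig "$IFACE" inet "$ALIAS_IP" netmask 255.255.255.255 alias
    run ipfw add 100 fwd "$ALIAS_GW" ip from "$ALIAS_IP" to any out xmit "$IFACE"
    run ipfw add 110 fwd "$PRIMARY_GW" ip from "$PRIMARY_IP" to any out xmit "$IFACE"
    # fwd terminates the search, so the catch-all allow must come after it
    # to keep the "allow everything internal" behaviour J.T. describes.
    run ipfw add 65000 allow ip from any to any
}

# Second router (10.2.1.2): natd must rewrite the destination to the alias
# so the server answers from ALIAS_IP and hits rule 100. These are the
# natd_flags for SMTP and POP3.
router2_natd_flags() {
    echo "-redirect_port tcp $ALIAS_IP:25 25 -redirect_port tcp $ALIAS_IP:110 110"
}

mailserver_rules
echo "natd_flags on $ALIAS_GW: $(router2_natd_flags)"
```

Run with DRY_RUN=0 on the mail server to apply the rules; the printed natd_flags line belongs in the second router's configuration, not the server's.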