Date: Wed, 04 Apr 2001 07:09:23 +1000
From: Peter Jeremy <peter.jeremy@alcatel.com.au>
To: Michael Owens <owensmk@earthlink.net>
Cc: security@FreeBSD.ORG
Subject: Re: Multiple Default Gateways using DIVERT
Message-ID: <20010404070923.O27632@gsmx07.alcatel.com.au>
In-Reply-To: <0104021648540A.00570@mike>; from owensmk@earthlink.net on Mon, Apr 02, 2001 at 04:48:54PM -0500
References: <0104021648540A.00570@mike>
On 2001-Apr-02 16:48:54 -0500, Michael Owens <owensmk@earthlink.net> wrote:
> We are getting a second DSL line, and I was wondering what the best way, if
> any, would be to use NAT and different default gateways so as to divide up
> the groups by source address across them. I would like 10.10.10.1-128 to go
> through gateway 1 (say 2.2.2.1) and 10.10.10.129-254 through gateway 2 (say
> 2.2.2.2). I have searched the mail archives and seen various suggestions, but
> none seemed to address this specifically.

I presume you're interested in outgoing, rather than incoming, access.

I'm (ab)using ipfw/natd to do something fairly similar to this. Basically I have an ipfw divert to natd, and then in my natd.cf file I have a list of redirect addresses. In your case, it would look like:

    redirect_address 10.10.10.1 2.2.2.1
    redirect_address 10.10.10.2 2.2.2.1
    redirect_address 10.10.10.3 2.2.2.1
    ...
    redirect_address 10.10.10.128 2.2.2.1
    redirect_address 10.10.10.129 2.2.2.2
    redirect_address 10.10.10.130 2.2.2.2
    redirect_address 10.10.10.131 2.2.2.2
    ...
    redirect_address 10.10.10.254 2.2.2.2

The downside is that you need to list each internal address (or at least half of them, with the remainder handled via a target_address directive).

If your internal address split can be represented by a mask (i.e. 10.10.10.0/25 => 2.2.2.1 and 10.10.10.128/25 => 2.2.2.2), then another alternative would be to use two natd's (on different divert ports with different config files) with ipfw rules to split the packets between them. Note that the mask does not need to be a normal subnet mask; it can be an arbitrary bit pattern. As an example, 10.10.10.1/255.255.255.1 could be used to split addresses into even and odd.

Unfortunately, I don't think there's any simple way to statistically split the traffic between the different gateways.

If you're concerned about reliability, you might also consider hacking up some tools to automatically redirect all your internal hosts via one gateway if the other fails.
This wouldn't save pre-existing connections, but would at least let you set up new ones.

Note that natd is inherently less efficient than ipnat because it is userland. This means that each packet goes kernel->userland->kernel, which is quite expensive.

Peter
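As an added example (not part of this message, and not FreeBSD's own ipfw or natd code), the address-selection logic behind both approaches above, modelled in Python: a policy table of (pattern/mask, gateway) pairs is matched the way an arbitrary-bit-pattern mask matches (address AND mask compared with pattern AND mask), so it handles both the /25 halves and the 255.255.255.1 even/odd split, and the last function expands such a policy into the per-host redirect_address list that the single-natd approach needs. The policy tables and gateway addresses are the constructed values from the thread; the function names are this example's own.

```python
import ipaddress

def ip_int(addr: str) -> int:
    """Dotted IPv4 address -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def mask_int(mask: str) -> int:
    """Accept a prefix length ("25") or a dotted mask ("255.255.255.1").
    A dotted mask may be non-contiguous, unlike a normal subnet mask."""
    if mask.isdigit():
        return (0xFFFFFFFF << (32 - int(mask))) & 0xFFFFFFFF
    return ip_int(mask)

def mask_matches(addr: str, spec: str) -> bool:
    """True if addr matches 'pattern/mask' under arbitrary-bit-pattern
    semantics: only the bits set in the mask are compared."""
    pattern, mask = spec.split("/")
    m = mask_int(mask)
    return (ip_int(addr) & m) == (ip_int(pattern) & m)

def select_gateway(addr: str, policy):
    """First-match lookup, like rule order in a firewall ruleset.
    Returns the gateway for addr, or None if no rule matches."""
    for spec, gateway in policy:
        if mask_matches(addr, spec):
            return gateway
    return None

def natd_redirects(policy, network: str):
    """Expand a mask policy into natd.cf redirect_address lines, one per
    host in the network, for the single-natd approach."""
    lines = []
    for host in ipaddress.IPv4Network(network).hosts():
        gateway = select_gateway(str(host), policy)
        if gateway is not None:
            lines.append(f"redirect_address {host} {gateway}")
    return lines

# Constructed policies matching the two splits discussed in the thread.
SPLIT_BY_HALF = [("10.10.10.0/25", "2.2.2.1"), ("10.10.10.128/25", "2.2.2.2")]
SPLIT_ODD_EVEN = [("10.10.10.1/255.255.255.1", "2.2.2.1"),
                  ("10.10.10.0/255.255.255.1", "2.2.2.2")]

if __name__ == "__main__":
    for line in natd_redirects(SPLIT_BY_HALF, "10.10.10.0/24"):
        print(line)
```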