From owner-freebsd-security Tue Apr 3 14: 9:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from netau1.alcanet.com.au (ntp.alcanet.com.au [203.62.196.27]) by hub.freebsd.org (Postfix) with ESMTP id 5D1B337B71B for ; Tue, 3 Apr 2001 14:09:39 -0700 (PDT) (envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: from mfg1.cim.alcatel.com.au (mfg1.cim.alcatel.com.au [139.188.23.1]) by netau1.alcanet.com.au (8.9.3 (PHNE_22672)/8.9.3) with ESMTP id HAA06435; Wed, 4 Apr 2001 07:09:29 +1000 (EST)
Received: from gsmx07.alcatel.com.au by cim.alcatel.com.au (PMDF V5.2-32 #37645) with ESMTP id <01K1ZRMX400WS4MGOY@cim.alcatel.com.au>; Wed, 4 Apr 2001 07:09:23 +1100
Received: (from jeremyp@localhost) by gsmx07.alcatel.com.au (8.11.1/8.11.1) id f33L9NY54480; Wed, 04 Apr 2001 07:09:23 +1000 (EST envelope-from jeremyp)
Content-return: prohibited
Date: Wed, 04 Apr 2001 07:09:23 +1000
From: Peter Jeremy
Subject: Re: Multiple Default Gateways using DIVERT
In-reply-to: <0104021648540A.00570@mike>; from owensmk@earthlink.net on Mon, Apr 02, 2001 at 04:48:54PM -0500
To: Michael Owens
Cc: security@FreeBSD.ORG
Mail-Followup-To: Michael Owens , security@FreeBSD.ORG
Message-id: <20010404070923.O27632@gsmx07.alcatel.com.au>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-disposition: inline
User-Agent: Mutt/1.2.5i
References: <0104021648540A.00570@mike>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 2001-Apr-02 16:48:54 -0500, Michael Owens wrote:
>We are getting a second DSL line, and I was wondering what the best way, if
>any, would be to use NAT and different default gateways so as to divide up
>the groups by source address across them. I would like 10.10.10.1-128 to go
>through gateway 1 (say 2.2.2.1) and 10.10.10.129-254 through gateway 2 (say
>2.2.2.2). I have searched the mail archives and seen various suggestions, but
>none seemed to address this specifically.
I presume you're interested in outgoing, rather than incoming access.

I'm (ab)using ipfw/natd to do something fairly similar to this. Basically I have an ipfw divert to natd and then in my natd.cf file I have a list of redirect addresses. In your case, it would look like:

    redirect_address 10.10.10.1 2.2.2.1
    redirect_address 10.10.10.2 2.2.2.1
    redirect_address 10.10.10.3 2.2.2.1
    ...
    redirect_address 10.10.10.128 2.2.2.1
    redirect_address 10.10.10.129 2.2.2.2
    redirect_address 10.10.10.130 2.2.2.2
    redirect_address 10.10.10.131 2.2.2.2
    ...
    redirect_address 10.10.10.254 2.2.2.2

The downside is that you need to list each internal address (or at least half of them, with the remainder handled via a target_address directive).

If your internal address split can be represented by a mask (i.e. 10.10.10.0/25 => 2.2.2.1 and 10.10.10.128/25 => 2.2.2.2) then another alternative would be to use two natd's (on different divert ports with different config files) with ipfw rules to split the packets between them. Note that the mask does not need to be a normal subnet mask - it can be an arbitrary bit pattern. As an example 10.10.10.1/255.255.255.1 could be used to split addresses into even and odd.

Unfortunately, I don't think there's any simple way to statistically split the traffic between the different gateways.

If you're concerned about reliability, you might also consider hacking up some tools to automatically redirect all your internal hosts via one gateway if the other fails. This wouldn't save pre-existing connections, but would at least let you set up new ones.

Note that natd is inherently less efficient than ipnat because it is userland. This means that each packet goes kernel->userland->kernel, which is quite expensive.

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
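Added example, not from the mail or from FreeBSD itself: a POSIX sh script that generates the per-host redirect_address list for natd.cf that Peter describes, and prints the ipfw divert rules plus natd invocations for the two-natd, mask-based alternative he mentions. The external interface name fxp0, the divert ports 8668/8669 and the ipfw rule numbers are assumptions; the addresses are the ones used in the thread.

```shell
#!/bin/sh
# Added example: two ways to split 10.10.10.0/24 across two NAT aliases.
# Assumed placeholders: interface fxp0, divert ports 8668 and 8669.

# natd_redirects PREFIX FIRST LAST ALIAS
# Emits one natd.cf redirect_address line per internal host, i.e. the
# "list each internal address" approach from the mail.
natd_redirects() {
    prefix=$1; first=$2; last=$3; alias=$4
    i=$first
    while [ "$i" -le "$last" ]; do
        printf 'redirect_address %s.%s %s\n' "$prefix" "$i" "$alias"
        i=$((i + 1))
    done
}

# ipfw_split_rules EXTIF NET1 ALIAS1 PORT1 NET2 ALIAS2 PORT2
# Emits the ipfw rules and natd command lines for the two-natd variant:
# each half of the internal range is diverted to its own natd instance,
# and inbound replies are diverted by the alias address they arrive on.
# NET may be a CIDR prefix (10.10.10.0/25) or, because ipfw accepts an
# arbitrary addr:mask pair, an odd/even split such as 10.10.10.1:255.255.255.1.
ipfw_split_rules() {
    extif=$1
    net1=$2; alias1=$3; port1=$4
    net2=$5; alias2=$6; port2=$7
    cat <<EOF
# outbound: choose the natd instance by internal source address
ipfw add 100 divert $port1 ip from $net1 to any out via $extif
ipfw add 110 divert $port2 ip from $net2 to any out via $extif
# inbound: replies are addressed to the alias each natd owns
ipfw add 120 divert $port1 ip from any to $alias1 in via $extif
ipfw add 130 divert $port2 ip from any to $alias2 in via $extif
# one natd per alias address, each on its own divert port
natd -a $alias1 -p $port1
natd -a $alias2 -p $port2
EOF
}

# The split requested in the thread: 10.10.10.1-128 -> 2.2.2.1 and
# 10.10.10.129-254 -> 2.2.2.2, first as explicit redirects, then by mask.
echo '# natd.cf (per-host redirects)'
natd_redirects 10.10.10 1 128 2.2.2.1
natd_redirects 10.10.10 129 254 2.2.2.2
echo '# two-natd alternative'
ipfw_split_rules fxp0 10.10.10.0/25 2.2.2.1 8668 10.10.10.128/25 2.2.2.2 8669
```

The script only prints configuration; it does not run ipfw or natd, and it says nothing about which gateway the kernel routes each translated packet to, which the mail does not cover either.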