Date: Thu, 12 Jul 2007 07:44:59 -0500
From: Josh Paetzel <josh@tcbug.org>
To: freebsd-net@freebsd.org
Cc: Eric F Crist <ecrist@secure-computing.net>, Artyom Viklenko <artem@aws-net.org.ua>
Subject: Re: Again two ADSL lines, routing problems
Message-ID: <200707120745.03102.josh@tcbug.org>
In-Reply-To: <46961C0B.6060004@netfence.it>
References: <4695FEF4.4030708@netfence.it> <469616B2.2020803@aws-net.org.ua> <46961C0B.6060004@netfence.it>
On Thursday 12 July 2007, Andrea Venturoli wrote:
> Artyom Viklenko wrote:
> > You have to enforce symmetrical routing on your FreeBSD box.
> > You can use, for example, PF firewall using such options and
> > features as labels and route-to/reply-to statements.
> >
> > Also it is possible with ipfw, but I prefer PF. :)
>
> Thanks, this is interesting. However I failed to understand what
> you mean exactly.
> Do you have any pointer to a document that explains this?
> I searched in PF's and ipfw's manual, but found nothing that I
> could relate to this.
>
> Also, I'm right now using ipfw...
>
> bye & Thanks
> av.

errrm, in pf I can give you a concrete example of how to deal with this.

Since you haven't given a concrete example I'll make one up. Say you have a FBSD box with em0 connected to one DSL connection on 192.168.1.2 and the default route set to 192.168.1.1, and em1 on the other DSL connection with IP 192.168.2.2 and the router for that connection on 192.168.2.1.

Your question seemed to imply that you don't want to load-balance or really even do round-robin NAT and you're fine with manually cutting over the default route in case a link fails, but the problem you are having is that the responses to incoming connections go out the default route, which doesn't work.

Here's the fix to that in PF:

pass out route-to (em1 192.168.2.1) from 192.168.2.2 to any

This will not do load-balancing, fail-over, or round-robin NAT, but it will make replies to incoming connections on the 'other' DSL connection go out the same interface the incoming connection came in on with the proper source address.
HTH

-- 
Thanks,
Josh Paetzel
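As an added example that is not part of Josh's message or of the thread: a pf.conf fragment that rounds his single route-to rule out into a small ruleset for the two-line layout he sketches. The interface names and addresses are the hypothetical ones from his message; the macros, the reply-to rules on the inbound side and the assumed inbound services (ports 22 and 80) are my additions.

```pf
# Added example, not from the original message. Interfaces and addresses
# follow Josh's hypothetical setup; everything else is an assumption.
ext1    = "em0"          # DSL line 1, the system default route points here
ext1_ip = "192.168.1.2"
gw1     = "192.168.1.1"
ext2    = "em1"          # DSL line 2, no default route points here
ext2_ip = "192.168.2.2"
gw2     = "192.168.2.1"

set skip on lo0

# Default deny; every pass rule below keeps state, so the routing decision
# (route-to / reply-to) recorded in the state entry is reused for the
# rest of that connection instead of being re-evaluated per packet.
block log all

# Connections arriving on the second line: reply-to on the inbound rule
# pins the replies to that line's gateway, so they leave via em1 with
# source 192.168.2.2 no matter where the routing table's default points.
# (Assumed services: ssh and http.)
pass in on $ext2 reply-to ($ext2 $gw2) proto tcp \
    from any to $ext2_ip port { 22, 80 } keep state

# Josh's rule, written with macros: anything the box itself sources from
# the second line's address is steered out em1 via gw2. Without it such
# packets would follow the default route out em0 with a source address
# that does not belong to that line and be dropped upstream.
pass out route-to ($ext2 $gw2) from $ext2_ip to any keep state

# The first line holds the default route, so its traffic needs no
# route-to; plain stateful rules are enough.
pass in on $ext1 proto tcp from any to $ext1_ip port { 22, 80 } keep state
pass out on $ext1 from $ext1_ip to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; if the default route is later cut over to gw2 by hand, as Josh describes, the reply-to line for em2 keeps working and a mirror of it for em1 (reply-to ($ext1 $gw1)) would be needed for the first line.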