Date: Tue, 21 Jun 2011 19:27:25 +0200
From: Jerome Herman <jherman@dichotomia.fr>
To: freebsd-questions@freebsd.org
Subject: Re: Two Networks on one System
Message-ID: <4E00D47D.9040603@dichotomia.fr>
In-Reply-To: <4E00CAA4.7080008@my.gd>
References: <201106202107.p5KL7PW0091851@x.it.okstate.edu> <4DFFC61B.2080201@radel.com> <27899_1308609017_4DFFC9F9_27899_767_1_D9B37353831173459FDAA836D3B43499BF89C588@WADPMBXV0.waddell.com> <4DFFD0A7.8010806@radel.com> <4DFFE6B9.2020107@dichotomia.fr> <4E00756B.5050805@my.gd> <4E00C720.5010701@dichotomia.fr> <4E00CAA4.7080008@my.gd>
On 06/21/11 18:45, Damien Fleuriot wrote:
>
> On 6/21/11 6:30 PM, Jerome Herman wrote:
>> On 06/21/11 12:41, Damien Fleuriot wrote:
>>> This does not depend on the route the client takes, but rather on the IP
>>> the client tries to reach, wouldn't you agree ?
>> Most of the problems I was afraid of were lifted when further
>> explanations were given. But just for the record I would like to
>> explain further what I meant, adding some examples.
>>
>> 1°) It is perfectly possible for a public IP to be routed differently
>> depending on the ISP. Actually it is quite common when you have multiple
>> providers to create "shortcuts" in the routing table. Let us say your
>> main provider is ISP A who is officially routing your public IP, but you
>> also have a privileged link with ISP B who will redirect any request
>> made to your public IP to a private IP on your network (NAT or DMZ, your
>> pick).
>> All clients from ISP A will come to your public IP directly, all clients
>> from ISP B will go through your private IP, but clients from ISP C ?
>> Well it will depend on whether the route they elect goes to ISP A or
>> ISP B first.
>>
> This has to do with BGP, transits and peerings, this is not really
> relevant to your case of having 2 public IPs served by a box.
>
> But then, to answer your question:
>
> Let's say you have 2 public and 1 private IP on the box.
>
> Traffic to public IP A has a reply-to to the ISP's router in network A.
> Traffic to public IP B has a reply-to to the ISP's router in network B.
> Traffic to private IP C has a reply-to to the ISP's router in network C.

No, the problem is the following:

Traffic to public IP A going through ISP X goes to interface 1 configured with public IP A.
Traffic to public IP A going through ISP Y goes to interface 2 configured with private IP C.

And no, this is not a fantasy config that can only be found once every millennium when following a unicorn. There are actually quite a lot of setups that use this trick to work.

> I really can not see what your concern is, here.
>
> In fact, this is pretty much what we use here, we have RDR rules set up
> on our firewalls to pass packets to our reverse proxies' private IPs.
>
>
>> 2°) Even if there are two distinct public addresses A & B, what happens
>> when two NATed computers behind a public address Z try to connect to
>> the server at the same time ? reply-to disturbs the normal flow of
>> answers; in case two connections are attempted from the same distant
>> address at the same moment (second SYN received before first SYN/ACK is
>> sent), what is supposed to happen? I think each connection will receive
>> a proper SYN/ACK from the right interface, but I cannot find anything to
>> confirm/infirm this.
>>
> What you need to take into account is that these are 2 different
> connections each with an ID, a source IP (shared: Z) and a source port
> (randomized).
>
> This will not be messed up by reply-to.

That is what I thought, but I can't seem to find a proper doc on the nooks and crannies of reply-to and route-to. And I am always a bit cautious about the idea of checking BSD code myself to get answers.
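The setup the two posters are arguing about, written out as a pf.conf fragment: one box, two uplinks, public IP A reached directly via ISP A on one interface and via ISP B's redirect to private IP C on the other, with a reply-to rule per ingress interface. This is an added example, not configuration from anyone in the thread; the interface names, gateway and documentation-range addresses are constructed for illustration.

```pf
# Added example (not from the thread). Interfaces, gateways and addresses
# below are assumptions, constructed for illustration only.
ext_if_a = "em0"            # uplink to ISP A, carries public IP A
ext_if_b = "em1"            # uplink to ISP B; ISP B redirects public IP A to private IP C here
gw_a     = "198.51.100.1"   # ISP A's router on network A
gw_b     = "10.0.0.1"       # ISP B's router on the private side (network C)
ip_a     = "198.51.100.10"  # public IP A, configured on em0
ip_c     = "10.0.0.10"      # private IP C, configured on em1

set skip on lo0
block in log all

# Connections that arrive on em0 (came in via ISP A) are answered through
# ISP A's router, regardless of what the default route points to.
pass in on $ext_if_a reply-to ($ext_if_a $gw_a) inet proto tcp \
    from any to $ip_a port { 80 443 } flags S/SA keep state

# Connections that arrive on em1 (came in via ISP B, which rewrote public
# IP A to private IP C before handing the packet over) are answered through
# ISP B's router. reply-to is bound to the state created on the ingress
# interface, not to the destination address, so "public IP A via two ISPs"
# is simply two rules on two interfaces.
pass in on $ext_if_b reply-to ($ext_if_b $gw_b) inet proto tcp \
    from any to $ip_c port { 80 443 } flags S/SA keep state

# Locally originated traffic follows the normal routing table.
pass out all keep state
```

Each pf state is keyed by protocol, source address, source port, destination address and destination port, so two clients NATed behind the same address Z arrive with different source ports, create two separate states on whichever interface they entered, and each SYN/ACK leaves through that state's reply-to gateway.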