Date:      Sat, 14 Jun 2014 14:25:39 -0300
From:      Mario Lobo <lobo@bsd.com.br>
To:        freebsd-questions@freebsd.org
Subject:   Re: BSD as routing device for 2 ISPs
Message-ID:  <20140614142539.7dc1aa97@Papi>
In-Reply-To: <539C6975.3040404@mgedv.net>
References:  <539C6975.3040404@mgedv.net>

Hi;

I have a FreeBSD 8 STABLE doing just that!

On Sat, 14 Jun 2014 17:25:41 +0200
"no@spam@mgedv.net" <nospam@mgedv.net> wrote:

> hi,
> 
> although i had a look on pfsense, openbgpd, setfib(1) ideas and such,
> googlin' around and discussing with nw-admins for hours, i still don't
> really see a clear path for setting up a proper solution which is not
> sort of "tinkering" but still based on free OS's.

Not possible! You will have to tinker with it, starting by recompiling the
kernel with  options    ROUTETABLES=whatever.

> 
> situation:
> we have 2 independent ISPs, each running its own router/ext-ip-block.
> e.g. ISP A: IP 1.1.1.10-1.1.1.20, ISP B: IP 2.2.2.50-2.2.2.60.
> 

Almost exactly my situation.


> goal 1: inside->outside:
> - NAT and spread traffic load-based across ISPs to use both wires

I've done it like this:

nat on $ext_if1 from ! ($ext_if1) to any -> ($ext_if1) port 1024:65535
nat on $ext_if2 from ! ($ext_if2) to any -> ($ext_if2) port 1024:65535

[snip..]

pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin sticky-address inet proto { tcp, udp } from any to ! $int_if:network

This balances the traffic beautifully between both ISPs.

> - switch to "living" ISP in case the other goes down
> (losing active connections is ok and will of course happen)


Ahh! Heavy tinkering here.

I've developed a daemon that keeps testing both links for
connectivity. It acts together with a series of scripts that
re-write/reapply the whole pf.conf, directing everything to the link
that is working.

I also have two squids running, one for each ISP. Traffic is
round-robin redirected from the inside to them.


> goal 2: outside->inside:
> - NAT different external IPs to the SAME service inside
> (eg. smtp: NAT 1.1.1.11:25 and 2.2.2.51:25 to 192.168.10.10:25)
> - allow connecting to the same service via different routes
> simultaneously eg: ssh from 8.8.8.8->1.1.1.12:22
> while ssh from 9.9.9.9->2.2.2.12:22,
> both end up NAT'd at 192.168.10.20:22.

That's even simpler. Redirect the traffic on each ext_if to the ssh
daemon.

rdr pass on $ext_if1 inet proto tcp to port 22 -> 192.168.10.20 port 22

rdr pass on $ext_if2 inet proto tcp to port 22 -> 192.168.10.20 port 22

You will know your external IPs so you choose the link.

> 
> goal 3: firewalling:
> either this box is the firewall, or any other idea welcome.
> (currently, there's a separate hw-firewall running which does NAT,
> too)

In my case, it is THE firewall.

> oh, and the box will be run as virtual machine's guest OS.
> 

That shouldn't be a problem but test, test and test. Depending on the
hypervisor, results could be different.

In my case, it is a physical machine.

I hope this helps.

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winblows FREE)
 
"UNIX was not designed to stop you from doing stupid things, 
because that would also stop you from doing clever things."
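The failover part of the reply above (a daemon that probes both links and rewrites pf.conf so that everything goes to the surviving ISP) is described but not shown. The script below is an added example of that idea, not Mario's daemon and not from the FreeBSD project: it probes each ISP's next-hop gateway, maps the two link states onto the route-to clause from the message (round-robin while both are up, a single target when one is down), substitutes that rule into a pf.conf template and loads the result only after pfctl's syntax check accepts it. Interface names, addresses, gateways, the @ROUTE_RULE@ token and the file paths are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the daemon from the message above: a minimal link
# monitor for a two-ISP pf setup. It probes each ISP's next-hop gateway,
# derives the route-to policy from the two link states, substitutes it
# into a pf.conf template and loads the result only if pfctl accepts it.
# Interface names, addresses, gateways and file paths are assumed
# placeholders; $int_if/$ext_if macros are the ones the message uses.

EXT_IF1=em1;  EXT_IP1=1.1.1.10;  EXT_GW1=1.1.1.1
EXT_IF2=em2;  EXT_IP2=2.2.2.50;  EXT_GW2=2.2.2.1
PF_TEMPLATE=/etc/pf.conf.template   # holds the token @ROUTE_RULE@ on one line
PF_CONF=/etc/pf.conf
INTERVAL=10

# Probe a gateway with one ICMP echo sourced from the link's own address.
# FreeBSD ping(8): -S source address, -W reply wait in milliseconds.
probe_gw() {
    ping -c 1 -S "$1" -W 1000 "$2" >/dev/null 2>&1
}

# Map the two link states ("up"/"down") to the route-to clause:
# both up keeps the round-robin balance, one down sends all traffic to
# the survivor, both down fails so the caller leaves pf alone.
route_to_clause() {
    case "$1/$2" in
        up/up)   echo "route-to { ($EXT_IF1 $EXT_GW1), ($EXT_IF2 $EXT_GW2) } round-robin sticky-address" ;;
        up/down) echo "route-to ($EXT_IF1 $EXT_GW1)" ;;
        down/up) echo "route-to ($EXT_IF2 $EXT_GW2)" ;;
        *)       return 1 ;;
    esac
}

# Render the balancing rule. The nat and rdr rules need no rewriting,
# since each is already bound to its own external interface.
pass_rule() {
    clause=$(route_to_clause "$1" "$2") || return 1
    printf 'pass in on $int_if %s inet proto { tcp, udp } from any to ! $int_if:network\n' "$clause"
}

# Write the new pf.conf and load it, but only after a syntax check (-n).
apply_policy() {
    rule=$(pass_rule "$1" "$2") || { echo "both links down, pf left unchanged" >&2; return 1; }
    sed "s|@ROUTE_RULE@|$rule|" "$PF_TEMPLATE" > "$PF_CONF.new" || return 1
    pfctl -n -f "$PF_CONF.new" || { echo "generated pf.conf rejected" >&2; return 1; }
    mv "$PF_CONF.new" "$PF_CONF" && pfctl -f "$PF_CONF"
}

# Poll both links and reapply the policy only when a state changes.
monitor_loop() {
    prev=""
    while :; do
        s1=down; probe_gw "$EXT_IP1" "$EXT_GW1" && s1=up
        s2=down; probe_gw "$EXT_IP2" "$EXT_GW2" && s2=up
        if [ "$s1/$s2" != "$prev" ]; then
            echo "link state: $EXT_IF1=$s1 $EXT_IF2=$s2" >&2
            apply_policy "$s1" "$s2" && prev="$s1/$s2"
        fi
        sleep "$INTERVAL"
    done
}

# Usage: ./isp-monitor.sh run   (otherwise only the functions are defined)
case "${1:-}" in
    run) monitor_loop ;;
esac
```

Two points worth keeping in mind if you build on this: a reply from the next-hop gateway only proves that the wire to the ISP is up, not that the ISP can reach the Internet, so a stricter check would probe a remote address through each link (on FreeBSD that is where the extra routing tables from ROUTETABLES and setfib come in); and the pfctl -n step matters, because a rewrite that produces a broken pf.conf would otherwise take the firewall down along with the failed link.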