From owner-freebsd-net@FreeBSD.ORG Sat Feb 25 22:26:39 2006
Date: Sun, 26 Feb 2006 09:26:27 +1100
From: Edwin Groothuis <edwin@mavetju.org>
To: Chuck Swiger
Cc: freebsd-net@freebsd.org
Subject: Re: socket / bind - specific address
Message-ID: <20060225222627.GB92618@k7.mavetju>
In-Reply-To: <44005FD4.2010100@mac.com>
References: <20060225070722.GA92618@k7.mavetju> <44005FD4.2010100@mac.com>
List-Id: Networking and TCP/IP with FreeBSD
On Sat, Feb 25, 2006 at 08:47:00AM -0500, Chuck Swiger wrote:
> Edwin Groothuis wrote:
> > The situation is as follows:
> >
> > We have a couple of FreeBSD routers, with RFC1918 addresses on the
> > ethernets and a public address on the loopback. This works fine for
> > connecting to the routers, but is problematic for locally originated
> > outgoing traffic (think NTP, think syslog): it takes the IP address
> > of the outgoing interface, which is the RFC1918 address.
>
> You're giving lo0 a public IP? Why?

So that it's always reachable. The machines are routers (i.e. one or
more LAN interfaces, one or more WAN interfaces). If one WAN interface
is down, traffic will follow a different path. The loopback interface
is always up, so it's always reachable.

> If you want to reach the box via a public IP and are using 1-to-1 NAT
> translation to deliver the traffic to one of your NICs using unroutable RFC-1918
> addresses, why not configure that NIC to also have the public IP, too?

> The IP used for locally originated traffic should be governed by the address
> specified in the bind() call; if you want that to be different, normally you
> configure the associated software being run to use something else.

Yes, but what if the software doesn't support it? Like I said, I could
try a jail, but I wonder what kind of limitations that brings on what
the software can do. For example, does xntpd work inside a jail, does
snmpd work inside a jail, etc.

> I don't know how to override the default the kernel hands you if you leave the
> decision up to it, short of crafting the packets yourself or using some external
> capability like NAT to re-write the addresses being used.

Problem is that the incoming interface doesn't need to match the
outgoing interface, and that confuses ipnat (been there, done that,
forced the route) and that it causes other problems.

Edwin

-- 
Edwin Groothuis      |            Personal website: http://www.mavetju.org
edwin@mavetju.org    |          Weblog: http://weblog.barnet.com.au/edwin/
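The mechanism Chuck refers to, shown as an added example that is not code from the thread or from FreeBSD: a UDP client (think syslog or NTP) either lets the kernel pick the source address from the outgoing interface, or calls bind() on a specific local address before connect(), which is what a daemon has to do to source its traffic from the loopback's public address. The function below tries both and reads back the kernel's choice with getsockname(). It assumes IPv4 and a configured 127.0.0.1; the destination port 9 and the address 192.0.2.1 (TEST-NET-1, deliberately not configured anywhere) are arbitrary values chosen for the demonstration.

```c
/* Added example, not from the original thread. Shows how the source
 * address of locally originated UDP traffic is selected: kernel choice
 * (no bind) versus an explicit bind() to a local address. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

static int fail_keep_errno(int fd)
{
    int e = errno;
    close(fd);
    errno = e;
    return -1;
}

/* Determine the source address the kernel will stamp on datagrams sent
 * to dst. If src is non-NULL the socket is bound to it first; if src is
 * NULL the kernel picks the outgoing interface's address (the behaviour
 * the thread complains about). connect() on a UDP socket transmits
 * nothing; it only performs the route lookup and fixes the local address.
 * Returns 0 and writes the dotted-quad source into out, or -1 with errno. */
int source_for(const char *src, const char *dst, char *out, size_t outlen)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    if (src != NULL) {
        struct sockaddr_in local;
        memset(&local, 0, sizeof local);
        local.sin_family = AF_INET;
        local.sin_port = 0;                     /* any ephemeral port */
        if (inet_pton(AF_INET, src, &local.sin_addr) != 1) {
            errno = EINVAL;
            return fail_keep_errno(fd);
        }
        /* bind() fails with EADDRNOTAVAIL when src is not configured on
         * any interface (lo0 included), unless IP_BINDANY (FreeBSD) or
         * IP_FREEBIND (Linux) has been set on the socket. */
        if (bind(fd, (struct sockaddr *)&local, sizeof local) < 0)
            return fail_keep_errno(fd);
    }

    struct sockaddr_in remote;
    memset(&remote, 0, sizeof remote);
    remote.sin_family = AF_INET;
    remote.sin_port = htons(9);                 /* arbitrary: discard */
    if (inet_pton(AF_INET, dst, &remote.sin_addr) != 1) {
        errno = EINVAL;
        return fail_keep_errno(fd);
    }
    if (connect(fd, (struct sockaddr *)&remote, sizeof remote) < 0)
        return fail_keep_errno(fd);

    struct sockaddr_in chosen;
    socklen_t len = sizeof chosen;
    if (getsockname(fd, (struct sockaddr *)&chosen, &len) < 0)
        return fail_keep_errno(fd);
    close(fd);

    if (inet_ntop(AF_INET, &chosen.sin_addr, out, outlen) == NULL)
        return -1;
    return 0;
}

/* Convenience wrapper: 1 if the kernel chose `expect` as the source for
 * traffic to dst (after optionally binding to src), 0 otherwise. */
int source_is(const char *src, const char *dst, const char *expect)
{
    char buf[INET_ADDRSTRLEN];
    if (source_for(src, dst, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expect) == 0;
}

int main(void)
{
    char buf[INET_ADDRSTRLEN];

    if (source_for(NULL, "127.0.0.1", buf, sizeof buf) == 0)
        printf("unbound, to 127.0.0.1: kernel chose %s\n", buf);
    if (source_for("127.0.0.1", "127.0.0.1", buf, sizeof buf) == 0)
        printf("bound to 127.0.0.1:    source is %s\n", buf);
    /* An address the host does not own cannot be bound without
     * IP_BINDANY/IP_FREEBIND; this is the daemon-side limit Edwin hits. */
    if (source_for("192.0.2.1", "127.0.0.1", buf, sizeof buf) < 0)
        printf("bound to 192.0.2.1:    bind failed: %s\n", strerror(errno));
    return 0;
}
```

Two things worth checking on a real router before relying on this: the bind() must name an address that is actually configured (the public address on lo0 qualifies once it is up), and the far end must have a return route to that address, since replies no longer come back via the RFC1918 interface address. Daemons that never call bind() on a specific address, the case Edwin describes, leave the choice to the route lookup in connect()/sendto(), and no socket option on someone else's process changes that.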