Date:      Mon, 5 Mar 2001 16:43:46 -0600 (CST)
From:      Nick Rogness <nick@rogness.net>
To:        Mike Nowlin <mike@argos.org>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: questions re: multiple internet conn routing
Message-ID:  <Pine.BSF.4.21.0103051510070.29744-100000@cody.jharris.com>
In-Reply-To: <20010304025518.A1844@argos.org>

On Sun, 4 Mar 2001, Mike Nowlin wrote:

> 
> Just had a second DSL connection installed, and have several questions
> regarding how to map it into the FBSD router we use...
> 
> The basic setup here (with just the single DSL line, 32 IPs on that
> line) is DSL->Router->hosts, where DSL->Router is on dc0, and
> Router->hosts is on fxp0.  Basically, I added dc1 for the 2nd DSL
> connection.  Local traffic is split between fxp0 and dc2, depending on
> the subnet it's for.  (10.193.x.x or 10.98.x.x, and those subnets go
> to a pair of BSD routers that break things down further, going to
> several ethernet segs and Cisco 804s for various ISDN links, plus
> another router that has a cable connection on it for outgoing FTP/HTTP
> requests from certain machines, not to mention the 200+ "ppp -auto"
> links - kinda fun to figure out how a packet gets from point A to
> point B..:) )  Ah, the joys of having a network supporting a lot of
> physical locations that has to be cost-effective..
> 
> All of our machines are assigned a 10.x.x.x address, and I use ipfw
> and natd to do translation between the DSL1 and net-10 addresses -
> works beautifully.
> 
> First question: after playing with this a bit, I've come to the
> decision that I probably need to send NAT packets to two different
> divert sockets - one for each DSL IP block.  With /etc/natd.conf
> holding the NAT rules, is it possible to have two "port" or
> "alias_address" lines:
> 
>    alias_address 1.2.3.4
>    port 8668
>    redirect_address 10.1.1.7 1.2.3.7
>    redirect_address 10.1.1.8 1.2.3.8
>    alias_address 5.6.7.1
>    port 8669
>    redirect_address 10.1.1.7 5.6.7.7
>    redirect_address 10.1.1.8 5.6.7.8
>    
> ...or do I need to run two copies of natd for this to work correctly?

	You should run 2 different copies of natd.  More comments below.

> 
> Second question: I could probably do this blindfolded on a Cisco
> router, but is there some way to accomplish the Cisco idea of
> "policy-based routing" on a FBSD box?  I basically need to look at the
> source address of a packet and send it to the appropriate ethernet
> interface for the DSL IP block that matches that source address.

	The closest thing to Cisco's policy based routing (not including
	netgraph) is `ipfw fwd`.

	As a side note, one thing you are going to have a problem with is
	routing out these 2 different DSL providers.  Once the packet gets
	diverted (inbound from DSL provider-2) to a private address and
	run through your network, it doesn't know how to get back through
	to the original source DSL (provider-2) network, if your
	default gateway is through DSL provider-1.  There is no way
	in FreeBSD to do route caching on inbound interfaces.  If your DSL
	provider #1 is allowing only your hosts' IPs to go through his
	network (likely) you're SOL!

	However, there is a solution to this problem.  Run 3 copies of
	natd [!!].  Why???  I'll see if I can explain.  Consider the
	following diagram:

		ISP #1		ISP #2
		|		|
		 \	       /
		  dc0 - BSD - dc1
			|
			fxp0
			|
			Internet net (10.0.0.0)

	The BSD machine is running 2 different copies of natd, both
	operating on dc0 and dc1.  Its default gateway is through ISP #1.
	
	What happens when packets originate from (or through) ISP #2? :

	1) Packets get diverted to the proper redirect_address inside
	2) Packets get sent to the internal machine
	3) Machine responds to packet, sending it to the BSD machine
==>	4) BSD machine tries to send out ISP #1 because of default gateway
	5) ...timeout...timeout...timeout...

	ACK!  This is because FreeBSD doesn't support route caching.  So
	you solve this by tagging packets coming in from ISP #2 by
	changing the source address using natd -reverse and aliasing all
	inbound traffic to a non-routable address like 192.168.1.1.  This
	tricks the internal machines into thinking that all traffic from ISP #2
	is coming from one machine, 192.168.1.1.  Now you can add the
	appropriate route on your BSD machine:
	
		# route add 192.168.1.1 -iface dc1

	and force the packets to go the right way as they are on the
	return from the internal machines.  

	Here's the tricky part.  You also want to change the destination
	address (redirect_address) after the source address has been
	changed to 192.168.1.1 on incoming packets.  This is where your 3rd
	natd comes into play.  This 3rd natd will also keep track of your
	outbound address translations.  So here is how the packets
	get treated for ISP #2 traffic:

	1) Packets come in from a host (3.3.3.3) via ISP #2
	2) destination address is changed to internal machine-A
	3) Source address (3.3.3.3) is changed to 192.168.1.1
	4) Packet is sent to machine-A
	5) machine-A responds to packet, sends to BSD machine
	6) BSD machine changes destination from 192.168.1.1 to 3.3.3.3
	7) BSD machine changes source address from internal to public
	8) Packet is sent to ISP #2 (ipfw fwd).

	The firewall rules for these operations are a tad tricky.  Using
	a combination of skipto's, natd's, and fwd it seems to work
	OK.  If anyone would like more detail (config files, etc) please
	let me know.

	There may be a better solution...anyone?  


Nick Rogness <nick@rogness.net>
- Keep on routing in a Free World...  
  "FreeBSD: The Power to Serve!"
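The following is an added model of the eight-step packet walk in the reply above, not Nick's config or a FreeBSD component: it simulates natd #2 (redirect_address) and the natd -reverse instance as address rewriters plus a longest-prefix route lookup, and shows that without the reverse alias and its /32 route the reply to an ISP #2 host leaves via the default gateway (dc0), while with them it is routed out dc1. Addresses and interface names are the ones used in the thread; the ipfw fwd of step 8 is only noted in a comment.

```python
import ipaddress

EXTERNAL_HOST = "3.3.3.3"      # remote host reaching us via ISP #2 (from the mail)
ISP2_PUBLIC = "5.6.7.7"        # ISP #2 address redirected to machine-A
MACHINE_A = "10.1.1.7"         # internal machine-A
REVERSE_ALIAS = "192.168.1.1"  # alias used by natd -reverse for ISP #2 sources

def route_lookup(routes, dst):
    """Longest-prefix match over [(prefix, iface)], like the kernel's table."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

class PublicNat:
    """natd #2: 'redirect_address 10.1.1.7 5.6.7.7' and its inverse for replies."""
    def __init__(self, redirects):
        self.to_internal = dict(redirects)                  # public -> internal
        self.to_public = {v: k for k, v in redirects.items()}
    def inbound(self, p):   # packet from ISP #2: rewrite destination
        return {"src": p["src"], "dst": self.to_internal.get(p["dst"], p["dst"])}
    def outbound(self, p):  # reply to ISP #2: rewrite source back to public
        return {"src": self.to_public.get(p["src"], p["src"]), "dst": p["dst"]}

class ReverseNat:
    """natd #3 (-reverse): alias the SOURCE of inbound packets to 192.168.1.1."""
    def __init__(self, alias):
        self.alias = alias
        self.peer = {}      # internal host -> real external source (one flow per host here)
    def inbound(self, p):
        self.peer[p["dst"]] = p["src"]
        return {"src": self.alias, "dst": p["dst"]}
    def outbound(self, p):  # reply addressed to the alias: restore the real destination
        if p["dst"] == self.alias and p["src"] in self.peer:
            return {"src": p["src"], "dst": self.peer[p["src"]]}
        return p

def simulate(with_reverse_natd):
    """Run steps 1-8 of the mail; return (egress iface chosen for the reply, final reply)."""
    routes = [("0.0.0.0/0", "dc0"), ("10.0.0.0/8", "fxp0")]   # default gateway = ISP #1
    pub, rev = PublicNat({ISP2_PUBLIC: MACHINE_A}), ReverseNat(REVERSE_ALIAS)
    if with_reverse_natd:
        routes.append((REVERSE_ALIAS + "/32", "dc1"))        # route add 192.168.1.1 -iface dc1
    pkt = {"src": EXTERNAL_HOST, "dst": ISP2_PUBLIC}          # 1) arrives via ISP #2
    pkt = pub.inbound(pkt)                                    # 2) dst -> machine-A
    if with_reverse_natd:
        pkt = rev.inbound(pkt)                                # 3) src -> 192.168.1.1
    reply = {"src": pkt["dst"], "dst": pkt["src"]}            # 4/5) machine-A answers
    iface = route_lookup(routes, reply["dst"])                # kernel picks the interface here
    if with_reverse_natd:
        reply = rev.outbound(reply)                           # 6) dst -> 3.3.3.3
    reply = pub.outbound(reply)                               # 7) src -> 5.6.7.7; 8) ipfw fwd keeps it on dc1
    return iface, reply
```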