Date: Wed, 06 Mar 2002 15:41:39 +0100
From: "Roger 'Rocky' Vetterberg" <listsub@rambo.simx.org>
To: Edwin Groothuis <edwin@mavetju.org>
Cc: questions@FreeBSD.ORG
Subject: Re: multiple defaultrouter
Message-ID: <3C862AA3.2050404@rambo.simx.org>
References: <20020304001952.PLTC8848.mta02-svc.ntlworld.com@there> <005301c1c32f$21a623a0$1e01a8c0@lc.ca.gov> <20020303214112.2e786336.chip@wiegand.org> <20020304171534.H576@k7.mavetju.org>

Edwin Groothuis wrote:

>On Sun, Mar 03, 2002 at 09:41:12PM +0000, Chip Wiegand wrote:
>
>>On Sun, 3 Mar 2002 19:46:11 -0800
>>"Drew Tomlinson" <drew@mykitchentable.net> wrote:
>>
>>>----- Original Message -----
>>>From: "Mike D" <d01f1n@yahoo.com>
>>>To: <questions@freebsd.org>
>>>Sent: Sunday, March 03, 2002 4:19 PM
>>>Subject: multiple defaultrouter
>>>
>>>>I have a machine that sits in the dmz and needs to be use 2
>>>>firewalls as gateways as possible, otherwise one firewall does not
>>>>know what to do with traffic intended for the other one.
>>>>
>>>>Basically, how do I specify 2 "defaultrouter"s for 1 machine?
>>>>
>>>I don't think this is possible. What exactly are you trying to do?
>>>Can you include a diagram of your setup?
>>>
>>>Drew
>>>
>>I'd be interested in the answer to this also. I know it's possible on a
>>winNT box - to have two different gateways. If it's possible on a
>>winblows box, then it must be possible on a FreeBSD box, right? ;-)
>>
>
>But what does it do then?
>Does it send every other packet to the other gateway or is it saving
>the second one in case the first one dies?
>
>Honestly, the problem of this guy (two firewalls) is a problem in
>the fact that his firewalls can't resume stateful sessions if one
>dies. Big deal, this has always been a problem. What he should do
>is make a firewall-pair which have one unique IP address (per server)
>and one shared IP address. They have to monitor each other and the
>standby one has to take over the moment the active one isn't working
>anymore. The shared IP address is the one which is his default
>gateway.
>
>Edwin
>

This is an issue I have investigated for a long time, but so far I have
not been able to find a solution.

I have 2 different machines with individual internet access. Both
machines run nat and are fully capable of functioning as gateways.
By default, the machine called 192.168.0.3 handles all internet bound
traffic, *but* 192.168.0.10 is fully capable of doing exactly what the
0.3 machine does.

In the win2k based workstation, I can add 2 default routes, and specify
a metric for each route. As of now, all workstations have 192.168.0.3
with metric 1 and 192.168.0.10 with metric 10.
If a win2k is unable to reach a host through 192.168.0.3, or is unable
to reach 192.168.0.3 itself, it will try 192.168.0.10 instead.

This is very useful, since I can reboot any of the two gateway machines
at any given time, without breaking internet connectivity for the
workstations. Of course, all open connections, such as big file
transfers over ftp, irc or similar will be killed and restarted in the
event of a "gateway switch". However, it takes no more than a few
seconds for the win2k's to switch to the other gateway and be online
again. Since most of the users here only use internet for http and
mail, they have never even noticed when a gateway goes down.

If 192.168.0.3 has been dead or unreachable, and then comes back up,
the win2k will go back to using 192.168.0.3 as default gateway.
I have not investigated how often the win2k's check if a "dead" gateway
is back up, they may do it every time they try to connect, but it
doesn't seem to add any noticeable delay in network traffic.

I would love to see this in FreeBSD as well. As someone stated earlier
in this thread, the 'route' command does not allow you to add two
routes with the default keyword.
In my case, I would like to see something like this doable:

route add default metric 1 192.168.0.3
route add default metric 10 192.168.0.10

Any ideas how this could be accomplished?

--
R
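
The failover and failback behaviour asked for in the message above, as a /bin/sh script added here as an example (it is not part of the original message or of FreeBSD): it keeps a single default route and repoints it at the lowest-metric gateway that answers a ping. It assumes FreeBSD's `route` and `ping`, checks only that the gateway itself answers rather than hosts beyond it, and the function names, the script name and the 5-second interval are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Gateways and metrics are the ones in
# the message; function and variable names are hypothetical.
GATEWAYS="1:192.168.0.3 10:192.168.0.10"    # metric:gateway, lowest wins

# probe GW: succeed if the gateway answers one ping.
# FreeBSD ping flags: -c count, -t overall timeout in seconds.
probe() { ping -c 1 -t 2 "$1" >/dev/null 2>&1; }

# current_gw: print the default gateway currently in the routing table.
current_gw() { route -n get default 2>/dev/null | awk '/gateway:/ {print $2}'; }

# set_gw GW: repoint the single default route (add it if none exists).
set_gw() {
    route change default "$1" >/dev/null 2>&1 ||
        route add default "$1" >/dev/null
}

# pick_gateway: print the reachable gateway with the lowest metric.
# Returns 1 when no gateway answers.
pick_gateway() {
    for entry in $(printf '%s\n' $GATEWAYS | sort -t: -k1,1n); do
        gw=${entry#*:}
        if probe "$gw"; then
            printf '%s\n' "$gw"
            return 0
        fi
    done
    return 1
}

# failover_once: one check. Switches only when the preferred reachable
# gateway differs from the installed one, which also gives failback once
# the lower-metric gateway answers again.
failover_once() {
    want=$(pick_gateway) || return 1    # nothing reachable: keep the route
    [ "$want" = "$(current_gw)" ] && return 0
    set_gw "$want"
}

# "sh gwfailover.sh run" polls every 5 seconds (interval is an assumption).
if [ "${1:-}" = "run" ]; then
    while :; do
        failover_once
        sleep 5
    done
fi
```

As in the Windows 2000 setup described in the message, established connections still break on a switch; only new connections follow the new route.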