From: Jon Radel <jon@radel.com>
To: freebsd-questions@freebsd.org
Date: Mon, 20 Jun 2011 18:13:47 -0400
Subject: Re: Two Networks on one System
Message-ID: <4DFFC61B.2080201@radel.com>
In-Reply-To: <201106202107.p5KL7PW0091851@x.it.okstate.edu>

On 6/20/11 5:07 PM, Martin McCormick wrote:
> We are moving a primary name server from network A to
> network B on one of our branch campuses. If the secondary
> interface was reachable from the world, we can change the whois
> information and not worry about the exact second the change goes
> in to effect.

Can networks A and B talk to each other? I suspect not, otherwise things would be just working even if all traffic went to the primary's gateway, but I just wanted to check that there wasn't something else bad happening.

On the assumption that A and B are completely disconnected, then the only solution for this problem that I know of is to do policy-based routing using the source address or interface to make routing decisions, rather than using solely the destination address. This is actually relatively trivial to do using PF.

    pass in on $nic_a reply-to ($nic_a $gw_a)
    pass in on $nic_b reply-to ($nic_b $gw_b)

with the various interfaces named appropriately and variables set to match should get you much of the way there. If you're using a slightly older version of PF, where keeping state on connections is not the default, you'll have to add state maintenance options to the lines. If you want packets to local machines to not go to the gateways and do u-turns there, you'll have to add a bit of filtering based on addresses, etc., etc.

The explanation for the first line is more or less: For any new "connection" that comes in on NIC A, add an entry to the state table indicating that any reply packets should physically go out NIC A and should be passed to the next hop at address $gw_a.

WARNING: I use PF primarily on OpenBSD so sometimes get caught out on the subtle differences to the FreeBSD version.

--
Jon Radel
jon@radel.com
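The following is an added example and not part of Jon's reply or of any FreeBSD documentation: a complete pf.conf that puts his two reply-to rules together with the two refinements he mentions (explicit state keeping for older PF, and a local-network exception so replies to directly attached hosts are not bounced off the gateways). The interface names em0/em1, the gateway addresses and the prefixes are constructed placeholders; substitute the real ones.

```pf
# /etc/pf.conf -- added example built around the reply-to approach above.
# Interface names, addresses and prefixes are constructed placeholders.

# Interface facing network A, its upstream gateway and its local prefix
nic_a = "em0"
gw_a  = "192.0.2.1"
net_a = "192.0.2.0/24"

# Interface facing network B, its upstream gateway and its local prefix
nic_b = "em1"
gw_b  = "198.51.100.1"
net_b = "198.51.100.0/24"

set skip on lo0

# Traffic from the directly attached networks is answered over the
# attached interface without touching the gateway. PF is last-match
# by default, so "quick" stops evaluation here and keeps these
# connections out of the reply-to rules below (the "u-turn" case).
pass in quick on $nic_a from $net_a keep state
pass in quick on $nic_b from $net_b keep state

# Anything else arriving on an interface gets a state entry that pins
# its replies to that same interface and that network's next hop,
# regardless of which interface holds the default route.
# "keep state" is the default on current PF; it is spelled out so the
# rules also behave on older versions where it was not.
pass in on $nic_a reply-to ($nic_a $gw_a) keep state
pass in on $nic_b reply-to ($nic_b $gw_b) keep state

# Connections the host itself originates follow the normal routing table.
pass out keep state
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then confirm the behaviour with `pfctl -s states` while a query arrives on the non-default interface: the state entry for that connection should show the reply-to interface and gateway. Since the box is a name server, the two reply-to rules can be narrowed to the service actually exposed by adding `proto { tcp udp } to port domain`, so that policy routing is only ever set up for DNS traffic rather than for every inbound connection.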