Date:      Thu, 16 Dec 2010 23:15:15 -0800
From:      Julian Elischer <julian@freebsd.org>
To:        Jayster <jayster@comcast.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Web Server supporting up to 4 WANs/Interfaces
Message-ID:  <4D0B0E03.2020707@freebsd.org>
In-Reply-To: <17835728.248313.1292567569116.JavaMail.root@sz0077a.emeryville.ca.mail.comcast.net>
References:  <17835728.248313.1292567569116.JavaMail.root@sz0077a.emeryville.ca.mail.comcast.net>

On 12/16/10 10:32 PM, Jayster wrote:
> I am in need of immediate help and while I rarely post on boards or
> lists (I promise I'll start sharing more of my own wisdom in the
> future), this issue has me stumped like no other. First of all, I need
> multiple gateways. Yes, I understand there is no such thing as multiple
> "default" gateways and I have a solid grasp of networking in general...
> I also have a reasonable grasp of FreeBSD, though I am nowhere near the
> expert of many. I actually come from the world of programming and I've
> only used Linux and Windows in the past.
>
> I am currently working on a big project that involves many sites and a
> custom appliance with multiple applications designed in-house. In fact,
> I might be the ONLY person in snowy Michigan hiring right now... After
> an exhaustive investigation, I chose FreeBSD over all other OSs. It was
> not a light choice, but I've been very pleased despite having zero
> knowledge at the start of it. The main reasons were flexibility,
> licensing and, most importantly, I'm still shocked how open the
> community is to answering questions in posts, instead of putting people
> down for having less knowledge than a rude poster. I have found an
> answer to the most obscure questions through very quick Google
> searches... until now. Kudos to those who take the time... FreeBSD far
> outnumbers other OS communities. Please help me avoid this issue being
> the big letdown, possibly forcing us to leave FreeBSD. I like the OS
> way too much already.
>
> Now the issue. Without too much detail, my device has 4 GigE ports on
> it. Each will be attached to a routed network. There is NO routing
> required between networks inside the box (not a router or firewall) and
> in fact, it CANNOT be allowed to happen because of security. Instead,
> each WAN port needs access to this box, but nothing beyond. The access
> consists of a web server, though several other ports are required, such
> as SNMP traps, syslog, etc. Getting to the box is easy, routers do all
> the work. The issue is getting traffic back through the same interface
> it came in on and through the same router gateway. As we all know, only
> 1 gateway can be assigned in FreeBSD, unlike other flavors of Linux.
> Even the ones who don't offer single line gateway support can use
> iptables to accomplish this task. But iptables is not supported in
> FreeBSD. Not a bad thing as long as comparable solutions exist.
>
> Setting up static routes is not the solution. The problem with it is
> that multiple sites which will have this box will not have access to
> the next hop info from the gateway (the next hop gateway and subnet on
> the other side of the router). So I cannot use static routes.
>
> pfSense appears to support this (though not tested by me). I REALLY do
> not want to go that route. We have invested 3 months into adding many
> apps to the FreeBSD we have. pfSense is a custom FreeBSD kernel with
> many changes. Many message boards claim it breaks many ports and
> changes other behaviors. Even if it didn't, we are under deadline and
> moving everything over to a new FreeBSD version and then extensively
> testing everything repeatedly again would be a nightmare. I am
> interested in experiences with it if it becomes the last resort,
> though.
>
> I have tried both PF and IPFW. Different posts around the web claim
> multiple gateway solutions using both of them. I have tried each of the
> recommended setups, but had no luck. If you read the last responses to
> each of those posts, others also state they could not duplicate what is
> claimed, as well. PF looks the most promising. It has "if-bound", which
> is supposed to keep interface traffic on the same interface. That is a
> good first step. But pointing it to the gateway on that interface is
> still an issue. Please HELP!!! I haven't slept in days and I've been
> stuck for a week now!!! This is our last showstopper.
>

If you are running on FreeBSD 8 or newer you have two solutions open
to you (maybe 3).

* Firstly, you can assign a completely different routing table to each
socket so that packets from one socket only see things through the
perspective of one routing table but packets from another socket behave
according to the rules of a completely different routing table.
Alternatively you can assign a different routing table to a process and
its descendants. You can also use ipfw fwd to remap ports and addresses,
in conjunction with the different routing tables. Routing tables are
sometimes called FIBs (Forwarding Information Bases).

man setfib(1) and setfib(2) for more details.
Also see the setfib socket option in setsockopt(2).

There are details that are still open for development (like IPv6
support) but it sounds like it will do what you want.

* The second option is the new jail support.

While setfib and friends can easily allow a single process to act
differently on a socket by socket basis, the new jail facilities allow
you to take multiple interfaces and assign them to different jails, and
each jail can be given a completely different routing table or in fact
a completely different SET of routing tables.

man jail   and man ifconfig            (ifconfig vnet)

* As a poor third contender you can do really funky things with the
ipfw 'fwd' command.

julian

(Let me know offline a bit more about what you want and maybe I can be
a bit more specific about how to do it.)



> Jay
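The first option in Julian's reply, one FIB per WAN interface with ipfw tagging inbound packets, as an added worked example. This script is not code from the thread or from the FreeBSD project. The interface names (em0..em3), FIB numbers and on-link router addresses are constructed sample values in the RFC 5737 documentation ranges; it assumes net.fibs=4 has been set in /boot/loader.conf (a boot-time tunable on 8.x) and that ipfw is loaded. Run with no arguments it only prints the commands for review; with "apply" it executes them as root.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD project): one routing
# table (FIB) per WAN interface on FreeBSD 8+, driven from a small table so
# the same script ships to every site and only the gateway column changes.
#
# Assumptions (hypothetical values): net.fibs=4 is set in /boot/loader.conf,
# ipfw is loaded, and the box has em0..em3 with these on-link routers.
WAN_TABLE='em0 0 192.0.2.1
em1 1 198.51.100.1
em2 2 203.0.113.1
em3 3 192.0.2.129'

# Print the commands that configure the FIBs and the ipfw tagging rules.
fib_commands() {
    # The box must never route between the WANs; say so explicitly rather
    # than relying on the default.
    echo "sysctl net.inet.ip.forwarding=0"

    # Each FIB gets its own default route through the router on that link.
    # Only the directly connected gateway is needed, nothing about what lies
    # beyond it, so the remote sites need not disclose their topology.
    echo "$WAN_TABLE" | while read -r ifn fib gw; do
        echo "setfib $fib route add default $gw"
    done

    # Belt and braces: drop anything that arrives for an address that is not
    # ours, so the box cannot be used as a hop between WANs even if
    # forwarding is switched on by mistake.
    echo "ipfw add 100 deny ip from any to not me in"

    # Tag each inbound packet with the FIB of the interface it arrived on.
    # setfib is a non-terminating action, so the search continues to the
    # allow rule below.  TCP connections accepted from a tagged SYN keep that
    # FIB, so their replies leave through the same interface and gateway.
    echo "$WAN_TABLE" | while read -r ifn fib gw; do
        echo "ipfw add $((200 + fib)) setfib $fib ip from any to any in recv $ifn"
    done
    echo "ipfw add 300 allow ip from any to any"
}

# Usage: sh fibs.sh          (print the commands for review)
#        sh fibs.sh apply    (execute them, as root)
if [ "${1:-}" = "apply" ]; then
    fib_commands | sh -e
else
    fib_commands
fi
```

Two caveats a practitioner will hit. The ipfw tag is carried by the packet, not by a socket, so it covers the web server's accepted TCP connections and the inbound-only UDP listeners (trap and syslog receivers) in the poster's description; a UDP daemon that answers requests sends from the FIB its socket was given, which is FIB 0 unless the process was started under setfib(1) or the socket option from setsockopt(2) was used. And the per-FIB default routes need only the router on each link, which is exactly the information the remote sites can supply without exposing what lies behind their gateways.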




