Date: Wed, 12 May 2004 18:20:59 -0700 (PDT) From: Ken Bolingbroke <freebsd@bolingbroke.com> To: "Eli K. Breen" <eli@gopostal.ca> Cc: freebsd-stable@freebsd.org Subject: Re: Multiple Internet feeds to a single machine. Message-ID: <20040512180711.X67683@saruman.bolingbroke.com> In-Reply-To: <40A2A5C7.4030801@gopostal.ca> References: <40A2A5C7.4030801@gopostal.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 12 May 2004, Eli K. Breen wrote: > Has anyone successfully used two different Internet connections to feed > a single BSD machine, without BGP? Yes, I've done this. > Also, it is possible to have two copies of natd running on different > ports in order to accomplish this (each with their own config file)? > natd-a : 8668, > natd-b: 8669 and have the following rules in ipfw: Yes, this works, and this is almost just what I did myself. I have a DSL line and a cable connection. I wanted to be able to easily switch my default route from one to the other as needed (they go offline occasionally), and I also wanted to be able to access my server from outside via either connection. I used 'ipfw' to sort things out correctly. The main key for me was to apply a 'fwd' rule to make sure things went out the right line. That is, the main problem was that if my default route pointed at DSL, if a connection came in on cable, then the response would try to go out on the default route through DSL. But the DSL provider would reject anything not coming from my DSL IP. And I couldn't NAT it as coming from my DSL IP, because then the original client wouldn't recognize my response. So 'fwd' would set the next-hop to the correct gateway. That created a new problem, though...a match on a 'fwd' rule aborts further processing of the ruleset, and this broke my rules, including NAT. I could have perhaps worked around that by replacing all my 'accept' rules with 'fwd' rules, but that was just too ugly. Instead, I hacked the ipfw.c source code to make any 'fwd' matches continue with the rest of the rules. That way the next-hop would be set as I wanted it, but I could still apply all my firewall and NAT rules. This worked beautifully for quite a long time and I was able to easily access either Internet connection from both inside and outside. Recently though, the gateway machine burned out and I lost both hard disks on it, including the copies of the source code modification and my rule sets. I haven't yet recreated it, and I'm hoping to find a better solution that doesn't require hacking ipfw.c. But if you come up short on any other solution, modifying the 'fwd' behavior can do the trick decently. Ken Bolingbroke
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040512180711.X67683>