Date: Mon, 17 Jul 2017 10:46:45 -0600
From: Alan Somers <asomers@freebsd.org>
To: Eugene Grosbein <eugen@grosbein.net>
Cc: Grzegorz Junka <list1@gjunka.com>, FreeBSD Net <freebsd-net@freebsd.org>, freebsd-jail@freebsd.org
Subject: Re: A web server behind two gateways?
Message-ID: <CAOtMX2h6zBi4aVDSdUP_Po_JwOLbxynanZ624530mGLk16fWbg@mail.gmail.com>
In-Reply-To: <596CA093.6020508@grosbein.net>
References: <a35370da-531d-6678-4a60-95304bdd919b@gjunka.com> <596CA093.6020508@grosbein.net>
On Mon, Jul 17, 2017 at 5:33 AM, Eugene Grosbein <eugen@grosbein.net> wrote:
> On 16.07.2017 19:48, Grzegorz Junka wrote:
>> Hello,
>>
>> I have a jail running a web server in LAN. There are two routers/WANs
>> that can connect LAN to the internet. I enabled NAT and port forwarding
>> to the web server on both routers.
>>
>> The problem is that the web server responds to requests only from one
>> router at a time depending on the default gateway set on the jail's
>> host. If the default gateway is set as router 1 then the web page can be
>> opened only through WAN1 and vice versa.
>>
>> Can I configure either router/host/jail so that the web server sends the
>> response back to the IP that sent the request packet rather than to the
>> default gateway?
>
> This is the job of the external NAT box to route translated replies to the right WAN
> based on the external source IP address produced during translation of the reply.
> The jail or internal NAT have nothing to do with the problem.
>
> So, the solution depends on the kind of NAT you use.

That's not 100% true. The web server is choosing which gateway to use. As Grzegorz said, it's only configured to use a single gateway at a time. To do what Grzegorz wants, he'll need to use multiple fibs. Set "net.fibs=2" and "net.add_addr_allfibs=0" in /boot/loader.conf and reboot. You'll be able to configure a separate gateway for each fib. The hard part, though, is configuring your web server to use multiple fibs. I don't know if any common web server has that kind of support built in. But your next guess was good.

>
>> And a bonus question, how can I configure two jails so that each jail
>> sends packets to a different gateway (which may or may not be the same
>> as the jails' host's default gateway)?
>
> Read "man jail" for "vnet" feature.

This is definitely the path of least resistance. Basically, you'll assign each jail to a separate fib, so you'll still need the loader.conf settings I mentioned.
Unfortunately, VNET/VIMAGE isn't in the standard kernel. If you're unable to run a custom kernel on this machine, you can still create two jails on separate fibs. The biggest downside compared to VNET/VIMAGE is that they'll share a single DNS resolver. Here's how to do it:

* Make the loader.conf settings I mentioned earlier.
* Create a separate static IP address for each jail, and associate each with a separate fib. Your rc.conf should contain something like this:
  ifconfig_igb1_alias0="inet 10.1.2.76/20 fib 0"
  ifconfig_igb1_alias1="inet 10.1.18.76/20 fib 1"
* Add the default routes in /etc/rc.local like this:
  /sbin/route add default 10.1.0.1 -fib 0
  /sbin/route add default 10.1.16.1 -fib 1
* Assign one address to one jail and the other address to the other jail.
* Ensure that in each jail, the web server starts with the correct fib. For example, if you're using apache24, I think you can put "apache24_fib=1" in /etc/rc.conf. Other web servers may require something different, depending on how their RC scripts are written.

Happy hacking!
-Alan
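The per-fib setup Alan lays out above, as an added example that is not part of the thread: a POSIX sh script that emits the loader.conf, host rc.conf, rc.local and jail rc.conf lines for each fib, and refuses to emit a fib whose default gateway is not on the subnet of the address bound to that fib (the mismatch that leaves replies with no path out the matching WAN). It assumes the interface name igb1 and the addresses from the message; the apache24_fib line is the one Alan suggests.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the per-fib config lines
# Alan describes (loader.conf, rc.conf alias, rc.local route, jail rc.conf)
# and refuse to emit a fib whose default gateway is off that fib's subnet,
# since such a fib would never get replies out of its own WAN.
# Assumes FreeBSD syntax as quoted in the thread; addresses are the thread's.

# ip4_to_int 10.1.2.76 -> 167838284 (subshell body keeps the IFS change local)
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# same_subnet ADDR/PREFIX GW: succeeds if GW lies inside ADDR's subnet
same_subnet() {
    _addr=${1%/*}; _prefix=${1#*/}
    _mask=$(( (4294967295 << (32 - _prefix)) & 4294967295 ))
    [ $(( $(ip4_to_int "$_addr") & _mask )) -eq \
      $(( $(ip4_to_int "$2") & _mask )) ]
}

# loader_lines N: the /boot/loader.conf settings needed before any of this works
loader_lines() {
    printf 'net.fibs=%s\nnet.add_addr_allfibs=0\n' "$1"
}

# fib_lines FIB IFACE ADDR/PREFIX GW: the host rc.conf alias line, the
# rc.local route line and the jail's rc.conf line for one fib; fails if
# GW is off-subnet so a broken fib is never written out.
fib_lines() {
    if ! same_subnet "$3" "$4"; then
        echo "fib $1: gateway $4 is not on $3" >&2
        return 1
    fi
    printf 'ifconfig_%s_alias%s="inet %s fib %s"\n' "$2" "$1" "$3" "$1"
    printf '/sbin/route add default %s -fib %s\n' "$4" "$1"
    printf 'apache24_fib="%s"\n' "$1"   # goes in that jail's /etc/rc.conf
}

# Constructed values from the thread: one address and gateway per fib on igb1
print_config() {
    loader_lines 2 &&
    fib_lines 0 igb1 10.1.2.76/20 10.1.0.1 &&
    fib_lines 1 igb1 10.1.18.76/20 10.1.16.1
}

print_config
```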
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOtMX2h6zBi4aVDSdUP_Po_JwOLbxynanZ624530mGLk16fWbg>