From: Andrea Venturoli
Date: Mon, 28 Apr 2014 10:58:42 +0200
To: freebsd-net@freebsd.org
Subject: Server with multiple public IP
Message-ID: <535E1842.20905@netfence.it>
List-Id: Networking and TCP/IP with FreeBSD

Hello.

This has probably come up several times, however...

I've got a server which has two (or more) interfaces with public IPs.
Let's say, as an example (with fictional IPs):

    ifconfig_vlan1="inet 1.0.0.2 netmask 255.255.255.248..."
    ifconfig_vlan2="inet 2.0.0.2 netmask 255.255.255.248..."

Of course, I can only have one default route, let's say 1.0.0.1.
This is fine for outgoing traffic and for incoming connections on vlan1.
However, when someone from the outside connects to 2.0.0.2, reply packets still go out through 1.0.0.1 (on vlan1), but they should go through vlan2 to 2.0.0.1.

The only way I found so far to achieve this is through ipfw:

    ipfw add 30 fwd 2.0.0.1 tcp from 2.0.0.2 to not 2.0.0.0/29 out

This more or less works, but it will break ipfw firewalling (since after that rule matches, "the search terminates").
Besides, I don't feel this is a very clean solution.

So I wonder: do other ways exist to achieve this? Any best practice?

I thought natd might help, but found no reference to this functionality in its docs...
Does any other program exist which I can "divert" packets to, which would modify and reinject them as natd does?

Another thing I thought of would be combining two firewalls (ipfw + pf/ipf), letting one do the filtering and leaving the above problem to the other.
I'm not sure how hard this would be, however, so if a simple solution exists...

Any hint appreciated.

bye & Thanks
av.
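As an added example, not part of the original mail or the poster's own configuration: a POSIX sh script that generalises the single `fwd` rule above to any number of secondary public interfaces and emits the corresponding ipfw commands. It keeps the `to not <subnet>` restriction from the mail (so on-link neighbours are not bounced through the gateway) and the `out` direction, but matches `ip` rather than only `tcp`, since UDP and ICMP replies would otherwise still leave through the default route. The 2.0.0.x addresses are the fictional ones from the mail, the 3.0.0.x entry is constructed, and the rule numbers, variable names and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail: emit one ipfw "fwd" rule per
# secondary public interface so reply traffic sourced from that interface's
# address leaves via that interface's gateway instead of the default route.
# Addresses 2.0.0.x are the fictional ones from the mail; the 3.0.0.x entry,
# the rule numbers and all variable/function names are assumptions.

# One entry per secondary interface: "<local address> <gateway> <subnet/prefix>".
# Constructed sample input; 1.0.0.2/29 via 1.0.0.1 remains the system default.
SECONDARY_IFACES="2.0.0.2 2.0.0.1 2.0.0.0/29
3.0.0.2 3.0.0.1 3.0.0.0/29"

# First rule number. A matching fwd rule ends the search (as the mail notes),
# so choose this deliberately relative to the rest of the ruleset.
RULE_BASE="${RULE_BASE:-30}"

# fwd_rule LOCAL GW SUBNET RULENO -> prints one ipfw rule.
# "ip" (not only "tcp") also covers UDP and ICMP replies; "to not SUBNET" keeps
# on-link neighbours from being sent through the gateway; "out" limits the rule
# to packets this host is transmitting.
fwd_rule() {
    printf 'add %s fwd %s ip from %s to not %s out\n' "$4" "$2" "$1" "$3"
}

# emit_fwd_rules -> prints the whole set, numbered from RULE_BASE upwards.
emit_fwd_rules() {
    n="$RULE_BASE"
    printf '%s\n' "$SECONDARY_IFACES" | while read -r local gw subnet; do
        [ -n "$local" ] || continue
        fwd_rule "$local" "$gw" "$subnet" "$n"
        n=$((n + 1))
    done
}

# Syntax-check the generated rules when ipfw(8) is available ("ipfw -n" parses
# a command without passing it to the kernel); otherwise print them for review.
if command -v ipfw >/dev/null 2>&1; then
    emit_fwd_rules | while read -r rule; do ipfw -n $rule; done
else
    emit_fwd_rules
fi
```

Run it on the FreeBSD host to see the rules it would add; on a machine without ipfw it simply prints them. Because a matching `fwd` rule terminates the search, the relative placement of these rules and the filtering rules still has to be chosen consciously, which is why the starting number is a parameter rather than fixed at 30.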