Date: Mon, 28 Apr 2014 12:06:21 +0100 From: Dominic Froud <dom@talk2dom.com> To: freebsd-net@freebsd.org Subject: Re: Server with multiple public IP Message-ID: <535E362D.1050408@talk2dom.com> In-Reply-To: <535E2A2F.3030505@freebsd.org> References: <535E1842.20905@netfence.it> <535E1C66.6090004@talk2dom.com> <CAPS9%2BSuGbQgZ0yM5HSy8KhPRF_-7ixuMf26DHJ27XqoJWPZX1A@mail.gmail.com> <535E231A.1050800@netfence.it> <535E293C.5050705@freebsd.org> <535E2A2F.3030505@freebsd.org>
On 28/04/2014 11:15, Julian Elischer wrote:
> replying to myself..
>
> On 4/28/14, 6:11 PM, Julian Elischer wrote:
>> On 4/28/14, 5:44 PM, Andrea Venturoli wrote:
>>> On 04/28/14 11:18, Andreas Nilsson wrote:
>>>
>>>> You could put all the services which are on 2.0.0.2 in a separate
>>>> fib and there have another default-route.
>>>
>>> Thanks, but unfortunately I can't, since some services must be able
>>> to answer on both addresses.
>>
>> the answer is to use the ipfw setfib rule for incoming packets on the
>> second interface.
>>
>> setfib 1 ip from any to any in recv em0
>>
>> In new freebsd kernels you can do this with ifconfig em0 fib 1 (I
>> think that's the syntax) without involving ipfw.
>>
>> then the session will inherit that fib. Outgoing packets from that
>> session will use fib 1 while other outgoing packets will use fib0.
>
> from the ifconfig man page. (FreeBSD 11 but I think it's in 10 too.)
>
> fib fib_number
>     Specify interface FIB. A FIB fib_number is assigned to all
>     frames or packets received on that interface. The FIB is not
>     inherited, e.g., vlans or other sub-interfaces will use the
>     default FIB (0) irrespective of the parent interface's FIB. The
>     kernel needs to be tuned to support more than the default FIB
>     using the ROUTETABLES kernel configuration option, or the
>     net.fibs tunable.
>
> this can be simulated using ipfw setfib should you not have it in the
> release you are running.

"Outgoing packets from that session will use fib 1 while other outgoing
packets will use fib0."

I haven't tried this but outgoing packets not associated with any existing
fib1 session (e.g. new TCP connections, UDP, etc.) could also be attached
to fib1 with a rule like this?

setfib 1 ip from 2.0.0.0/29 to any out xmit vlan2

Keeping all the rules in ipfw is one advantage but then you have to
maintain 2 sets of routing tables - one for each fib. Doing source-routing
with pf means two firewalls to manage but just one routing table.

You could argue that the routing table is obscured by rules in pf though,
so doing "netstat -rnf inet" wouldn't be authoritative.

I'd like to do something like this:

route add -srcnet 2.0.0.0/29 2.0.0.1

(kernel uses arp to translate 2.0.0.1 to an interface address like vlan2)

Dom
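The following is an added illustration, not code from the thread or from FreeBSD: a small Python model of the multi-FIB behaviour the messages describe, i.e. one routing table per FIB with its own default route, packets received on an interface tagged with that interface's FIB (the effect of "ifconfig vlan2 fib 1" or "ipfw add setfib 1 ip from any to any in recv vlan2"), sessions inheriting that tag for their replies, and Dom's proposed outbound rule classifying locally originated traffic by source network. The 2.0.0.0/29 block, vlan2 and the 2.0.0.1 gateway are taken from the thread; 1.0.0.0/29, em0, 1.0.0.1 and the remote test addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed topology. fib 0 is the main table with its default via em0;
# fib 1 is what "setfib 1 route add default 2.0.0.1" would produce.
# Entries are (prefix, gateway or None for directly connected, interface).
FIBS = {
    0: [
        (ip_network("1.0.0.0/29"), None, "em0"),                  # assumed
        (ip_network("2.0.0.0/29"), None, "vlan2"),
        (ip_network("0.0.0.0/0"), ip_address("1.0.0.1"), "em0"),  # assumed
    ],
    1: [
        (ip_network("1.0.0.0/29"), None, "em0"),                  # assumed
        (ip_network("2.0.0.0/29"), None, "vlan2"),
        (ip_network("0.0.0.0/0"), ip_address("2.0.0.1"), "vlan2"),
    ],
}

# Per-interface FIB assignment: "ifconfig vlan2 fib 1" (em0 stays in fib 0).
IFACE_FIB = {"em0": 0, "vlan2": 1}

# Outbound classification, modelling Dom's suggested rule
# "setfib 1 ip from 2.0.0.0/29 to any out": source network -> FIB.
SOURCE_RULES = [(ip_network("2.0.0.0/29"), 1)]


def lookup(fib, dst):
    """Longest-prefix match in one FIB; returns (next_hop, interface)."""
    dst = ip_address(dst)
    best = None
    for net, gw, iface in FIBS[fib]:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst} in fib {fib}")
    _, gw, iface = best
    # Directly connected destinations are delivered to the host itself.
    return (str(gw) if gw is not None else str(dst), iface)


class Host:
    def __init__(self, use_source_rules=True):
        self.use_source_rules = use_source_rules
        # (local addr, local port, remote addr, remote port) -> FIB
        self.sessions = {}

    def receive(self, iface, src, sport, dst, dport):
        """Inbound packet: the session it belongs to inherits the receiving
        interface's FIB, so its replies are routed in that table."""
        fib = IFACE_FIB[iface]
        self.sessions.setdefault((dst, dport, src, sport), fib)
        return fib

    def classify(self, src, sport, dst, dport):
        """Pick the FIB for an outbound packet: an existing session wins;
        otherwise the source-network rules apply; otherwise fib 0."""
        fib = self.sessions.get((src, sport, dst, dport))
        if fib is not None:
            return fib
        if self.use_source_rules:
            for net, rule_fib in SOURCE_RULES:
                if ip_address(src) in net:
                    return rule_fib
        return 0

    def send(self, src, sport, dst, dport):
        """Returns (fib used, next hop, egress interface) for the packet."""
        fib = self.classify(src, sport, dst, dport)
        return (fib,) + lookup(fib, dst)


if __name__ == "__main__":
    h = Host()
    h.receive("vlan2", "203.0.113.10", 40000, "2.0.0.2", 80)
    print("reply to vlan2 client:", h.send("2.0.0.2", 80, "203.0.113.10", 40000))
    print("new conn from 2.0.0.2, no source rule:",
          Host(use_source_rules=False).send("2.0.0.2", 12345, "198.51.100.5", 53))
    print("new conn from 2.0.0.2, with source rule:",
          Host().send("2.0.0.2", 12345, "198.51.100.5", 53))
```

The two cases at the bottom are the point of the exchange: a reply to a connection that arrived on vlan2 leaves via fib 1 and the 2.0.0.1 gateway without any outbound rule, because the session inherited the FIB, whereas a brand-new connection sourced from 2.0.0.2 has no session to inherit from and, in fib 0, would leave via the em0 default gateway unless a source-based setfib rule tags it first.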