Date:      Sat, 17 Mar 2001 22:45:43 -0800
From:      Julian Elischer <julian@elischer.org>
To:        Nick Rogness <nick@rogness.net>
Cc:        Alex Pilosov <alex@acecape.com>, freebsd-net@FreeBSD.ORG, Jeroen Ruigrok/Asmodai <asmodai@wxs.nl>
Subject:   Re: same interface Route Cache
Message-ID:  <3AB45997.D82A43B9@elischer.org>
References:  <Pine.BSF.4.21.0103171329150.16998-100000@cody.jharris.com>

Nick Rogness wrote:
> 
> On Sat, 17 Mar 2001, Julian Elischer wrote:
> 
> > Alex Pilosov wrote:
> > >
> > > On Sat, 17 Mar 2001, Nick Rogness wrote:
> > >
> > > > There is no way to tell your packet to go back out to ISP #2.  That is the
> > > > point I'm trying to get across.  Unless you're running a routing
> > > > daemon.  But is that really practical with cable modems, dsl, etc?...I
> > > > don't think so.
> > > <flame>
> > > Is the clue really gone from this list?
> > > </flame>
> > >
> > >
> > >
> > > With policy routing, you indeed will be able to multihome, without any
> > > cooperation of your upstream (assuming strict filters on their ingress
> > > interfaces) and have things work.
> >
> > it should be possible to use IPFW and natd to do this:
> > IPFW could use Luigi's probability feature to select an interface to
> > use for each initiating session and ipfw could use a stateful rule
> > to 'remember the choice made'
> 
>         I would be interested to see what you are talking about with
>         probability.  I'll play with it this afternoon.

you could make the selection of interface based upon a single bit in
the remote address but if you were talking to one machine they would
all go across the same interface. it may be more 'fair' to use Luigi's
random selection and make interface independent of destination AND source.


> 
>         Just to be clear to everyone, the problem I'm seeing is this:
> 
>         1) Packet comes in with src A.A.A.A dest B.B.B.B in interface A
>         (in from ISP #2)
> 
>         2) natd-2 (listening on interface A from ISP #2) changes the
>         destination from B.B.B.B to machine X.X.X.X (internal)
> 
>         3) Packet gets sent to machine X.X.X.X on the internal network.
> 
>         4) Machine X.X.X.X responds to B.B.B.B, sending the packet
>         back to the BSD machine.
> 
>         5) The BSD machine looks up in the routing table how to get to
>         B.B.B.B.  Oh no!  Go out interface B connected to ISP#1...the
>         default gateway.
> 
>         6) This triggers natd-1 to change the source to C.C.C.C and sends
>         the packet out to B.B.B.B on the default interface B because of
>         the default gateway.

you should have used a 'dynamic rule' to capture the state
of the session. I've never done this, only read the code.

> 
>         7)  Machine B.B.B.B is expecting a response from A.A.A.A, but
>         instead, it is seeing a response from C.C.C.C
> 
>         And Alex, you can't fwd based on source because of the 2 natd's
>         on 2 different interfaces.  The firewall does not keep track of
>         INCOMING packets. So the firewall does not know the right
>         interface to forward the packet to, so the wrong natd gets
>         triggered.

it's up to the remote machine to decide who it talks to..
you just have two DNS entries. Once an interface has been selected you
use dynamic rules to 'lock it in'.

> 
> 
> >
> > The final step is to select to which divert rule the packets eventually get
> > sent.
> > Each divert rule goes to a different natd, each of which is attached to a
> > different outgoing interface.
> 
>         I am going to look at what you suggested this afternoon to see if
>         it works.
> 
> Nick Rogness <nick@rogness.net>
> - Keep on routing in a Free World...
>   "FreeBSD: The Power to Serve!"

-- 
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000-2001
---> X_.---._/  
            v

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
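
What the scheme above looks like as an rc.firewall-style script, as an added
example that is not from the thread (Julian says he has only read the code,
and this ruleset has been written from the ipfw(8) and natd(8) documentation of
that era, not tried on a live box). Everything concrete in it is assumed for
illustration: fxp0/fxp1 as the two upstream interfaces, 10.0.0.1/10.1.0.1 as
the two ISP gateways, 192.168.1.0/24 as the LAN, 192.168.1.10 as the internal
server Nick's step 2 redirects to, and divert ports 8668/8669. The two points
that make it work: the inbound divert rules sit BEFORE check-state and the
outbound divert rules AFTER the keep-state rules, because dynamic rules are
keyed on the addresses the packet carries when it hits them, i.e. the internal
address on both directions; and the fwd rule is applied to the post-NAT source
address, so "fwd based on source" becomes possible once natd has run. The
kernel needs options IPFIREWALL, IPDIVERT and IPFIREWALL_FORWARD.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names, addresses,
# natd ports and the LAN prefix below are ASSUMED for illustration.
# Usage:  sh multihome.sh show    (print the rules)
#         sh multihome.sh apply   (start natd and load the rules)

lan="192.168.1.0/24"
server="192.168.1.10"                                   # internal host behind natd-2's redirect
isp1_if="fxp0"; isp1_addr="10.0.0.2"; isp1_gw="10.0.0.1"; natd1_port=8668   # ISP #1, holds the default route
isp2_if="fxp1"; isp2_addr="10.1.0.2"; isp2_gw="10.1.0.1"; natd2_port=8669   # ISP #2

fwcmd="${FWCMD:-ipfw -q}"

# One natd per upstream interface; each only ever sees one divert port.
start_natd() {
    run="${1:-}"
    $run natd -n "$isp1_if" -p "$natd1_port"
    $run natd -n "$isp2_if" -p "$natd2_port" -redirect_port tcp "$server:80" 80
}

# Builds the ruleset with "$1" as the ipfw command (pass "echo" to print it).
load_ruleset() {
    fw="${1:-$fwcmd}"
    $fw -f flush

    # 1. Inbound: un-NAT with the natd that belongs to the arrival interface.
    #    This happens BEFORE check-state, so the dynamic rules below are
    #    keyed on the internal address in both directions.
    $fw add 100 divert "$natd1_port" ip from any to any in via "$isp1_if"
    $fw add 110 divert "$natd2_port" ip from any to any in via "$isp2_if"

    # 2. Packets of a session already seen replay the action of the rule that
    #    created the dynamic entry (the skipto), so the interface is 'locked in'.
    $fw add 200 check-state

    # 3. New inbound sessions: remember which ISP they arrived on. The reply
    #    from $server will match at rule 200 and be sent down the same path.
    $fw add 300 skipto 1000 ip from any to "$lan" in via "$isp1_if" keep-state
    $fw add 310 skipto 2000 ip from any to "$lan" in via "$isp2_if" keep-state

    # 4. New outbound sessions: Luigi's prob picks a path per session,
    #    independent of source and destination; keep-state remembers it.
    $fw add 400 prob 0.5 skipto 2000 ip from "$lan" to any out keep-state
    $fw add 410 skipto 1000 ip from "$lan" to any out keep-state

    # ISP #1 path: NAT with natd-1 (the packet re-enters at 1010), then force
    # the next hop by post-NAT source address instead of the routing table.
    $fw add 1000 divert "$natd1_port" ip from "$lan" to any out
    $fw add 1010 fwd "$isp1_gw" ip from "$isp1_addr" to any out
    $fw add 1020 allow ip from any to any

    # ISP #2 path: same thing with natd-2 and the ISP #2 gateway.
    $fw add 2000 divert "$natd2_port" ip from "$lan" to any out
    $fw add 2010 fwd "$isp2_gw" ip from "$isp2_addr" to any out
    $fw add 2020 allow ip from any to any

    # Inbound packets that were skipto'd into a path fall through the
    # out-only rules to the allow; everything else is allowed too, since
    # this script is about routing, not filtering.
    $fw add 65000 allow ip from any to any
}

case "${1:-}" in
    show)  start_natd echo; load_ruleset echo ;;
    apply) start_natd; load_ruleset ;;
esac
```

Trace Nick's seven steps against it: the packet from A.A.A.A arrives on the
ISP #2 interface, rule 110 hands it to natd-2, rule 310 records the session
and jumps to 2000, where nothing matches an inbound packet and it is allowed.
The reply from X.X.X.X hits rule 200 with its internal source still intact,
replays rule 310's skipto 2000, is re-aliased by natd-2 to B.B.B.B, and rule
2010 pushes it to ISP #2's gateway regardless of the default route, so
A.A.A.A sees the answer come from B.B.B.B rather than C.C.C.C.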
