Date:      Mon, 20 Jun 2011 17:30:17 -0500
From:      Gary Gatten <Ggatten@waddell.com>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   RE: Two Networks on one System
Message-ID:  <27899_1308609017_4DFFC9F9_27899_767_1_D9B37353831173459FDAA836D3B43499BF89C588@WADPMBXV0.waddell.com>
In-Reply-To: <4DFFC61B.2080201@radel.com>
References:  <201106202107.p5KL7PW0091851@x.it.okstate.edu> <4DFFC61B.2080201@radel.com>

On 6/20/11 5:07 PM, Martin McCormick wrote:

> 	We are moving a primary name server from network A to
> network B on one of our branch campuses. If the secondary
> interface was reachable from the world, we can change the whois
> information and not worry about the exact second the change goes
> in to effect.

Can networks A and B talk to each other?  I suspect not, otherwise
things would be just working even if all traffic went to the primary's
gateway, but I just wanted to check that there wasn't something else bad
happening.

On the assumption that A and B are completely disconnected, then the
only solution for this problem that I know of is to do policy-based
routing using the source address or interface to make routing decisions,
rather than using solely the destination address.

This is actually relatively trivial to do using PF.

pass in on nic_a reply-to ($nic_a $gw_a)
pass in on nic_b reply-to ($nic_b $gw_b)

with the various interfaces named appropriately and variables set to
match should get you much of the way there.  If you're using a slightly
older version of PF, where keeping state on connections is not the
default, you'll have to add state maintenance options to the lines.  If
you want packets to local machines to not go to the gateways and do
u-turns there, you'll have to add a bit of filtering based on addresses,
etc., etc.

The explanation for the first line is more or less:

For any new "connection" that comes in on NIC A, add an entry to the
state table indicating that any reply packets should physically go out
NIC A and should be passed to the next hop at address $gw_a.

WARNING:  I use PF primarily on OpenBSD so sometimes get caught out on
the subtle differences to the FreeBSD version.



I was kinda going this route as well - policy based routing type thing,
but, is there an "easier" way?

1.) Temporarily enable ipforwarding - not my favorite
2.) Instead of a second NIC, bind the new IP to the org nic (alias).

man ifconfig specifically mentions using alias during ip renumbering:

" alias   Establish an additional network address for this interface.  This
is sometimes useful when changing network numbers, and one wishes to accept
packets addressed to the old interface.  If the address is on the same subnet
as the first network address for this interface, a non-conflicting netmask
must be given.  Usually 0xffffffff is most appropriate."

Once everything is transitioned, you may reconfigure the interface with the
"permanent" config.

G
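The PF policy-routing approach quoted above, written out as a complete pf.conf for a name server with one leg on each network. This is an added illustration, not configuration from either poster; the interface names, gateway and subnet addresses are placeholders, and the rules are narrowed to DNS traffic.

```pf
# Macros: interface names and addresses below are constructed placeholders.
nic_a = "em0"
nic_b = "em1"
gw_a  = "192.0.2.1"
gw_b  = "198.51.100.1"
net_a = "192.0.2.0/24"
net_b = "198.51.100.0/24"

set skip on lo0
block in log all

# Hosts on the directly attached subnets need no gateway.  Match them first
# (quick) without reply-to, so their replies are not handed to the router only
# to make a u-turn back onto the same subnet.
pass in quick on $nic_a from $net_a to ($nic_a) keep state
pass in quick on $nic_b from $net_b to ($nic_b) keep state

# Anything else arriving on NIC A creates a state entry whose reply packets are
# sent out NIC A to $gw_a, whatever the system routing table says; likewise for
# NIC B.  "keep state" is written explicitly so the rules also behave on older
# PF releases where stateful filtering is not the default.  Only DNS is
# admitted here; add further reply-to rules for any other service exposed.
pass in on $nic_a reply-to ($nic_a $gw_a) proto { tcp udp } from any to ($nic_a) port domain keep state
pass in on $nic_b reply-to ($nic_b $gw_b) proto { tcp udp } from any to ($nic_b) port domain keep state

# Traffic the server originates itself (zone transfers, recursion) simply
# follows the routing table and the default gateway.
pass out keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and watch `pfctl -ss` to confirm that states created on each interface carry the expected reply-to route.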