On 2/4/12 9:05 AM, Poul-Henning Kamp wrote:
> Natd(8) knows how to deal with multiple NAT instances for different
> interfaces, which is useful when you have multiple ISPs.
>
> The problem with it, is that it becomes incredibly hairy to configure
> your IPFW rules, in particular if you have other policy to implement
> too.

This is sort of what I did when I switched ISPs recently, and had a transition period..

I had a jail/vnet for each ISP, and just switched at the top level.
An unexpected advantage was that sessions from the main machine were 'one hop' away from the disruption when I screwed things up, so instead of getting terminated
when the rules/routes were screwed, they just 'hung' until I fixed things.
Much like they do when there is internet disruption between sites.

I've meant to do something cleaner like this for a while..
good move.


> I spent some quality time with a 9.0-Stable nanobsd image today,
> and the script below is my proof of concept of a simpler way to
> do that.
>
> The idea is to let a jail deal with the two ISPs and use an epair
> to deliver a "normal default route interface" to the rest of the
> firewall, making its configuration simpler and easier to understand.
>
> [...]
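A constructed script illustrating the epair/vnet-jail arrangement described above; it is not the elided proof of concept from the original mail. The jail name ispgw, the uplinks em0/em1, the 10.255.0.0/30 transfer net and the use of ipfw in-kernel nat inside the jail are all assumptions of this example, and DRY_RUN=1 prints the plan instead of touching the box.

```shell
#!/bin/sh
# Constructed example (not the script from the original mail): one vnet jail
# owns both ISP uplinks and hands the host a single ordinary interface over an
# epair, so the host's ipfw policy never has to know about the two uplinks.
# Assumed names: jail "ispgw", uplinks em0/em1, transfer net 10.255.0.0/30.
# DRY_RUN=1 prints the commands instead of running them (FreeBSD only).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Prints the host-side end of a fresh epair (e.g. epair0a).
create_epair() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo epair0a                      # placeholder name in dry-run mode
    else
        ifconfig epair create
    fi
}

# build_gateway JAIL ISP_IF_A ISP_IF_B
build_gateway() {
    jname=$1; isp_a=$2; isp_b=$3
    host_end=$(create_epair) || return 1
    jail_end="${host_end%a}b"             # epair0a -> epair0b
    # Jail with its own network stack; "persist" keeps it without a process.
    run jail -c name="$jname" vnet persist
    # Both uplinks and the jail-side epair end disappear from the host.
    run ifconfig "$isp_a" vnet "$jname"
    run ifconfig "$isp_b" vnet "$jname"
    run ifconfig "$jail_end" vnet "$jname"
    # Inside the jail: transfer address, forwarding, one NAT instance per ISP.
    # Uplink addressing and the jail's own default route (dhclient or static)
    # also happen in here and are omitted.
    run jexec "$jname" ifconfig "$jail_end" inet 10.255.0.1/30
    run jexec "$jname" sysctl net.inet.ip.forwarding=1
    run jexec "$jname" ipfw nat 1 config if "$isp_a"
    run jexec "$jname" ipfw nat 2 config if "$isp_b"
    run jexec "$jname" ipfw add 100 nat 1 ip from any to any via "$isp_a"
    run jexec "$jname" ipfw add 200 nat 2 ip from any to any via "$isp_b"
    run jexec "$jname" ipfw add 60000 allow ip from any to any  # ISP policy goes above this
    # Host side: one "normal default route interface", nothing ISP-specific.
    run ifconfig "$host_end" inet 10.255.0.2/30
    run route add default 10.255.0.1
}
```

Call it as root with `build_gateway ispgw em0 em1` once the uplinks are known, or with DRY_RUN=1 first to review the commands.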


freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers