On 06/21/11 18:45, Damien Fleuriot wrote:

On 6/21/11 6:30 PM, Jerome Herman wrote:
On 06/21/11 12:41, Damien Fleuriot wrote:
This does not depend on the route the client takes, but rather on the IP
the client tries to reach, wouldn't you agree ?
Most of the problems I was afraid of were lifted when further
explanations were given. But just for the record I would like to
explain further what I meant, adding some examples.

1°) It is perfectly possible for a public IP to be routed differently
depending on the ISP. Actually it is quite common when you have multiple
providers to create "shortcuts" in the routing table. Let us say your
main provider is ISP A who is officially routing your public IP, but you
also have a privileged link with ISP B who will redirect any request
made to your public IP to a private IP on your network (NAT or DMZ, your
pick).
All clients from ISP A will come to your public IP directly, all clients
from ISP B will go through your private IP, but clients from ISP C ?
Well, it will depend on whether the route they elect goes to ISP A or
ISP B first.

This has to do with BGP, transits and peerings, this is not really
relevant to your case of having 2 public IPs served by a box.

But then, to answer your question:

Let's say you have 2 public and 1 private IP on the box.

Traffic to public IP A has a reply-to to the ISP's router in network A.
Traffic to public IP B has a reply-to to the ISP's router in network B.
Traffic to private IP C has a reply-to to the ISP's router in network C.

No, the problem is the following:
Traffic to public IP A going through ISP X goes to interface 1 configured with public IP A.
Traffic to public IP A going through ISP Y goes to interface 2 configured with private IP C.

And no this is not a fantasy config that can only be found once every millennium when following a unicorn. There are actually quite a lot of setups that use this trick to work.

I really cannot see what your concern is here.

In fact, this is pretty much what we use here, we have RDR rules set up
on our firewalls to pass packets to our reverse proxies' private IPs.


2°) Even if there are two distinct public addresses A & B, what happens
when two NATed computers behind a public address Z try to connect to
the server at the same time? reply-to disturbs the normal flow of
answers; in case two connections are attempted from the same distant
address at the same moment (second SYN received before first SYN/ACK is
sent), what is supposed to happen? I think each connection will receive
a proper SYN/ACK from the right interface, but I cannot find anything to
confirm/refute this.

What you need to take into account is that these are 2 different
connections each with an ID, a source IP (shared: Z) and a source port
(randomized).

This will not be messed up by reply-to.

That is what I thought, but I can't seem to find a proper doc on the nooks and crannies of reply-to and route-to. And I am always a bit cautious about the idea of checking BSD code myself to get answers.

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
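Added example (editor's, not from either poster) of the ruleset the two cases above describe, written for the pf shipped with FreeBSD 8.x, where rdr and pass are separate rules. Interface names, addresses and the port are assumptions. Two facts carry the argument: pf records reply-to in the state entry created by the rule the SYN matched, and a state is keyed on protocol plus the full source and destination address and port tuple. So two clients behind the same NAT address Z, which necessarily use different source ports, get two states, each with its own reply-to; and because the rule is chosen by the interface the SYN arrived on, a packet for public IP A that comes in over ISP B's link is answered back through ISP B's router.

```pf
# Added example, not from the thread. All names and addresses are assumed.
ext_if_a = "em0"            # link to ISP A
ext_if_b = "em1"            # link to ISP B
int_if   = "em2"            # inside network
gw_a     = "203.0.113.1"    # ISP A's router
gw_b     = "198.51.100.1"   # ISP B's router
pub_a    = "203.0.113.10"   # public IP A, officially routed by ISP A
pub_b    = "198.51.100.10"  # public IP B, on ISP B's link
proxy    = "10.0.0.10"      # private IP C: the reverse proxy

# Translation: whatever public address the SYN was sent to, hand it to
# the proxy. ISP B's link also accepts traffic for public IP A, which is
# the "shortcut" route discussed in the thread.
rdr on $ext_if_a proto tcp from any to $pub_a port 80 -> $proxy port 80
rdr on $ext_if_b proto tcp from any to { $pub_a, $pub_b } port 80 -> $proxy port 80

# Filtering runs after rdr, so the pass rules match the translated
# destination. reply-to is stored in the state each SYN creates, so the
# replies for that connection leave through the interface the SYN came
# in on, toward that ISP's router, whichever public IP the client used.
pass in quick on $ext_if_a reply-to ($ext_if_a $gw_a) proto tcp \
    from any to $proxy port 80 flags S/SA keep state
pass in quick on $ext_if_b reply-to ($ext_if_b $gw_b) proto tcp \
    from any to $proxy port 80 flags S/SA keep state

# With the default floating state policy the forwarded packet toward the
# proxy on $int_if matches the state created above, so no further
# reply-to decision is made; a pass out rule is only needed if states
# are made if-bound.
```

With two clients behind Z connected at once, `pfctl -ss` shows two separate TCP state entries that differ only in source port; each one's replies follow the reply-to of the rule its own SYN matched, so the second SYN arriving before the first SYN/ACK is sent does not change which interface either SYN/ACK leaves on.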
