Re: Multiroute question

2012-09-23 Thread Paul Schenkeveld
On Thu, Sep 20, 2012 at 01:25:50PM -0400, Michael MacLeod wrote:
 Actually, multiple routing tables is the correct solution. I documented it
 here:
 
 http://www.mmacleod.ca/blog/2011/06/source-based-routing-with-freebsd-using-multiple-routing-table/
 
 From the post: ... But route-to and reply-to do not trump the default
 routing table for traffic that originates or terminates on the router
 itself. They are useful only for traffic passing through the router. pf can
 only make routing decisions when a packet passes through an interface. It
 can try and set the reply-to interface to be the second WAN connection when
 an inbound SSH connection is made, but neither the SSH daemon nor the
 routing table on the host know or care about the routing preferences of pf.

FWIW, I've many dual-homed machines running perfectly by combining pf
for filtering and ipfw for policy-based routing.

Basically, ipfw is configured roughly as follows (a.b.c.0/29 is the first
WAN connection and d.e.f.0/29 the second):

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any

01001 allow carp from any to any
01002 allow pfsync from any to any

01100 allow ip from any to 10.0.0.0/8
01101 allow ip from any to 172.16.0.0/12
01102 allow ip from any to 192.168.0.0/16
01103 allow ip from any to 224.0.0.0/3

01110 allow ip from any to my_internal_public_adressblock_1
0 allow ip from any to my_internal_public_adressblock_2
...

01200 fwd a.b.c.1 ip from a.b.c.0/29 to any
01201 fwd d.e.f.1 ip from d.e.f.0/29 to any

65535 allow ip from any to any

Lines 1100 thru  pass all traffic that should not go out over a
WAN interface; that traffic follows the normal routing table.  I need the lines
011xx because I have multiple public IP address blocks on the inside
and behind tunnels.  Lines 1200 and 1201 forward packets to either WAN
interface depending on the source address.

I also have a default gateway set to my preferred WAN interface for
connections originating from this host where the client does not
explicitly select a source address.

This works both for packets being routed and for packets originating
from the dual-homed host itself.

I've been using this since FreeBSD 6 and never felt the need to switch
to multiple routing tables because this fits the purpose and is quite
clean IMO.  It's also not necessary to run multiple server processes
(like sshd, sendmail, httpd) for every routing domain.

With kind regards,

Paul Schenkeveld
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org


Re: Multiroute question

2012-09-23 Thread Julian Elischer

On 9/23/12 5:20 AM, Paul Schenkeveld wrote:

On Thu, Sep 20, 2012 at 01:25:50PM -0400, Michael MacLeod wrote:

Actually, multiple routing tables is the correct solution. I documented it
here:

http://www.mmacleod.ca/blog/2011/06/source-based-routing-with-freebsd-using-multiple-routing-table/

From the post: ... But route-to and reply-to do not trump the default
routing table for traffic that originates or terminates on the router
itself. They are useful only for traffic passing through the router. pf can
only make routing decisions when a packet passes through an interface. It
can try and set the reply-to interface to be the second WAN connection when
an inbound SSH connection is made, but neither the SSH daemon nor the
routing table on the host know or care about the routing preferences of pf.

FWIW, I've many dual-homed machines running perfectly by combining pf
for filtering and ipfw for policy-based routing.

Basically, ipfw is configured roughly as follows (a.b.c.0/29 is the first
WAN connection and d.e.f.0/29 the second):

 00100 allow ip from any to any via lo0
 00200 deny ip from any to 127.0.0.0/8
 00300 deny ip from 127.0.0.0/8 to any

 01001 allow carp from any to any
 01002 allow pfsync from any to any

 01100 allow ip from any to 10.0.0.0/8
 01101 allow ip from any to 172.16.0.0/12
 01102 allow ip from any to 192.168.0.0/16
 01103 allow ip from any to 224.0.0.0/3

 01110 allow ip from any to my_internal_public_adressblock_1
 0 allow ip from any to my_internal_public_adressblock_2
 ...

 01200 fwd a.b.c.1 ip from a.b.c.0/29 to any
 01201 fwd d.e.f.1 ip from d.e.f.0/29 to any

 65535 allow ip from any to any

Lines 1100 thru  pass all traffic that should not go out over a
WAN interface; that traffic follows the normal routing table.  I need the lines
011xx because I have multiple public IP address blocks on the inside
and behind tunnels.  Lines 1200 and 1201 forward packets to either WAN
interface depending on the source address.

I also have a default gateway set to my preferred WAN interface for
connections originating from this host where the client does not
explicitly select a source address.

This works both for packets being routed and for packets originating
from the dual-homed host itself.

I've been using this since FreeBSD 6 and never felt the need to switch
to multiple routing tables because this fits the purpose and is quite
clean IMO.  It's also not necessary to run multiple server processes
(like sshd, sendmail, httpd) for every routing domain.

Interesting, but it seems to me that for this to work you need to make
every host inside dual-homed, or at least assign each internal machine to
one ISP or the other.

With kind regards,

Paul Schenkeveld


Re: Multiroute question

2012-09-22 Thread Juan José Sánchez Mesa


On 20/09/2012 17:01, Michael Pounov wrote:

Hi, Juan

Use pf like in that simple example:

dsl_if = "CardA"
int_if = "CardB"
dsl_addr = "_dsl_if_ip_"
int_addr = "_int_if_ip_"
dsl_gw = "_dsl_gw_ip_"
int_gw = "_int_gw_ip_"

set state-policy if-bound

# blah blah blah whatever rules ...

# Replies sourced from the intranet card's address but about to leave via the
# DSL card are sent to the intranet gateway instead, and vice versa.
pass out on $dsl_if route-to ($int_if $int_gw) from $int_if no state
pass out on $int_if route-to ($dsl_if $dsl_gw) from $dsl_if no state

# End pf example ;)


Thanks!!! Worked perfectly !!!




Multiroute question

2012-09-20 Thread Juan José Sánchez Mesa

Hi!

(sorry for my bad english)

I have a FreeBSD machine (8.2-RELEASE-p3). The machine has two ethernet 
cards, configured in this way:


- Card A: internet IP address
- Card B: intranet IP address

Default route goes via card A.

Now, on the intranet I have a normal DSL router. Then, using NAT, I've
forwarded a simple port from the DSL to the intranet IP of this machine.

The incoming packets from the DSL arrive OK at the machine (via card B),
but the outgoing packet goes to card A, due to the default route.

Is there a way to configure the network so that outgoing packets go out
through the card on which the incoming packets arrived?

Or is this impossible to configure?

Thanks!!!



Re: Multiroute question

2012-09-20 Thread Eggert, Lars
On Sep 20, 2012, at 16:16, Juan José Sánchez Mesa juanjo.lis...@doblej.net
 wrote:
 Is there a way to configure the network so that outgoing packets go out through the
 card on which the incoming packets arrived?

Policy routing e.g. with ipfw. Read up on ipfw fwd.

Lars

Re: Multiroute question

2012-09-20 Thread Nikolay Denev

On Sep 20, 2012, at 5:16 PM, Juan José Sánchez Mesa juanjo.lis...@doblej.net 
wrote:

 Hi!
 
 (sorry for my bad english)
 
 I have a FreeBSD machine (8.2-RELEASE-p3). The machine has two ethernet 
 cards, configured in this way:
 
 - Card A: internet IP address
 - Card B: intranet IP address
 
 Default route goes via card A.
 
 Now, on the intranet I have a normal DSL router. Then, using NAT, I've
 forwarded a simple port from the DSL to the intranet IP of this machine.
 
 The incoming packets from the DSL arrive OK at the machine (via card B), but
 the outgoing packet goes to card A, due to the default route.
 
 Is there a way to configure the network so that outgoing packets go out through the
 card on which the incoming packets arrived?
 
 Or is this impossible to configure ?
 
 Thanks!!!
 

Hi,

You will probably need the pf(4) firewall configured with the reply-to
keyword for this to work.
Something like:

  pass in on $CARD_B reply-to ($CARD_B $CARD_B_GW) from any to any

Regards,
Nikolay Denev



Re: Multiroute question

2012-09-20 Thread Julian Elischer

On 9/20/12 7:16 AM, Juan José Sánchez Mesa wrote:

Hi!

(sorry for my bad english)

I have a FreeBSD machine (8.2-RELEASE-p3). The machine has two 
ethernet cards, configured in this way:


- Card A: internet IP address
- Card B: intranet IP address

Default route goes via card A.

Now, on the intranet I have a normal DSL router. Then, using NAT,
I've forwarded a simple port from the DSL to the intranet IP of
this machine.


I do not understand this line
please draw pictures :-)


internet ---DSL DSLROUTER--A[FreeBSD]B--inside net..

is this what you mean?



The incoming packets from the DSL arrive OK at the machine (via card
B), but the outgoing packet goes to card A, due to the default route.


Is there a way to configure the network so that outgoing packets
go out through the card on which the incoming packets arrived?


Or is this impossible to configure?

Thanks!!!



Re: Multiroute question

2012-09-20 Thread Julian Elischer

On 9/20/12 10:25 AM, Michael MacLeod wrote:

Actually, multiple routing tables is the correct solution. I
documented it here:
http://www.mmacleod.ca/blog/2011/06/source-based-routing-with-freebsd-using-multiple-routing-table/

From the post: ... But route-to and reply-to do not trump the
default routing table for traffic that originates or terminates on
the router itself. They are useful only for traffic passing through
the router. pf can only make routing decisions when a packet passes
through an interface. It can try and set the reply-to interface to
be the second WAN connection when an inbound SSH connection is made,
but neither the SSH daemon nor the routing table on the host know or
care about the routing preferences of pf.

On Thu, Sep 20, 2012 at 11:01 AM, Michael Pounov mi...@elwix.org wrote:



hi,
not a bad article..
a couple of things...

firstly, though it's not relevant to THIS case, you can assign
different fibs to different sockets on the same process, so
theoretically a single sshd instance could do both tasks.
The question is how does it know which to use? Without extending
sshd to add more config options for that, we have just a few
possibilities..
Firstly, all sockets inherit their fib from that assigned to the
process, but what if we didn't assign one to the process, but let the
sockets take on the fib assigned to the packets of the incoming
request? The packets in turn can get a fib from two sources: policy,
via pf or the ipfw setfib command, OR from the interface, as we can
now assign a fib to an interface and packets coming in on that
interface will take on the fib of the incoming interface. The only
missing part of this is the code that lets the process's fib float in
the wind.
I was considering setting this like: setfib -N sshd blah
where -N would be expressed within the kernel as fib -1.

In the socket code that would be inherited, and we would add code in
the listen/accept code of the sockets so that when it discovers the
socket is assigned fib -1, it switches it over to the fib of the
incoming SYN packet (or whatever protocol).

I've been meaning to do this ever since I added multifib support.
It may require a small amount of code in every protocol (a line or two
of C).

This would allow us to make unmodified arbitrary networking servers
work correctly in multihomed systems.


from man ifconfig:
     fib fib_number
             Specify interface FIB.  A FIB fib_number is assigned to all
             frames or packets received on that interface.  The FIB is not
             inherited, e.g. vlans or other sub-interfaces will use the
             default FIB (0) irrespective of the parent interface's FIB.  The
             kernel needs to be tuned to support more than the default FIB
             using the ROUTETABLES kernel configuration option, or the
             net.fibs tunable.

from man ipfw:
     setfib fibnum | tablearg
             The packet is tagged so as to use the FIB (routing table) fibnum
             in any subsequent forwarding decisions.  Initially this is
             limited to the values 0 through 15, see setfib(1).  Processing
             continues at the next rule.  It is possible to use the tablearg
             keyword with a setfib.  If tablearg value is not within compiled
             FIB range packet fib is set to 0.

from man setsockopt:
     SO_SETFIB can be used to over-ride the default FIB (routing table) for
     the given socket.  The value must be from 0 to one less than the number
     returned from the sysctl net.fibs.

see also: setfib(1), setfib(2), setsockopt(2)
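Neither the fwd ruleset Paul posted earlier in the thread nor the setfib action quoted from the ipfw man page above can be tried without a FreeBSD box, so here, as an added example that is not code from this thread or from FreeBSD, is a small Python first-match evaluator for exactly the rule syntax used in those two places. It parses the rules, walks them in ascending number order the way ipfw does, treats setfib as non-terminating (processing continues at the next rule, as the man page says) and allow/deny/fwd as terminating, and reports which rule decided a packet's fate together with the gateway or FIB it ended up with. All addresses are constructed stand-ins (203.0.113.0/29 for a.b.c.0/29, 198.51.100.0/29 for d.e.f.0/29, 198.18.0.0/24 for the internal public block), the interface name em0 and the proto/src/dst match model are assumptions, and nothing here talks to a kernel.

```python
"""Toy first-match evaluator for the ipfw rule syntax quoted in this thread.

Added example, not code from the thread or from FreeBSD.  It models only the
actions that appear in the posts (allow, deny, fwd, setfib) and the match
form ``<proto> from <src> to <dst> [via <ifname>]``; it never touches the
kernel.  Addresses are constructed: 203.0.113.0/29 stands in for a.b.c.0/29,
198.51.100.0/29 for d.e.f.0/29 and 198.18.0.0/24 for the internal public block.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Paul's ruleset with constructed addresses substituted for the placeholders.
FWD_RULES = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
01001 allow carp from any to any
01002 allow pfsync from any to any
01100 allow ip from any to 10.0.0.0/8
01101 allow ip from any to 172.16.0.0/12
01102 allow ip from any to 192.168.0.0/16
01103 allow ip from any to 224.0.0.0/3
01110 allow ip from any to 198.18.0.0/24
01200 fwd 203.0.113.1 ip from 203.0.113.0/29 to any
01201 fwd 198.51.100.1 ip from 198.51.100.0/29 to any
65535 allow ip from any to any
"""

# The same source-based policy expressed with setfib (the action quoted from
# the man page): the rule tags the packet with a FIB and processing continues.
SETFIB_RULES = """
01200 setfib 1 ip from 203.0.113.0/29 to any
01201 setfib 2 ip from 198.51.100.0/29 to any
65535 allow ip from any to any
"""


@dataclass
class Verdict:
    rule: int                  # number of the terminating rule
    action: str                # "allow", "deny" or "fwd"
    next_hop: Optional[str]    # gateway address for fwd, else None
    fib: int                   # routing table chosen by any setfib hit on the way


def parse_rules(text):
    """Parse 'NNNNN action [arg] proto from src to dst [via ifname]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        num, action, i, arg = int(t[0]), t[1], 2, None
        if action in ("fwd", "setfib"):
            arg, i = t[i], i + 1           # gateway or FIB number
        proto = t[i]
        if t[i + 1] != "from" or t[i + 3] != "to":
            raise ValueError("unsupported rule syntax: " + line)
        src, dst = t[i + 2], t[i + 4]
        via = t[i + 6] if len(t) > i + 6 and t[i + 5] == "via" else None
        rules.append((num, action, arg, proto, src, dst, via))
    return sorted(rules, key=lambda r: r[0])   # ipfw walks rules in number order


def _addr_match(spec, addr):
    return spec == "any" or addr in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, proto, src, dst, iface=None):
    """Return the Verdict produced by the first matching terminating rule."""
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fib = 0                                   # default FIB until a setfib matches
    for num, action, arg, r_proto, r_src, r_dst, via in rules:
        if r_proto != "ip" and r_proto != proto:   # "ip" matches every protocol
            continue
        if via is not None and via != iface:
            continue
        if not (_addr_match(r_src, src_a) and _addr_match(r_dst, dst_a)):
            continue
        if action == "setfib":
            fib = int(arg)                    # non-terminating: keep going
            continue
        if action == "fwd":
            return Verdict(num, "fwd", arg, fib)
        return Verdict(num, action, None, fib)
    raise LookupError("no rule matched; a real ruleset always ends at 65535")


if __name__ == "__main__":
    fwd, sf = parse_rules(FWD_RULES), parse_rules(SETFIB_RULES)
    # A reply sourced from the WAN-2 address is forwarded to the WAN-2 gateway ...
    print(evaluate(fwd, "tcp", "198.51.100.3", "192.0.2.10"))
    # ... while the same source going to an RFC 1918 block stops at rule 01100.
    print(evaluate(fwd, "tcp", "198.51.100.3", "10.1.2.3"))
    # With setfib the packet is only tagged; rule 65535 still decides.
    print(evaluate(sf, "tcp", "198.51.100.3", "192.0.2.10"))
```

Running it shows the ordering point Paul makes: a packet from the WAN-2 address to an RFC 1918 destination stops at rule 01100 and follows the normal table, the same source going to the Internet hits rule 01201 and is forwarded to the WAN-2 gateway, and a packet whose source matches neither WAN block falls through to 65535 and takes the default gateway. It also shows why the loopback rules come first: a packet with a 127/8 source arriving on em0 is dropped at 00300 before any policy rule is consulted.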



