Re: CARP and NAT question
On Wed, Oct 09, 2019 at 12:50:49PM -0700, Julian Elischer wrote:
> On 10/9/19 2:34 AM, Julien Cigar wrote:
> > On Tue, Oct 08, 2019 at 01:05:37PM -0700, Julian Elischer wrote:
> > > can you draw it?
> >
> > yes, see https://ibb.co/mv5RPM9
>
> so, you have several ways of doing this:
>
> one is to assign a different routing table to each class of traffic.
> Each table has a different default route, sending data out to a
> different external interface.
> Each interface out is NAT'd so that the return packets will come back
> the same way.

I haven't played with multiple FIB(s) yet (which still require a custom
kernel with options ROUTETABLES, I think?) but I'll take a look. As far
as I can see it's a little bit more work than the route-to PF option.

> But you only have a single pipe to the internet, so one wonders how
> that helps with redundancy?

Adding a second switch and another redundant link is also planned, but
at the moment by "redundancy" I was talking about router1 and router2,
and the integration with CARP, especially the "real" addresses on the
interfaces, as I have only 4 public ones and 3 of them are already used
on the first interface. But I think that starting with FreeBSD 11 (?)
real and virtual addresses couldn't be in the same subnet, for example I
think this should work:

###
# router1
###
ifconfig_igb0="inet 193.1.2.89 netmask 255.255.255.224 -tso"
ifconfig_igb0_alias0="inet vhid 53 advskew 0 pass xxx alias 193.1.2.90/32"
ifconfig_igb1="inet 10.1.2.3 netmask 255.255.255.224 -tso"
ifconfig_igb1_alias0="inet vhid 54 advskew 0 pass xxx alias 193.1.2.92/32"

###
# router2
###
ifconfig_igb0="inet 193.1.2.91 netmask 255.255.255.224 -tso"
ifconfig_igb0_alias0="inet vhid 53 advskew 100 pass xxx alias 193.1.2.90/32"
ifconfig_igb1="inet 10.1.2.4 netmask 255.255.255.224 -tso"
ifconfig_igb1_alias0="inet vhid 54 advskew 100 pass xxx alias 193.1.2.92/32"

thanks for your help :)

Julien

--
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11 6A25 B2BB 3710 A204 23C0

No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
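As an added example (not code from the thread or from FreeBSD), the rc.conf fragments above expressed as data for the two routers, plus a checker for what the two hosts have to agree on (interface set, vhid, password, CARP address) and what has to differ (advskew, real address). It deliberately does not require the real address and the CARP alias to share a subnet, which is the igb1 arrangement above. The `CarpIface`, `render_rc_conf` and `check_carp_pair` names are this example's own; the addresses and vhids are the ones in the post, with `xxx` standing in for the CARP password as it does above.

```python
# Added example: render and cross-check the CARP rc.conf fragments for a
# router pair. Helper names are this example's own; addresses and vhids
# are the ones from the post, "xxx" stands in for the CARP password.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CarpIface:
    name: str      # interface, e.g. "igb0"
    real: str      # the interface's own address, "addr/prefixlen"
    vhid: int      # CARP virtual host id; identical on both routers
    advskew: int   # lower value wins the MASTER election
    passwd: str    # CARP password; identical on both routers
    alias: str     # the shared CARP address, "addr/32"


ROUTER1 = [
    CarpIface("igb0", "193.1.2.89/27", 53, 0, "xxx", "193.1.2.90/32"),
    CarpIface("igb1", "10.1.2.3/27", 54, 0, "xxx", "193.1.2.92/32"),
]
ROUTER2 = [
    CarpIface("igb0", "193.1.2.91/27", 53, 100, "xxx", "193.1.2.90/32"),
    CarpIface("igb1", "10.1.2.4/27", 54, 100, "xxx", "193.1.2.92/32"),
]


def render_rc_conf(ifaces):
    """Return the rc.conf lines for one router in the layout of the post."""
    lines = []
    for i in ifaces:
        real = ipaddress.ip_interface(i.real)
        lines.append(f'ifconfig_{i.name}="inet {real.ip} netmask {real.netmask} -tso"')
        lines.append(f'ifconfig_{i.name}_alias0="inet vhid {i.vhid} advskew {i.advskew} '
                     f'pass {i.passwd} alias {i.alias}"')
    return lines


def check_carp_pair(master, backup):
    """Return the list of problems with a two-router CARP pair (empty = ok).

    What must agree between the hosts: interface set, vhid, password and
    CARP address per interface. What must differ: advskew (master lower)
    and the real address. The real address and the CARP alias may sit in
    different subnets, as on igb1 in the post, so that is not checked.
    """
    problems = []
    m = {i.name: i for i in master}
    b = {i.name: i for i in backup}
    if set(m) != set(b):
        problems.append("interface sets differ between the two routers")
    for label, ifaces in (("master", master), ("backup", backup)):
        vhids = [i.vhid for i in ifaces]
        if len(vhids) != len(set(vhids)):
            problems.append(f"{label}: vhid reused on two interfaces of one host")
        aliases = [i.alias for i in ifaces]
        if len(aliases) != len(set(aliases)):
            problems.append(f"{label}: the same CARP address on two interfaces")
    for name in sorted(set(m) & set(b)):
        mi, bi = m[name], b[name]
        if mi.vhid != bi.vhid:
            problems.append(f"{name}: vhid differs ({mi.vhid} vs {bi.vhid})")
        if mi.passwd != bi.passwd:
            problems.append(f"{name}: CARP password differs")
        if mi.alias != bi.alias:
            problems.append(f"{name}: CARP address differs ({mi.alias} vs {bi.alias})")
        if ipaddress.ip_interface(mi.alias).network.prefixlen != 32:
            problems.append(f"{name}: CARP alias {mi.alias} should be a /32")
        if mi.advskew >= bi.advskew:
            problems.append(f"{name}: master advskew {mi.advskew} is not below "
                            f"backup advskew {bi.advskew}")
        mr, br = ipaddress.ip_interface(mi.real), ipaddress.ip_interface(bi.real)
        if mr.ip == br.ip:
            problems.append(f"{name}: both routers use the real address {mr.ip}")
        if mr.network != br.network:
            problems.append(f"{name}: real addresses are in different subnets "
                            f"({mr.network} vs {br.network})")
    return problems


if __name__ == "__main__":
    for label, router in (("router1", ROUTER1), ("router2", ROUTER2)):
        print(f"###\n# {label}\n###")
        print("\n".join(render_rc_conf(router)), end="\n\n")
    print("problems:", check_carp_pair(ROUTER1, ROUTER2) or "none")
```

Running it prints both rc.conf fragments; an empty list from `check_carp_pair` is the precondition for a clean MASTER/BACKUP election. A vhid reused on two interfaces of one host, or a master advskew that is not below the backup's, is the kind of mistake that only shows up later as a confused election, and is cheap to catch before the config is deployed to either router.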
Re: CARP and NAT question
On Wed, Oct 09, 2019 at 01:41:40PM -0500, Matthew Grooms wrote:
> On 10/9/2019 4:10 AM, Julien Cigar wrote:
> > On Tue, Oct 08, 2019 at 11:22:51AM -0500, Matthew Grooms wrote:
> > > Well, I'm not sure how well it will work but I think what you are
> > > looking for is the route-to pf rule option. You can specify that
> > > certain traffic be transmitted via a specific network interface to a
> > > specific next hop. However, I believe you'll need to match traffic as
> > > it's received on the internal interface, i.e. before the kernel
> > > determines the egress interface.
> > >
> > > table <internal_networks> { $net1, $net2 }
> > > pass in on $internal_interface route-to( igb0 $default_gw ) from $net1 to !<internal_networks>
> > > pass in on $internal_interface route-to( igb1 $default_gw ) from $net2 to !<internal_networks>
> >
> > Thanks, I haven't used the route-to yet but if I understand well it's
> > a way to "bypass" the default route/interface?
>
> Yes. It's essentially pf's way of providing policy based routing in the
> rule set.

Excellent, it looks like exactly what I need. Thanks!

> -Matthew

--
Julien Cigar
Re: CARP and NAT question
On 10/9/19 12:57 PM, Matthew Grooms wrote:
> On 10/9/2019 2:50 PM, Julian Elischer wrote:
> > so, you have several ways of doing this:
> >
> > one is to assign a different routing table to each class of traffic.
> > Each table has a different default route, sending data out to a
> > different external interface.
> > Each interface out is NAT'd so that the return packets will come back
> > the same way.
>
> How do you classify the traffic based on the source address when using
> multiple route tables?

use ipfw to set the fib number based on some bits in the address of the
internal machine.

e.g.

ipfw add setfib 1 tcp from (some internal pattern) to (the outside) in recv (internal interface) keep-state

There are several ways to do this.. this is just one...
The above will assign a dynamic rule for all packets between the two
machines and the table in question will always be used for that tuple.

> > But you only have a single pipe to the internet, so one wonders how
> > that helps with redundancy?
>
> I asked a similar question. I believe he mentioned that he was trying
> to get around the 1Gbit limit of each interface. WRT redundancy, he
> probably means the use of a backup firewall, carp and probably pfsync.
>
> -Matthew
Re: CARP and NAT question
On 10/9/2019 2:50 PM, Julian Elischer wrote:
> On 10/9/19 2:34 AM, Julien Cigar wrote:
> > On Tue, Oct 08, 2019 at 01:05:37PM -0700, Julian Elischer wrote:
> > > can you draw it?
> >
> > yes, see https://ibb.co/mv5RPM9
>
> so, you have several ways of doing this:
>
> one is to assign a different routing table to each class of traffic.
> Each table has a different default route, sending data out to a
> different external interface.
> Each interface out is NAT'd so that the return packets will come back
> the same way.

How do you classify the traffic based on the source address when using
multiple route tables?

> But you only have a single pipe to the internet, so one wonders how
> that helps with redundancy?

I asked a similar question. I believe he mentioned that he was trying to
get around the 1Gbit limit of each interface. WRT redundancy, he probably
means the use of a backup firewall, carp and probably pfsync.

-Matthew
Re: CARP and NAT question
On 10/9/19 2:34 AM, Julien Cigar wrote:
> On Tue, Oct 08, 2019 at 01:05:37PM -0700, Julian Elischer wrote:
> > On 10/8/19 8:58 AM, Julien Cigar wrote:
> > > Currently outbound traffic from $net1 and $net2 (two private networks)
> > > passes through the same network interface (igb0) (as you can see in (1)
> > > in my previous post) on the router. I'd like to prevent $net2 from
> > > saturating the interface and slowing down traffic from $net1 (which is
> > > more important). I could lagg and build CARP on top of that but it
> > > wouldn't prevent $net2 from saturating the interface (unless I plug in
> > > ALTQ of course, which I'd like to avoid).
> >
> > can you draw it?
>
> yes, see https://ibb.co/mv5RPM9

so, you have several ways of doing this:

one is to assign a different routing table to each class of traffic.
Each table has a different default route, sending data out to a
different external interface.
Each interface out is NAT'd so that the return packets will come back
the same way.

But you only have a single pipe to the internet, so one wonders how
that helps with redundancy?
Re: CARP and NAT question
On 10/9/2019 4:10 AM, Julien Cigar wrote:
> On Tue, Oct 08, 2019 at 11:22:51AM -0500, Matthew Grooms wrote:
> > Well, I'm not sure how well it will work but I think what you are
> > looking for is the route-to pf rule option. You can specify that certain
> > traffic be transmitted via a specific network interface to a specific
> > next hop. However, I believe you'll need to match traffic as it's
> > received on the internal interface, i.e. before the kernel determines
> > the egress interface.
> >
> > table <internal_networks> { $net1, $net2 }
> > pass in on $internal_interface route-to( igb0 $default_gw ) from $net1 to !<internal_networks>
> > pass in on $internal_interface route-to( igb1 $default_gw ) from $net2 to !<internal_networks>
>
> Thanks, I haven't used the route-to yet but if I understand well it's
> a way to "bypass" the default route/interface?

Yes. It's essentially pf's way of providing policy based routing in the
rule set.

-Matthew
Re: CARP and NAT question
On Tue, Oct 08, 2019 at 01:05:37PM -0700, Julian Elischer wrote:
> On 10/8/19 8:58 AM, Julien Cigar wrote:
> > Currently outbound traffic from $net1 and $net2 (two private networks)
> > passes through the same network interface (igb0) (as you can see in (1)
> > in my previous post) on the router. I'd like to prevent $net2 from
> > saturating the interface and slowing down traffic from $net1 (which is
> > more important). I could lagg and build CARP on top of that but it
> > wouldn't prevent $net2 from saturating the interface (unless I plug in
> > ALTQ of course, which I'd like to avoid).
>
> can you draw it?

yes, see https://ibb.co/mv5RPM9

--
Julien Cigar
Re: CARP and NAT question
On Tue, Oct 08, 2019 at 11:22:51AM -0500, Matthew Grooms wrote:
> On 10/8/2019 10:58 AM, Julien Cigar wrote:
> > Currently outbound traffic from $net1 and $net2 (two private networks)
> > passes through the same network interface (igb0) (as you can see in (1)
> > in my previous post) on the router. I'd like to prevent $net2 from
> > saturating the interface and slowing down traffic from $net1 (which is
> > more important). I could lagg and build CARP on top of that but it
> > wouldn't prevent $net2 from saturating the interface (unless I plug in
> > ALTQ of course, which I'd like to avoid).
>
> Well, I'm not sure how well it will work but I think what you are
> looking for is the route-to pf rule option. You can specify that certain
> traffic be transmitted via a specific network interface to a specific
> next hop. However, I believe you'll need to match traffic as it's
> received on the internal interface, i.e. before the kernel determines
> the egress interface.
>
> table <internal_networks> { $net1, $net2 }
> pass in on $internal_interface route-to( igb0 $default_gw ) from $net1 to !<internal_networks>
> pass in on $internal_interface route-to( igb1 $default_gw ) from $net2 to !<internal_networks>

Thanks, I haven't used the route-to yet but if I understand well it's
a way to "bypass" the default route/interface?

> Hope this helps,
>
> -Matthew

--
Julien Cigar
Re: CARP and NAT question
On 10/8/19 8:58 AM, Julien Cigar wrote:
> On Tue, Oct 08, 2019 at 10:20:34AM -0500, Matthew Grooms wrote:
> > Hi Julien,
>
> Hi Matthew,
>
> > It's not clear why you are trying to assign multiple carp IP addresses
> > to two different interfaces from within the same IP subnet. Are you
> > trying to fail over a 2nd carp address or are you trying to improve
> > throughput/redundancy? If you just want to fail over a 2nd carp address,
> > assign a 2nd alias to your first interface. If you're trying to improve
> > throughput/redundancy, assign both interfaces to a lagg and build your
> > carp interfaces on top of that instead.
>
> Currently outbound traffic from $net1 and $net2 (two private networks)
> passes through the same network interface (igb0) (as you can see in (1)
> in my previous post) on the router. I'd like to prevent $net2 from
> saturating the interface and slowing down traffic from $net1 (which is
> more important). I could lagg and build CARP on top of that but it
> wouldn't prevent $net2 from saturating the interface (unless I plug in
> ALTQ of course, which I'd like to avoid).

can you draw it?
Re: CARP and NAT question
On 10/8/2019 10:58 AM, Julien Cigar wrote:
> On Tue, Oct 08, 2019 at 10:20:34AM -0500, Matthew Grooms wrote:
> > Hi Julien,
>
> Hi Matthew,
>
> > It's not clear why you are trying to assign multiple carp IP addresses
> > to two different interfaces from within the same IP subnet. Are you
> > trying to fail over a 2nd carp address or are you trying to improve
> > throughput/redundancy? If you just want to fail over a 2nd carp address,
> > assign a 2nd alias to your first interface. If you're trying to improve
> > throughput/redundancy, assign both interfaces to a lagg and build your
> > carp interfaces on top of that instead.
>
> Currently outbound traffic from $net1 and $net2 (two private networks)
> passes through the same network interface (igb0) (as you can see in (1)
> in my previous post) on the router. I'd like to prevent $net2 from
> saturating the interface and slowing down traffic from $net1 (which is
> more important). I could lagg and build CARP on top of that but it
> wouldn't prevent $net2 from saturating the interface (unless I plug in
> ALTQ of course, which I'd like to avoid).

Well, I'm not sure how well it will work but I think what you are
looking for is the route-to pf rule option. You can specify that certain
traffic be transmitted via a specific network interface to a specific
next hop. However, I believe you'll need to match traffic as it's
received on the internal interface, i.e. before the kernel determines
the egress interface.

table <internal_networks> { $net1, $net2 }
pass in on $internal_interface route-to( igb0 $default_gw ) from $net1 to !<internal_networks>
pass in on $internal_interface route-to( igb1 $default_gw ) from $net2 to !<internal_networks>

Hope this helps,

-Matthew
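Added example, not code from the thread: a small model of what the rules above do, together with the matching NAT rules that send each network out through its own CARP address. `EgressPolicy`, `render_pf_rules` and `classify` are this example's names; the internal networks 10.1.1.0/24 and 10.1.2.0/24, the internal interface igb2 and the next hop 193.1.2.65 are constructed, while the CARP addresses 193.1.2.90 and 193.1.2.92 follow the thread. `classify` reproduces the decisive detail of the rules, the `to !<internal_networks>` negation, without which traffic between the two private networks would be forced out an external interface instead of being routed normally.

```python
# Added example: a model of the route-to rules above with per-egress NAT.
# Names are this example's own; 10.1.1.0/24, 10.1.2.0/24, igb2 and the
# next hop 193.1.2.65 are constructed, the CARP addresses follow the thread.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressPolicy:
    internal_net: str   # source network this policy applies to
    iface: str          # external interface the traffic is forced out of
    next_hop: str       # route-to gateway reachable on that interface
    nat_addr: str       # CARP address on that interface used as NAT source


INTERNAL_IFACE = "igb2"   # constructed name for the inside interface
POLICIES = [
    EgressPolicy("10.1.1.0/24", "igb0", "193.1.2.65", "193.1.2.90"),
    EgressPolicy("10.1.2.0/24", "igb1", "193.1.2.65", "193.1.2.92"),
]


def render_pf_rules(policies, internal_iface):
    """Return pf.conf lines: the table, one nat rule per egress interface
    and one route-to pass rule per internal network."""
    nets = " ".join(p.internal_net for p in policies)
    lines = [f"table <internal_networks> {{ {nets} }}", ""]
    for p in policies:
        lines.append(f"nat on {p.iface} from {p.internal_net} to any -> {p.nat_addr}")
    lines.append("")
    for p in policies:
        lines.append(f"pass in on {internal_iface} route-to ({p.iface} {p.next_hop}) "
                     f"from {p.internal_net} to !<internal_networks> keep state")
    return lines


def classify(src, dst, policies):
    """What pf does with a packet entering on the internal interface.

    Returns (egress iface, next hop, NAT source) when a route-to rule
    matches, or None when the packet falls through to the normal routing
    table. Destinations inside <internal_networks> always fall through:
    that is the "to !<internal_networks>" part of the rules, without
    which net1-to-net2 traffic would be pushed out igb0.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(dst_ip in ipaddress.ip_network(p.internal_net) for p in policies):
        return None
    for p in policies:
        if src_ip in ipaddress.ip_network(p.internal_net):
            return (p.iface, p.next_hop, p.nat_addr)
    return None


if __name__ == "__main__":
    print("\n".join(render_pf_rules(POLICIES, INTERNAL_IFACE)))
    for src, dst in (("10.1.1.7", "198.51.100.10"), ("10.1.2.7", "198.51.100.10"),
                     ("10.1.1.7", "10.1.2.9")):
        print(src, "->", dst, ":", classify(src, dst, POLICIES) or "normal routing")
```

Because each `nat on igbN` rule translates to the CARP address that lives on that same interface, replies come back on the interface the packet left by and match the state pf created, which is what keeps the route-to and NAT halves consistent. The `pass in on igb2` placement matters as well: route-to has to be applied where the packet enters, before the kernel's routing lookup has picked an egress interface, which is the point Matthew makes above.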
Re: CARP and NAT question
On Tue, Oct 08, 2019 at 10:20:34AM -0500, Matthew Grooms wrote:
> Hi Julien,

Hi Matthew,

> It's not clear why you are trying to assign multiple carp IP addresses
> to two different interfaces from within the same IP subnet. Are you
> trying to fail over a 2nd carp address or are you trying to improve
> throughput/redundancy? If you just want to fail over a 2nd carp address,
> assign a 2nd alias to your first interface. If you're trying to improve
> throughput/redundancy, assign both interfaces to a lagg and build your
> carp interfaces on top of that instead.

Currently outbound traffic from $net1 and $net2 (two private networks)
passes through the same network interface (igb0) (as you can see in (1)
in my previous post) on the router. I'd like to prevent $net2 from
saturating the interface and slowing down traffic from $net1 (which is
more important). I could lagg and build CARP on top of that but it
wouldn't prevent $net2 from saturating the interface (unless I plug in
ALTQ of course, which I'd like to avoid).

> -Matthew

--
Julien Cigar
Re: CARP and NAT question
Hi Julien,

It's not clear why you are trying to assign multiple carp IP addresses to
two different interfaces from within the same IP subnet. Are you trying
to fail over a 2nd carp address or are you trying to improve
throughput/redundancy? If you just want to fail over a 2nd carp address,
assign a 2nd alias to your first interface. If you're trying to improve
throughput/redundancy, assign both interfaces to a lagg and build your
carp interfaces on top of that instead.

-Matthew

On 10/8/2019 8:48 AM, Julien Cigar wrote:
> Hello,
>
> I'd like to NAT outbound traffic from two different private networks
> through two different interfaces, with CARP on top. I have 4 public IPs
> available (193.x.x.89, 193.x.x.90, 193.x.x.91, 193.x.x.92).
>
> I have two redundant router/firewalls running FreeBSD 12 with CARP and
> PF with the following: (1) which works well, but all traffic
> goes through the same interface.
>
> So I'd like to switch to something like (2), which will not work (lines
> 5 and 13 are not valid) and I'm wondering if I could use something like
> (3) ..?
>
> Thank you!
> Julien
>
> (1) https://gist.github.com/silenius/4f6173a9b6690292c2174ab3bb89d292
> (2) https://gist.github.com/silenius/da9be7e74e9861fa55f927d194e3e410
> (3) https://gist.github.com/silenius/b237565b0d181248ff80ea296e5537db

___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"