Changing the NAT IP on demand?

Leo Bicknell bicknell at ufp.org
Sun Oct 5 17:45:24 PDT 2003


In a message written on Sun, Oct 05, 2003 at 01:43:01PM -0700, Wes Peters wrote:
> Leo, you may be able to do this with ipfilter's ipnat.  NAT rules are 
> traditionally processed with 'ipnat -CF'; the -C clears the rules and 
> the -F option clears the currently active NAT mappings.  You should 
> experiment with rewriting the rules and instantiating them with -C 
> only.  This should leave the existing stateful mappings on the formerly 
> preferred interface while creating all new mappings on the newly 
> preferred interface.

That's interesting.  I've never used ipnat before with ipfilter, but
from some quick man page reads that looks good.  Save for a second problem I
just noticed...see below.

> This might tend to confuse UDP-based services, which might see the next 
> request as a different 'session', but I doubt those are much of a problem 
> across the internet.

TCP only is good for my application.

In a message written on Sun, Oct 05, 2003 at 02:29:11PM +0100, Paul Robinson wrote:
> Depends on how much money you have, but had you considered getting your 
> own address range and BGP peering with your ISPs? I'd consider talking 
> to them about it. It'll take some time to setup, but it means your 
> "switching" is done at the router, not at the NAT box, which is the 
> wrong place to do it anyway.

This application is for cheap + fast redundancy.  Think of getting 2xDSL
lines, or DSL + cable modem, for a quick conference / classroom deal and
wanting some redundancy.

In a message written on Sun, Oct 05, 2003 at 11:54:31AM -0300, Fred Souza wrote:
>   If I understood what Leo asked correctly, what's needed is to change
>   the default route on the FreeBSD gateway whenever an event tells it
>   to (in this case, the increase/decrease in performance for the ISPs).
>   The concern here is to keep currently established connections alive, so
>   the process is carried out seamlessly.

Actually, no, not exactly, but this brings up a new problem.

If you have a box with link A, and IP a.a.a.a, and link B, and IP
b.b.b.b, I want a packet with source address b.b.b.b to have a
"default route" out link B, and a packet with source a.a.a.a to
route out link A.  I then want NAT to be able to switch, on the fly,
between using a.a.a.a and b.b.b.b.

So, in network speak I want to "policy route", and then do NAT to
two different IPs, with only one active at a time.

I'd then do some external monitoring to decide which IP to use.

Again, think 2xDSL lines, 1 (possibly dynamic) IP from each.
Do the policy route thing (e.g. if you wrote an application on the box
to bind to a.a.a.a or b.b.b.b it would use only that link),
and then have NAT pick an IP on the fly.  The key is, when NAT
switches, not to dump the existing connections, so it appears to
be a "seamless" switchover.


-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org
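An added sketch of the ipnat half of what Wes suggested and Leo describes, not code from the thread: generate the map rules for whichever uplink is active, decide when to move based on monitored RTTs with some hysteresis, and reload with `ipnat -C` (never `-F`) so sessions already translated to the old address keep their mappings. Interface names, addresses, the LAN prefix and the probe-RTT inputs are all constructed.

```shell
#!/bin/sh
# Added example (not from the thread): pick an uplink from measured RTTs and
# swap the active ipnat mapping without flushing live TCP sessions.
# Interface names, addresses and the LAN prefix are constructed values.
LAN=10.0.0.0/24
IF_A=xl0; IP_A=203.0.113.10
IF_B=xl1; IP_B=198.51.100.10

# Emit ipnat map rules for one uplink ($1 = A or B). Only the active
# uplink's rules are loaded, so new sessions get that external address.
gen_ipnat_rules() {
    case "$1" in
        A) ifc=$IF_A; ext=$IP_A ;;
        B) ifc=$IF_B; ext=$IP_B ;;
        *) echo "unknown uplink: $1" >&2; return 1 ;;
    esac
    printf 'map %s %s -> %s/32 portmap tcp 10000:40000\n' "$ifc" "$LAN" "$ext"
    printf 'map %s %s -> %s/32\n' "$ifc" "$LAN" "$ext"
}

# Decide which uplink to use: $1 = current (A|B), $2/$3 = RTT to a probe
# target via A and B in ms, 0 or less meaning the link is down. The other
# link must win by MARGIN_MS before we move, so jitter cannot flap the NAT
# address back and forth (every flap strands the sessions opened since).
choose_uplink() {
    cur=$1; ra=$2; rb=$3; margin=${MARGIN_MS:-50}
    if [ "$ra" -le 0 ] && [ "$rb" -le 0 ]; then echo "$cur"; return; fi
    if [ "$ra" -le 0 ]; then echo B; return; fi
    if [ "$rb" -le 0 ]; then echo A; return; fi
    case "$cur" in
        A) if [ $((ra - rb)) -gt "$margin" ]; then echo B; else echo A; fi ;;
        *) if [ $((rb - ra)) -gt "$margin" ]; then echo A; else echo B; fi ;;
    esac
}

# Load the new rule set with -C (clear rules) but NOT -F (flush mappings):
# sessions already translated to the old address keep their state entries
# and go on using it until they close; only new sessions use the new one.
switch_uplink() {
    rules=${IPNAT_RULES:-/etc/ipnat.rules}
    gen_ipnat_rules "$1" > "$rules.new" || { rm -f "$rules.new"; return 1; }
    mv "$rules.new" "$rules"
    if command -v ipnat >/dev/null 2>&1; then
        ipnat -C -f "$rules"
    else
        echo "ipnat not found; wrote $rules only" >&2
    fi
}
```

This covers only the mapping swap; the policy-route half (keeping flows already translated to a.a.a.a exiting link A after the default route moves) is the open question Leo raises above and is not addressed here.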