Internal routing to different gateway

Tony Frank tfrank at optushome.com.au
Thu Mar 18 02:32:35 PST 2004


Hi there,

On Tue, Mar 16, 2004 at 10:01:17PM -0800, J.T. Davies wrote:
> I have an internal mail server running qmail on FreeBSD (ip of 10.2.1.52).
> 
> I have two gateway/routers:
> Internal IPs of 10.2.1.1 and 10.2.1.2, each with its own external IP.
> 
> The mail server (10.2.1.52) has a default_router set as 10.2.1.1.
> 
> However, traffic coming in from 10.2.1.2 is answered via 10.2.1.1 (and not
> going back out the original route of 10.2.1.2).
> 
> Of course this doesn't work because the NAT tables don't sync up between the
> two, so 10.2.1.1 doesn't know where to route the reply traffic.
> 
> Incoming traffic on 10.2.1.1 works very well.
> 
> Here's my potential solution...please tell me if there's a better way
> (through another port) or if I'm on a good track.
> 
> ==========
> I create an IP alias on the mail server (10.2.1.53) and create routes in
> natd on 10.2.1.2 to route SMTP and POP3 traffic to the new alias IP.
> 
> I enable IPFW on the mail server (defaults to allow connections because it's
> internal).
> 
> I'll add two rules:
> ipfw add fwd 10.2.1.2 ip from 10.2.1.53 to any out via vr0
> ipfw add fwd 10.2.1.1 ip from 10.2.1.52 to any out via vr0
> (I think the syntax of the rules is right...if not, I'll experiment to
> perfect them)
> ==========
> 
> Thoughts?

I just (last week or so) posted a reply (on -net or -isp I think) that did 
this kind of thing for a webserver setup with alternate upstream sources.
The setup was a bit different to what you describe in that there was one
'router' with two uplinks rather than two separate routers.
In that case I needed to use the natd redirection feature to proxy traffic
to the alias address.
Your routers will need to be able to rewrite the traffic in some way to do this
(i.e. change the destination IP to 10.2.1.53).
As it is application layer, a regular IP route is probably not sufficient.

Another option is to 'reverse NAT' on the routers so the traffic to 10.2.1.52
appears to originate from 10.2.1.1 or 10.2.1.2.
Then your server will reply to the appropriate address and the NAT on the router
should send the result to the original client.
I guess this will depend a little on the application and how well it can handle
NAT; SMTP and POP3 should be fine as long as you're not trying to do source-IP
based filtering (unless you do that on the routers before they NAT/proxy the
traffic).

Hope it helps,

Tony
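
Added example, not part of either message above: a dry-run rule builder that
puts the two halves of the natd-redirection approach side by side, the ipfw
fwd rules on the mail server and the natd redirect on the second gateway.
The addresses and the interface name vr0 are taken from the thread; the
gateway's external interface name (fxp0), the rule numbers and the default
of echoing commands instead of loading them are assumptions made here.

```shell
#!/bin/sh
# Two-gateway mail server: steer replies sourced from the alias address
# out through the second gateway, and have that gateway redirect inbound
# SMTP/POP3 to the alias. Dry run by default; set IPFW=/sbin/ipfw on the
# real host to load the rules.
IPFW=${IPFW:-echo ipfw}

MAIL_PRIMARY=10.2.1.52   # from the thread: default route -> GW1
MAIL_ALIAS=10.2.1.53     # from the thread: alias that must answer via GW2
GW1=10.2.1.1
GW2=10.2.1.2
LAN_IF=vr0               # from the thread
GW2_EXT_IF=fxp0          # assumption: gateway 2's external interface

# Rules for the mail server. The protocol keyword ('ip') is required in an
# ipfw rule body. The fwd action needs 'options IPFIREWALL_FORWARD' in the
# kernel. The second fwd rule only restates the default route and may be
# dropped; it is kept to mirror the original proposal.
mailserver_rules() {
    $IPFW add 100 fwd "$GW2" ip from "$MAIL_ALIAS" to any out via "$LAN_IF"
    $IPFW add 110 fwd "$GW1" ip from "$MAIL_PRIMARY" to any out via "$LAN_IF"
    $IPFW add 65000 allow ip from any to any
}

# natd.conf fragment for gateway 2. redirect_port rewrites only the
# destination, so the mail server still sees the real client address and
# its reply (sourced from the alias) is forwarded back to this gateway,
# where natd reverses the translation.
gateway2_natd_conf() {
    cat <<EOF
interface $GW2_EXT_IF
use_sockets yes
same_ports yes
redirect_port tcp $MAIL_ALIAS:25 25
redirect_port tcp $MAIL_ALIAS:110 110
EOF
}

# Divert rule on gateway 2 that hands external-interface traffic to natd
# (natd listening on the 'natd' divert port from /etc/services).
gateway2_divert_rule() {
    $IPFW add 50 divert natd ip from any to any via "$GW2_EXT_IF"
}

mailserver_rules
gateway2_divert_rule
gateway2_natd_conf
```

Clients on the LAN that connect to the gateway's external address never
traverse the external interface, so they are not redirected by this natd
configuration; the redirect only applies to traffic arriving from outside.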


More information about the freebsd-ipfw mailing list