Internal routing to different gateway

J.T. Davies jtd at hostthecoast.org
Thu Mar 18 05:37:46 PST 2004


> Hi there,
>
> On Tue, Mar 16, 2004 at 10:01:17PM -0800, J.T. Davies wrote:
> > I have an internal mail server running qmail on FreeBSD (IP of 10.2.1.52).
> >
> > I have two gateway/routers:
> > Internal IPs of 10.2.1.1 and 10.2.1.2, each has its own external IPs.
> >
> > The mail server (10.2.1.52) has a default_router set as 10.2.1.1.
> >
> > However, traffic coming in from 10.2.1.2 is answered via 10.2.1.1 (and not going back out the original route of 10.2.1.2).
> >
> > Of course this doesn't work because the NAT tables don't sync up between the two, so 10.2.1.1 doesn't know where to route the reply traffic.
> >
> > Incoming traffic on 10.2.1.1 works very well.
> >
> > Here's my potential solution...please tell me if there's a better way (through another port) or if I'm on a good track.
> >
> > ==========
> > I create an IP alias on the mail server (10.2.1.53) and create routes in natd on 10.2.1.2 to route SMTP and POP3 traffic to the new alias IP.
> >
> > I enable IPFW on the mail server (defaults to allow connections because it's internal).
> >
> > I'll add two rules:
> > ipfw add fwd 10.2.1.2 ip from 10.2.1.53 to any out via vr0
> > ipfw add fwd 10.2.1.1 ip from 10.2.1.52 to any out via vr0
> > (I think the syntax of the rules is right...if not, I'll experiment to perfect them)
> > ==========
> >
> > Thoughts?
>
> I just (last week or so) posted a reply (on -net or -isp I think) that did this kind of thing for a webserver setup with alternate upstream sources.
> The setup was a bit different to what you describe in that there was one 'router' with two uplinks rather than two separate routers.
> In that case I needed to use the natd redirection feature to proxy traffic to the alias address.
> Your routers will need to be able to rewrite the traffic in some way to do this (i.e. change the destination IP to 10.2.1.53).
> As it is application layer, a regular IP route is probably not sufficient.
>
> Another option is to 'reverse NAT' on the routers so the traffic to 10.2.1.52 appears to originate from 10.2.1.1 or 10.2.1.2.
> Then your server will reply to the appropriate address and the NAT on the router should send the result to the original client.
> I guess this will depend a little on the application and how well it can handle NAT; SMTP and POP3 should be fine as long as you're not trying to do source-IP based filtering (unless you do that on the routers before they NAT/proxy the traffic).
>
> Hope it helps,
>
> Tony

Hi Tony,

I saw your post (and a few people forwarded it to me).  I did try to
implement, but for some reason could not get it to work.

Instead, I did this (which may not be the best option, but it works).

Create an alias on the mail server of (10.2.1.53).

Configure IPFW and create a rule to forward any traffic coming from
10.2.1.53 to the gateway at 10.2.1.2.

Voila! It amazingly worked!  Although I'm not too keen on having firewall rules
on an internal box (the default is to accept, so any traffic coming in from
internal networked machines would be able to communicate with it).

Thanks!
J.T.
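
The following script is an added worked example, not J.T.'s or Tony's actual configuration. It puts the two pieces of the thread together: the fwd rule that sends traffic sourced from the alias 10.2.1.53 back out through the second gateway 10.2.1.2, and a closed rule set that addresses the default-accept concern in the last paragraph. The addresses, the interface name vr0 and the two gateways are taken from the thread; the rule numbers, the 10.2.1.0/24 LAN range, the SSH rule and the choice of ports 25 and 110 are assumptions. It assumes a FreeBSD kernel of that era built with IPFIREWALL and IPFIREWALL_FORWARD (fwd rules are silently useless without the latter) and the alias already configured on vr0.

```shell
#!/bin/sh
# Added example (not the original poster's rules): policy-route replies from
# the alias 10.2.1.53 out via the second gateway and replace the default-accept
# ipfw set with an explicit one. Assumptions: kernel built with IPFIREWALL and
# IPFIREWALL_FORWARD, alias configured, e.g. in /etc/rc.conf:
#   ifconfig_vr0_alias0="inet 10.2.1.53 netmask 255.255.255.255"
# Rule numbers, the LAN range and the SSH rule are assumptions.

IFACE=vr0
MAIN_IP=10.2.1.52
ALIAS_IP=10.2.1.53
GW_MAIN=10.2.1.1
GW_ALT=10.2.1.2
LAN=10.2.1.0/24        # assumed LAN range for the admin rule
MAIL_PORTS=25,110      # SMTP and POP3, the services redirected to the alias

# Emit the rule set one command per line, the form "ipfw -q <file>" reads
# (ipfw discards anything after '#' in a rule file).
policy_rules() {
    cat <<EOF
flush
add 100 allow ip from any to any via lo0
# Policy routing first: the first matching rule wins and fwd is terminal, so
# these must precede any allow that could match outbound packets (otherwise
# the "established" rule below would swallow the replies and they would leave
# via the default router, which is exactly the failure described in the
# thread). The alias never originates connections, so only replies from the
# mail ports need to be forwarded; anything else from it falls through to deny.
add 200 fwd $GW_ALT tcp from $ALIAS_IP $MAIL_PORTS to any out via $IFACE
# Traffic from the primary address already follows the routing table; this
# rule is redundant, like the second rule in the original post, but it records
# the intent and permits everything the server itself originates.
add 210 fwd $GW_MAIN ip from $MAIN_IP to any out via $IFACE
# Inbound mail on either address ("me" matches any address this host owns).
add 300 allow tcp from any to me $MAIL_PORTS in via $IFACE setup
# Replies to connections this host opened (outbound SMTP, DNS lookups).
add 310 allow tcp from any to any in via $IFACE established
add 320 allow udp from any 53 to me in via $IFACE
add 330 allow icmp from any to any icmptypes 0,3,8,11
# Administration from the LAN only.
add 400 allow tcp from $LAN to $MAIN_IP 22 in via $IFACE setup
# Closing deny; "log" only produces output with IPFIREWALL_VERBOSE in the kernel.
add 65000 deny log ip from any to any
EOF
}

# Write the set to a file and load it in one ipfw call: -q suppresses the
# per-rule output and implies -f, so "flush" does not stop for confirmation
# and leave a remote session with an empty rule set.
apply_rules() {
    tmp=$(mktemp /tmp/ipfw.XXXXXX) || return 1
    policy_rules > "$tmp"
    ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Dry run by default (prints the rules); IPFW_APPLY=1 loads them.
if [ "${IPFW_APPLY:-0}" = 1 ]; then
    apply_rules
else
    policy_rules
fi
```

Run it without arguments to review the generated rules, then `IPFW_APPLY=1 sh policy.sh` on the mail server to load them. The ordering matters more than the exact rules: because fwd is a terminal action and ipfw stops at the first match, the forwarding rule for the alias has to sit above any allow that could match an outbound packet, or replies quietly revert to the default router.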



More information about the freebsd-ipfw mailing list