multiple natd + ipfw, with 2 internal ip's

[Brian Candler]

On Sat, Jan 28, 2006 at 01:01:53PM +0100, Unix-Solutions - Steven wrote:
> Hi you guy's,
> 
> I have a little problem with my natd or ipfw configuration.

This may not be what you want to hear, but in my experience if you have a
configuration with multiple external interfaces and multiple NAT instances,
ipfw + natd becomes almost impossible to configure correctly. You need
multiple running instances of natd, which isn't a problem, but making a set
of ipfw rules which correctly passes the right packets to the right natd
instances, both inbound and outbound, is pretty hard.

If I were you, I'd switch to pf. Having two NAT interfaces in pf.conf is
trivial. So then the only thing you need to do is to swing your defaultroute
from ISP1 to ISP2, to change the traffic flow.

> Now I want to add 192.168.2.253 as alias on the FXP0
> and when a PC on my internal network sets his gateway to 192.168.2.253
> I want that this PC takes the versatel route.
> How is this possible ?

Unfortunately, it's not possible at all.

When your PC sends a packet from X.X.X.X to Y.Y.Y.Y, and decides that
192.168.2.254 is the next hop router, it uses ARP to find the MAC address of
this router. It then encapsulates the IP datagram in an ethernet frame using
this as the destination MAC address.

If it decided to use 192.168.2.253 as the next hop, and this is an alias on
the same machine, then it would still get the same MAC address. So when the
packet arrives at the router, it would be impossible to tell whether the
originator had used 192.168.2.254 or 192.168.2.253 as the next-hop address.

(That's unless you do something very nasty, like assigning multiple MAC
addresses to the same interface and writing your own ARP daemon to respond
with different MAC addresses, but even then you would still have to somehow
make a forwarding decision based on the MAC address of the incoming frame.
You could put two different NICs on the same LAN segment, which would
automatically give you two MAC addresses and let you forward based on the
source interface, but I think that FreeBSD still has a problem when running
two NICs on the same LAN segment, because it mixes the ARP table into the
forwarding table)

If you want to selectively have some clients using ISP1 and other clients
using ISP2, then I think you could implement that using pf 'route-to' or
ipfw 'fwd' rules, matching the source IP address, which is a lot simpler.

In any case, if all you're concerned about is failover, then you probably
don't want to reconfigure every client PC when ISP1 goes down in order to
point to ISP2. Rather, you could run a script on the gateway PC which
monitors the link status, and changes its own defaultroute to point to the
other ISP.

HTH,

Brian.