multiple natd + ipfw, with 2 internal ip's

Julian Elischer julian at elischer.org
Mon Jan 30 10:49:15 PST 2006


Brian Candler wrote:

>On Sat, Jan 28, 2006 at 01:01:53PM +0100, Unix-Solutions - Steven wrote:
>
>>Hi you guy's,
>>
>>I have a little problem with my natd or ipfw configuration.
>
>This may not be what you want to hear, but in my experience if you have a
>configuration with multiple external interfaces and multiple NAT instances,
>ipfw + natd becomes almost impossible to configure correctly. You need
>multiple running instances of natd, which isn't a problem, but making a set
>of ipfw rules which correctly passes the right packets to the right natd
>instances, both inbound and outbound, is pretty hard.
>

Actually it's pretty easy.

Make a separate natd.conf file for each daemon, and specify it to each
daemon on the command line.
Then separate out the dataflow using ipfw.
e.g.
add 100 skipto 300 ip from any to any in recv fxp0
add 101 skipto 400 ip from any to any in recv fxp1
add 102 skipto 500 ip from any to any out xmit fxp0
add 103 skipto 600 ip from any to any out xmit fxp1

Now in each section 300, 400, 500, 600 you can have a different set of
filters etc.
You can also use different divert sockets for the two interfaces,
sending the data to the two different natds which you have listening
on different divert sockets.

>If I were you, I'd switch to pf. Having two NAT interfaces in pf.conf is
>trivial. So then the only thing you need to do is to swing your defaultroute
>from ISP1 to ISP2, to change the traffic flow.
>
>>Now I want to add 192.168.2.253 as alias on the FXP0
>>and when a PC on my internal network sets his gateway to 192.168.2.253
>>I want that this PC takes the versatel route.
>>How is this possible ?
>
>Unfortunately, it's not possible at all.
>
Well you could if you set your internal interface to be in promiscuous
mode and set proxy arp for that address using a different MAC address.
Then using ipfw at the ethernet layer you could tell which address it
had been aimed at.

A different approach would be to run two different subnets on the wire,
192.168.1.x and 192.168.2.x for example.
Each by default could be made to go out through a different egress
interface using an ipfw FWD rule.

>When your PC sends a packet from X.X.X.X to Y.Y.Y.Y, and decides that
>192.168.2.254 is the next hop router, it uses ARP to find the MAC address of
>this router. It then encapsulates the IP datagram in an ethernet frame using
>this as the destination MAC address.
>
>If it decided to use 192.168.2.253 as the next hop, and this is an alias on
>the same machine, then it would still get the same MAC address. So when the
>packet arrives at the router, it would be impossible to tell whether the
>originator had used 192.168.2.254 or 192.168.2.253 as the next-hop address.
>
>(That's unless you do something very nasty, like assigning multiple MAC
>addresses to the same interface and writing your own ARP daemon to respond
>with different MAC addresses, but even then you would still have to somehow
>make a forwarding decision based on the MAC address of the incoming frame.
>You could put two different NICs on the same LAN segment, which would
>automatically give you two MAC addresses and let you forward based on the
>source interface, but I think that FreeBSD still has a problem when running
>two NICs on the same LAN segment, because it mixes the ARP table into the
>forwarding table)
>
>If you want to selectively have some clients using ISP1 and other clients
>using ISP2, then I think you could implement that using pf 'route-to' or
>ipfw 'fwd' rules, matching the source IP address, which is a lot simpler.
>
>In any case, if all you're concerned about is failover, then you probably
>don't want to reconfigure every client PC when ISP1 goes down in order to
>point to ISP2. Rather, you could run a script on the gateway PC which
>monitors the link status, and changes its own defaultroute to point to the
>other ISP.
>
>HTH,
>
>Brian.
>_______________________________________________
>freebsd-net at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-net
>To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
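The skipto split per interface and the per-subnet fwd rule described in the reply above, written out as one rc-style script. This is example code added for this page, not from Julian, Brian or the FreeBSD project; the interface names (fxp0, fxp1, rl0), the ISP2 next hop 10.2.0.1, the divert ports 8668/8669, the subnets and the natd.conf paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): one ipfw ruleset that feeds
# two natd instances, one per uplink, using the skipto layout above.
# Assumed: fxp0 = ISP1 (holds the default route), fxp1 = ISP2 with next hop
# 10.2.0.1, rl0 = LAN carrying 192.168.1.0/24 (out via ISP1) and
# 192.168.2.0/24 (out via ISP2). Divert ports and config paths are assumed.
ISP1_IF=fxp0; ISP1_DIVERT=8668
ISP2_IF=fxp1; ISP2_DIVERT=8669; ISP2_GW=10.2.0.1; ISP2_NET=192.168.2.0/24
LAN_IF=rl0

# Each daemon gets its own file, e.g. /etc/natd-fxp1.conf holding
# "interface fxp1" and "port 8669"; start both before loading the rules:
#   natd -f /etc/natd-fxp0.conf && natd -f /etc/natd-fxp1.conf
# The fwd rule needs a kernel built with options IPFIREWALL_FORWARD.

# Emit the ruleset, one "ipfw add" argument list per line, for review.
# Every section ends in a terminating rule (deny/allow); without it a
# packet that matches nothing in section 300 would fall through into 400.
gen_rules() {
  cat <<EOF
add 10 allow ip from any to any via lo0
add 100 skipto 300 ip from any to any in recv $ISP1_IF
add 101 skipto 400 ip from any to any in recv $ISP2_IF
add 102 skipto 500 ip from any to any out xmit $ISP1_IF
add 103 skipto 600 ip from any to any out xmit $ISP2_IF
add 200 fwd $ISP2_GW ip from $ISP2_NET to not 192.168.0.0/16 in recv $LAN_IF
add 210 allow ip from any to any via $LAN_IF
add 300 divert $ISP1_DIVERT ip from any to any
add 310 allow tcp from any to any established
add 320 allow icmp from any to any
add 399 deny log ip from any to any
add 400 divert $ISP2_DIVERT ip from any to any
add 410 allow tcp from any to any established
add 420 allow icmp from any to any
add 499 deny log ip from any to any
add 500 divert $ISP1_DIVERT ip from any to any
add 599 allow ip from any to any
add 600 divert $ISP2_DIVERT ip from any to any
add 699 allow ip from any to any
EOF
}

# Load into the kernel only when ipfw exists, so the script is harmless
# to run elsewhere just to print the rules.
load_rules() {
  command -v ipfw >/dev/null 2>&1 || return 0
  ipfw -q -f flush
  gen_rules | while read -r rule; do ipfw -q $rule; done
}

gen_rules
```

Packets from 192.168.2.0/24 hit rule 200, are forwarded toward 10.2.0.1, leave via fxp1 and so reach section 600 and the second natd; everything else follows the default route out fxp0 into section 500.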