setfib, ipfw, dual-NICs, separate subnets

Freddie Cash fjwcash at gmail.com
Thu Jan 21 16:29:30 UTC 2010


Good morning networking gurus, :)

Just looking for clarification that I'm using setfib and ipfw "correctly" in
this situation.

I have a server at home with two NICs, connected to two separate routers,
with two separate Internet connections.  Each NIC is part of a different
subnet.  Each NIC is configured via DHCP from the respective router.

sk0 is 172.20.0.0/24
xl0 is 10.172.20.0/24

sk0 is in fib 0
xl0 is in fib 1

I want to use sk0 for all "normal" Internet traffic (SMTP, HTTP, DNS, FTP,
etc).
And use xl0 for all "bulk" Internet traffic (mainly torrents, but also long
HTTP/FTP downloads).  This link will get throttled by Shaw Cable due to the
torrent traffic, which is the main driver for using split Internet
connections and setfib.  :)

Right now, I'm using /etc/rc.local to configure things:

# Remove all routes for xl0 (second NIC) from the primary routing table
setfib 0 route delete 10.172.20.0/24
setfib 0 route delete 10.172.20.2
setfib 0 route delete 10.172.20.1
setfib 0 route delete default


# Remove all routes for sk0 (primary NIC) from the secondary routing table
setfib 1 route delete 172.20.0.0/24
setfib 1 route delete 172.20.0.10
setfib 1 route delete 172.20.0.2
setfib 1 route delete default


# Set the correct default routes in each table
setfib 0 route add default 172.20.0.10
setfib 1 route add default 10.172.20.1


# IPFW rules to set the correct FIB on incoming packets
ipfw add allow ip from any to any via lo0
ipfw add setfib 1 ip from any to any via xl0
ipfw add setfib 0 ip from any to any via sk0
ipfw add allow ip from any to any

Then, I start applications using wrapper scripts that "setfib 1" the apps
that I want to use the secondary Internet link.

I've run some tcpdumps on each interface, and it looks like the traffic is
being separated correctly.  Eventually, I'll be adding more IPFW rules to
block unwanted traffic.

Am I missing anything?  Are the "route delete" statements needed?  Is there
a better way to configure this than using /etc/rc.local?


-- 
Freddie Cash
fjwcash at gmail.com
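The rc.local fragment above, rewritten as an added example (not the poster's script or anything from the FreeBSD project) in a form that validates every address before handing it to route(8) and prints the commands it would run unless DRY_RUN=0. Addresses and interface names are the ones quoted in the message; treating 172.20.0.2 and 10.172.20.2 as the host's own addresses, and the DRY_RUN/run helper, are assumptions. The validator rejects malformed dotted quads (a five-octet address, an octet above 255), which a bare `route delete` in rc.local would otherwise either misparse or silently fail on at boot.

```shell
#!/bin/sh
# Added example, not from the original post. DRY_RUN=1 (default) prints the
# commands; DRY_RUN=0 executes them (FreeBSD only: setfib(1), route(8), ipfw(8)).
DRY_RUN="${DRY_RUN:-1}"

# Accept only a dotted quad: exactly four octets, each 0-255.
valid_ipv4() {
    addr="$1"
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $addr
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Accept "a.b.c.d/len" with 0 <= len <= 32.
valid_cidr() {
    net="${1%/*}"; len="${1##*/}"
    [ "$net" != "$1" ] || return 1
    valid_ipv4 "$net" || return 1
    case "$len" in *[!0-9]*|'') return 1 ;; esac
    [ "$len" -le 32 ]
}

# Print or execute one command line, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# fib_routes FIB OTHER_NET OTHER_GW OTHER_SELF MY_GW
# Scrub the other link's routes out of this FIB, then install this FIB's
# default route, mirroring the post's route delete / route add sequence.
fib_routes() {
    fib=$1 other_net=$2 other_gw=$3 other_self=$4 my_gw=$5
    valid_cidr "$other_net" || { echo "bad network: $other_net" >&2; return 1; }
    for a in "$other_gw" "$other_self" "$my_gw"; do
        valid_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    run setfib "$fib" route delete "$other_net"
    run setfib "$fib" route delete "$other_gw"
    run setfib "$fib" route delete "$other_self"
    run setfib "$fib" route delete default
    run setfib "$fib" route add default "$my_gw"
}

# ipfw_fib_rules PRIMARY_IF SECONDARY_IF
# Tag inbound packets with the FIB of the interface they arrived on. The
# trailing allow-any is the post's own; the author says blocking rules follow.
ipfw_fib_rules() {
    run ipfw add allow ip from any to any via lo0
    run ipfw add setfib 1 ip from any to any via "$2"
    run ipfw add setfib 0 ip from any to any via "$1"
    run ipfw add allow ip from any to any
}

# Values from the post: sk0 on 172.20.0.0/24 via 172.20.0.10 in fib 0,
# xl0 on 10.172.20.0/24 via 10.172.20.1 in fib 1. The host addresses
# 172.20.0.2 and 10.172.20.2 are an assumption read from the delete lines.
configure_all() {
    fib_routes 0 10.172.20.0/24 10.172.20.1 10.172.20.2 172.20.0.10 &&
    fib_routes 1 172.20.0.0/24 172.20.0.10 172.20.0.2 10.172.20.1 &&
    ipfw_fib_rules sk0 xl0
}

configure_all
```

Running it with the default DRY_RUN=1 prints the fourteen commands in the order the post lists them, so the output can be diffed against what rc.local currently contains before switching to DRY_RUN=0.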

