Different providers for different nat clients

Julian Elischer julian at freebsd.org
Tue Aug 13 17:28:13 UTC 2013


On 8/13/13 8:34 PM, Olivier Nicole wrote:
> Artem,
>
>> Um.. i was planning to use the included natd
>> But i think it has only one external address to use
> I think there are a couple of rules to add to ipfw to enable NAT; that
> may be where you divert to here or there:
>
> ipfw add divert natd all from 192.169.x.y to any via ISPB
> ipfw add divert natd all from any to any via ISPA
>
> That's the direction I would look at.

OK, here are some thoughts..
You want existing sessions from the offending client to continue to 
run through the original interface, or their session will immediately 
die, so you need to use dynamic, session-based routing.
One way to do this is to use the
keep-state and check-state rules in ipfw.

If you do rules like
  check-state
  fwd ISP2 ip from table(1) to any in recv $LAN keep-state
  fwd ISP1 ip from any to any in recv $LAN keep-state


then that session will continue to do that even if the contents of 
table(1) change.

Then you can use NAT rules on each $ISP interface to ensure that 
packets get translated correctly.
It's up to you to arrange the contents of the table..

I can't remember offhand whether a firewall pass terminates on a fwd 
rule match or not..
You may want to check that.

I think you should divide your rules up into rules for each interface 
and direction using skipto,
and then in each section have specialist rules for just that traffic.
So with 3 interfaces you would have 6 sets of rules (say 1000, 2000, 
3000, 4000, 5000 and 6000),
and the very first rules would be:
skipto 1000 ip from any to any in recv $LAN
skipto 2000 ip from any to any out xmit $LAN
skipto 3000 ip from any to any in recv $ISP1
skipto 4000 ip from any to any out xmit $ISP1
skipto 5000 ip from any to any in recv $ISP2
skipto 6000 ip from any to any out xmit $ISP2
[handle loopback packets here]

At 1000 you have the rules above.
At 3000, 4000, 5000 and 6000 you have NAT rules (with different NAT 
instances for each interface).

You can use whatever method you like (e.g. dummynet accounting?) to 
work out how much traffic is going, and add and remove entries in the 
table.

Remember, though, to make sure existing sessions don't get switched!

Julian


>
> Best regards,
>
> Olivier
>
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"

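The layout Julian sketches above, written out as a complete ipfw ruleset with the six skipto sections, the session-sticky fwd rules and one in-kernel nat instance per ISP interface. This is an added example, not code from the thread or from FreeBSD: the interface names (em0/em1/em2), gateway addresses and table number are assumed placeholders, and it uses in-kernel `ipfw nat` rather than the natd/divert setup Artem mentioned. Two points worth checking before loading it: in ipfw(8) `fwd` is a terminal action, so the search ends on a match and nothing after rule 1030 in the LAN section is reached for forwarded traffic; and on FreeBSD 9.x kernels `fwd` only takes effect with `options IPFIREWALL_FORWARD` compiled in (and in-kernel nat needs `ipfw_nat`/`IPFIREWALL_NAT`).

```shell
#!/bin/sh
# Added example (not from the thread): generate the ipfw ruleset described
# above.  Interface names, gateways and the table number are ASSUMED for the
# example; substitute your own.  gen_ruleset only prints rules, so it can be
# reviewed offline; install_ruleset feeds them to ipfw.

LAN=em0                 # inside interface
ISP1=em1                # default uplink
ISP1_GW=198.51.100.1    # next hop on ISP1 (assumed)
ISP2=em2                # uplink for clients listed in the table
ISP2_GW=203.0.113.1     # next hop on ISP2 (assumed)
TABLE=1                 # ipfw table of LAN clients to steer via ISP2

gen_ruleset() {
    cat <<EOF
flush
nat 1 config if $ISP1 same_ports reset
nat 2 config if $ISP2 same_ports reset
# First rules: sort by interface and direction (six sections for three ifaces).
add 100 skipto 1000 ip from any to any in recv $LAN
add 110 skipto 2000 ip from any to any out xmit $LAN
add 120 skipto 3000 ip from any to any in recv $ISP1
add 130 skipto 4000 ip from any to any out xmit $ISP1
add 140 skipto 5000 ip from any to any in recv $ISP2
add 150 skipto 6000 ip from any to any out xmit $ISP2
add 200 allow ip from any to any via lo0
# Explicit deny so an unexpected interface never falls through to rule 65535,
# whose action depends on how the kernel was built.
add 900 deny ip from any to any
# 1000: LAN inbound.  Traffic for the router itself first, then the state
# check: a packet of an established session runs the action of the rule that
# created its state, so it keeps its uplink even after the client is added to
# or removed from table $TABLE.  Only new sessions see the current table.
add 1000 allow ip from any to me
add 1010 check-state
add 1020 fwd $ISP2_GW ip from table($TABLE) to any in recv $LAN keep-state
add 1030 fwd $ISP1_GW ip from any to any in recv $LAN keep-state
# 2000: LAN outbound; replies were already translated in the ISP sections.
add 2000 allow ip from any to any
# 3000-6000: one nat instance per ISP interface, both directions.  The allow
# after each nat only matters when net.inet.ip.fw.one_pass is 0.
add 3000 nat 1 ip from any to any in recv $ISP1
add 3010 allow ip from any to any
add 4000 nat 1 ip from any to any out xmit $ISP1
add 4010 allow ip from any to any
add 5000 nat 2 ip from any to any in recv $ISP2
add 5010 allow ip from any to any
add 6000 nat 2 ip from any to any out xmit $ISP2
add 6010 allow ip from any to any
EOF
}

# Load the generated rules; -q implies -f so "flush" does not prompt.
install_ruleset() { gen_ruleset | ipfw -q -f /dev/stdin; }

# Move a client to ISP2 / back to ISP1.  Only new sessions change path;
# sessions with existing dynamic state keep the fwd rule that created them.
steer_to_isp2() { ipfw table "$TABLE" add "$1"; }
steer_to_isp1() { ipfw table "$TABLE" delete "$1"; }
```

Note that `check-state` appears only in the LAN-inbound section, so packets arriving from either ISP can neither create nor match dynamic state there; return traffic is handled purely by the nat instances. Every new LAN flow does create a dynamic rule, so watch `net.inet.ip.fw.dyn_count` against `net.inet.ip.fw.dyn_max` on a busy network, and raise `dyn_max`/`dyn_buckets` before the table fills.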

