From: Volodymyr Kostyrko <arcade@b1t.name>
To: Oleksandr Kryvulia, freebsd-net@freebsd.org
Subject: Re: net.add_addr_allfibs - alternative usecases
Date: Tue, 12 Oct 2021 14:29:31 +0300
In-Reply-To: <12fee2ec-5a32-48b8-ae85-87472ebab1ad@shurik.kiev.ua>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
On 12.10.21 11:27, Oleksandr Kryvulia wrote:
> 04.10.21 10:33, Volodymyr Kostyrko wrote:
>> Hello.
>>
>> First of all, I came here not to agitate for any change, I want to
>> understand how my configuration is inefficient and how I can do that
>> better.
>>
>> I have two outgoing interfaces, if0 and if1. Those are different
>> internet providers, I even get ipv6 through the second one, and that's
>> nice. I want to automatically fall back to the interface that is
>> working in case of an outage. Also, I want some traffic only on one of
>> those interfaces. So I got 3 fibs:
>>
>> fib 0: default route
>> fib 1: default route is if0
>> fib 2: default route is if1
>>
>> Fibs 1-2 are used for traffic that should only pass through exactly
>> that interface. Traffic pinning is done with PF:
>>
>> pass out on $outside2 inet from ($outside2) queue(in_std2, in_priv2)
>> modulate state rtable 2
>>
>> For example, I can test connectivity to both sides via:
>>
>> setfib 1 ping -qc 5 8.8.8.8
>> setfib 2 ping -qc 5 8.8.8.8
>>
>> And in case one of them doesn't work I can switch to the other one by
>> changing routing on fib 0.
>>
>> Everything seems to work fine with net.add_addr_allfibs enabled. But
>> once it was disabled I started wondering whether I'm using the right
>> tools to solve my problem, or whether this can be done more easily.
>> Disabling net.add_addr_allfibs means that only the assigned interface
>> will provide a default route for the corresponding fib, and you can't
>> manually add them to the other fib. Or maybe I got that part totally
>> wrong?
>>
>> Thanks in advance, any bit of knowledge would be appreciated.
>>
>
> Hi
> Yes, in your current scheme you need net.add_addr_allfibs enabled.
> As for me, fibs are useful when you need to run jails or other local
> processes with different routing tables. To do PBR you can use pf's
> route-to/reply-to instead.
>

Thank you for the reply. Actually I already made a few attempts with
route-to/reply-to, but those were deliberately failing for some
connections. Plus it's not that easy to switch when you need to reroute
connections, as the routing table can be changed outside of route
definitions.

Actually I found a way to propagate required routes to other fibs:

route add -net -interface if0

or

route_rule='-net -interface if0 fib 1'

in /etc/rc.conf.

-- 
Sphinx of black quartz judge my vow.
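The failover half of the scheme above (probe each uplink through its own FIB with setfib + ping, then repoint fib 0's default route at whichever uplink answers) is easy to get wrong if the switch is made while both uplinks are down. The script below is an added example, not code posted in this thread: it assumes the three-FIB layout from the first message, gateways 192.0.2.1 (behind fib 1) and 198.51.100.1 (behind fib 2), and per-FIB default routes already present (for instance via static_routes in /etc/rc.conf, as sketched in the header comment). The setfib, ping and route commands are taken from variables so the decision logic can be exercised on a machine without FIB support; the route(8) -fib modifier is used so the change always lands in fib 0 no matter which FIB the script itself runs in.

```shell
#!/bin/sh
# Added example (not from the thread): one probe-and-switch cycle for the
# three-FIB layout discussed above. fib 1 is pinned to the first uplink,
# fib 2 to the second, fib 0 carries whichever default route currently works.
# Every interface, gateway and probe address below is an assumption.
#
# Assumed host prerequisites (not part of the thread):
#   /boot/loader.conf:  net.fibs=3
#   /etc/rc.conf:       static_routes="up1 up2"
#                       route_up1="default 192.0.2.1 -fib 1"
#                       route_up2="default 198.51.100.1 -fib 2"

GW1=${GW1:-192.0.2.1}        # assumed gateway reachable through the fib 1 uplink
GW2=${GW2:-198.51.100.1}     # assumed gateway reachable through the fib 2 uplink
PROBE=${PROBE:-8.8.8.8}      # probe target used in the thread
SETFIB=${SETFIB:-setfib}     # overridable so the logic can be tested offline
PING=${PING:-ping}
ROUTE=${ROUTE:-route}
LAST_ROUTE_CMD=""            # last route(8) argument list, kept for logging/tests

# probe_fib N: succeed iff the uplink behind FIB N can reach $PROBE.
# Same check as the thread's "setfib 1 ping -qc 5 8.8.8.8".
probe_fib() {
    "$SETFIB" "$1" "$PING" -q -c 3 "$PROBE" >/dev/null 2>&1
}

# pick_uplink: print the number of the first FIB whose uplink answers
# (fib 1 preferred). Prints nothing and returns 1 when both are down, so the
# caller leaves fib 0 alone instead of flapping onto a dead gateway.
pick_uplink() {
    for fib in 1 2; do
        if probe_fib "$fib"; then
            echo "$fib"
            return 0
        fi
    done
    return 1
}

# gateway_for N: the gateway address that belongs to FIB N.
gateway_for() {
    case "$1" in
        1) echo "$GW1" ;;
        2) echo "$GW2" ;;
        *) return 1 ;;
    esac
}

# apply_default N: point fib 0's default route at the gateway of FIB N.
# "-fib 0" is the route(8) modifier, so this works from any process FIB.
apply_default() {
    gw=$(gateway_for "$1") || return 1
    LAST_ROUTE_CMD="-n change -fib 0 default $gw"
    "$ROUTE" $LAST_ROUTE_CMD
}

# failover: probe, then switch only when a live uplink was found.
failover() {
    fib=$(pick_uplink) || {
        echo "both uplinks down, leaving fib 0 untouched" >&2
        return 1
    }
    apply_default "$fib" && echo "fib 0 default now via fib $fib uplink" >&2
}

# Run the cycle only when invoked as "script run" (e.g. from cron).
case "${1:-}" in
    run) failover ;;
esac
```

Run it as `sh failover.sh run` from cron every minute or so; because fib 1 is always tried first, the default route moves back to the preferred uplink automatically once it recovers, and when neither uplink answers the script reports the fact and changes nothing.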