A dual-ISP hack with jail/vnet and ipfw
Julian Elischer
julian at freebsd.org
Sun Feb 5 07:58:36 UTC 2012
On 2/4/12 9:05 AM, Poul-Henning Kamp wrote:
> Natd(8) knows how to deal with multiple NAT instances for different
> interfaces, which is useful when you have multiple ISPs.
>
> The problem with it is that it becomes incredibly hairy to configure
> your IPFW rules, in particular if you have other policy to implement
> too.
This is sort of what I did when I switched ISPs recently, and had a
transition period..
I had a jail/vnet for each ISP, and just switched at the top level.
An unexpected advantage was that sessions from the main machine were
'one hop' away from the disruption when I screwed things, so instead of
getting terminated when the rules/routes were screwed, they just 'hung'
until I fixed things. Much like they do when there is internet
disruption between sites.
I've meant to do something cleaner like this for a while..
Good move.
> I spent some quality time with a 9.0-Stable nanobsd image today,
> and the script below is my proof of concept of a simpler way to
> do that.
>
> The idea is to let a jail deal with the two ISPs and use an epair
> to deliver a "normal default route interface" to the rest of the
> firewall, making its configuration simpler and easier to understand.
>
[...]
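The per-ISP jail with an epair as the host's uplink, as an added shell example for FreeBSD 9.x with a VIMAGE kernel (this is not the elided script from the original message nor FreeBSD's own code); the jail names, NIC names and the 10.255.x.0/30 link nets are assumptions, and DRY_RUN=1 prints the commands instead of executing them:

```shell
#!/bin/sh
# Added example: one vnet jail per ISP. The ISP's NIC is moved into the
# jail and the jail end of an epair is addressed there, so the host sees
# only a plain "default route interface" (the host end of the epair).
# Switching ISPs on the host is then just repointing the default route at
# the other jail's epair. Names and addresses below are assumed.

# Execute a command, or print it when DRY_RUN is set (real use needs root).
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# make_isp_jail NAME ISP_IF EPAIR_UNIT LINKNET
#   NAME        jail name, e.g. isp1
#   ISP_IF      NIC attached to that ISP, e.g. em1
#   EPAIR_UNIT  N of the epairN created for this jail
#   LINKNET     first three octets of a /30 used on the epair, e.g. 10.255.1
make_isp_jail() {
    name=$1 isp_if=$2 unit=$3 net=$4
    host_end="epair${unit}a" jail_end="epair${unit}b"
    run ifconfig "epair${unit}" create
    # vnet: own network stack; persist: jail survives with no processes.
    run jail -c name="$name" vnet persist host.hostname="$name"
    # Move the ISP NIC and the jail end of the epair into the jail's stack.
    run ifconfig "$isp_if" vnet "$name"
    run ifconfig "$jail_end" vnet "$name"
    run jexec "$name" ifconfig "$jail_end" inet "${net}.1/30" up
    run ifconfig "$host_end" inet "${net}.2/30" up
    # The jail forwards between epair and ISP NIC; the ISP address, its
    # NAT (natd or ipfw nat) and ipfw policy live inside the jail, not here.
    run jexec "$name" sysctl net.inet.ip.forwarding=1
}

# switch_uplink LINKNET: the host keeps a single default route, via the
# epair of whichever jail currently plays the uplink role.
switch_uplink() {
    run route delete default
    run route add default "$1.1"
}
```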