ISP redundancy and with IPFW

J.T. Davies jtd at hostthecoast.org
Mon May 24 15:08:50 PDT 2004


Hi Simon,

From another IPFW newbie (myself), I solved it with the following:

The two router computers would use NATD to redirect the port traffic inside.

On the webserver (if you're fortunate enough to have FreeBSD on that, which
I did), I also enabled IPFW and used two rules:

The first would route traffic back to the .1 router if it came from that
router.  The second would be the same, but direct to .2.  I think I used the
forward action with IPFW.  (Forward to .1 if the traffic came from .1,
forward to .2 if the traffic came from .2)

I don't have that configuration anymore to share, but it worked rather well.
It may not have been the best solution (aside from installing another port),
but it did work well!

J.T.

-----Original Message-----
From: owner-freebsd-ipfw at freebsd.org [mailto:owner-freebsd-ipfw at freebsd.org]
On Behalf Of Simon Chang
Sent: Monday, May 24, 2004 6:31 AM
To: freebsd-ipfw at freebsd.org
Subject: ISP redundancy and with IPFW


Hello all,

IPFW newbie question.

I am lucky enough to have 2 ADSL connections with 6 static addresses on each
router. I have a web server that needs to be always available from the
internet for our road warriors. What I would like to do is give this web
server a private address, say 10.0.0.1, and put it behind a FreeBSD/IPFW
firewall. I would then like to NAT this private address to a public address
from each ISP's range.
Say 100.1.1.2 for ISP1 (the ISP router address is 100.1.1.1) and 200.2.2.2
for ISP2 (the ISP router address is 200.2.2.1).

This would mean that our roadwarriors could type into their browsers either 
http://100.1.1.2 or http://200.2.2.2 and arrive at the web server.

The problem I'm not sure about is how to configure the return routing of the
packets (I don't think I can use a default router on the firewall).

Say for example ISP1 was down - 100.1.1.2 does not work, so the user types
200.2.2.2. The packet arrives at the firewall, is natted to 10.0.0.1 and sent
to the web server. The return packet is returned to the firewall where the
source is "unnatted" to 200.2.2.2 (destination could be anything). How do I
specify a rule that says for this source address (in ISP2's network) send
the packet to ISP2's router (200.2.2.1)?

Obviously I cannot route by destination address as this could be anything 
(for the return packets).

Is this possible with IPFW and NAT together?
Has anyone a similar rule set that they could send me?

Cheers, Simon Chang.
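The rule Simon asks for, written out as an added example (not a ruleset from either mail, and placed on the NAT firewall rather than on the web server as J.T. did): once natd has restored the public source address on a reply, an ipfw fwd rule keyed on that source selects the ISP gateway, and a trailing deny catches any reply that escaped translation. The addresses are the ones from Simon's mail; the rule numbers, the log/deny guard, and the assumption that the natd divert rules sit at lower rule numbers are mine.

```shell
#!/bin/sh
# Added example, not a ruleset from the thread. Emits the IPFW rules that
# pick the return path by public source address, for Simon's topology:
#   web server 10.0.0.1, reachable as 100.1.1.2 (ISP1 gateway 100.1.1.1)
#   and as 200.2.2.2 (ISP2 gateway 200.2.2.1).
# Assumptions: natd divert rules sit at lower numbers, so by the time a
# reply reaches these rules its source is already the public address; the
# kernel has "options IPFIREWALL_FORWARD" so that fwd is available.

WEBSERVER=10.0.0.1

# "public-address gateway" pairs, one line per ISP (values from the mail).
ISP_TABLE="100.1.1.2 100.1.1.1
200.2.2.2 200.2.2.1"

# One fwd rule per ISP, numbered from $1 in steps of 10. fwd terminates
# the search, so a translated reply never reaches the guard rule below.
fwd_rules() {
    num=$1
    echo "$ISP_TABLE" | while read pub gw; do
        [ -n "$pub" ] || continue
        echo "add $num fwd $gw ip from $pub to any out"
        num=$((num + 10))
    done
}

# Guard: a reply leaving with the private source was never translated.
# Log and drop it instead of leaking internal addressing to the Internet.
leak_guard_rule() {
    echo "add $1 deny log ip from $WEBSERVER to any out"
}

# Complete fragment, in the order it must be loaded.
ruleset() {
    fwd_rules 1000
    leak_guard_rule 1100
}

# Load each emitted line with ipfw; word splitting of $line is intended.
apply_ruleset() {
    ruleset | while read line; do ipfw -q $line; done
}
```

The deny rule only writes to the log when net.inet.ip.fw.verbose is set to 1 (and the kernel was built with IPFIREWALL_VERBOSE).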

_______________________________________________
freebsd-ipfw at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw