Two Networks on one System

Damien Fleuriot ml at my.gd
Tue Jun 21 10:34:08 UTC 2011



On 6/21/11 12:30 AM, Gary Gatten wrote:
> On 6/20/11 5:07 PM, Martin McCormick wrote:
> 
> I was kinda going this route as well - policy based routing type thing, but, is there an "easier" way?
> 
> 1.) Temporarily enable ipforwarding - not my favorite
> 2.) Instead of a second NIC, bind the new IP to the org nic (alias).
> 
> man ifconfig specifically mentions using alias during ip renumbering:
> 
> " alias   Establish an additional network address for this interface.  This
> is sometimes useful when changing network numbers, and one wishes to accept packets addressed to the old interface.  If the address is on the same subnet as the first network address for this interface, a non-conflicting netmask must be given.  Usually 0xffffffff is most appropriate."
> 
> Once everything is transitioned, you may reconfigure the interface with the "permanent" config.
> 
> G
> 
> 

Alias lets your interface have multiple IP addresses, however it will
not address your routing issue.

Find below the configuration we're using on firewalls both in the
195.158.0.0/16 network and 46.182.0.0/16 network.

In the case of a simple access rule:

# PASS quick SSH from trusted IPs
pass in quick on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_195) inet proto \
    tcp from <allowed_ssh> to <myself_wan_195> port 22
pass in quick on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_46) inet proto \
    tcp from <allowed_ssh> to <myself_wan_46> port 22

In the case of an RDR, where we redirect traffic to another host:
First we tag the packets in the RDR rule, then we make our access rule
only match the tagged packets.

# To VPN backoffice on both IP ranges
rdr on $ifvlan13 inet proto tcp from any to <myself_wan_195> port 1195 \
    tag rdr_195_1195 -> 10.104.10.244 port 1195
rdr on $ifvlan13 inet proto tcp from any to <myself_wan_46> port 1195 \
    tag rdr_46_1195 -> 10.104.10.244 port 1195
# PASS in openvpn backoffice
pass in log on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_195) inet proto \
    tcp from any to <openvpn> port 1195 tagged rdr_195_1195 keep state \
    label "PASS in openvpn_bo_195"
pass in log on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_46) inet proto \
    tcp from any to <openvpn> port 1195 tagged rdr_46_1195 keep state \
    label "PASS in openvpn_bo_46"
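The two fragments above are excerpts. As an added example (not part of the original post, and not taken from the author's firewalls), the following is a complete minimal pf.conf that applies the same pattern on one uplink interface carrying two provider ranges: reply-to sends each connection's return traffic back through the router of the range it arrived on, and the rdr/tag pair lets the filter rule tell the two entry paths apart after the destination has been rewritten. The interface name, gateway addresses, the firewall's own public addresses and the admin source network are placeholders chosen for illustration (the post only shows them as macros); the OpenVPN host and port are the post's.

```pf
# Added example, not the original post's configuration.
# Placeholders: interface, gateway and public addresses are assumed values.

ext_if = "vlan13"                 # assumed uplink interface (the post's $ifvlan13)
gw_195 = "195.158.0.1"            # assumed upstream router for the 195.158.0.0/16 range
gw_46  = "46.182.0.1"             # assumed upstream router for the 46.182.0.0/16 range
vpn_bo = "10.104.10.244"          # internal OpenVPN host, as in the post

table <myself_wan_195> { 195.158.0.10 }   # assumed: this firewall's address in each range
table <myself_wan_46>  { 46.182.0.10 }
table <allowed_ssh>    { 192.0.2.0/24 }   # assumed admin source network (RFC 5737 documentation range)
table <openvpn>        { 10.104.10.244 }

set skip on lo0

# Translation rules come before filter rules in pf.conf ordering.
# The tag records which public address the packet was redirected from,
# because after rdr the destination address no longer tells us.
rdr on $ext_if inet proto tcp from any to <myself_wan_195> port 1195 \
    tag rdr_195_1195 -> $vpn_bo port 1195
rdr on $ext_if inet proto tcp from any to <myself_wan_46> port 1195 \
    tag rdr_46_1195 -> $vpn_bo port 1195

# Default deny on the uplink; only the rules below open anything.
block in log on $ext_if

# reply-to: replies for a state created by this rule leave via the named
# gateway instead of the system default route, so traffic that arrived
# through the 46 range is not answered through the 195 router (and vice versa).
pass in quick on $ext_if reply-to ($ext_if $gw_195) inet proto tcp \
    from <allowed_ssh> to <myself_wan_195> port 22 keep state
pass in quick on $ext_if reply-to ($ext_if $gw_46) inet proto tcp \
    from <allowed_ssh> to <myself_wan_46> port 22 keep state

# Redirected VPN traffic: match on the translated destination plus the tag,
# and pick the reply gateway that matches the range the tag came from.
pass in log on $ext_if reply-to ($ext_if $gw_195) inet proto tcp \
    from any to <openvpn> port 1195 tagged rdr_195_1195 keep state \
    label "PASS in openvpn_bo_195"
pass in log on $ext_if reply-to ($ext_if $gw_46) inet proto tcp \
    from any to <openvpn> port 1195 tagged rdr_46_1195 keep state \
    label "PASS in openvpn_bo_46"

# Outbound traffic the firewall or the inside originates still follows the
# routing table; reply-to only affects the return half of inbound states.
pass out on $ext_if keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and after loading, `pfctl -ss` shows the states created by each rule; a state created for a connection to the 46 address should show its reply path through the 46 gateway. Two points worth keeping in mind: reply-to only governs the reply direction of stateful connections, so anything the firewall itself initiates (package fetches, DNS, NTP) still uses the routing table and a single default route; and because the pass rule for the redirected traffic matches on the translated destination plus the tag, a packet sent directly to 10.104.10.244 from outside without passing through the rdr rule carries no tag and is caught by the block rule.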

