Two Networks on one System

Jerome Herman jherman at dichotomia.fr
Tue Jun 21 16:29:40 UTC 2011 

On 06/21/11 12:41, Damien Fleuriot wrote:
>
> On 6/21/11 2:32 AM, Jerome Herman wrote:
>
>> So depending on the client route, packets from a given IP address can
>> land on either interface. Actually two clients nated behind the same
>> public address might end up on both interfaces at the same time.
>> Even though your solution should work 99% of the time , it can lead to
>> pretty strange behavior. I am not completely sure of how reply-to works,
>> notably with keep state (and of course OpenBSD manuals on PF are down
>> right now, at least from here). I remember attempting similar setups and
>> having quite a lot of trouble with ICMP (especially RST for that matter).
>>
> This does not depend on the route the client takes, but rather on the IP
> the client tries to reach, wouldn't you agree ?

Most of the problems I was afraid of were lifted when further 
explanations where given. But just for the records I would like to 
explain further what I meant, adding some examples.

1°) It is perfectly possible for a public IP to be routed differently 
depending on the ISP. Actually it is quite common when you have multiple 
provider to create "shortcuts" in the routing table. Let us say your 
main provider is ISP A who is officially routing your public IP, but you 
also have a privileged link with ISP B who will redirect any request 
made to your public IP to a private IP on your network (NAT or DMZ, your 
pick).
All clients from ISP A will come to your public IP directly, all clients 
from ISP B will go through your private IP, but clients from ISP C ? 
Well it will depends on whether the route they elect goes to ISP A or 
ISP B first.

2°) Even if there are two distinct public addresses A & B , what happens 
when two nated computers behind an public address Z try to connect to 
the server at the same time ? reply-to disturbs the normal flow of 
answers, in case two connections are attempted from the same distant 
address at the same moment (second SYN received before first SYN/ACK is 
sent ) what is supposed to happen. I think each connection will receive 
a proper SYN/ACK from the right interface, but I cannot find anything to 
confirm/infirm this.

3°) Another thing that can happen, in case the interface selection is 
route dependent, is that the route can change between packet N and 
packet N+1. In this case using reply-to will very probably lead to a 
connection RST on the second interface while the first will go into 
timeout.

So basically these were the problematics I was trying to point out in my 
previous mail.

Hope I am clearer now

Jerome Herman

More information about the freebsd-questions mailing list