Two Networks on one System

Damien Fleuriot ml at
Tue Jun 21 16:45:30 UTC 2011

On 6/21/11 6:30 PM, Jerome Herman wrote:
> On 06/21/11 12:41, Damien Fleuriot wrote:
>> This does not depend on the route the client takes, but rather on the IP
>> the client tries to reach, wouldn't you agree ?
> Most of the problems I was afraid of were lifted when further
> explanations were given. But just for the record I would like to
> explain further what I meant, adding some examples.
> 1°) It is perfectly possible for a public IP to be routed differently
> depending on the ISP. Actually it is quite common when you have multiple
> providers to create "shortcuts" in the routing table. Let us say your
> main provider is ISP A who is officially routing your public IP, but you
> also have a privileged link with ISP B who will redirect any request
> made to your public IP to a private IP on your network (NAT or DMZ, your
> pick).
> All clients from ISP A will come to your public IP directly, all clients
> from ISP B will go through your private IP, but clients from ISP C ?
> Well, it will depend on whether the route they elect goes to ISP A or
> ISP B first.

This has to do with BGP, transits and peerings; it is not really
relevant to your case of having 2 public IPs served by a box.

But then, to answer your question:

Let's say you have 2 public and 1 private IP on the box.

Traffic to public IP A has a reply-to to the ISP's router in network A.
Traffic to public IP B has a reply-to to the ISP's router in network B.
Traffic to private IP C has a reply-to to the ISP's router in network C.

I really can not see what your concern is, here.

In fact, this is pretty much what we use here, we have RDR rules set up
on our firewalls to pass packets to our reverse proxies' private IPs.

> 2°) Even if there are two distinct public addresses A & B, what happens
> when two NATed computers behind a public address Z try to connect to
> the server at the same time ? reply-to disturbs the normal flow of
> answers, in case two connections are attempted from the same distant
> address at the same moment (second SYN received before first SYN/ACK is
> sent ), what is supposed to happen ? I think each connection will receive
> a proper SYN/ACK from the right interface, but I cannot find anything to
> confirm/infirm this.

What you need to take into account is that these are 2 different
connections, each with an ID, a source IP (shared: Z) and a source port.

This will not be messed up by reply-to.

> 3°) Another thing that can happen, in case the interface selection is
> route dependent, is that the route can change between packet N and
> packet N+1. In this case using reply-to will very probably lead to a
> connection RST on the second interface while the first will go into
> timeout.

We're talking about your own egress route here, which depends on the IP
you are replying from.

If you're replying with IP A, you'll use the router in network A.
If you're replying with IP B, you'll use the router in network B.

Whatever BGP topology changes your ISP undergoes at that time has no
effect on this part of networking.

Now, if your primary ISP were to have a problem, BGP will converge and
your secondary transit will be used to route packets to your public IPs.

In this case of course, it is mandatory that when ISP1 fails, ISP2 takes
over the router IPs you're using in networks A and B.

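As an added illustration of the setup described in the reply above (this is not from the thread and not the poster's own configuration; the interface names, the documentation-range addresses and the reverse proxy are assumptions), here is a pf.conf fragment in the pre-OpenBSD-4.7 syntax that FreeBSD pf used at the time, showing reply-to for connections arriving via ISP B, route-to for traffic the box itself sends from IP B, and the RDR rules to a private reverse proxy:

```pf
# Added example, not from the thread.  Assumed layout (documentation
# address ranges): em0 faces ISP A, em1 faces ISP B, em2 is the LAN.
ext_if_a = "em0"
ext_if_b = "em1"
int_if   = "em2"
gw_a     = "203.0.113.1"     # ISP A's router, also the system default route
gw_b     = "198.51.100.1"    # ISP B's router
pub_a    = "203.0.113.10"    # public IP A, configured on em0
pub_b    = "198.51.100.10"   # public IP B, configured on em1
proxy    = "10.0.0.10"       # reverse proxy on the private network

# One state follows the connection from em1 in to em2 out (FreeBSD default).
set state-policy floating

# Translation rules come before filter rules: both public IPs are
# redirected to the same private reverse proxy.
rdr on $ext_if_a proto tcp from any to $pub_a port 443 -> $proxy port 443
rdr on $ext_if_b proto tcp from any to $pub_b port 443 -> $proxy port 443

# Filter rules see the translated packet, so they match on $proxy.
# Connections that arrived via ISP A are answered through ISP A's router,
# which is the default route anyway, so no reply-to is needed.
pass in on $ext_if_a proto tcp from any to $proxy port 443 keep state

# Connections that arrived via ISP B must be answered through ISP B's
# router regardless of the default route.  reply-to pins that next hop
# into the state; states are keyed on source IP, source port, destination
# IP and destination port, so two NATed clients behind the same address Z
# get two distinct states, each answered out the right interface.
pass in on $ext_if_b reply-to ($ext_if_b $gw_b) proto tcp from any to $proxy port 443 keep state

# Traffic the box itself originates from IP B would otherwise follow the
# default route out em0; route-to sends it through ISP B's router instead.
pass out on $ext_if_a from $pub_b route-to ($ext_if_b $gw_b) keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. With two clients behind the same NAT address connecting to IP B at once, `pfctl -ss` shows two separate state entries differing only in source port, which is why reply-to cannot mix up their SYN/ACKs.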