Two Networks on one System

Jerome Herman jherman at dichotomia.fr
Tue Jun 21 17:26:40 UTC 2011


On 06/21/11 18:45, Damien Fleuriot wrote:
>
> On 6/21/11 6:30 PM, Jerome Herman wrote:
>> On 06/21/11 12:41, Damien Fleuriot wrote:
>>> This does not depend on the route the client takes, but rather on the IP
>>> the client tries to reach, wouldn't you agree ?
>> Most of the problems I was afraid of were lifted when further
>> explanations were given. But just for the record I would like to
>> explain further what I meant, adding some examples.
>>
>> 1°) It is perfectly possible for a public IP to be routed differently
>> depending on the ISP. Actually it is quite common when you have multiple
>> providers to create "shortcuts" in the routing table. Let us say your
>> main provider is ISP A who is officially routing your public IP, but you
>> also have a privileged link with ISP B who will redirect any request
>> made to your public IP to a private IP on your network (NAT or DMZ, your
>> pick).
>> All clients from ISP A will come to your public IP directly, all clients
>> from ISP B will go through your private IP, but clients from ISP C?
>> Well, it will depend on whether the route they elect goes to ISP A or
>> ISP B first.
>>
> This has to do with BGP, transits and peerings, this is not really
> relevant to your case of having 2 public IPs served by a box.
>
> But then, to answer your question:
>
> Let's say you have 2 public and 1 private IP on the box.
>
> Traffic to public IP A has a reply-to to the ISP's router in network A.
> Traffic to public IP B has a reply-to to the ISP's router in network B.
> Traffic to private IP C has a reply-to to the ISP's router in network C.

No, the problem is the following:
Traffic to public IP A going through ISP X goes to interface 1,
configured with public IP A.
Traffic to public IP A going through ISP Y goes to interface 2,
configured with private IP C.

And no this is not a fantasy config that can only be found once every 
millennium when following a unicorn. There are actually quite a lot of 
setups that use this trick to work.

> I really can not see what your concern is, here.
>
> In fact, this is pretty much what we use here, we have RDR rules set up
> on our firewalls to pass packets to our reverse proxies' private IPs.
>
>
>> 2°) Even if there are two distinct public addresses A & B, what happens
>> when two NATed computers behind a public address Z try to connect to
>> the server at the same time? reply-to disturbs the normal flow of
>> answers; in case two connections are attempted from the same distant
>> address at the same moment (second SYN received before first SYN/ACK is
>> sent), what is supposed to happen? I think each connection will receive
>> a proper SYN/ACK from the right interface, but I cannot find anything to
>> confirm/infirm this.
>>
> What you need to take into account is that these are 2 different
> connections each with an ID, a source IP (shared: Z) and a source port
> (randomized).
>
> This will not be messed up by reply-to.
That is what I thought, but I can't seem to find a proper doc on the 
nooks and crannies of reply-to and route-to. And I am always a bit 
cautious about the idea of checking BSD code myself to get answers.
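Added illustration (not from either poster) of the pf.conf ruleset the exchange above describes: the same service is reachable through ISP X on interface 1 (public IP A) and through ISP Y on interface 2 (private IP C), and reply-to is used so that replies leave through the interface and gateway the SYN arrived on rather than being chosen by the destination address. Interface names, addresses and gateways are assumed placeholders (RFC 5737 documentation ranges and RFC 1918 space), not values from the thread.

```pf
# Added example, not the thread's own configuration. All addresses are
# placeholders; substitute the real interfaces, IPs and ISP routers.
ext_if_a = "em0"            # interface 1, link to ISP X, carries public IP A
ext_if_b = "em1"            # interface 2, link to ISP Y, carries private IP C
gw_a     = "203.0.113.1"    # ISP X's router on network A (assumed)
gw_b     = "192.0.2.1"      # ISP Y's router on the link to interface 2 (assumed)
pub_a    = "203.0.113.10"   # public IP A
priv_c   = "10.0.0.10"      # private IP C, where ISP Y's redirect delivers traffic
svc_port = "80"

set skip on lo0
block in log all

# The reply path is bound to the interface the SYN arrived on, not to the
# address it was sent to: a request that came in on em1 is answered via gw_b,
# one that came in on em0 via gw_a, even though both reach the same service.
pass in on $ext_if_a reply-to ($ext_if_a $gw_a) inet proto tcp \
    from any to $pub_a  port $svc_port flags S/SA keep state
pass in on $ext_if_b reply-to ($ext_if_b $gw_b) inet proto tcp \
    from any to $priv_c port $svc_port flags S/SA keep state

# Two clients behind the same NAT address Z still differ in source port, so
# each SYN creates its own state entry (src addr, src port, dst addr, dst port)
# carrying its own reply-to gateway; a second SYN arriving before the first
# SYN/ACK is sent does not alter the first connection's reply path.
pass out all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; because replies are routed by the stored state rather than the system routing table, the `log` on the block rule is useful for spotting any path whose return traffic the rules above do not cover.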


