On Sun, 4 Mar 2001, Mike Nowlin wrote:

> 
> Just had a second DSL connection installed, and have several questions
> regarding how to map it into the FBSD router we use...
> 
> The basic setup here (with just the single DSL line, 32 IPs on that
> line) is DSL->Router->hosts, where DSL->Router is on dc0, and
> Router->hosts is on fxp0.  Basically, I added dc1 for the 2nd DSL
> connection.  Local traffic is split between fxp0 and dc2, depending on
> the subnet it's for.  (10.193.x.x or 10.98.x.x, and those subnets go
> to a pair of BSD routers that break things down further, going to
> several ethernet segs and Cisco 804s for various ISDN links, plus
> another router that has a cable connection on it for outgoing FTP/HTTP
> requests from certain machines, not to mention the 200+ "ppp -auto"
> links - kinda fun to figure out how a packet gets from point A to
> point B..:) )  Ah, the joys of having a network supporting a lot of
> physical locations that has to be cost-effective..
> 
> All of our machines are assigned a 10.x.x.x address, and I use ipfw
> and natd to do translation between the DSL1 and net-10 addresses -
> works beautifully.
> 
> First question: after playing with this a bit, I've come to the
> decision that I probably need to send NAT packets to two different
> divert sockets - one for each DSL IP block.  With /etc/natd.conf
> holding the NAT rules, is it possible to have two "port" or
> "alias_address" lines:
> 
>    alias_address 1.2.3.4
>    port 8668
>    redirect_address 10.1.1.7 1.2.3.7
>    redirect_address 10.1.1.8 1.2.3.8
>    alias_address 5.6.7.1
>    port 8669
>    redirect_address 10.1.1.7 5.6.7.7
>    redirect_address 10.1.1.8 5.6.7.8
>    
> ...or do I need to run two copies of natd for this to work correctly?

        You should run 2 different copies of natd.  More comments below.

> 
> Second question: I could probably do this blindfolded on a Cisco
> router, but is there some way to accomplish the Cisco idea of
> "policy-based routing" on a FBSD box?  I basically need to look at the
> source address of a packet and send it to the appropriate ethernet
> interface for the DSL IP block that matches that source address.

        The closest thing to Cisco's policy based routing (not including
        netgraph) is `ipfw fwd`.

        As a side note, 1 thing you are going to have a problem with is
        routing out these 2 different DSL providers.  Once the packet gets
        diverted (inbound from DSL provider-2) to a private address and
        run through your network, it doesn't know how to get back through
        to the original source DSL (provider2) network, if your
        default gateway is through DSL provider1.  There is no way
        in FreeBSD to do route caching on inbound interfaces.  If your DSL
        provider #1 is allowing only your hosts' IPs to go through his
        network (likely) you're SOL!

        However, there is a solution to this problem.  Run 3 copies of
        natd [!!].  Why???  I'll see if I can explain.  Consider the
        following diagram:

                ISP #1          ISP #2
                |               |
                 \             /
                  dc0 - BSD - dc1
                        |
                        fxp0
                        |
                        Internet net (10.0.0.0)

        The BSD machine is running 2 different copies of natd both
        operating on dc0 and dc1.  Its default gateway is through ISP #1.
        
        What happens when packets originate from (or through) ISP #2? :

        1) Packets get diverted to the proper redirect_address inside
        2) Packets get sent to the internal machine
        3) Machine responds to packet, sending it to the BSD machine
==>     4) BSD machine tries to send out ISP #1 because of default gateway
        5) ...timeout...timeout...timeout...

        ACK!  This is because FreeBSD doesn't support route caching.  So
        you solve this by tagging packets coming in from ISP #2 by
        changing the source address using natd -reverse and aliasing all
        inbound traffic to a non-routable address like 192.168.1.1.  This
        tricks the internal machines to think that all traffic from ISP #2
        is coming from one machine, 192.168.1.1.  Now you can add the
        appropriate route on your BSD machine:
        
                # route add 192.168.1.1 -iface dc1

        and force the packets to go the right way as they are on the
        return from the internal machines.  

        Here's the tricky part.  You also want to change the destination
        address (redirect_address) after the source address has been
        changed to 192.168.1.1 on incoming packets.  This is where your 3rd
        natd comes into play.  This 3rd natd will also keep track of your
        outbound address translations as well.  So here is how the packets
        get treated for ISP #2 traffic:

        1) Packets come in from a host (3.3.3.3) via ISP #2
        2) destination address is changed to internal machine-A
        3) Source address (3.3.3.3) is changed to 192.168.1.1
        4) Packet is sent to machine-A
        5) machine-A responds to packet, sends to BSD machine
        6) BSD machine changes destination from 192.168.1.1 to 3.3.3.3
        7) BSD machine changes source address from internal to public
        8) Packet is sent to ISP #2 (ipfw fwd).

        The firewall rules for these operations are a tad tricky.  Using
        a combination of skipto's, natd's, and fwd it seems to work
        OK.  If anyone would like more detail (config files, etc) please
        let me know.

        There may be a better solution...anyone?  


Nick Rogness <[EMAIL PROTECTED]>
- Keep on routing in a Free World...  
  "FreeBSD: The Power to Serve!"
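A constructed model of the packet flow Nick describes, added here as an illustration (it is not FreeBSD's natd or ipfw, nor any config from the thread): the ISP #2 natd, the third natd running -reverse, and a longest-prefix route lookup, showing that the reply to 3.3.3.3 leaves on dc0 without the tag and on dc1 with it. Addresses 10.1.1.7, 5.6.7.7, 192.168.1.1 and 3.3.3.3 come from the thread; the NAT state handling (keyed on host only) and the route table are simplifying assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class Natd:
    """One natd instance (constructed model, not FreeBSD's natd, which also keys
    state on ports).  reverse=True is the natd -reverse tagging from the post."""
    def __init__(self, alias, redirects=None, reverse=False):
        self.alias, self.reverse = alias, reverse
        self.redirects = redirects or {}   # public address -> inside host
        self.state = {}                    # inside host -> real outside peer
    def inbound(self, p):                  # packet arriving from the ISP side
        if self.reverse:
            self.state[p.dst] = p.src      # remember who really sent it
            return Packet(self.alias, p.dst)
        return Packet(p.src, self.redirects.get(p.dst, p.dst))
    def outbound(self, p):                 # reply heading back to the ISP side
        if self.reverse:
            if p.dst == self.alias and p.src in self.state:
                return Packet(p.src, self.state[p.src])
            return p
        public = {inside: pub for pub, inside in self.redirects.items()}
        return Packet(public.get(p.src, self.alias), p.dst)

ROUTES = {"0.0.0.0/0": "dc0", "10.0.0.0/8": "fxp0"}   # default gateway via ISP #1

def egress(dst, routes):
    # Kernel-style longest-prefix lookup: it never considers the ingress interface.
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(n) for n in routes if addr in ipaddress.ip_network(n)]
    return routes[str(max(nets, key=lambda n: n.prefixlen))]

def reply_interface(tag_isp2):
    """Push one ISP #2 connection from 3.3.3.3 through the NATs; return the
    interface the reply leaves on and its final (src, dst)."""
    isp2 = Natd("5.6.7.1", {"5.6.7.7": "10.1.1.7"})      # natd for dc1
    tag = Natd("192.168.1.1", reverse=True)              # the 3rd natd
    routes = dict(ROUTES)
    if tag_isp2:
        routes["192.168.1.1/32"] = "dc1"                 # route add 192.168.1.1 -iface dc1
    p = isp2.inbound(Packet("3.3.3.3", "5.6.7.7"))       # steps 1-2
    if tag_isp2:
        p = tag.inbound(p)                               # step 3
    reply = Packet(p.dst, p.src)                         # step 5: machine-A answers
    iface = egress(reply.dst, routes)                    # step 4: route lookup
    if iface == "dc1":                                   # steps 6-7 happen on dc1 only
        reply = isp2.outbound(tag.outbound(reply))
    return iface, reply.src, reply.dst
```

Without the tag the reply is routed by its destination 3.3.3.3 and hits the default route out dc0, still carrying the private source; with the tag the reply is addressed to 192.168.1.1, the host route picks dc1, and both natds undo their rewrites on the way out.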