On Sat, 17 Mar 2001, Julian Elischer wrote:

> Alex Pilosov wrote:
> > 
> > On Sat, 17 Mar 2001, Nick Rogness wrote:
> > 
> > > There is no way to tell your packet to go back out to ISP #2.  That is the
> > > point I'm trying to get across.  Unless you're running a routing
> > > daemon.  But is that really practical with cable modems, dsl, etc?...I
> > > don't think so.
> > <flame>
> > Is the clue really gone from this list?
> > </flame>
> > 
> > With policy routing, you indeed will be able to multihome, without any
> > cooperation of your upstream (assuming strict filters on their ingress
> > interfaces) and have things work.
> 
> it should be possible to use IPFW and natd to do this:
> IPFW could use Luigi's probability feature to select an interface to 
> use for each initiating session and ipfw could use a stateful rule
> to 'remember the choice made'

        I would be interested to see what you are talking about with
        probability.  I'll play with it this afternoon.  

        Just to be clear to everyone, the problem I'm seeing is this:

        1) Packet comes in with src A.A.A.A dest B.B.B.B in interface A
        (in from ISP #2)

        2) natd-2 (listening on interface A from ISP #2) changes the
        destination from B.B.B.B to machine X.X.X.X (internal)

        3) Packet gets sent to machine X.X.X.X on the internal network.

        4) Machine X.X.X.X responds to B.B.B.B, sending the packet
        back to the BSD machine.

        5) The BSD machine looks up in the routing table how to get to 
        B.B.B.B.  Oh no!  Go out interface B connected to ISP#1...the
        default gateway.

        6) This triggers natd-1 to change the source to C.C.C.C and sends
        the packet out to B.B.B.B on the default interface B because of
        the default gateway.

        7)  Machine B.B.B.B is expecting a response from A.A.A.A, but
        instead, it is seeing a response from C.C.C.C

        And Alex, you can't fwd based on source because of the 2 natd's 
        on 2 different interfaces.  The firewall does not keep track of
        INCOMING packets. So the firewall does not know the right 
        interface to forward the packet to, so the wrong natd gets
        triggered.
        

> 
> The final step is to select to which divert rule the packets eventually get
> sent.
> Each divert rule goes to a different natd, each of which is attached to a 
> different outgoing interface.

        I am going to look at what you suggested this afternoon to see if
        it works.


Nick Rogness <[EMAIL PROTECTED]>
- Keep on routing in a Free World...  
  "FreeBSD: The Power to Serve!"
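A small model of the seven steps above and of the "remember the incoming interface" idea, added here as an illustration; it is not code from this thread or from FreeBSD's ipfw/natd, and the interface names and the flow table are hypothetical stand-ins for the real stateful rule.

```python
"""Model of the dual-natd reply problem and of a stateful fix.
Constructed example: addresses follow the thread (A.A.A.A, B.B.B.B,
C.C.C.C, X.X.X.X); interfaces "A"/"B" and the flow table are hypothetical."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str


# Each ISP-facing interface has its own natd, aliasing to that interface's
# public address: natd-2 on interface A (ISP #2), natd-1 on interface B (ISP #1).
# Interface B carries the default route.
NATD = {"A": "B.B.B.B", "B": "C.C.C.C"}
DEFAULT_IFACE = "B"
INTERNAL = "X.X.X.X"


class Router:
    def __init__(self, stateful):
        self.stateful = stateful
        self.flows = {}  # (internal host, remote host) -> interface it came in on

    def inbound(self, pkt, iface):
        """Steps 1-3: the natd on `iface` rewrites the public dst to the internal host."""
        assert pkt.dst == NATD[iface], "packet arrived on the wrong interface"
        if self.stateful:
            self.flows[(INTERNAL, pkt.src)] = iface  # remember the incoming interface
        return Pkt(pkt.src, INTERNAL)

    def outbound(self, pkt):
        """Steps 4-6: pick the egress interface, then apply that interface's natd."""
        iface = DEFAULT_IFACE
        if self.stateful:
            iface = self.flows.get((pkt.src, pkt.dst), DEFAULT_IFACE)
        return iface, Pkt(NATD[iface], pkt.dst)


def reply_source(stateful):
    """Run the thread's scenario: a request from A.A.A.A to B.B.B.B arrives via ISP #2.
    Returns (egress interface, source address the remote host sees in the reply)."""
    r = Router(stateful)
    req = r.inbound(Pkt("A.A.A.A", "B.B.B.B"), "A")
    iface, reply = r.outbound(Pkt(req.dst, req.src))  # step 4: X.X.X.X answers
    return iface, reply.src
```

Without state the reply leaves via the default interface and A.A.A.A sees C.C.C.C (step 7); with the inbound interface recorded, the reply goes back out interface A as B.B.B.B.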


