Artyom Viklenko wrote:
Very brief example (just to show main idea).
Assume you have three interfaces in the router: fxp0 - lan, fxp1 - adsl1, fxp2 - adsl2.
fxp0 - 192.168.0.1, fxp1 - 192.168.1.2, fxp2 - 192.168.2.2
adsl1 - 192.168.1.1, adsl2 - 192.168.2.1
$server="192.168.0.2"
$adsl1="192.168.1.1"
$adsl2="192.168.2.1"
pass in on fxp1 inet from any to $server keep state tag ADSL1
pass in on fxp2 inet from any to $server keep state tag ADSL2
pass out on fxp0 reply-to (fxp1 $adsl1) from any to $server tagged ADSL1 keep state
pass out on fxp0 reply-to (fxp2 $adsl2) from any to $server tagged ADSL2 keep state
This is just part of the whole rulebase regarding your problem.
Packets coming in via adsl1 will pass and get tagged with the ADSL1 tag. Also,
state will be created. Then the packet will pass out to the server, and state will be created,
and all replies from the server will be forwarded back via adsl1.
Same for traffic from adsl2.
Thank you very much, this might do the trick.
However, in your example the two ADSL routers are on separate
interfaces, while in the setup I have there's only one external
interface (and a switch).
Would this work the same, by tagging based on MAC address?
Even if the machine is not acting as a bridge?
Should I create a bridge0 interface, even if it would actually not
bridge anything?
Besides, I don't really understand what fxp0 has to do with this: the
box which is connected to the two ADSL is running the server, so in the
above example $server would be 192.168.0.1 itself.
If I understand correctly I should do something along the lines of:
$adsl1="192.168.0.1"
$adsl1mac="aa:bb:cc:dd:ee:ff"
$adsl2="192.168.0.2"
$adsl2mac="gg:hh:ii:jj:kk:ll"
# Tag based on MAC address
pass in on fxp0 reply-to (fxp0 $adsl1) inet from any to $server tagged ADSL1 keep state
pass in on fxp0 reply-to (fxp0 $adsl2) inet from any to $server tagged ADSL2 keep state
One last question: could I use this, while still filtering with ipfw as
I do now? Can the two firewalls cooperate?
Would this be too much trouble (even if I have a non trivial ruleset
working)?
Can someone suggest a way with ipfw?
I found this: http://archive.netbsd.se/?ml=dfbsd-users&a=2005-10&t=1361976
(the last message).
It would involve creating a second net on the same ethernet segment, but
I can live with that (although it is going to be slightly more
complicated since I'm also using CARP).
Any opinion on this?
bye & Thanks
av.
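An added pf.conf sketch for the single-interface case, not from either poster: it assumes each ADSL router is configured to forward to a different alias address on the server's fxp0 (192.168.0.11 for adsl1, 192.168.0.12 for adsl2, both hypothetical, as are the service ports), so the destination address rather than the MAC identifies which uplink a request came through, and the reply-to recorded in the inbound rule's state sends the replies back through that router.

```pf
# /etc/pf.conf sketch (added example; all addresses and ports are assumed)
ext_if   = "fxp0"
adsl1    = "192.168.0.1"      # ADSL router 1, on the same segment
adsl2    = "192.168.0.2"      # ADSL router 2, on the same segment
srv1     = "192.168.0.11"     # alias on fxp0, target of router 1's port forward
srv2     = "192.168.0.12"     # alias on fxp0, target of router 2's port forward
services = "{ 80, 443 }"      # ports the server exposes

# Requests for the adsl1 alias: the state created here carries reply-to,
# so the server's replies leave fxp0 with adsl1 as next hop, whatever
# the default route says.
pass in on $ext_if reply-to ($ext_if $adsl1) inet proto tcp \
    from any to $srv1 port $services flags S/SA keep state

# Same for requests that arrived through adsl2.
pass in on $ext_if reply-to ($ext_if $adsl2) inet proto tcp \
    from any to $srv2 port $services flags S/SA keep state

# Traffic the server itself originates keeps the normal default route.
pass out on $ext_if inet keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is a cheap check before touching a live ruleset; the aliases are added with `ifconfig fxp0 inet 192.168.0.11 netmask 255.255.255.255 alias` (and likewise for 192.168.0.12).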
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net