On 28/04/2014 11:15, Julian Elischer wrote:
replying to myself..
On 4/28/14, 6:11 PM, Julian Elischer wrote:
On 4/28/14, 5:44 PM, Andrea Venturoli wrote:
On 04/28/14 11:18, Andreas Nilsson wrote:
You could put all the services which are on 2.0.0.2 in a separate fib and there have another default-route.
Thanks, but unfortunately I can't, since some services must be able
to answer on both addresses.
the answer is to use the ipfw setfib rule for incoming packets on the
second interface.
setfib 1 ip from any to any in recv em0
In new freebsd kernels you can do this with ifconfig em0 fib 1 (I
think that's the syntax) without involving ipfw.
then the session will inherit that fib. Outgoing packets from that
session will use fib 1 while other outgoing packets will use fib0.
from the ifconfig man page. (FreeBSD 11 but I think it's in 10 too.)
fib fib_number
    Specify interface FIB. A FIB fib_number is assigned to all frames or packets received on that interface. The FIB is not inherited, e.g., vlans or other sub-interfaces will use the default FIB (0) irrespective of the parent interface's FIB. The kernel needs to be tuned to support more than the default FIB using the ROUTETABLES kernel configuration option, or the net.fibs tunable.
this can be simulated using ipfw setfib should you not have it in the
release you are running.
"Outgoing packets from that session will use fib 1 while other outgoing
packets will use fib0."
I haven't tried this but outgoing packets not associated with any
existing fib1 session (e.g. new TCP connections, UDP, etc.) could also
be attached to fib1 with a rule like this?
setfib 1 ip from 2.0.0.0/29 to any out xmit vlan2
Keeping all the rules in ipfw is one advantage but then you have to
maintain 2 sets of routing tables - one for each fib.
Doing source-routing with pf means two firewalls to manage but just one
routing table. You could argue that the routing table is obscured by
rules in pf though so doing "netstat -rnf inet" wouldn't be authoritative.
I'd like to do something like this:
route add -srcnet 2.0.0.0/29 2.0.0.1
(kernel uses arp to translate 2.0.0.1 to an interface address like vlan2)
Dom
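The setup Julian describes (received-on-vlan2 packets tagged into fib 1, with fib 1 carrying its own default route via 2.0.0.1), written up as a small sh script. This is an added example, not code from the thread or from FreeBSD; the 2.0.0.0/29 block, the 2.0.0.1 gateway and the vlan2 interface are the thread's, while the rule numbers, variable and function names and the DRY_RUN switch are assumptions, and it needs a kernel built or tuned for net.fibs >= 2.

```shell
WAN2_NET="2.0.0.0/29"   # second provider's block (from the thread)
WAN2_GW="2.0.0.1"       # its gateway
WAN2_IF="vlan2"         # interface it lives on
WAN2_FIB=1              # routing table reserved for it

# Print the command when DRY_RUN=1, otherwise execute it, so the plan can
# be reviewed before touching the live firewall and routing tables.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# setfib needs at least WAN2_FIB+1 tables; takes an optional count so the
# check can run off a FreeBSD box (defaults to reading net.fibs).
fibs_ok() {
  n="${1:-$(sysctl -n net.fibs 2>/dev/null || echo 1)}"
  [ "$n" -gt "$WAN2_FIB" ]
}

# FIB 1 gets its own connected route and default route; FIB 0 is untouched,
# so ordinary outbound traffic keeps using the primary provider. The
# connected route may already be present (net.add_addr_allfibs=1), so a
# failure there is tolerated.
fib_routes() {
  run setfib "$WAN2_FIB" route add -net "$WAN2_NET" -iface "$WAN2_IF" || true
  run setfib "$WAN2_FIB" route add default "$WAN2_GW"
}

# Julian's rule: everything received on vlan2 is tagged with FIB 1, and the
# session created from it inherits the tag, so replies leave via 2.0.0.1.
# Rule 120 is a placeholder for the site's real filtering policy.
fib_rules() {
  run ipfw add 100 setfib "$WAN2_FIB" ip from any to any in recv "$WAN2_IF"
  run ipfw add 120 allow ip from any to any
}

# Refuse to proceed when the kernel only has the default table.
apply_all() {
  fibs_ok || { echo "net.fibs too small; set ROUTETABLES or net.fibs" >&2; return 1; }
  fib_routes && fib_rules
}
```

Run with DRY_RUN=1 first to see the exact setfib/route/ipfw lines it would issue; the ifconfig-based alternative from the man page would replace rule 100 with `ifconfig vlan2 fib 1` on a kernel that supports it.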
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"