18.07.2017 1:19, Eugene Grosbein wrote:
> 18.07.2017 0:48, Alan Somers wrote:
>
>> I think what you meant to say is "this will work for a server directly
>> connected to two external gateways (whether or not NAT is involved),
>> but won't work if the server is not on the same subnet as the
>> gateways". That's true. But judging by the OP, I think they're all
>> on the same subnet.
>
> Yes. Anyway, as long as there is NAT involved, one already has a stateful engine
> and the simplest and universal solution for this situation is PBR after NAT for
> outgoing packets.
>
> It works no matter whether gateways are directly connected or not
> and does not require multiple routing tables nor complex FIB or VNET
> configurations:
>
> # remove "default" NAT rule
> ipfw delete 50
>
> # translate incoming traffic and create NAT states
> ipfw add 40 nat 123 ip from any to any in recv $iface1
> ipfw add 50 nat 124 ip from any to any in recv $iface2
>
> # insert normal filtering here
> ...
> # translate outgoing replies using existing NAT states
> ipfw add 50020 nat global ip from $LAN to any out xmit $iface1
> ipfw add 50030 nat global ip from $LAN to any out xmit $iface2
>
> # translate new outgoing connections not having a state yet
> ipfw add 50040 nat 123 ip from any to any out xmit $iface1
> ipfw add 50050 nat 124 ip from any to any out xmit $iface2
bugfix:

ipfw add 50040 nat 123 ip from $LAN to any out xmit $iface1
ipfw add 50050 nat 124 ip from $LAN to any out xmit $iface2

> # perform Policy Based Routing for packets going to "wrong" route
> ipfw add 50140 fwd $gateway2 ip from $extip2 to any out xmit $iface1
> ipfw add 50150 fwd $gateway1 ip from $extip1 to any out xmit $iface2
>
> # that's all, folks!
>
> This works no matter where default route points to ($gateway1 or $gateway2).
> All you need is a working default route and net.inet.ip.fw.one_pass=0.
>
> This can be extended to any number of external channels/interfaces
> and optimized with ipfw tables, but for two channels I prefer to write it so
> for readability. I use this for many installations and it just works.

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
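The rule set above, generalized to any number of external channels as the post says it can be. This is an added example, not code from the thread: it only prints the rules (with the bugfix applied, so new connections match `from $LAN`) so they can be reviewed before loading; NAT instance numbers 123, 124, ... and the rule-number blocks are assumptions chosen so that rules never collide.

```shell
#!/bin/sh
# Added example, not code from the original post: emit the ipfw rule set
# described above for any number of external channels. Rules are printed,
# not applied, so the result can be reviewed before loading it into ipfw(8).
# Assumptions: one NAT instance per channel, numbered 123, 124, ...;
# rule numbers are allotted in blocks of 10 so they cannot collide.

# gen_rules LAN iface:extip:gateway [iface:extip:gateway ...]
gen_rules() {
    lan=$1; shift
    echo "# the PBR rules below need ipfw to keep processing after 'nat'"
    echo "sysctl net.inet.ip.fw.one_pass=0"
    echo "# translate incoming traffic and create NAT states"
    n=0
    for ch in "$@"; do
        iface=${ch%%:*}
        echo "ipfw add $((40 + 10 * n)) nat $((123 + n)) ip from any to any in recv $iface"
        n=$((n + 1))
    done
    echo "# insert normal filtering here"
    echo "# translate outgoing replies using existing NAT states"
    n=0
    for ch in "$@"; do
        iface=${ch%%:*}
        echo "ipfw add $((50000 + 10 * n)) nat global ip from $lan to any out xmit $iface"
        n=$((n + 1))
    done
    echo "# translate new outgoing connections not having a state yet"
    n=0
    for ch in "$@"; do
        iface=${ch%%:*}
        echo "ipfw add $((50100 + 10 * n)) nat $((123 + n)) ip from $lan to any out xmit $iface"
        n=$((n + 1))
    done
    echo "# policy based routing: a packet leaving via the 'wrong' interface"
    echo "# is forced to the gateway of the channel that owns its source IP"
    n=0
    for own in "$@"; do
        rest=${own#*:}; extip=${rest%%:*}; gw=${rest#*:}
        for other in "$@"; do
            [ "$other" = "$own" ] && continue
            echo "ipfw add $((50200 + 10 * n)) fwd $gw ip from $extip to any out xmit ${other%%:*}"
            n=$((n + 1))
        done
    done
}

# rule_count LAN channels...: number of 'ipfw add' lines gen_rules emits
rule_count() { gen_rules "$@" | grep -c '^ipfw add'; }

# constructed sample: two uplinks on em0 and em1 (documentation prefixes)
gen_rules 192.168.0.0/24 em0:203.0.113.10:203.0.113.1 em1:198.51.100.10:198.51.100.1
```

The PBR pass emits one `fwd` rule per ordered pair of channels, so with many uplinks the table-based optimization the post mentions is the next step.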