On Thu, 12 Jul 2007, Andrea Venturoli wrote:

Artyom Viklenko wrote:

Very brief example (just to show main idea).
Assume you have three interfaces in the router: fxp0 - lan, fxp1 - adsl1, fxp2 - adsl2.
fxp0 - 192.168.0.1, fxp1 - 192.168.1.2, fxp2 - 192.168.2.2
adsl1 - 192.168.1.1, adsl2 - 192.168.2.1



$server="192.168.0.2"
$adsl1="192.168.1.1"
$adsl2="192.168.2.1"

pass in on fxp1 inet from any to $server keep state tag ADSL1
pass in on fxp2 inet from any to $server keep state tag ADSL2

pass out on fxp0 reply-to (fxp1 $adsl1) from any to $server tagged ADSL1 keep state
pass out on fxp0 reply-to (fxp2 $adsl2) from any to $server tagged ADSL2 keep state

This is just part of whole rulebase regarding your problem.
Packets coming in via adsl1 will pass and get tagged with the ADSL1 tag. Also, a state will be created. Then the packet will pass out to the server, a state will be created, and all replies from the server will be forwarded back via adsl1.

Same for traffic from adsl2.

Thank you very much, this might do the trick.
However, in your example the two ADSL routers are on separate interfaces, while in the setup I have there's only one external interface (and a switch).
Would this work the same, by tagging based on MAC address?
Even if the machine is not acting as a bridge?
Should I create a bridge0 interface, even if it would actually not bridge anything?

Besides, I don't really understand what fxp0 has to do with this: the box which is connected to the two ADSL is running the server, so in the above example $server would be 192.168.0.1 itself.
If I understand correctly I should do something along the lines of:


$adsl1="192.168.0.1"
$adsl1mac="aa:bb:cc:dd:ee:ff"
$adsl2="192.168.0.2"
$adsl2mac="gg:hh:ii:jj:kk:ll"
# Tag based on MAC address

Unfortunately, PF does not work with layer 2 data
like MAC addresses.


pass in on fxp0 reply-to (fxp0 $adsl1) inet from any to $server tagged ADSL1 keep state
pass in on fxp0 reply-to (fxp0 $adsl2) inet from any to $server tagged ADSL2 keep state

This should work.

Also, it is possible to set up two aliases on the FreeBSD box for the server and
redirect connections from the adsl routers to different addresses on it.
And then route back packets from server to adsl routers based on ip.




One last question: could I use this, while still filtering with ipfw as I do now? Can the two firewalls cooperate? Would this be too much trouble (even if I have a non trivial ruleset working)?

While it is possible to use two firewalls on the same system, I wouldn't
recommend doing so unless you have some special requirements in layer 2 filtering, e.g. if you need to filter some clients based on their MAC address. IPFW alone can also do what you want.
The PF way is just more elegant. :)

You have to decide how you would differentiate packets going back from your server. If you have two incoming interfaces it is much simpler.
If you have a managed switch, you can create a separate VLAN for each
ADSL and two vlan interfaces on FreeBSD. You can do this even with a
dumb unmanaged switch.

Or use two ip addresses on server.





Can someone suggest a way with ipfw?
I found this: http://archive.netbsd.se/?ml=dfbsd-users&a=2005-10&t=1361976
(the last message).
It would involve creating a second net on the same ethernet segment, but I can live with that (although it is going to be slightly more complicated since I'm also using CARP).
Any opinion on this?



--
           Sincerely yours,
                            Artyom Viklenko.
-------------------------------------------------------
[EMAIL PROTECTED] | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve   -  http://www.freebsd.org
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
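The following pf.conf is an added example written for this thread, not a ruleset posted by either participant. It applies Artyom's "two addresses on the server" suggestion to Andrea's topology (one LAN interface, both ADSL routers on the same switch, the server and the firewall being the same box): each ADSL router port-forwards to a different address of the server, so the return path can be chosen from the destination address alone, and the MAC-based tagging that pf cannot do is never needed. All addresses, the interface name fxp0, the port list and the assumption that the ADSL routers preserve the client's public source address when forwarding are made up for this example.

```pf
# Added example (not from the thread): single LAN interface, two ADSL routers,
# server == firewall. Return traffic is steered with reply-to, keyed on which
# of the server's two addresses the connection arrived at.
#
# Assumed layout (constructed for this example):
#   fxp0   the only interface: 192.168.0.2 (primary) and 192.168.0.3 (alias)
#   adsl1  192.168.0.1, forwards inbound port 80/443 to 192.168.0.2
#   adsl2  192.168.0.4, forwards inbound port 80/443 to 192.168.0.3
# Create the alias before loading the rules:
#   ifconfig fxp0 inet 192.168.0.3 netmask 255.255.255.255 alias

ext_if        = "fxp0"
srv_via_adsl1 = "192.168.0.2"
srv_via_adsl2 = "192.168.0.3"
adsl1         = "192.168.0.1"
adsl2         = "192.168.0.4"
lan_net       = "192.168.0.0/24"
services      = "{ 80, 443 }"

set skip on lo0
block in log all

# Connections that came through adsl1 can only have 192.168.0.2 as their
# destination, so reply-to sends every reply packet of that state back out
# fxp0 to adsl1's LAN address instead of following the default route.
pass in on $ext_if reply-to ($ext_if $adsl1) inet proto tcp \
    from any to $srv_via_adsl1 port $services flags S/SA keep state
pass in on $ext_if reply-to ($ext_if $adsl2) inet proto tcp \
    from any to $srv_via_adsl2 port $services flags S/SA keep state

# pf uses last-matching rule: LAN clients hitting either address match this
# rule last, get a state without reply-to, and are answered directly.
pass in on $ext_if inet from $lan_net \
    to { $srv_via_adsl1, $srv_via_adsl2 } keep state

# Connections the server opens itself are not steered; they use the
# routing table's default gateway as before.
pass out on $ext_if inet keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and after a test connection through each ADSL line look at `pfctl -ss`: the two states should show the client's public address paired with 192.168.0.2 and 192.168.0.3 respectively. Two caveats: reply-to only affects packets belonging to a state created by the rule it is on, so anything the server initiates still leaves via the default route; and if an ADSL router rewrites the source address to its own LAN address when forwarding, the replies already return to the right router and the reply-to rules simply become redundant.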
