Re: net.add_addr_allfibs - alternative usecases

From: Volodymyr Kostyrko <arcade_at_b1t.name>
Date: Tue, 12 Oct 2021 11:29:31 UTC
On 12.10.21 11:27, Oleksandr Kryvulia wrote:
> On 04.10.21 10:33, Volodymyr Kostyrko wrote:
>> Hello.
>>
>> First of all, I came here not to agitate for any change, I want to
>> understand how my configuration is inefficient and how I can do that
>> better.
>>
>> I have two outgoing interfaces, if0 and if1. Those are different
>> internet providers, I even get ipv6 through the second one, and that's
>> nice. I want to automatically fall back to the interface that is
>> working in case of an outage. Also, I want some traffic only on one of
>> those interfaces. So I got 3 fibs:
>>
>> fib 0: default route
>> fib 1: default route is if0
>> fib 2: default route is if1
>>
>> Fibs 1-2 are used for traffic that should only pass through exactly
>> that interface. Traffic pinning is done with PF:
>>
>> pass out on $outside2 inet from ($outside2) queue(in_std2, in_priv2)
>> modulate state rtable 2
>>
>> For example, I can test connectivity to both sides via:
>>
>> setfib 1 ping -qc 5 8.8.8.8
>> setfib 2 ping -qc 5 8.8.8.8
>>
>> And in case one of them doesn't work I can switch to the other one by
>> changing routing on fib 0.
>>
>> Everything seems to work fine with net.add_addr_allfibs enabled. But
>> once it was disabled I started wondering whether I'm using the right
>> tools to solve my problem, or whether this can be done more easily.
>> Disabling net.add_addr_allfibs means that only the assigned interface
>> will provide a default route for the corresponding fib, and you can't
>> manually add them to the other fib. Or maybe I got that part totally wrong?
>>
>> Thanks in advance, any bit of knowledge would be appreciated.
>>
> 
> Hi
> Yes, in your current scheme you need net.add_addr_allfibs enabled.
> As for me fibs are useful when you need to run jails or other local
> processes with different routing tables. To do PBR you can use pf's
> route-to/reply-to instead.
> 

Thank you for the reply. Actually I already made a few attempts at 
route-to/reply-to, but those were deliberately failing for some 
connections. Plus it's not that easy to switch when you need to reroute 
connections, as the routing table can be changed outside of route definitions.

Actually I found a way to propagate required routes to other fibs:

   route add -net <network> -interface if0

or

   route_rule='-net <network> -interface if0 fib 1'

in /etc/rc.conf.

-- 
Sphinx of black quartz judge my vow.
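As an added example (not from the thread or its authors), here is a small /bin/sh script that automates the probe-and-switch step described above: it checks each pinned fib with the same `setfib N ping -qc 5` test and repoints fib 0's default route at the uplink that answers. The gateway addresses, the `DRY_RUN` switch and the fib-to-gateway mapping are assumptions of this example; the thread only gives the fib/interface layout and the ping check.

```shell
#!/bin/sh
# Failover helper for the layout in the thread: fib 1 is pinned to if0,
# fib 2 to if1, and fib 0 should carry whichever default is reachable.
# Gateway addresses are constructed placeholders (assumed, not from the thread).
GW_IF0="192.0.2.1"
GW_IF1="198.51.100.1"
PROBE_TARGET="8.8.8.8"
DRY_RUN="${DRY_RUN:-1}"   # 1: print the route command instead of running it

# probe FIB TARGET: succeed when 5 pings reach TARGET through FIB.
# This is exactly the check used in the thread ("setfib 1 ping -qc 5 8.8.8.8").
probe() {
    setfib "$1" ping -qc 5 "$2" >/dev/null 2>&1
}

# choose_fib: print the first pinned fib (1, then 2) whose uplink answers;
# print nothing and return 1 when neither does.
choose_fib() {
    for fib in 1 2; do
        if probe "$fib" "$PROBE_TARGET"; then
            echo "$fib"
            return 0
        fi
    done
    return 1
}

# gateway_for FIB: map the working fib back to the gateway for fib 0 (assumed mapping).
gateway_for() {
    case "$1" in
        1) echo "$GW_IF0" ;;
        2) echo "$GW_IF1" ;;
        *) return 1 ;;
    esac
}

# failover: repoint fib 0's default route at the working uplink. Fib 0 is the
# default table, so the route command needs no setfib prefix.
failover() {
    fib=$(choose_fib) || { echo "no uplink reachable, leaving fib 0 untouched" >&2; return 1; }
    gw=$(gateway_for "$fib") || return 1
    if [ "$DRY_RUN" = 1 ]; then
        echo "route change default $gw"
    else
        route change default "$gw"
    fi
}

# Run as "sh failover.sh run" (DRY_RUN=0 to actually change fib 0).
case "${1:-}" in run) failover ;; esac
```

With `DRY_RUN` left at 1 the script only prints the `route change` it would run, which is a safe way to check the decision logic from cron before letting it touch fib 0.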