Changing the NAT IP on demand?
Nick Rogness
nick at rogness.net
Sun Oct 5 00:56:31 PDT 2003
On Sat, 4 Oct 2003, Leo Bicknell wrote:
>
> I'm considering options for a new project, and I think I've discovered
> what I think is the best idea, but I don't think current software
> supports the config. I'd like to get some confirmation, and comments on
> if it would be hard to implement.
>
> Consider:
>
>
>     ISP #1-------\
>                   \
>                    FreeBSD Box----LAN
>                   /
>     ISP #2-------/
>
> In this case the LAN would be 1918 space, the two ISPs would each
> provide a public IP for the FreeBSD box.
>
> Now, NAT would be required. What I want to do is write an external
> application to decide the performance of ISP #1 and ISP #2, and
> somehow tell NAT which outside address to use.
>
> That, by itself, is not hard. Here's the trick. I want the switch
> to be seamless. That is, if NAT is translating to ISP #1 and the
> application says switch to #2 the existing translations to #1 (until
> they go away naturally) should be kept, while new ones go to #2.
>
> The only ways I know to change the outside address seem to tear down
> all existing connections.
>
> Is it possible to make this work today? Would it be hard to fix if
> it doesn't work today?
This simply cannot work without resetting connections. The
socket pair on the "outside" would break as your outside traffic
switches from one to the other (src/dst would change). There is
no fix, as this breaks basic IP principles.
A suggestion to make this kinda work would be to get a range that
ISP#1 && ISP#2 would both allow you to route in/out. Then you
would have to write some app that routes your traffic out either
ISP, keeping the same "outside" range.
So you get a range (or single IP), call it X.X.X.X. This is your
external (non 1918) address. When packets leave your FreeBSD
machine destined for the Internet, the source IP would be X.X.X.X.
Since both ISPs allow source IP X.X.X.X out, it is only a matter
of determining which ISP to send the traffic out to. This would
be done by modifying the routing table (or with fw forwarding of
some sort). The inverse is true with traffic inbound from the
Internet to X.X.X.X.
However, if you are going to go through this type of trouble, you
might as well just route peer with the ISPs via BGP or whatnot.
Nick Rogness <nick at rogness.net>
-
How many people here have telekinetic powers? Raise my hand.
-Emo Philips
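The "app that routes your traffic out either ISP" from Nick's suggestion, as an added illustration that is not part of the thread: a POSIX sh decision function that picks the egress link for new flows from measured RTT and loss, and emits the FreeBSD route(8) change that moves the default route while the outside address X stays the same. Gateway addresses, thresholds and the measurement inputs are constructed sample values; measuring the links (e.g. with ping) is left outside the script.

```shell
#!/bin/sh
# Added example (not from the thread): choose which ISP link carries new
# outbound traffic and emit the route change that steers it there. The
# fixed outside address X is never touched, so established socket pairs
# survive the switch. Gateways and thresholds are constructed values.
ISP1_GW="198.51.100.1"
ISP2_GW="203.0.113.1"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the route command instead of running it
LOSS_MAX=5                # percent loss above which a link is avoided
RTT_MARGIN=20             # ms by which ISP#2 must beat ISP#1 to displace it

# pick_isp RTT1 LOSS1 RTT2 LOSS2 -> prints "isp1" or "isp2".
# A lossy link loses to a clean one; otherwise ISP#1 is preferred unless
# ISP#2 is faster by more than RTT_MARGIN, which keeps the route from
# flapping on small RTT differences.
pick_isp() {
    rtt1=$1; loss1=$2; rtt2=$3; loss2=$4
    if [ "$loss1" -gt "$LOSS_MAX" ] && [ "$loss2" -le "$LOSS_MAX" ]; then
        echo isp2; return 0
    fi
    if [ "$loss2" -gt "$LOSS_MAX" ] && [ "$loss1" -le "$LOSS_MAX" ]; then
        echo isp1; return 0
    fi
    if [ $((rtt2 + RTT_MARGIN)) -lt "$rtt1" ]; then
        echo isp2
    else
        echo isp1
    fi
}

# route_cmd ISP -> prints the route(8) invocation for that link's gateway.
route_cmd() {
    case "$1" in
        isp1) echo "route change default $ISP1_GW" ;;
        isp2) echo "route change default $ISP2_GW" ;;
        *) echo "unknown isp: $1" >&2; return 1 ;;
    esac
}

# apply RTT1 LOSS1 RTT2 LOSS2 -> decides and (dry-)runs the route change.
# Only the egress link for new packets changes; source X is unchanged.
apply() {
    choice=$(pick_isp "$@") || return 1
    cmd=$(route_cmd "$choice") || return 1
    if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
}
```

Run periodically (e.g. from cron) with the measured values as arguments; with DRY_RUN unset to 1 it only prints what it would do.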