Again two ADSL lines, routing problems
Andrea Venturoli
ml at netfence.it
Thu Jul 12 20:01:52 UTC 2007
Artyom Viklenko wrote:
> Very brief example (just to show main idea).
> Assume you have three interfaces in the router: fxp0 - lan, fxp1 - adsl1,
> fxp2 - adsl2.
> fxp0 - 192.168.0.1, fxp1 - 192.168.1.2, fxp2 - 192.168.2.2
> adsl1 - 192.168.1.1, adsl2 - 192.168.2.1
>
> $server="192.168.0.2"
> $adsl1="192.168.1.1"
> $adsl2="192.168.2.1"
>
> pass in on fxp1 inet from any to $server keep state tag ADSL1
> pass in on fxp2 inet from any to $server keep state tag ADSL2
>
> pass out on fxp0 reply-to (fxp1 $adsl1) from any to $server tagged ADSL1
> keep state
> pass out on fxp0 reply-to (fxp2 $adsl2) from any to $server tagged ADSL2
> keep state
>
> This is just part of whole rulebase regarding your problem.
> Packets coming in via adsl1 will pass and get tagged with the ADSL1 tag.
> Also, state will be created. Then the packet will pass out to the server,
> and state will be created, and all replies from the server will be
> forwarded back via adsl1.
>
> Same for traffic from adsl2.
Thank you very much, this might do the trick.
However, in your example the two ADSL routers are on separate
interfaces, while in the setup I have there's only one external
interface (and a switch).
Would this work the same, by tagging based on MAC address?
Even if the machine is not acting as a bridge?
Should I create a bridge0 interface, even if it would actually not
bridge anything?
Besides, I don't really understand what fxp0 has to do with this: the
box which is connected to the two ADSL is running the server, so in the
above example $server would be 192.168.0.1 itself.
If I understand correctly I should do something along the lines of:
$adsl1="192.168.0.1"
$adsl1mac="aa:bb:cc:dd:ee:ff"
$adsl2="192.168.0.2"
$adsl2mac="gg:hh:ii:jj:kk:ll"
# Tag based on MAC address
pass in on fxp0 reply-to (fxp0 $adsl1) inet from any to $server tagged ADSL1 keep state
pass in on fxp0 reply-to (fxp0 $adsl2) inet from any to $server tagged ADSL2 keep state
One last question: could I use this, while still filtering with ipfw as
I do now? Can the two firewalls cooperate?
Would this be too much trouble (even if I have a non trivial ruleset
working)?
Can someone suggest a way with ipfw?
I found this: http://archive.netbsd.se/?ml=dfbsd-users&a=2005-10&t=1361976
(the last message).
It would involve creating a second net on the same ethernet segment, but
I can live with that (although it is going to be slightly more
complicated since I'm also using CARP).
Any opinion on this?
bye & Thanks
av.
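An added example, not from this thread and not Andrea's or Artyom's configuration, of the second-subnet approach mentioned above, written in FreeBSD pf.conf syntax. It assumes the two ADSL routers and the server share one interface (fxp0) and a switch. Since pf matches on addresses and interfaces, not on MAC addresses, the two paths are told apart by putting the second router on its own IP subnet on the same segment: adsl2 is moved to 192.168.5.1 and the server gets an alias 192.168.5.2 on fxp0. Connections arriving through router 1 are then addressed to 192.168.0.2 and those through router 2 to 192.168.5.2, and each `pass in` rule pins its return path with `reply-to`. All addresses and the `$ext_if`, `$srv_net1`, `$srv_net2`, `$adsl1`, `$adsl2` names are constructed assumptions.

```pf
# Added example (constructed addressing, not from the thread):
#   fxp0 primary 192.168.0.2/24, alias 192.168.5.2/24
#   adsl1 router 192.168.0.1 (subnet 1), adsl2 router 192.168.5.1 (subnet 2)
ext_if   = "fxp0"
srv_net1 = "192.168.0.2"
srv_net2 = "192.168.5.2"
adsl1    = "192.168.0.1"
adsl2    = "192.168.5.1"

# Traffic that came in through router 1 is addressed to the subnet-1 address.
# reply-to sends the replies of this state back to router 1, whatever the
# default route says.
pass in on $ext_if reply-to ($ext_if $adsl1) inet \
    from any to $srv_net1 keep state

# Same for router 2, keyed on the subnet-2 alias.
pass in on $ext_if reply-to ($ext_if $adsl2) inet \
    from any to $srv_net2 keep state

# Connections the server opens itself follow the default route; keeping
# state lets their replies pass without further rules.
pass out on $ext_if inet keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; the state entries created by the `pass in` rules carry the reply-to gateway, so only the first packet of each connection has to hit the right rule.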