Server with multiple public IP
Dominic Froud
dom at talk2dom.com
Mon Apr 28 11:06:32 UTC 2014
On 28/04/2014 11:15, Julian Elischer wrote:
> replying to myself..
>
> On 4/28/14, 6:11 PM, Julian Elischer wrote:
>> On 4/28/14, 5:44 PM, Andrea Venturoli wrote:
>>> On 04/28/14 11:18, Andreas Nilsson wrote:
>>>
>>>> You could put all the services which are on 2.0.0.2 in a separate fib
>>>> and there have another default-route.
>>>
>>> Thanks, but unfortunately I can't, since some services must be able
>>> to answer on both addresses.
>>
>> the answer is to use the ipfw setfib rule for incoming packets on the
>> second interface.
>> setfib 1 ip from any to any in recv em0
>> In new freebsd kernels you can do this with ifconfig em0 fib 1 (I
>> think that's the syntax) without involving ipfw.
>>
>> then the session will inherit that fib. Outgoing packets from that
>> session will use fib 1 while other outgoing packets will use fib0.
> from the ifconfig man page. (FreeBSD 11 but I think it's in 10 too.)
>
> fib fib_number
>         Specify interface FIB. A FIB fib_number is assigned to all
>         frames or packets received on that interface. The FIB is not
>         inherited, e.g., vlans or other sub-interfaces will use the
>         default FIB (0) irrespective of the parent interface's FIB. The
>         kernel needs to be tuned to support more than the default FIB
>         using the ROUTETABLES kernel configuration option, or the
>         net.fibs tunable.
>
> this can be simulated using ipfw setfib should you not have it in the
> release you are running.
>
"Outgoing packets from that session will use fib 1 while other outgoing
packets will use fib0."
I haven't tried this but outgoing packets not associated with any
existing fib1 session (e.g. new TCP connections, UDP, etc.) could also
be attached to fib1 with a rule like this?
setfib 1 ip from 2.0.0.0/29 to any out xmit vlan2
Keeping all the rules in ipfw is one advantage but then you have to
maintain 2 sets of routing tables - one for each fib.
Doing source-routing with pf means two firewalls to manage but just one
routing table. You could argue that the routing table is obscured by
rules in pf though, so doing "netstat -rnf inet" wouldn't be authoritative.
I'd like to do something like this:
route add -srcnet 2.0.0.0/29 2.0.0.1
(kernel uses arp to translate 2.0.0.1 to an interface address like vlan2)
Dom
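The two approaches Dom compares above, written out as a dry-run script. This is an added example, not code posted in the thread or shipped by FreeBSD: it emits the commands for (a) a second FIB fed by the ipfw "setfib ... in recv" rule Julian describes, plus the default route that FIB needs, and (b) the equivalent pf route-to/reply-to rules with a single routing table. The interface names, prefix and gateway (em0, vlan2, 2.0.0.0/29, 2.0.0.1, FIB 1) are assumptions taken from the thread's own examples, and the net.fibs check follows the ifconfig(8) text quoted above. Nothing is executed unless APPLY=1 is set on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed topology (from the thread's
# examples): primary uplink em0 in FIB 0; second uplink vlan2 carrying
# 2.0.0.0/29 with next hop 2.0.0.1, to be served by FIB 1.
MAIN_IF="${MAIN_IF:-em0}"
ALT_IF="${ALT_IF:-vlan2}"
ALT_NET="${ALT_NET:-2.0.0.0/29}"
ALT_GW="${ALT_GW:-2.0.0.1}"
FIB="${FIB:-1}"

# FIBs are numbered 0..net.fibs-1, so FIB $FIB exists only if net.fibs > $FIB.
# The sysctl value is passed in (e.g. "$(sysctl -n net.fibs)") so the check
# can be exercised on a box without a FreeBSD kernel.
fib_available() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: sysctl missing
    esac
    [ "$1" -gt "$FIB" ]
}

# (a) FIB approach. Two things must exist: a default route inside FIB $FIB,
# and a rule that tags packets arriving on $ALT_IF so their sessions (and the
# replies those sessions generate) use FIB $FIB instead of FIB 0.
fib_commands() {
    printf '%s\n' \
        "setfib $FIB route add default $ALT_GW" \
        "ipfw add 100 setfib $FIB ip from any to any in recv $ALT_IF"
    # Kernels with the ifconfig "fib" option can tag without ipfw; per the
    # quoted man page the FIB is not inherited by vlan sub-interfaces, so it
    # has to be set on $ALT_IF itself, not on its parent.
    printf '# alternative on newer kernels: ifconfig %s fib %s\n' "$ALT_IF" "$FIB"
}

# (b) pf approach: one routing table; pf pushes replies and outbound traffic
# from the second prefix to the second gateway instead of the kernel doing it.
pf_rules() {
    printf '%s\n' \
        "pass in on $ALT_IF reply-to ($ALT_IF $ALT_GW) from any to $ALT_NET" \
        "pass out on $MAIN_IF route-to ($ALT_IF $ALT_GW) from $ALT_NET to any"
}

# How to confirm what the kernel actually does. Plain "netstat -rnf inet"
# shows FIB 0 only; the second table has to be asked for explicitly.
verify_commands() {
    printf '%s\n' "sysctl net.fibs" "setfib $FIB netstat -rnf inet" "ipfw show"
}

main() {
    if [ "${APPLY:-0}" = 1 ]; then
        fib_available "$(sysctl -n net.fibs 2>/dev/null)" || {
            echo "net.fibs must be > $FIB (ROUTETABLES option or net.fibs tunable)" >&2
            exit 1
        }
        fib_commands | grep -v '^#' | sh -ex
    else
        echo "# FIB approach:";                 fib_commands
        echo "# pf approach (pf.conf fragment):"; pf_rules
        echo "# verify with:";                  verify_commands
    fi
}
main "$@"
```

Run it with no arguments to see both rule sets side by side; set APPLY=1 on the FreeBSD host to install the FIB variant. Whether an additional "out xmit" setfib rule also captures new, locally originated connections from the second prefix is the open question Dom raises, and the verify commands are the way to settle it on a given kernel rather than by reading the rules.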